Title: | Lifecycle Management for Information, Hardware, Software, and Services | Publication date: | 6/15/2021 | Effective date: | 9/20/1996 |
POLICY This policy establishes lifecycle management for information, hardware, software, and services to promote the efficient management of Laboratory Information and IT, while facilitating the scientific mission of Lawrence Berkeley National Lab (Berkeley Lab). Employees and affiliates who use or manage Laboratory Information or IT; employees and affiliates who acquire, develop, or manage hardware, software, or services. Not applicable | Anchor |
|---|
| _D._Policy_Statement |
|---|
| _D._Policy_Statement |
|---|
|
D. Policy Statement| Anchor |
|---|
| _D.1_Employee_Responsibilities |
|---|
| _D.1_Employee_Responsibilities |
|---|
|
D.1 Employee ResponsibilitiesEveryone is responsible for lifecycle management. Lifecycle management is a line-management function at Berkeley Lab. Laboratory employees and affiliates are responsible for the lifecycle management of Laboratory Information and Laboratory IT that they use or manage. Lifecycle management includes: - Planning and project management, including disaster and continuity planning
- Security throughout the lifecycle
- Acquisition, development, and implementation
- Management, operations, backups, and maintenance and
- Disposal or retirement
| Anchor |
|---|
| _D.2_Institutional_Services |
|---|
| _D.2_Institutional_Services |
|---|
|
D.2 Institutional ServicesFor both security and efficiency reasons, the Chief Information Officer identifies select services as Institutional Services. Only the responsible office or its designee may provide Institutional Services. | Anchor |
|---|
| _D.3_Operations_Divisions |
|---|
| _D.3_Operations_Divisions |
|---|
|
D.3 Operations DivisionsOperations divisions may not acquire hardware, software, or services to support operation-level activities without coordination with and approval from the IT Division. | Anchor |
|---|
| _D.4_Researchers_and |
|---|
| _D.4_Researchers_and |
|---|
|
D.4 Researchers and Research DivisionsIn general, researchers and their line management are in the best position to identify hardware, software, and service needs, excluding Institutional Services. When identifying needs, researchers should use a cost-benefit approach to evaluate commercial, open source, custom, or other existing solutions. This section provides additional requirements or policy to promote responsible stewardship. - General Requirements for Software Development
- Lifecycle Management. Researchers should consider what components of lifecycle management, including quality assurance, are appropriate to the risks and uses of their software. In general, the peer review process constitutes adequate quality assurance for software developed for research purposes.
- Licensing. Researchers should consider licensing options early in their project and contact the Innovation and Partnerships Office for assistance.
- Disclosure Requirement. Under certain circumstances, researchers must submit software developed in the course of their work at Berkeley Lab per requirements of the Software Disclosure and Distribution policy.
- Software and Service Acquisition
- Acquisition. If unavailable through Laboratory venues (e.g., software.lbl.gov and ebuy.lbl.gov), researchers may acquire software via standard procurement procedures. Researchers may acquire IT services provided that the services meet security requirements as appropriate.
- For cloud providers, researchers should assess the risks and identify any controls to mitigate those risks. Guidance: Cloud Services - Things to Consider.
- Researchers must contact Cyber Security to discuss appropriate controls if a software or service:
- Has deep, persistent connections to institutional business systems or
- Has a Berkeley Lab domain name and is highly visible to the outside world such that compromise or failure would be newsworthy or
- Processes sensitive data such as Personally Identifiable Information (PII) or institutional financial or safety data with special integrity and availability requirements
- Licensing Agreements. Berkeley Lab permits licensing agreements in which the user accepts the agreement by clicking or opening the package. A Procurement representative must sign licensing agreements that require signatures.
- Hardware Acquisition. In support of our mission, Berkeley Lab encourages system choice to support the diverse needs of researchers. Divisions and groups may set hardware standards or leave hardware decisions to the discretion of the principal investigator or end user. Standards and decisions should be based on managing lifecycle costs in support of effectively achieving research missions.
| Anchor |
|---|
| _D.5_Safety_Software |
|---|
| _D.5_Safety_Software |
|---|
|
D.5 Safety Software and Software with Physical InterfacesDuring the course of research or operations, employees and affiliates may be involved with the development, maintenance, management, or use of Safety Software or software with physical interfaces. Employees and affiliates must adhere to the following requirements. - Safety Software. Safety Software is software whose degradation can have a direct effect on human safety (see full definition in Section F, below). Safety Software at Berkeley Lab must be appropriately approved, controlled, and tested.
- Approval and Inventory. Software that meets the definition of Safety Software must be reported to the Environment/Health/Safety (EHS) Division for approval. EHS must approve the development of safety software in coordination with the Information Technology Division. The Office of Contractor Assurance maintains the Safety Software Inventory, and the organization that owns or uses the software updates the inventory.
- Safety Software Quality Assurance Requirements. Anyone involved in the development, maintenance, management, or use of software on the Safety Software Inventory must adhere to the Safety Software Quality Assurance Requirements.
- Where software is part of a safety chain, but where a nonsoftware control protects human safety from software degradation, management may adopt a subset of the Safety Software Quality Assurance Requirements at its discretion.
- Software with Physical Interfaces. Software used to monitor or interact with the physical world presents additional risks. This software usually includes programmable logic controllers (PLC) and supervisory control and data acquisition systems (SCADA). Even where this software does not rise to the level of Safety Software, it still merits deliberate controls and testing. Anyone involved in the development, maintenance, management, or use of software with physical interfaces should conduct a risk analysis and identify appropriate controls. When conducting the risk analysis, consider the whole system, including both software and nonsoftware components. Specific risks to consider include cyber security, data integrity, and damage to equipment.
| Anchor |
|---|
| _D.6_Open_Source |
|---|
| _D.6_Open_Source |
|---|
|
D.6 Open Source SoftwareThe Laboratory encourages the use of open source software and contributing to open source projects provided that contributions are within the terms associated with the funding for the work. - Cyber Security. Open source software may have cyber security benefits as multiple individuals view the code. However, use caution, especially with smaller projects. Download the software from a reputable source and, when available, use tools to check the integrity of the code (e.g., checksums).
- Licensing. Open source software is typically released under a license that creates a legal obligation between the copyright holder and Berkeley Lab. Users must review and adhere to the licensing restrictions, especially when modifying or including the code within other software.
| Anchor |
|---|
| _D.7_Information_Technology |
|---|
| _D.7_Information_Technology |
|---|
|
D.7 Information Technology DivisionThe Information Technology Division is responsible for developing and maintaining a graded approach to IT lifecycle management, from conception to retirement.
All IT-managed services (including institutional), hardware, software, and outsourced services must adhere to the IT lifecycle management approach, which incorporates grades based on risk to physical safety as well as privacy. Employees and affiliates are responsible for adhering to this policy. | Anchor |
|---|
| _F._Definitions/Acronyms |
|---|
| _F._Definitions/Acronyms |
|---|
|
F. Definitions/AcronymsTerm | Definition | Safety Software | Safety Software includes the following: - Safety System Software. Software for a nuclear facility that performs a safety function as part of a structure, system, or component (SSC) and is cited in either (a) a DOE-approved documented safety analysis or (b) an approved hazard analysis per DOE P 450.4, Safety Management System Policy, dated 10-15-96 (or latest version) and 48 CFR 970-5223.1.
- Safety and Hazard Analysis Software and Design Software. Software used to classify, design, or analyze nuclear facilities. This software is not part of an SSC but helps to ensure the proper accident or hazards analysis of nuclear facilities or an SSC that performs a safety function.
- Safety Management and Administrative Controls Software. Software that performs a hazard control function in support of nuclear facility or radiological safety management programs or technical safety requirements or other software that performs a control function necessary to provide adequate protection from nuclear facility or radiological hazards. This software supports eliminating, limiting, or mitigating nuclear hazards to workers, the public, or the environment as addressed in 10 CFR Parts 830 and 835, the DEAR Integrated Safety Management System clause, and 48 CFR 970-5223.1.
| Laboratory Information | Information used to accomplish job-related tasks; information may be owned by the Regents of the University of California or the Department of Energy. | Laboratory Information Technology (IT) | Berkeley Lab-managed IT, including computing devices, networks, services, and accounts |
None Information Technology Policy Manager
Information Technology Division
[email protected] J. Revision HistoryDate | Revision | By whom | Revision Description | Section(s) affected | Change Type | 1/2/2012 | 0 | J. Bonaguro | Rewrite for wiki (brief) | All | Minor | 11/28/2012 | 1 | J. Bonaguro | Rewrite for wiki (policy) | All | Minor | | 3/22/2017 | 1.1 | S. Lau | Technical edits | All | Minor | | 6/15/2021 | 1.2 | A. Sultan | Periodic review. Minor editorial and formatting changes. No policy revisions. | All | Editorial |
|
