{"id":69499,"date":"2026-02-02T14:44:08","date_gmt":"2026-02-02T22:44:08","guid":{"rendered":"https:\/\/policies.wsu.edu\/prf\/?page_id=69499"},"modified":"2026-02-20T16:25:38","modified_gmt":"2026-02-21T00:25:38","slug":"bppm-87-65","status":"publish","type":"page","link":"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-65\/","title":{"rendered":"87.65 Software Development"},"content":{"rendered":"\n<h1 class=\"wp-block-heading wsu-font-size--xxmedium\">University Policies and Procedures Manual&nbsp;(previously Business Policies and Procedures Manual)<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Software Development<\/strong><\/h2>\n\n\n<div class=\"wsu-row wsu-row--single\" >\r\n    \n<div class=\"wsu-column\"  style=\"\">\r\n\t\n\n<p><strong>UPPM 87.65<\/strong><\/p>\n<p><strong>For more information contact:<\/strong><br \/>\u00a0 \u00a0<a href=\"https:\/\/its.wsu.edu\/how-can-we-help-contact-its\/\">Information Technology Services<\/a><\/p>\n<hr \/>\n<div id=\"toc_container\">\n<h3>Contents<\/h3>\n<ul class=\"toc_list\">\n<li><a href=\"#One_0\">1.0 \u00a0\u00a0 Overview and Purpose<\/a>\n<ul class=\"toc_list\">\n<li><a href=\"#One_1\">1.1 \u00a0\u00a0 Information Assurance Policies Generally<\/a><\/li>\n<li><a href=\"#One_2\">1.2 \u00a0\u00a0 Specific Policy Overview and Purpose<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#Two_0\">2.0 \u00a0\u00a0 Applicability<\/a><\/li>\n<li><a href=\"#Three_0\">3.0 \u00a0\u00a0 Roles and Responsibilities<\/a>\n<ul class=\"toc_list\">\n<li><a href=\"#Three_1\">3.1 \u00a0\u00a0 Chief Information Officer<\/a><\/li>\n<li><a href=\"#Three_2\">3.2 \u00a0\u00a0 Information Owners<\/a><\/li>\n<li><a href=\"#Three_3\">3.3 \u00a0\u00a0 Office of Information Security and Assurance (OISA)<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#Four_0\">4.0 \u00a0\u00a0 Requirements<\/a>\n<ul class=\"toc_list\">\n<li><a href=\"#Four_1\">4.1 \u00a0\u00a0 General Requirements <\/a><\/li>\n<li><a 
href=\"#Four_2\">4.2 \u00a0\u00a0 Moderate- and High-Impact System Requirements<\/a><\/li>\n<li><a href=\"#Four_3\">4.3 \u00a0\u00a0 High-Impact System Requirements <\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#Five_0\">5.0 \u00a0\u00a0 Training<\/a><\/li>\n<\/ul>\n<\/div>\n<h3 id=\"One_0\">1.0\u00a0\u00a0\u00a0\u00a0 Overview and Purpose<\/h3>\n<h4 id=\"One_1\">1.1\u00a0\u00a0\u00a0\u00a0\u00a0 Information Assurance Policies Generally<\/h4>\n<p>The purposes of the information assurance policies in UPPM Chapter 87: Information Technology and Security are to:<\/p>\n<ul>\n<li>Set requirements to ensure the privacy, confidentiality, integrity, and availability of Washington State University (WSU) data;<\/li>\n<li>Support institutional goals and strategies with appropriate methods for administratively, technically, and operationally protecting data; and<\/li>\n<li>Define the criteria WSU follows to meet requirements for protecting data, which are determined by Information Owners<\/li>\n<\/ul>\n<p>The policies in this chapter comply with Federal Information Processing Standards (<a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/fips\/nist.fips.199.pdf\">FIPS 199<\/a>), which are intended to help organizations achieve a common level of quality and interoperability in information technology (IT) by requiring categorization of systems as low-impact, moderate-impact, or high-impact for the stated security objectives of confidentiality, integrity, and availability. 
To determine the potential consequence of a loss event, the Federal Information Processing Standards:<\/p>\n<ul>\n<li>Define WSU Information Owners\u2019 impact categorization rating (Low, Moderate, or High);<\/li>\n<li>Dictate which security controls are mandatory based upon the categorization level;<\/li>\n<li>Define the strength, frequency, and formalization of those controls; and<\/li>\n<li>Influence audit burden and continuous monitoring rigor.<\/li>\n<\/ul>\n<p>See <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-01\/\">UPPM 87.01<\/a> for definitions, general information, and violations related to this policy, as well as additional information regarding roles and responsibilities.<\/p>\n<h4 id=\"One_2\">1.2\u00a0\u00a0\u00a0\u00a0\u00a0 Specific Policy Overview and Purpose<\/h4>\n<p>All WSU software applications must be procured, designed, developed, used, and maintained in a manner that protects institutional data, systems, and user privacy. This policy establishes requirements to ensure that information security and user privacy considerations are integrated within the entire software development lifecycle.<\/p>\n<h3 id=\"Two_0\">2.0\u00a0\u00a0\u00a0 Applicability<\/h3>\n<p>This policy applies to all individuals, organizations, businesses, and groups, internal and external to WSU, that develop, maintain, and\/or monitor software applications used for WSU business. 
This policy also applies to procurement of all WSU software applications.<\/p>\n<p>This policy also applies to all WSU system users who have contact with, or potentially may have contact with, WSU data, applications, and computing resources.<\/p>\n<p>Security control exceptions to policy statements in UPPM Chapter 87 are managed and maintained in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-23\/\">UPPM 87.23<\/a>.<\/p>\n<h3 id=\"Three_0\">3.0\u00a0\u00a0\u00a0 Roles and Responsibilities<\/h3>\n<h4 id=\"Three_1\">3.1\u00a0\u00a0\u00a0\u00a0\u00a0 Chief Information Officer<\/h4>\n<p>The Chief Information Officer (CIO) of WSU, or designee, is responsible for administering this policy and reviewing it on an annual basis.<\/p>\n<h4 id=\"Three_2\">3.2\u00a0\u00a0\u00a0\u00a0 Information System Owners<\/h4>\n<p>WSU Information System Owners, or their delegates, are responsible and accountable for developing appropriate Standard Operating Procedures (SOPs) for this policy&#8217;s implementation.\u00a0<\/p>\n<h4 id=\"Three_3\">3.3\u00a0\u00a0\u00a0\u00a0 Office of Information Security and Assurance (OISA)<\/h4>\n<p>WSU\u2019s Office of Information Security and Assurance (OISA) shall maintain the <a href=\"https:\/\/its.wsu.edu\/documents\/2026\/01\/software-development-standard.pdf\">standard (PDF)<\/a> associated with this policy and provide guidance for the associated procedures for the implementation of this policy (<a href=\"https:\/\/its.wsu.edu\/documents\/2026\/01\/software-development-procedure.pdf\"><u>see examples<\/u> (PDF)<\/a>).<\/p>\n<p><strong>Note:<\/strong> While all units are required to adhere to the standard established by OISA (<a href=\"https:\/\/csrc.nist.gov\/pubs\/sp\/800\/53\/r5\/upd1\/final\">NIST SP 800-53<\/a>), procedural examples for implementation are optional.<\/p>\n<h3 id=\"Four_0\">4.0\u00a0\u00a0 Requirements<\/h3>\n<h4 id=\"Four_1\">4.1\u00a0\u00a0\u00a0\u00a0 
General Requirements<\/h4>\n<p>Information System Owners, or their delegates, must maintain a Software Development Life Cycle (SDLC) for WSU-developed applications.<\/p>\n<p>During mission and business process planning, WSU Information Owners, or their delegates, must determine the high-level information security and privacy requirements for software applications.<\/p>\n<ul>\n<li>The resources required to protect the application are to be included as part of the capital planning and investment control process.<\/li>\n<li>A separate line item for information security and privacy is to be included in programming and budgeting documentation.<\/li>\n<\/ul>\n<p>Information System Owners, or their delegates, must approve the use of all software applications in their Area of responsibility in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-32\/\">UPPM 87.32<\/a>.<\/p>\n<p>WSU must acquire, develop, and manage software applications by employing a software development life cycle that integrates considerations for information security and privacy.<\/p>\n<ul>\n<li>Information security and privacy roles and responsibilities are to be defined and documented throughout the SDLC.<\/li>\n<li>Individuals having information security and privacy responsibilities are to be identified.<\/li>\n<li>SDLC activities are to be integrated into the WSU information security and privacy risk management process.<\/li>\n<\/ul>\n<p>Only applications currently supported by their developers are to be utilized in accordance with <a 
href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-32\/\">UPPM 87.32<\/a>.\u00a0<\/p>\n<p>Internal developers that provide application development services for the university\u00a0must\u00a0include security and privacy requirements, descriptions, and criteria, explicitly or by reference with interconnection agreements.<\/p>\n<p>Administrator documentation\u00a0is to\u00a0be obtained or developed for WSU applications. The documentation\u00a0must\u00a0describe:\u00a0\u00a0\u00a0<\/p>\n<ul>\n<li>Secure configuration, installation, and operation of the application;\u00a0<\/li>\n<\/ul>\n<ul>\n<li>Effective use and maintenance of security and privacy functions and mechanisms; and\u00a0<\/li>\n<li>Known vulnerabilities\u00a0regarding\u00a0configuration and use of administrative or privileged functions.\u00a0<\/li>\n<\/ul>\n<p>User documentation\u00a0is to\u00a0be obtained or developed for\u00a0WSU\u00a0applications. The documentation\u00a0must\u00a0describe:\u00a0\u00a0\u00a0<\/p>\n<ul>\n<li>User-accessible security and privacy functions and mechanisms and how to effectively use them;\u00a0<\/li>\n<\/ul>\n<ul>\n<li>Methods for user interaction, which\u00a0enable\u00a0individuals to use the application in a secure manner; and\u00a0<\/li>\n<li>User responsibilities in\u00a0maintaining\u00a0security.\u00a0<\/li>\n<\/ul>\n<p>Systems security and privacy engineering principles\u00a0are to\u00a0be applied during design, development, implementation, and modification of the system.\u00a0<\/p>\n<p>A flaw remediation process\u00a0is to\u00a0be implemented to correct identified flaws\u00a0in accordance with\u00a0<a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-40\/\">UPPM 87.40<\/a>.\u00a0<\/p>\n<p>When an\u00a0Information\u00a0System Owner, or\u00a0their\u00a0delegate,\u00a0determines\u00a0that the need for a business application is no longer necessary then the 
application and all associated systems\u00a0are to\u00a0be decommissioned\u00a0in accordance with\u00a0<a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-72\/\">UPPM 87.72<\/a>.\u00a0<\/p>\n<h4 id=\"Four_2\">4.2\u00a0\u00a0\u00a0\u00a0 Moderate- and High-Impact Systems<\/h4>\n<p>In addition to the above, the following requirements apply to moderate- and high-impact systems.<\/p>\n<p>For moderate- and high-impact applications,\u00a0WSU\u00a0application developers\u00a0must\u00a0provide a description of the functional properties of security and privacy controls to be implemented.\u00a0<\/p>\n<p>For moderate- and high-impact applications,\u00a0WSU\u00a0application developers\u00a0must\u00a0provide design and implementation\u00a0information\u00a0for the\u00a0security and privacy\u00a0controls\u00a0of the system.\u00a0<\/p>\n<p>For moderate- and high-impact applications,\u00a0WSU\u00a0application developers\u00a0must\u00a0identify\u00a0the functions, ports, protocols, and services early in the\u00a0software\u00a0development life cycle.\u00a0<\/p>\n<p>Moderate- and high-impact applications\u00a0are to\u00a0be maintained in accordance with\u00a0<a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-30\/\">UPPM 87.30<\/a>.\u00a0<\/p>\n<p>Moderate- and high-impact application developers\u00a0must\u00a0develop and implement a plan for ongoing security and privacy assessments.\u00a0<\/p>\n<p>The assessment results\u00a0must\u00a0include evidence of execution.\u00a0<\/p>\n<p>Moderate- and high-impact application developers\u00a0must\u00a0follow a documented development process that\u00a0identifies\u00a0the standards and tools used in the development process.\u00a0\u00a0<\/p>\n<ul>\n<li>Changes to development tools are to be maintained in accordance with\u00a0<a 
href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-30\/\">UPPM 87.30<\/a>.\u00a0<\/li>\n<li>The development process, standards, tools, tool options, and tool configurations\u00a0are to\u00a0be reviewed regularly to\u00a0determine\u00a0if tool configurations selected and employed\u00a0still\u00a0satisfy security and privacy requirements.\u00a0<\/li>\n<\/ul>\n<p>Developers for moderate- and high- impact applications\u00a0are to\u00a0perform a criticality\u00a0analysis at key decision points in the SDLC. The breadth and depth of criticality analysis\u00a0is to\u00a0be defined and\u00a0maintained\u00a0with the application documentation.\u00a0<\/p>\n<h4 id=\"Four_3\">4.3\u00a0\u00a0\u00a0\u00a0 High-Impact Systems<\/h4>\n<p>In addition to the above, the following requirements apply to high-impact systems.<\/p>\n<p>High-impact application developers\u00a0must\u00a0deliver the application with the security configuration implemented. The configuration\u00a0is to\u00a0be used as the default for any\u00a0subsequent\u00a0reinstallation or upgrade.\u00a0\u00a0<\/p>\n<h3 id=\"Five_0\">5.0\u00a0\u00a0\u00a0 Training<\/h3>\n<p>See <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-21\/\">UPPM 87.21<\/a> for training requirements related to UPPM Chapter 87.<\/p>\n<p>In addition to the requirements in <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-21\/\">UPPM 87.21<\/a>, Information System Owners are responsible for ensuring that users receive appropriate information security and privacy training commensurate with their roles, responsibilities, and authorized access to information systems under the Information System Owner\u2019s authority.<\/p>\n<p style=\"font-size: .8rem\">_______________________<br \/><strong>Revisions:<\/strong> Feb. 2026 (Rev. 
<a href=\"https:\/\/policies.wsu.edu\/prf\/bppm-manual-revisions\/bppm-revision-651\/\">651<\/a> &#8211; NEW).<\/p>\n\n<\/div>\r\n\n<\/div>","protected":false},"excerpt":{"rendered":"<p>University Policies and Procedures Manual&nbsp;(previously Business Policies and Procedures Manual) Software Development<\/p>\n","protected":false},"author":49281,"featured_media":0,"parent":50633,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":[],"wsuwp_university_location":[],"wsuwp_university_org":[],"_links":{"self":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/69499"}],"collection":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/users\/49281"}],"replies":[{"embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/comments?post=69499"}],"version-history":[{"count":7,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/69499\/revisions"}],"predecessor-version":[{"id":69995,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/69499\/revisions\/69995"}],"up":[{"embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/50633"}],"wp:attachment":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/media?parent=69499"}],"wp:term":[{"taxonomy":"wsuwp_university_location","embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/wsuwp_university_location?post=69499"},{"taxonomy":"wsuwp_university_org","embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/wsuwp_university_org?post=69499"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}