Technology Sustainment
March 18, 2010
In sustainment, the system is in use and evolves through periodic and event-driven maintenance and upgrades. For software-intensive systems, sustainment presents critical challenges to maintaining the security posture. Maintenance in the operational environment is essential to provide for system restoral in case of failure and for rapid resolution of deficiencies that impact business objectives. In the non-operational maintenance environment, approved changes are implemented to resolve less critical deficiencies and enhance the system. In either case, maintenance actions may put operational business objectives and system security at risk.
For systems that include from a few to hundreds of COTS products, periodic upgrades are needed to maintain compatibility across the products and ensure continuing vendor support. Since the acquirer cannot control COTS evolution, a new release of such a system may bring with it changes not requested or expected by the user, operator, or maintainer. So COTS upgrades further complicate security reviews.
Activities performed during Sustainment include Transition to Operations and Maintenance, Operate and Maintain System, Upgrade System, and Retire and Dispose of System. These activities are listed in Table 4, along with software security actions the acquirer—and after transition, the operator and maintainer—should perform to prevent, identify, and mitigate the impacts of security risks and breaches.
Table 4. Technology Sustainment activities

Activity Name: Transition to Operations and Maintenance
Objective: Transition system to operations and maintenance function.
Typical Artifacts: Transition plan and report, verification and validation records
Software Security Actions:
- Identify security risks in the environment and the system.
- Given the operations and maintenance environment, provide an assessment of the robustness of the system and its resilience against security risks. Provide mitigation recommendations.
- Participate in technology requirement activities.

Activity Name: Operate and Maintain System
Objective: Use the system in its intended environment, performing maintenance as directed to address deficiencies in performance and quality.
Typical Artifacts: Transition plan and report, verification and validation records, updated operator, user, and maintenance manuals
Software Security Actions:
- Identify security risks in the environment and the system.
- Ensure adequate regression testing is conducted when the system is modified, and participate in technology requirement activities.
- Given the operational environment, provide an assessment of the robustness of the system and its resilience against security risks. Provide mitigation recommendations.
- Ensure the software maintenance activity can support and test the security requirements for the system.

Activity Name: Upgrade System
Objective: Incorporate new features into the delivered system. These features may be delivered under the same contract (e.g., for a planned incremental capability) or under a new or modified contract.
Typical Artifacts: Depending on the extent and nature of the features, the process may return to the Design or Implementation, Integration, and Verification activity of System Acquisition. Some or all of the same artifacts will be produced or modified.
Software Security Actions:
- Same as the security actions of all activities from the relevant System Acquisition activity through Operate and Maintain System.

Activity Name: Retire and Dispose of System
Objective: Dispose of system when it is no longer required.
Typical Artifacts: System disposal records
Software Security Actions:
- Ensure precautions are taken so that security countermeasures are not revealed and so that disposal does not compromise other systems (e.g., ensure data that could allow entry into another system or reveal its vulnerabilities is destroyed).
- If media are to be sanitized, ensure required information is retained and secured first.