Common use of Code Review Clause in Contracts

Code Review. If the Deliverables include software code or applications developed by Contractor for Agency, such code or applications shall follow current industry design and best practices, including, but not limited to, those published by the National Institute of Standards and Technology (NIST), the SANS (SysAdmin, Audit, Network, Security) Institute, and other recognized bodies. If the Deliverables include software or code that will be developed by Contractor and migrated into a production environment, Contractor shall implement the following controls for the purpose of maintaining software integrity and traceability throughout the software or code creation life cycle, including during development, testing, and production: (i) Contractor shall configure at least two software environments, including a development/quality assurance (QA) environment and a production environment; (ii) Contractor shall implement a change management procedure to ensure that activities in the development/QA environment remain separate and distinct from the production environment; (iii) Contractor shall segregate duties between development and testing of software changes and migration of changes to the production environment; (iv) Contractor shall implement security controls to restrict individuals who have development or testing responsibilities from migrating changes to the production environment; (v) Contractor shall create a process to log and review all source control activities; (vi) Contractor shall implement a source control tool to ensure that all changes made to the production system are authorized, tested, and approved before migration to the production environment; (vii) Contractor shall not make any development or code changes in a production environment; and (viii) Contractor shall implement additional internal controls as specified in the Agreement. Contractor shall cooperate with Agency’s code review of the relevant software or application Deliverables.
Prior to implementation or acceptance of a Deliverable, Contractor shall subject such Deliverable, if it includes software code or script, to independent application review by Agency or its delegated reviewer to validate that all applicable enterprise IT standards and security policies have been met, as well as other specifications as identified in this Agreement. The review shall be performed by individuals other than Contractor’s or Agency’s personnel who developed the Deliverables. For purposes of this requirement, "independent" may include other staff of the Agency provided that no direct reporting relationships exist between the development and review organizations.

Appears in 3 contracts

Sources: Statement of Work, Statement of Work, Statement of Work