How-to Create Software in Decision Focus

This guide describes how to add 3rd-party software to Decision Focus.

Note: The supplier must be approved in Decision Focus before adding the software.

Activities

CS-1

Login and select role

Log in to Decision Focus Workspaces.

Software_Screenshot1.jpg

Select the “IA Process Control Platform” workspace.

Software_Screenshot2.jpg

Select the role "3P SW Owner" from the initial icon on the bottom left-hand side of the Decision Focus screen.

Software_Screenshot3.jpg

Add software

Select the "My Software" section and click on "Add Software".

Software_Screenshot4.jpg

Before adding software, enter keywords like software name, version, etc., in the field for “Software check” to verify that the software is not already listed. If there is no match, confirm with the “No duplicates confirmation” slider, and add the software in the “New Software” section.

Software_Screenshot5.jpg

Update the sections

The following sections need to be updated in Decision Focus to add the software for approval.

Note: Certain fields must be filled in for the software to be submitted. If they are not filled in, Decision Focus will display a “required message”.

1. General information

Under "GENERAL INFORMATION", update the details like status, name, version, category, software homepage, and type of software.

Software_Screenshot6.jpg

2. Supply management & software supply management

This section is updated based on "Type of Software":

  • When the “Type of software” is “Runtime cost” or “Development cost, free runtime”, the “Supply management” section and “Software-Supply management” will be disabled for R&D as they will be handled by P&L and P&F teams.

    The agreement-related documents and emails should be placed in the Microsoft Teams folder created for R&D in the R&D Repository/General.

  • When the “Type of software” is “OSS”, “Free redistribution” or “Licensed by customer”, the “Supply management” section and “Software-Supply management” will be disabled for R&D.

Software_Screenshot7.jpg

3. Evidence

This section needs to be updated for all software components.

Software_Screenshot8.jpg

4. Export control

This section needs to be updated with information related to the export control classification number (ECCN) of the 3rd-party software being used in the release/product line, as well as information related to the software's availability, country of origin, etc.

Usually, the country of origin for OSS is kept as “—Not Applicable—”.

Most OSS have ECCN as “—Not Applicable—”. However, some OSS include encryption, and if the ECCN needs to be calculated for them, please contact the Product Classification team !SE_IA_PCP_PCE for support.

The ECN & ECCN enum list can be found in the path ENUM list.

Software_Screenshot9.jpg

5. Security checks

This section contains information related to security checks performed for commercial software and how often they shall be done.

Every 3rd-party software owner is responsible for tracking the life cycle and security updates of the software assigned to them. Software vulnerabilities must be tracked regularly based on the frequency set in the “Security Updates Check Frequency” field.

Vulnerability information can be found in NVD or CVE.Mitre. If needed, the technical responsible can contact their cyber security engineers.

After a check is done, the “Last Check Notification Date” must be updated to the date on which the check was done.

Security checks are performed automatically using the Black Duck tool for OSS software. The OSS scan report is referred to here for final approval.

Software_Screenshot10.jpg

6. Lifecycle

This section should be updated with the software lifecycle details, such as when the software was made available to the market, "End of Life", "End of Mainstream support", "End of Extended support", etc. This data is usually gathered directly from the vendor support portal or obtained from the vendor by sending the required queries through email.

Note: Security checks and lifecycle details of OSS software are done automatically in Black Duck Hub (scan), and no manual checks are required. Also, the notifications from Decision Focus to the users for OSS are discontinued. Automatic notifications are shared by BDH for real-time vulnerabilities of OSS components, for the projects to which the PO or RO has subscribed.

For runtime and development cost components in Decision Focus, automatic security check notifications are sent via mail 15 days prior to the frequency set in the “Security Updates Check Frequency” field. Also, an overdue notification is sent every Monday to the Technical responsible if the last check date is not updated after the 15-day buffer ends.

The software can have the following lifecycle statuses:

  • Active - the software is active and is supported by the vendor.
  • Expired - the software has reached end-of-life, and the vendor no longer offers support for any issues.
  • Issue - if a high-risk vulnerability is detected, the software lifecycle status can be moved to this status for further impact analysis.

Software_Screenshot12.jpg

Change status

After updating all the details in the above sections, change the software's status to “Filed for Approval” in the general information section. Click “Create Software” to create the entry and list the software in the software section.

Software_Screenshot13.jpg

Approve software

The 3rd-party software manager then approves the software, and it is ready for filing "Software Use" in products.

Owner: 3rd-party and OSS Team