Policy 330-02: Software Use is the first major revision to the Office of Information Technology (OIT) Policy 330, which was first published in February 2016. This revision makes format changes, adds responsibilities for agencies to control the spread of unauthorized and unsupported software, and tasks the OIT with scanning for vulnerable software. Most of the responsibilities from Policy 330, version 01, were retained in version 02.


Risks that are addressed in this policy include:

  • Unauthorized system software
  • Unsupported system software
  • Vulnerable system software


Policy 330 addresses the following NIST SP 800-53 security controls:

  • CM-10: Software Usage Restrictions
  • CM-10 (CE 1): Restrictions on Open Source Software
  • CM-11: User-Installed Software
  • RA-5: Vulnerability Scanning
  • SA-22: Unsupported System Components

These controls are also required by, and are consistent with, IRS Publication 1075.


View or Download:

DRAFT Policy 330-02: Software Use