Policy 330-02: Software Use is the first major revision to OIT Policy 330: Software Use. This revision makes format changes, adds responsibilities for agencies to control the spread of unauthorized and unsupported software, and tasks OIT with scanning for vulnerable software. Most of the responsibilities from Policy 330-01 were retained in version 02; however, the terms and definitions listed in version 01 were removed. Many of these terms are defined in Guideline 101G1: IT Dictionary.

Risks that are addressed in Policy 330-02 include:

  • Unauthorized system software
  • Unsupported system software
  • Vulnerable system software

Policy 330-02 addresses the following NIST SP 800-53 Rev. 4 security controls:

  • CM-10: Software Usage Restrictions
  • CM-10 (CE 1): Restrictions on Open Source Software
  • CM-11: User-Installed Software
  • RA-5: Vulnerability Scanning
  • SA-22: Unsupported System Components

These controls are also required by, and consistent with, IRS Publication 1075.

View or Download:

DRAFT Policy 330-02: Software Use