10-3.9 COTS Software

Commercial-off-the-shelf (COTS) software must be purchased from a Postal Service-approved source. The EAC approves COTS software for use within the Postal computing environment. Requests for unapproved COTS software must be submitted to the EAC for review and approval.

Computer software purchased for the Postal Service must be registered to the Postal Service. COTS software used within the MPE/MHE nonroutable address space environment is approved by Engineering.

COTS software used to process payment card information must be certified by a Payment Application Qualified Security Assessor. The certification status of the COTS software must be checked prior to acquisition and again before any major new software release is installed.

10-3.9.1 COTS Software Security Evaluation and Vulnerability Assessment

A COTS software security evaluation and vulnerability assessment must be performed for all proposed additions to the Postal computing environment. It is recommended that the COTS vulnerability assessment be updated for COTS software associated with sensitive-enhanced, sensitive, and critical information resources when first installed and for every version update.

10-3.9.2 COTS Independent Code Review

COTS applications that contain custom programming or scripts may be subject to an independent code review. An independent code review examines the custom source code and its documentation to verify compliance with the software design documentation and programming standards, and to ensure the absence of malicious code. Modification of COTS software without authorization by the EAC is prohibited. (See Handbook AS-805-A, Information Resource Certification and Accreditation Process, for the criteria for conducting an independent security code review.)