Application Development.

A. Where applicable, Contractor shall have a comprehensive secure development lifecycle System in place consistent with industry standard best practices, including policies, training, audits, testing, emergency updates, proactive management, and regular updates to the secure development lifecycle System itself.

B. Where applicable, Contractor must review and test all application code for security weaknesses and backdoors prior to deployment with DOE. All high‐risk findings and exploitable vulnerabilities must be resolved before the Application is released. A development manager of Contractor must certify in writing to the DOE that a security review has been conducted and that all risks are acceptable before every release. For further information, please refer to National Institute of Standards and Technology (“NIST”) Special Publication 800‐64 Revision 2.

C. Contractors that handle Protected Information must respond to and resolve security‐related reports, inquiries and incidents in a timely and professional manner. The Contractor must notify the DOE within 24 hours of when Contractor becomes aware of any such incident or suspected incident that poses a potential risk to the Protected Information. The Contractor shall send the notification to ▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇▇▇▇.▇▇▇.▇▇▇.
Appears in 3 contracts
Sources: Non Disclosure / Data Processing Agreement, Non Disclosure / Data Processing Agreement, Non Disclosure/Data Processing Agreement