How is the Fortify license managed

Question

How is the Fortify license managed at VA?

Answer

The VA Office of Information Security (OIS)-licensed Micro Focus Fortify Static Code Analyzer (SCA) tool, which gives VA application developers the ability to scan custom-developed VA application source code for potential security vulnerabilities, is managed by the VA Software Assurance Program Office. The license is an enterprise license and is provided without cost or usage restriction to scan VA application source code. The license additionally includes the Fortify Software Security Center (SSC) tool.

VA developers are provided access to the Fortify license and installation media on Teams on the VA intranet. Fortify updates are also posted to Teams on the VA intranet as the vendor makes them available. Technical information about using Fortify at VA can be found elsewhere on this website.

Additional Information

VA does not represent that use of Fortify will guarantee obtaining an Authority to Operate (ATO). Licenses are made available during Fortify maintenance subscription contract base and option years. Fortify materials that are redistributed include a copy of the Fortify perpetual license file and installation software. License seats are managed as a function of the size of the overall VA agency headcount. The Fortify maintenance subscription contract is managed according to applicable OIS policies and procedures.