Tag Archive for: Product Development & Management

Jama Software is always looking for news that would benefit and inform our industry partners. As such, we’ve curated a series of customer and industry spotlight articles that we found insightful. In this blog post, we share an article, sourced from Innovation News Network, titled “Benefits of the Inflation Reduction Act for Solar PV Manufacturing” – originally published on March 18, 2024.

Benefits of the Inflation Reduction Act for Solar PV Manufacturing

The US Inflation Reduction Act (IRA) has been a significant catalyst in the economic landscape, particularly within the solar photovoltaic (PV) manufacturing industry.
This article will explore the beneficial impact of the IRA on this green technology sector, considering the financial implications, the stimulation of technological advancement, and the prospects under the current legislation.

We will unravel the intricacies of this relationship, setting a foundation for a comprehensive understanding of the future trajectory of the solar PV manufacturing industry in the context of the IRA.

Understanding the Inflation Reduction Act

To fully grasp the impact of the Inflation Reduction Act on solar PV manufacturing, a comprehensive understanding of this legislation is necessary.

The act’s interpretation is rooted in the law’s intent to curb inflation by manipulating economic strategies and regulating financial practices, which brings a focus to its economic implications.

At its core, the IRA aims to stabilize pricing and enhance the dollar’s purchasing power, inadvertently promoting the affordability of renewable energy technologies like solar PV manufacturing.

The legal provisions of the act are its foundational pillars, governing its implementation and enforcement. They outline the responsibilities of key stakeholders, the rights of affected industries, and the penalties for non-compliance.

For the solar PV manufacturing sector, the act’s provisions could potentially reduce production costs and foster competitiveness.

However, like any significant policy shift, the act also brings implementation challenges. These can include industries needing to adapt to new economic conditions or potential resistance from sectors negatively affected by the act.

The solar PV manufacturing industry may need to invest in operational adjustments to fully exploit the benefits of the act.

IRA’s impact on solar PV manufacturing

Drawing upon the legal provisions and economic implications of the IRA, we can explore its tangible effects on the solar PV manufacturing sector.

The act, through its policy implementation, has instigated several changes in this sector, notably in job creation, trade relations, environmental impact, and market competition.

The IRA has been instrumental in job creation within the solar PV manufacturing industry. It has stimulated this growth by providing tax incentives for manufacturing companies to enhance their workforce. This policy implementation has bolstered the industry and helped reduce unemployment rates.

Trade relations have also been impacted by the IRA. The act has fostered a more favorable trading environment for solar PV manufacturers by reducing inflationary pressures on imported raw materials. This has enhanced the competitiveness of US manufacturers in the global market, improving the country’s trade balance in the process.

Regarding environmental impact, the IRA has indirectly boosted the use of renewable energy sources. By making solar PV manufacturing more economically viable, the act has encouraged the production and use of solar panels, thereby reducing greenhouse gas emissions.

Lastly, the act has spurred market competition. The reduced inflation rates have made it more cost-effective for new businesses to enter the solar PV manufacturing sector. This has increased the number of manufacturers, promoting a more competitive market and a wider range of options for consumers.

Financial benefits of the IRA

Delving into the financial benefits of the Inflation Reduction Act, we observe a significant enhancement in the economic viability of the solar PV manufacturing sector. The IRA offers multiple rewards that collectively contribute to the growth and prosperity of this industry.

One of the most compelling benefits is the provision of tax incentives. These incentives lower the tax burden for solar PV manufacturers, freeing up capital that can be reinvested in the business.

This leads to investment growth, another key benefit of the IRA. Increased investment enables manufacturers to expand their operations, purchase new equipment, and hire more employees, fostering business expansion.

In addition to tax incentives and investment growth, the IRA promotes cost efficiency. By reducing the inflation rate, the act increases the purchasing power of manufacturers. This allows them to acquire raw materials and other necessities at lower costs, thereby improving the bottom line and encouraging economic stability.

Moreover, economic stability is further enhanced as the IRA helps to stabilize the value of the dollar. This is crucial for solar PV manufacturers, who often deal in international markets. A stable dollar value reduces the risk of currency fluctuations, providing a more predictable business environment.

IRA and technological advancements

Building on the economic implications, the Inflation Reduction Act also catalyzes technological advancements in the solar PV manufacturing industry.

By providing financial incentives, the IRA stimulates technological investments, leading to accelerated innovation in solar PV technology. These investments are crucial for research and development, enabling companies to explore new, efficient methods of solar PV production.

The IRA’s implications for technological advancements are significant. The policy’s effectiveness in encouraging investments has been reflected in increased technological breakthroughs, improved production processes, and enhanced solar panel efficiency.

These advancements not only strengthen the industry’s competitive edge but also contribute to environmental sustainability by promoting cleaner energy sources.

However, advancement challenges persist. The rapidly evolving nature of technology necessitates continuous investment and innovation. Despite the financial benefits provided by the IRA, the high costs associated with advanced technology development and implementation can pose a hurdle.

Therefore, while the IRA has been instrumental in fostering growth and innovation, addressing these challenges requires strategic planning and sustained commitment.

Moreover, the effectiveness of the IRA in driving technological advancements is contingent on a supportive regulatory environment. Policymakers must ensure that the IRA’s provisions align with the industry’s evolving needs, encouraging continued investment and innovation.

A dynamic policy framework can help maintain the momentum of technological progress, ensuring the solar PV manufacturing industry’s long-term competitiveness and sustainability.

Future solar energy prospects under the IRA

Looking ahead, the Inflation Reduction Act holds promising potential for the future growth and development of the solar PV manufacturing industry.

It is expected to usher in advancements in various dimensions, including job creation, market expansion, environmental impact, global competition, and sustainable development.

The IRA could stimulate job creation by allocating funds for research, development, and manufacturing processes in the solar PV industry. This would not only increase employment but also enhance the skills of the workforce in this thriving sector.

Market expansion is another potential benefit of the IRA. With reduced inflation, the purchasing power of consumers is likely to increase, leading to heightened demand for solar PV products. This would pave the way for the expansion of the solar PV market.

The table below encapsulates the future prospects under the IRA for the solar PV manufacturing industry:

The IRA could bring about positive environmental impacts by encouraging cleaner energy production, thus reducing greenhouse gas emissions.

Additionally, it could enhance global competition by providing the US solar PV industry with a competitive edge.

Lastly, the IRA could foster sustainable development by promoting environmentally friendly and sustainable practices in the industry. These prospects under the IRA paint a bright future for the solar PV manufacturing industry.

Jama Connect® Features in Five: TestRail Integration

Learn how you can supercharge your systems development process! In this blog series, we’re pulling back the curtains to give you a look at a few of the powerful features in Jama Connect®… in about five minutes.

In this Features in Five Integration Series video, Steven Pink – Senior Solutions Architect at Jama Software® – demonstrates integrating test results from TestRail with Jama Connect®.

VIDEO TRANSCRIPT

Steven Pink: Hello and welcome to the Features in Five Integration Series. My name is Steven Pink and I’m a senior solutions architect at Jama Software. Today we’re going to be walking through a live demonstration of integrating test results from TestRail with Jama Connect.

We make it possible for you to integrate Jama Connect with preferred best-of-breed software to achieve live traceability across the end-to-end development cycle. Live requirements traceability is the ability for any engineer at any time to see the most up-to-date and complete upstream and downstream information for any requirement no matter the stage of systems development or how many siloed tools and teams it spans. This enables significant productivity and quality improvements and dramatically reduces the risk of product delays, cost overruns, defects, rework, and recalls, and ultimately results in faster time to market.

The goal of integrating with a testing tool like TestRail is to better visualize test coverage for our requirements. Jama Connect can help in identifying and calling out gaps in test coverage, while also visualizing and reporting on the test results, utilizing the filters, dashboards, and exportable reports.

Integration with TestRail starts by mirroring TestRail’s hierarchy of test suites, test sections, test cases, and test results in Jama Connect. We use sets of test cases to mirror the test suites and folders to mirror the test sections within those suites.

As we transition into Jama Connect, I want to point out how we’re relating our test results and test cases from TestRail to the requirements being authored and captured in Jama Connect. As we look at this relationship diagram, we see our software requirements and our user stories relate to the custom test cases being managed over in TestRail. This is a very common scenario for many of our customers where certain teams might be utilizing a different tool for testing, and we need to integrate those results back with the requirements managed in Jama Connect. We can author a test case directly within Jama Connect or within TestRail.

Pink: So we’re going to start out by authoring a test case in Jama Connect. This demo suite would mirror a suite in TestRail, and this folder would mirror a section in TestRail. I’m going to author a new test case within this folder. We’ll call this example test case. Once I’ve saved this test case, we’ll trace it to the requirement that it covers within this project. I’m going to choose one of my example software requirements.

So now I’ve created a test case with a relationship to the software requirement that it covers. We’ll notice this integration URL is populated automatically and allows us to jump to the mirror of that test case that’s been created in TestRail. Once I’ve signed into TestRail, we’ll be able to see that that test case is mirrored into TestRail.

It is in that demo suite and in section A. If we want to run this test case, I’m going to go to my test runs and results and create a new test run. It’s going to be based on that demo suite, and we’re going to include all test cases, which is just one in this example. This example test case is now showing untested. And if I were to look back in Jama Connect, we’ll see for my example test case under the relationships tying back to that software requirement. As soon as we come in here and run our test execution, let’s say we update this to passed or failed, this result is going to get sent back to Jama Connect automatically.

Pink: We can also see on the test case itself, there’s an easy link back into Jama Connect. So if our test runners, working in TestRail, would like to see requirement coverage and traceability, they’re able to easily click the link from TestRail and go back into Jama Connect and explore that traceability and coverage. I’ll use that link right now to go back to our test case in Jama Connect. And now we’ll see because we’ve executed that test case, there’s an associated test run, and that test run is showing the result of passed. We can visualize all of this through our trace views, our dashboards, and our custom export templates within Jama Connect. So this is a great reason to be syncing and integrating these results so that we can visualize through the trace view which of these requirements have test cases in place, which requirements might have gaps in testing, as well as being able to drill down and see those test results, even being able to show status of those test results and the status of the defects associated.

Thank you for watching this Features in Five session on integrating test results between Jama Connect and TestRail. If you’re an existing customer and want to learn more, please reach out to your customer success manager or consultant. If you’re not yet a client, please visit our website at jamasoftware.com to learn more about the platform and how we can help optimize your development process.



Jama Software is always looking for news that will benefit and inform our industry partners. As such, we’ve curated a series of customer and industry spotlight articles that we found insightful. In this blog post, we share an article, sourced from the Innovation News Network, titled “How Manufacturing Will Reap the Rewards of Smart Factories” – originally written by Dahwood Ahmed and published on April 10, 2024.


How Manufacturing Will Reap the Rewards of Smart Factories

Dahwood Ahmed, Regional Director of UK&I at Extreme Networks, examines the concept of Industry 4.0 and how smart factories will push manufacturing into this.

Manufacturing is entering Industry 4.0, giving rise to the world’s first smart factories. A golden rush of data now pours from previously offline machinery, offering an unprecedented overview and insight into the entire manufacturing process.

And that’s just the beginning. From digital twins to biometric screening and payment, intelligent energy and climate management, smart sensors, digital signage, and 360 analytics for IT, Operations, and Marketing, the modern factory is becoming a marvelous technological beehive.

And the honey? Rich, actionable data. Digital tonnes of it.

However, all this data needs to be collected, analyzed, and used in real-time. And when there’s that much traffic, it can easily overwhelm and crash a traditional network infrastructure.

In other words, one of the biggest problems in modern manufacturing isn’t building smart factories. It’s keeping them running safely at maximum capacity—and reaping the rewards.

A smarter world

As we all know, every industry on the planet has been forced to adjust over the last five years. Manufacturing was no exception to this abrupt disruption of the status quo. This was due to war, a pandemic, and economic headwinds, and also because several game-changing technologies matured or were invented, introducing next-generation tools in areas such as cloud technology, IoT, robotics, blockchain, AI, and more.

All these changes and challenges created unprecedented pressure to keep the world’s production and supply chain flowing.

Luckily, manufacturing is an experienced and mature industry used to handling significant changes. Its leaders are already embracing digital transformations and innovative technologies, making impactful strides towards increased productivity, production, and capacity without sacrificing resilience and safety.

Consequently, manufacturing machines and everything else connected to smart factories are coming online, providing manufacturers with something they have never had before.

A real-time digital overview of – and insight into – the entire manufacturing process.

Smart factory technology all comes down to data

So, by gathering and analyzing data from sensors, machines, and other IoT devices, manufacturers gain real-time insights into their operations. They can measure and monitor equipment performance, identify potential problems before they occur, and automate manual processes.

In addition to data-driven decisions, there’s predictive analytics. By extracting actionable intelligence from new and existing data sources to predict future trends and behaviors, manufacturers can further improve machine maintenance, supply chain optimization, the quality of goods produced, the customer experience, and safety procedures.

On the topic of safety, smart factory technology also provides significant benefits. Smart factory solutions can help prevent accidents and keep workers safe by monitoring the environment and equipment, identifying hazards, and alerting workers to dangers. In addition to safety, smart factory technology can help optimize energy usage, reducing costs and making it more sustainable.

Needless to say, these are massive changes that will have considerable effects on an operation’s efficiency and effectiveness. This is particularly significant for manufacturing because the industry is full of operations where even minuscule improvements can yield massive results.

Building skyscrapers on outdated foundations

However, all these new trains need tracks. Legacy network technology wasn’t built to handle the complexity or sheer amounts of data circulating in a smart factory. Nor does it have the other capabilities of modern networking, such as running digital twins.

Digital twins and simulation technologies are arguably some of the most transforming manufacturing tools to emerge from Industry 4.0. They revolutionize how manufacturers design, test, and optimize their operations by letting them create virtual models of their networks and processes. Using these models, they can simulate and test different scenarios without impacting production.

Yet this also requires a modern network infrastructure because of the incredible amounts of data passing between physical manufacturing processes and digital twin simulations. And the more processes come online, the more important it becomes to stay online.

Production line downtime, regardless of its cause, whether system overload, equipment malfunction, or connectivity loss, is costly. Between 2019-2020 and 2021-2022, the annual cost of downtime for Fortune 500 companies worldwide soared by 65% to more than £102 million.

And that’s per facility.

Staying secure

It’s not just network failure or equipment malfunctions, either. One of the few downsides of coming online is the exposure to bad actors, who are a relatively new threat to manufacturers. However, cybercrime is a threat that needs to be taken seriously.

From network disruption to halted production, lost data, compromised security, and reputational damage, cybercriminals seek to hold manufacturing operations hostage in any way they can, fully aware that a million-pound payout could be cheaper than an idle operation.

Network hardening strengthens the defenses of smart factories and can mitigate both passive (data is left intact) and active (data is corrupted or destroyed) forms of cybercrime. It provides industrial security and mitigates risk by providing a robust, secure network for a high density of connected devices, which brings us back to the heart of the matter.

The need for new infrastructure

Industry 4.0 is undoubtedly the next step in the evolution of manufacturing. Just like our brains process millions of nerve signals daily to transform our bodies into cohesive entities, smart factories can use technologies and the data they produce to create interconnected manufacturing marvels.

But the information must flow fast. If manufacturers want to reach their goals, if they want to build and run their smart new factories to the absolute pinnacle of their potential, they need to start at the beginning—with the foundation.

In other words, the network infrastructure.

Jama Software is always looking for news that will benefit and inform our industry partners. As such, we’ve curated a series of customer and industry spotlight articles that we found insightful. In this blog post, we share an article, sourced from Med Device Online, titled “3 Lessons Learned From EU MDR Implementation To Ensure IVDR Adoption” – originally published on May 13, 2024 and written by Hilde Viroux and Maggie Chan (PA Consulting) and Dona O’Neil (Northeastern University).


3 Lessons Learned From EU MDR Implementation To Ensure IVDR Adoption

In the previous article, “How The Right Operating Model For EU MDR Compliance Can Support A Global Footprint,” we discussed key factors for maintaining operational excellence to achieve cost reduction, enhanced compliance, and support global footprint. In this article, we shift our focus toward leveraging lessons learned from EU MDR implementation to ensure seamless transition during IVDR implementation, thereby minimizing the risks of product disruption in the EU market.

The new IVDR requirements present significant challenges for manufacturers, with approximately 90% of all IVD products subject to notified body (NB) review, which is a substantial increase from the current rate of less than 15%. With the limited capacity of NBs, establishing relationships with NBs and engaging in early planning are crucial. These amplify concerns over experience gaps for companies that lack a quality management system (QMS) for IVDs or any device products, an established process and documentation system, or experience interacting with NBs. Bridging these gaps and establishing sustainable processes pose additional burdens for IVD manufacturers. However, drawing from EU MDR implementation lessons, IVD manufacturers can navigate this transition, mitigate risks, minimize business disruption, and ensure a smooth transition to IVDR.

For IVD manufacturers, the key lessons learned that can be leveraged from EU MDR implementation include early QMS preparation and planning and collaboration with internal and external stakeholders for project alignment and resource planning, alongside digitalization efforts to support data management and documentation.

1. QMS Preparation And Planning

Manufacturers with an existing QMS for IVDs or medical devices need to conduct a gap assessment against IVDR requirements and develop tailored solutions to bridge the gaps, while those without structured procedures or systems must establish a robust QMS to ensure compliance. ISO 13485 specifies requirements for QMS, and those requirements are harmonized to IVDR. IVD manufacturers are required to comply with the standard. Implementing standardized processes and procedures in accordance with ISO 13485 demonstrates the manufacturer’s commitment to maintaining high standards of quality and compliance. Therefore, a QMS that is developed with insights from subject matter experts in EU MDR can accelerate the approval process with NBs and maintain a competitive position in the IVD industry.

For manufacturers with an existing QMS, the expertise of those who have successfully implemented one, whether for IVDR or EU MDR, is a valuable resource throughout the IVDR implementation journey, as there are extensive similarities between EU MDR and IVDR (Table 1). These experts should prioritize IVDR project activities and provide insights into IVDR requirements. Such insights include evaluating the new classification of IVDs, highlighting gaps in existing processes and systems for IVDR, establishing relationships with NBs, and proposing customized solutions to bridge the knowledge gaps.

Summary of key QMS requirements under EU MDR and IVDR

On the other hand, manufacturers with limited to no experience with QMS or NBs need a dedicated team of subject matter experts (in-house or external) to conduct a gap assessment. The goal of the assessment is to highlight gaps, issues, potential risks, and impacts on the organization against IVDR requirements. This helps create a business case that outlines the requirements to bridge the gaps (knowledge, process, and system), a high-level timeline with key regulatory deadlines, and the associated costs for supporting the IVDR implementation. In addition, this business case should detail potential risks associated with not meeting the requirements by the deadlines, as this is important for senior stakeholders to gain early insight into the process.

2. Collaboration With Internal And External Stakeholders

Furthermore, ascertaining the costs associated with implementing new processes and systems, developing capabilities with the right skillsets, designing training to upskill team members, and selecting new vendors to outsource some of the processes is crucial for the business case before kicking off the implementation project. This information can help senior management to make informed decisions and align the business portfolio with regulatory and market strategies.

Similar to EU MDR implementation, collaboration is the key for a seamless IVDR implementation. It is important to promote cross-functional collaboration and clear communication with stakeholders to ensure everyone understands their roles and responsibilities, milestones are achieved, and compliance is met. A clear road map that outlines timeline, milestones, and key regulatory deadlines is necessary when engaging with stakeholders, not only to ensure alignment but also to enable management to plan their resources accordingly. Furthermore, early engagement with all actors in the supply chain enables a comprehensive understanding of their capabilities in achieving IVDR compliance, so the business case can be prepared accordingly.

IVDR compliance is an ongoing effort, so it is important to emphasize to senior stakeholders the importance of developing a comprehensive strategy for process sustainability and resource management to maintain operational excellence. Prior to the completion of implementation, a new business case should be created outlining the necessary resources (people and technologies) and the associated costs to maintain compliance once the important milestone of IVDR certification is achieved. Without an efficient strategy and comprehensive planning, a manufacturer will soon be at risk of non-compliance and face substantial consequences (e.g., product recalls, warning letters, reputation damage, litigation, fines and penalties, etc.).

Given that ongoing IVDR compliance is a long-term commitment, strategic outsourcing of certain processes to third-party providers may be necessary to ensure efficient resource allocation. Establishing a robust governance structure is crucial to oversee all in-house processes and activities of the supply chain, ensuring alignment with regulatory requirements and organizational objectives.

3. Digitalization

Additional pre- and post-market reporting requirements add burdens, especially for manufacturers without an established QMS or limited experience with NBs. However, digitalization can play an important role in relieving these burdens and streamlining the processes. Digital solutions, such as artificial intelligence (AI) and machine learning (ML) technologies, can significantly enhance efficiency and accuracy by automating routine activities such as data collection, compliance triage, and report drafting. These solutions can streamline the process for drafting various types of regulatory reports, such as clinical performance report, performance evaluation report, technical documentation, and others.

Additionally, a regulatory information management (RIM) system can play a crucial role in managing the submission of regulatory documents to improve traceability. It can facilitate tracking of document signoffs and enable monitoring of document submission locations, ensuring comprehensive traceability throughout the regulatory process. These digital solutions not only enhance data management and documentation efficiency but also streamline the compliance process with IVDR.

Conclusion

For IVD manufacturers, lessons learned from EU MDR implementation offer invaluable guidance when creating the business case for IVDR implementation and post-compliance maintenance, designing an implementation road map, and establishing sustainable processes and systems for IVDR compliance. By incorporating early preparation, implementing collaborative efforts with stakeholders, and utilizing digital solutions for efficient data management and documentation management, manufacturers can mitigate risks, minimize business disruption, and ensure compliance with IVDR requirements. Furthermore, establishing robust governance structures and strategic resource planning is essential for long-term success in this evolving regulatory landscape. Embracing these strategies not only facilitates a smooth transition during IVDR implementation but also fosters a culture of continuous improvement and innovation within the IVD industry.


In this blog, we recap our webinar, “Best Practices for Live Requirements Traceability” – Click HERE to watch it in its entirety.


Best Practices for Live Requirements Traceability

As the product and software development process grows in complexity, with more and more teams adding information, it is becoming increasingly difficult to track requirements throughout the development lifecycle and for stakeholders to get a clear view. Every decision can have an impact on the requirement or the product itself.

How do you prevent your organization from wasting time and resources, repeating research and searching for information, and how do you ensure that final deliverables tie in directly to the initial business needs?

The answer is Live Traceability™. Live Traceability is the ability to see the most up-to-date and complete upstream and downstream information for any requirement, no matter the stage of systems development or how many siloed tools and teams it spans.

This enables engineering and product management processes to be managed through data and to improve performance in real-time.

In this webinar, attendees will learn about the challenges of live requirements traceability and how you can utilize Jama Connect® to overcome them. You will see how to provide backward and forward visibility for requirements, but also other information about the product you are building. You will also learn how easy it is to do an impact analysis, to generate reports, and get an overview of how your requirements tie together.

In this session you’ll learn more about:

  • Best practices for live requirements traceability in a modern solution
  • The easy and intuitive way you link your information in Jama Connect
  • How Jama Connect can be leveraged to help with impact analysis
  • Understanding suspects and traceability views

Below is a preview of our webinar. Click HERE to watch it in its entirety.

The following is an abbreviated transcript of our webinar.

Best Practices for Live Requirements Traceability

Martijn Janssen: Today, I’m going to talk to you about traceability and our Jama Connect solution. The goal is to give you a few insights and to give you a short overview on how traceability is used within the Jama Connect solution and where it can help you to find information, connect information, and make sure that you have the most value out of your requirement management tool.

To actually go through the session, I have a number of topics I want to touch on and just do a quick overview in the short time we have available today. First of all, I will do a little introduction, talk to you about how data gets connected together, and then we’ll actually go into the system and take a look at three little mini scenarios, so a very basic scenario on how you actually would get information into the system, how you would connect it together and trace and track the information throughout the platform.

Then the second scenario, we’ll go into a bit more on how the Jama Connect solution allows you to trace and track information from all the points in the system and to actually make sure you can take action on the topics when you find them. The last part is a little bit more advanced on the reuse of information and reuse of assets, data assets, throughout the different projects or products in the Jama Connect solution, so you can reuse that information, or for instance, create variants, or something along those lines. Then we’ll open it up for some questions and answers at the last part.


RELATED: Buyer’s Guide: Selecting a Requirements Management and Traceability Solution


Janssen: Okay. When we talk about capturing data, we all know data in our organizations in different forms exist, so we have documents, and we have Excel sheets, and those Excel sheets contain rows and all those rows have the data around a certain requirement on a certain topic. Now, that’s all fine, but what we actually are after, what we really want from the system is information. Information gets created by building relationships and structure around those data assets in the system. When you do that, you basically empower your users and the ecosystem around you to find that information and to go along the relationship you build to get context on the data they are looking at.

Now, you can go a step higher with that, and that would be the top of the triangle, the knowledge part. The knowledge part means that you actually have to consider capturing the decision on the change you make to the information. We’ll touch a little bit on that today, but that’s also in part a possibility in Jama Connect.

The benefits of getting that information related, as I stated, you can trace those relations back to get to the source of where your data started, what was the first part that you actually started off from, what was the decision point, where did you start with capturing that requirement? Also, at a higher level, you can have an overview of what will happen when you change that specific part of information or piece of information. What will the ripple-down effect be when I start changing that specific part?

And then on the learning part on the actual knowledge part, you want to capture the why of a change, so why did we change it? If you go back in time and look at those changes, you can actually find back why you made the change and why you decided to, for instance, have a status changed or a requirement changed.

And of course, you do not do that in your own ecosystem. You have many, many connections around you that have input on those decisions and have input on those connections, so engineering partners, customers, and other departments within the company can be invited to take part in that process. We’ll take a look at that a little bit later on.


RELATED: Traceable Agile™ – Speed AND Quality Are Possible for Software Factories in Safety-critical Industries


Janssen: So in the Jama Connect solutions, we will take a look at the first part for data to information, so how do we actually relate information together and what is involved in building those relationships. And when I have them, what leverage, what value and benefits can I get out of those relationships and what kind of overview do they give me? Now then, on the question part, we’ll take a little look as well on all the different areas where Jama Connect allows you to collaborate and to capture decisions and information on the changes you make during the process of building up your requirement.

Why would we do all these exercises in the system? What is the underlying question? There’s a number of questions we get on a daily basis from our customers when it comes to traceability, so questions like, did we miss anything? Are we building a product that is still complying with what we originally set out to do? What was the original requirement? Where did we start off from? Do we have everything covered when it comes to the validation or the actual testing of parts? Embracing change is something where a lot of customers are at different levels when it comes to how they approach change, but when you look at change, and actually before you make the change, you can see what will happen if you do change that item and what will happen if you start editing the information you have at the top level or at a medium level, it gives you a lot more insight into what will happen and what the impact will be for the organization. So, change becomes a bit more, let’s say, easier to look at and to decide what you want to do.


CLICK HERE TO WATCH THIS WEBINAR IN ITS ENTIRETY:
Best Practices for Live Requirements Traceability
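The upstream/downstream view, impact analysis and suspect flagging discussed in the webinar, as an added worked example that is not Jama Connect's code or part of the original post. It builds a small trace graph from constructed items (a business need, requirements, a design element and tests) and constructed links; the item IDs, the relationship layout and the rule that editing an item flags its downstream links as suspect are all assumptions made for the illustration.

```python
"""Constructed example of the upstream/downstream traversal, impact analysis
and suspect flagging discussed in the webinar.

Added illustration, not Jama Connect's code: a handful of constructed items
(a business need, requirements, a design element and tests) and their trace
links are embedded so the queries run offline. Item IDs, relationship
layout and the suspect-marking rule are all assumptions.
"""
from collections import defaultdict, deque

# Constructed sample items: id -> (item type, title)
ITEMS = {
    "NEED-1": ("need", "Device alerts the user when the battery is low"),
    "REQ-10": ("requirement", "Battery level is sampled every 30 s"),
    "REQ-11": ("requirement", "Alert is raised below 15 % charge"),
    "REQ-12": ("requirement", "Each alert is written to the device log"),
    "DES-20": ("design", "Battery monitor service"),
    "TST-30": ("test", "Verify sampling interval"),
    "TST-31": ("test", "Verify low-battery alert threshold"),
}

# Constructed trace links as (upstream id, downstream id). REQ-12 deliberately
# has no downstream test, so the coverage check below has something to find.
LINKS = [
    ("NEED-1", "REQ-10"), ("NEED-1", "REQ-11"), ("NEED-1", "REQ-12"),
    ("REQ-10", "DES-20"), ("REQ-11", "DES-20"),
    ("REQ-10", "TST-30"), ("REQ-11", "TST-31"), ("DES-20", "TST-31"),
]


class TraceGraph:
    """Directed trace graph with forward and backward adjacency."""

    def __init__(self, items, links):
        self.items = dict(items)
        self.down = defaultdict(set)   # item -> directly downstream items
        self.up = defaultdict(set)     # item -> directly upstream items
        self.suspect = set()           # (upstream, downstream) links needing re-review
        for src, dst in links:
            if src not in self.items or dst not in self.items:
                raise KeyError(f"link refers to an unknown item: {src} -> {dst}")
            self.down[src].add(dst)
            self.up[dst].add(src)

    def _reach(self, start, neighbours):
        """Transitive closure in one direction (breadth-first, cycle-safe)."""
        seen, queue = set(), deque([start])
        while queue:
            for nxt in neighbours[queue.popleft()]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen

    def downstream(self, item_id):
        return self._reach(item_id, self.down)

    def upstream(self, item_id):
        return self._reach(item_id, self.up)

    def impact(self, item_id):
        """Impact analysis: every item that may need rework if item_id changes,
        grouped by item type so the ripple-down effect is visible per discipline."""
        grouped = defaultdict(list)
        for dep in sorted(self.downstream(item_id)):
            grouped[self.items[dep][0]].append(dep)
        return dict(grouped)

    def edit(self, item_id, new_title):
        """Assumed suspect rule: editing an item flags every link from it to
        its direct downstream items, so their owners know to re-review."""
        kind, _ = self.items[item_id]
        self.items[item_id] = (kind, new_title)
        self.suspect.update((item_id, dst) for dst in self.down[item_id])
        return sorted(self.suspect)

    def clear_suspect(self, src, dst):
        """A reviewer confirms the downstream item still satisfies the upstream one."""
        self.suspect.discard((src, dst))
        return sorted(self.suspect)

    def uncovered(self, kind="requirement", by="test"):
        """Coverage gap: items of `kind` with no item of type `by` anywhere downstream."""
        return sorted(
            item for item, (item_type, _) in self.items.items()
            if item_type == kind
            and not any(self.items[d][0] == by for d in self.downstream(item))
        )


if __name__ == "__main__":
    graph = TraceGraph(ITEMS, LINKS)
    print("Impact of changing NEED-1:", graph.impact("NEED-1"))
    print("Upstream of TST-31:", sorted(graph.upstream("TST-31")))
    print("Suspect links after editing REQ-11:",
          graph.edit("REQ-11", "Alert is raised below 20 % charge"))
    print("Requirements without a test:", graph.uncovered())
```

The `uncovered` check is the "did we miss anything?" question from the transcript, answered over the graph rather than by searching; the `impact` result is the ripple-down view to consult before a change is made.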


Jama Software is always looking for news that will benefit and inform our industry partners. As such, we’ve curated a series of customer and industry spotlight articles that we found insightful. In this blog post, we share an article, sourced from the U.S. Food & Drug Administration, titled “Ramping Up Security to Meet Operational Resilience Rules” – originally published on April 29, 2024.


FDA Takes Action Aimed at Helping to Ensure the Safety and Effectiveness of Laboratory Developed Tests

Today, the U.S. Food and Drug Administration took action aimed at helping to ensure the safety and effectiveness of laboratory developed tests, or LDTs, which are used in a growing number of health care decisions and about which concerns have been raised for many years.

LDTs are in vitro diagnostic products (IVDs) that the FDA has described as intended for clinical use and designed, manufactured and used within a single clinical laboratory that meets certain regulatory requirements. IVDs can play an important role in health care; they are used in the collection, preparation and examination of specimens taken from the human body, such as blood, saliva or tissue. They can be used to measure or detect substances or analytes, such as proteins, glucose, cholesterol or DNA, to provide information about a patient’s health, including to identify, monitor or determine treatment for diseases and conditions.

The FDA announced a final rule today amending the FDA’s regulations to make explicit that IVDs are devices under the Federal Food, Drug, and Cosmetic Act (FD&C Act) including when the manufacturer of the IVD is a laboratory. Along with this amendment, the FDA issued a policy to phase out, over the course of four years, its general enforcement discretion approach for LDTs. The agency also issued targeted enforcement discretion policies for certain categories of IVDs manufactured by laboratories.

“LDTs are being used more widely than ever before – for use in newborn screening, to help predict a person’s risk of cancer, or aid in diagnosing heart disease and Alzheimer’s. The agency cannot stand by while Americans continue to rely on results of these tests without assurance that they work,” said FDA Commissioner Robert M. Califf, M.D. “The final rule announced today aims to provide crucial oversight of these tests to help ensure that important health care decisions are made based on test results that patients and health care providers can trust.”


RELATED: Jama Connect® for Medical Device & Life Sciences Development Datasheet


Although historically the FDA has generally exercised enforcement discretion for most LDTs, meaning that the agency generally has not enforced applicable requirements with respect to most LDTs, the risks associated with most modern LDTs are much greater than the risks associated with LDTs used when the FDA’s enforcement discretion approach was adopted many decades ago. At that time, many LDTs were lower risk, small volume and used for specialized needs of a local patient population. Now, many LDTs are used more widely, for a larger and more diverse population, with large laboratories accepting specimens from across the country. LDTs also increasingly rely on high-tech instrumentation and software, are performed in large volumes and are used more frequently to help guide critical health care decisions.

Moreover, there is a growing body of evidence that demonstrates that some IVDs offered as LDTs raise public health concerns; for example, they do not provide accurate test results or do not perform as well as FDA-authorized tests, including from published studies in the scientific literature, the FDA’s own experience in reviewing IVDs offered as LDTs, news articles and class-action lawsuits.

The FDA is aware of numerous examples of potentially inaccurate, unsafe, ineffective or poor quality IVDs offered as LDTs that caused or may have caused patient harm, including tests used to select cancer treatment, aid in the diagnosis of COVID-19, aid in the management of patients with rare diseases and identify a patient’s risk of cancer.

Without greater oversight of the safety and effectiveness of LDTs, patients may be more likely to initiate unnecessary treatment, or delay or forego proper treatment based on inaccurate test results or tests promoted with false or misleading claims. This could result in harm, including worsening illness or death, as well as unnecessarily increase health care costs.

Increased compliance with device requirements under the FD&C Act (such as premarket review, quality system (QS) requirements, adverse event reporting, establishment registration and device listing, labeling requirements and investigational use requirements) will put patients and health care providers in a better position to have confidence in IVDs regardless of where they are manufactured.

With increased oversight, the FDA will also be able to help promote adequate representation in validation studies, as well as transparency regarding potential differential performance and unknown performance in certain patient populations, which may ultimately help advance health equity.

“Today’s action is a critical step toward helping to ensure the safety and effectiveness of LDTs, while also taking into account other public health considerations, including continued access to critical tests patients rely upon,” said Jeff Shuren, M.D., J.D., director of the FDA’s Center for Devices and Radiological Health. “Through targeted enforcement discretion policies for certain categories of tests manufactured by a laboratory, we expect patients and health care professionals will continue to have access to the tests they need while having greater confidence that the tests they rely on are accurate.”

The phaseout of the FDA’s general enforcement discretion approach for LDTs over a period of four years will protect the public health by helping to assure the safety and effectiveness of these tests, while avoiding undue disruption to patient care. Better assuring the safety and effectiveness of LDTs may also foster test innovation and facilitate the collective efforts of the scientific and medical communities to identify promising technologies, new therapies or areas worthy of future research.

Importantly, the FDA considered the large volume of comments received on the notice of proposed rulemaking, and in light of that input, has adjusted the phaseout policy in a manner that better serves the public health. After this phaseout, the FDA generally will expect IVDs made by either a non-laboratory or laboratory to meet the same requirements, though certain IVDs manufactured by laboratories may fall within one of the agency’s targeted enforcement discretion policies.

The FDA intends to exercise enforcement discretion with regard to premarket review and most quality system requirements for certain categories of IVDs, including but not limited to:

  • Currently marketed IVDs offered as LDTs that were first marketed prior to the date of issuance of the final rule. This enforcement discretion policy is intended to address the risk that the perceived costs of compliance with such requirements could lead to the widespread loss of access to beneficial IVDs on which patients currently rely.
  • LDTs manufactured and performed by a laboratory integrated within a health care system to meet an unmet need of patients receiving care within the same health care system when an FDA-authorized test is not available. This enforcement discretion policy is intended to help avoid patients being deprived of critically needed LDTs where certain risk mitigations exist that may help laboratories to identify any problems with their LDT and may help inform appropriate use and interpretation of such LDTs.

The FDA has also included additional enforcement discretion policies, such as for LDTs approved by the New York State’s Clinical Laboratory Evaluation Program (CLEP), as described in the preamble to the final rule, where that program’s review of analytical and clinical validity helps to mitigate the risk of harm from inaccurate and unreliable LDTs.


RELATED: Buyer’s Guide: Selecting a Requirements Management and Traceability Solution for Medical Device & Life Sciences


Draft Guidance Documents

The agency also issued two draft guidances today. One provides the agency’s thinking about an enforcement discretion policy for certain laboratories offering certain unauthorized IVDs for immediate response to an emergent situation, such as an outbreak of an infectious disease, in the absence of a declaration applicable to IVDs under section 564 of the FD&C Act. The other provides insight into the FDA’s thinking about the factors the agency intends to consider when developing a policy regarding enforcement discretion for certain IVDs during a public health emergency declared under section 564 of the FD&C Act.

Inquiries
Media: James (Jim) McKinney, 240-328-7305
Consumer: 888-INFO-FDA

Jama Connect® Recognized as a Top Rated Requirements Management Solution on TrustRadius!

Jama Connect® has achieved notable recognition on TrustRadius, solidifying its position as a leading platform for requirements, risk, and test management. With an intuitive user interface, robust features, and exceptional customer support, Jama Connect has been honored with a “Top Rated” distinction by TrustRadius in 2024.

Visit the full report to discover why customers love using Jama Connect for product, systems, and software development. This recognition highlights Jama Software’s unwavering commitment to providing a reliable and efficient requirements management solution that empowers teams to drive innovation and attain exceptional outcomes.


RELATED: The Essential Guide to Requirements Management and Traceability


Jama Software values the feedback from our clients who have used Jama Connect and are committed to providing them with the best support, resources, and expertise to help them succeed. As the leading provider of requirements management software, Jama Software is proud to receive recognition for our commitment to enabling multidisciplinary engineering organizations to develop products, systems, and software to maximize their success.

“I’m VERY likely to recommend Jama Connect to a colleague because they’d struggle to get anything done without using it! That’s the tool we’re using for Requirements Management now, so I recommend to my colleagues that they get amongst it!”

-From a review collected and hosted on TrustRadius – Ian Webb, Systems Engineering Technical Writer – Enphase Energy, Electrical & Electronic Manufacturing

“For our company, it was imperative that we streamline all our processes and have a solution that is well controlled for audit purposes. Jama Connect has been able to satisfy these needs easily with its intuitive design which shortened the user learning curve. Furthermore, the configuration management of artifacts is built in from the start which is incredibly powerful for auditors of our products.”

-From a review collected and hosted on TrustRadius – Eric Zaremski, Lead Program Manager – FORT Robotics

From all of us at Jama Software® to all of you, thank you!


In this blog, we offer a preview of our comprehensive guide to understanding ANSI/AAMI SW96:2023 and mitigating security risks.


What You Need to Know: ANSI/AAMI SW96:2023 — Medical Device Security

Managing risk around a medical device’s entire lifecycle has become increasingly complex. Many devices use third-party components, which is especially true for devices that require a network to operate. This increased need for connectivity, along with other emerging threats, is putting security at the forefront of medical device industry standards.

A recent report titled “2023 State of Cybersecurity for Medical Devices and Healthcare Systems” found 993 vulnerabilities in the 966 medical products it examined—a 59% year-over-year increase from 2022. Software applications, including those that medical devices relied on to work, accounted for 64% of the vulnerabilities found.

With device vulnerability increasing, new standards aim to keep up with emerging threats. As a result, ANSI/AAMI SW96:2023 was created to help protect against threats, understand risk, and guide manufacturers in taking the most appropriate actions to enhance security. However, because the standard is relatively new, many device manufacturers are still finalizing the interpretation of how this impacts their organizational processes. If you’re still working to get familiar with the standard, we’ve created a complete guide to make the task easier.

THIRD-PARTY COMPONENTS MAY INCREASE SECURITY RISK, WITH ONE STUDY FINDING THAT SOFTWARE ALONE ACCOUNTED FOR 64% OF NOTED VULNERABILITIES.

What is ANSI/AAMI SW96:2023?

ANSI/AAMI SW96:2023 guides security risk management for medical devices, aligning with the processes included in ISO 14971:2019.

The new standard addresses the entire lifecycle of a medical device, including areas such as design, production, and post-production. It’s intended for use with AAMI TIR57 Principles for Medical Device Security – Risk Management, which addresses cybersecurity analysis, and AAMI TIR97, Principles for Medical Device Security, which guides processes for managing medical devices in the post-market space.

The goal of the new standard is to support manufacturers in ensuring that medical devices are reliable, work as intended, and don’t cause harm to patients, operators, or the environment. It also focuses on mitigating any potential risks around device failure.


RELATED: Understanding Integrated Risk Management for Medical Devices


Why is security for medical devices important?

Security has always been important to medical device manufacturers, which is why considerations are included in ISO 14971:2019. However, ANSI/AAMI SW96:2023 aims to deepen security-related standards.

Addressing potential security risks throughout the entire product lifecycle, including design, production, and post-production, enables manufacturers to identify and mitigate potential risks through a more focused and proactive approach. It helps manufacturers continually identify, review, and safeguard against fast-evolving threats.

Understanding the security risk management process

As you get up to speed with ANSI/AAMI SW96:2023, the “security risk management process” section includes details for mitigating potential threats. It includes six major sections, everything from security risk analysis to production and post-production activities. Each section contains a detailed framework, but for the sake of simplicity, we’ve highlighted a few main points for each.

The 6 Sections of Security Risk Management

  1. Security risk analysis. It focuses on selecting product security standards, performing threat modeling, and establishing capabilities to identify and detect security vulnerabilities across a medical device’s entire lifecycle.
  2. Security risk evaluation. Establishes a security assessment strategy and testing processes.
  3. Security risk control. Identifies, designs, and implements security risk control measures, as well as verifying the implementation effectiveness of any security risk control measures.
  4. Evaluation of overall security residual risk acceptability. Determine if the “security residual risk” of a device is acceptable.
  5. Security risk management review. A security management report is prepared.
  6. Production and post-production activities. Potential vulnerabilities are monitored to identify any new security risks. Also, it establishes processes to stay aware of new threats, creating security incident response plans and other measures to identify ongoing vulnerabilities.

Section 1: Security Risk Analysis

The security risk analysis focuses on selecting product security standards, performing threat modeling, and establishing capabilities to identify and detect security vulnerabilities across a medical device’s entire lifecycle. It covers:

  1. Security risk analysis process: It suggests that manufacturers perform a security risk analysis, and the results are recorded in the “security risk management file.”
  2. Intended use and reasonably foreseeable misuse: The “security risk management” file includes reference documents developed in compliance with clause 5.2 of ISO 14971. It needs to account for “the use of a medical device in a way not intended by the manufacturer, but which can result from readily predictable behavior.”
  3. Identification of assets and characteristics related to security: You’ll also identify potential medical device vulnerabilities such as third-party components, hardware, and software.
  4. Security risk estimation: You will estimate the associated “risks” for each of the identified security vulnerabilities and potential impacts on areas like confidentiality and integrity.

Section 2: Security Risk Evaluation

The security risk evaluation establishes a security assessment strategy and testing processes. A few areas it considers:

  1. Evaluation of each security risk: Identify each security risk area, determining if a “security reduction” is required.
  2. Evaluation of security risks with a potential safety impact: Consider every potential risk to determine any potential safety impacts.

RELATED: The Complete Guide to ISO 13485 for Medical Devices


Section 3: Security Risk Control

This section is focused on identifying, designing, and implementing security risk control measures, as well as verifying the implementation effectiveness of any security risk control measures, including:

  1. Security risk control option analysis: Determine if a security risk control measure is appropriate for mitigating security risks to an “acceptable level.”
  2. Implementation of security risk control measures: Security risk measures are selected based on the prior step.
  3. Security residual risk evaluation: After the security risk control measures are implemented, the manufacturer evaluates the security residual risk and records this evaluation in the security risk management file.
  4. Benefit-risk analysis: If a security residual risk is found to be “acceptable” using the criteria created in the security risk management plan, and further security risk control isn’t practical, the manufacturer conducts a benefit versus security risk analysis.
  5. Risks arising from security risk control measures: The manufacturer reviews the effects of the security risk control measures to understand whether new security vulnerabilities and threats are introduced that could impact security, safety, or privacy.
  6. Completeness of security risk controls: The manufacturer periodically reviews security risk control activities to ensure all vulnerabilities and threats are considered and security risk control activities are complete.

Section 4: Evaluation of Overall Security Residual Risk Acceptability

After the security risk controls are implemented and verified, the manufacturer determines if the overall “security residual risk” created by the medical device is acceptable.
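The chain that Sections 1 to 4 describe (estimate each security risk, apply controls and verify them, evaluate the residual risk, then decide overall acceptability), as an added worked example. This is illustration only, not text or tooling from ANSI/AAMI SW96:2023: the 1 to 5 scales, the "likelihood times worst affected property" formula, the acceptability thresholds taken "from the plan" and the rule that only verified controls count are assumptions for the example, and the assets, threats and controls are constructed sample data.

```python
"""Constructed worked example of the Section 1 to 4 chain: estimate each
security risk, apply and verify controls, evaluate residual risk and decide
overall acceptability.

Added illustration only, not text or tooling from ANSI/AAMI SW96:2023. The
1-5 scales, the risk = likelihood x worst-case impact formula and the
acceptability thresholds "from the plan" are assumptions for the example;
assets, threats and controls are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    likelihood_reduction: int   # assumed: each control lowers likelihood by this many steps
    verified: bool              # Section 3: only verified controls count


@dataclass
class SecurityRisk:
    asset: str
    threat: str
    likelihood: int                         # 1 (rare) .. 5 (almost certain), assumed scale
    impact: dict                            # {"C": 1..5, "I": 1..5, "A": 1..5}, assumed scale
    safety_impact: bool                     # Section 2.2: could exploitation affect safety?
    controls: list = field(default_factory=list)
    further_control_practical: bool = True  # Section 3.4 precondition for benefit-risk analysis
    benefit_risk_justified: bool = False    # outcome of a documented benefit-risk analysis


# Constructed plan criteria: a stricter threshold applies when safety could be affected.
PLAN = {"threshold": 8, "safety_threshold": 4}


def risk_score(likelihood, impact):
    """Assumed estimation formula: likelihood times the worst affected property."""
    return likelihood * max(impact.values())


def initial_risk(risk):
    return risk_score(risk.likelihood, risk.impact)


def residual_risk(risk):
    """Residual risk after the verified controls only (an unverified control
    gives no credit until its effectiveness has been confirmed)."""
    reduction = sum(c.likelihood_reduction for c in risk.controls if c.verified)
    return risk_score(max(1, risk.likelihood - reduction), risk.impact)


def evaluate(risk, plan=PLAN):
    """One record for the security risk management file (Sections 1.4, 2, 3.3, 3.4)."""
    threshold = plan["safety_threshold"] if risk.safety_impact else plan["threshold"]
    initial, residual = initial_risk(risk), residual_risk(risk)
    acceptable = residual <= threshold
    return {
        "asset": risk.asset,
        "threat": risk.threat,
        "initial": initial,
        "residual": residual,
        "reduction_required": initial > threshold,
        "acceptable": acceptable,
        "unverified_controls": [c.name for c in risk.controls if not c.verified],
        # Benefit-risk analysis is the next step only when the residual risk is
        # still above threshold and no practical control remains.
        "benefit_risk_analysis_required": not acceptable and not risk.further_control_practical,
    }


def overall_acceptability(risks, plan=PLAN):
    """Section 4: the device is acceptable only if every risk is within its
    threshold or carries a documented benefit-risk justification."""
    open_items = []
    for risk in risks:
        record = evaluate(risk, plan)
        if not record["acceptable"] and not risk.benefit_risk_justified:
            open_items.append(f"{risk.asset}: {risk.threat}")
    return (not open_items, open_items)


# Constructed sample register.
RISKS = [
    SecurityRisk("patient data store", "unauthenticated network read", 4,
                 {"C": 5, "I": 2, "A": 2}, safety_impact=False,
                 controls=[Control("mutual TLS on the service port", 2, True),
                           Control("role-based access checks", 1, False)]),
    SecurityRisk("infusion rate firmware", "unsigned firmware update accepted", 2,
                 {"C": 1, "I": 5, "A": 4}, safety_impact=True,
                 controls=[Control("signed update images", 1, True)],
                 further_control_practical=False),
    SecurityRisk("service log", "log file disclosure", 2,
                 {"C": 2, "I": 1, "A": 1}, safety_impact=False),
]

if __name__ == "__main__":
    for entry in RISKS:
        print(evaluate(entry))
    print(overall_acceptability(RISKS))
```

Two points the register makes visible: the first risk stays above threshold solely because one of its controls has not yet been verified, which is the Section 3 verification step at work, and the second risk is the case where no further practical control exists, so the record routes it to a benefit-risk analysis rather than silently accepting it.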

Section 5: Security Risk Management Review

The standard recommends a review of the execution of the security management plan before releasing a new device. According to ANSI/AAMI SW96:2023, the review should ensure:

  1. The security risk management plan has been appropriately implemented.
  2. The “security residual risk” is at an acceptable level.
  3. Methods are in place to gather and review details in the production and post-production phases, and leadership has reviewed and approved the plan.

Section 6: Production and Post-production Activities

The final section is focused on establishing, documenting, and maintaining a system to monitor, assemble, and review information about medical device security in the production and post-market phases. Also, it establishes processes to stay aware of new threats, creating security incident response plans and other measures to identify ongoing vulnerabilities.


To Access This Content In Its Entirety, Visit:
What You Need to Know: ANSI/AAMI SW96:2023


Jama Connect® Features in Five: Git Repository Integration

Learn how you can supercharge your systems development process! In this blog series, we’re pulling back the curtains to give you a look at a few of the powerful features in Jama Connect®… in about five minutes.

In this Features in Five Integration Series video, Atef Ghribi, Senior Solutions Architect at Jama Software® – demonstrates a Git repository integration with Jama Connect® using a repository in GitLab.

VIDEO TRANSCRIPT

Atef Ghribi: Hello and welcome to the Features in Five Integration series. My name is Atef Ghribi and I am a senior solution architect at Jama Software. Today, we’ll be looking at the Git repositories integration using an example of a repository in GitLab. We make it possible for you to integrate Jama Connect with the preferred best-of-breed software to achieve Live Traceability™ across the end-to-end development cycle. Live requirements traceability is the ability for any engineer at any time to see the most up-to-date and complete upstream and downstream information for any requirement, no matter the stage of systems development or how many siloed tools and teams it spans.

This enables significant productivity and quality improvements, dramatically reduces the risk of product delays, cost overruns, defects, rework, and recalls, and ultimately results in faster time to market. Jama Connect, being the central repository for a holistic overview across the traceability chain, will be able to store the source code change track published by the integration hub from source code repository management tools such as GitHub or GitLab. This allows software developers to work in their environments without adding additional steps to ensure traceability.


RELATED: Buyer’s Guide: Selecting a Requirements Management and Traceability Solution


Ghribi: The integration hub will take care of publishing the source code and commit information to Jama Connect as soon as they are available in the Git repository. Additionally, software developers can provide traceability information in their source code commits, which will allow Jama Connect to create the trace links to other items, making sure that source code change sets are embedded into the traceability chain. By providing this seamless integration, Jama Connect will ensure better accessibility beyond tool boundaries to source code traceability for stakeholders who are not necessarily familiar with Git repositories.

This holistic traceability enables better efficiency in conducting impact analysis and controlling the change management process as well as facilitating reporting and tracking of metrics across tools to assess and achieve compliance with less effort. Here is a simple flow between GitLab and Jama Connect. I will start by adding a simple implementation task to my Jama Connect project. This is the input for the software developer to start working on the implementation. Now this is just an example. We can here use any other item type based on the process defined and configured within Jama Connect.

Going to my implementation issues set and here I will start by creating a new task and then I will just save and close and this will create a new implementation task inside of my Jama Connect project. I will take the ID provided by Jama Connect as information that I will use later for the traceability. Now in GitLab I will make some changes to my source code and will make sure to mention the implementation task ID in my source code commit. I’m of course just using the UI of GitLab here to edit the file, but this would be the same process if I’m working in a different environment, a development machine, and submitting the change sets from my own local repository.

We are just keeping things simple for the time being. So going into my file and then I’m going to edit the file as a single file just here adding some changes and I will make sure to mention in the commit message the message for the change. And then I will just put the ID as I got it from Jama Connect and now I will just commit the changes and we will see what will happen inside of Jama Connect. The integration will take care of the rest and we will go back to Jama and see how the source code change commit was published and how the traceability will be defined inside of Jama Connect.


RELATED: The Benefits of Jama Connect®: Supercharge Your Systems Development and Engineering Process


Ghribi: Within a few seconds, based on the integration configured, we can refresh our project inside of Jama Connect and see how the source code change set will be published to the spot in the project tree that we defined in the integration hub. We will just refresh and now we will see that we now have one item representing our change commit with the name that was provided. So if we look closer here, we’ll be able to see that we have that same message. If we look at the traceability on the right-hand side of the screen and our relationship switch it, we will be able to see that there is one upstream link to the implementation task that we used in the commit.

So as software developers we don’t need to redundantly create any items inside of Jama Connect or create any links after we submit our traceability. If I go also to the task that is inside of Jama Connect and look at the traceability chain, and refresh, we’ll be able to see here that source code traceability that is managed. So we have bidirectional traceability already inside of Jama Connect, which will now allow us to have and embed our code or change sets traceability source code to the traceability chain of our project.

Thank you for watching this Feature in Five session on the Git repositories integration for Jama Connect. If you are an existing customer and want to learn more, please reach out to your customer success manager or consultant. If you are not yet a client, please visit our website at jamasoftware.com to learn more about the platform and how we can help optimize your development processes.


To view more Jama Connect Features in Five topics, visit:
Jama Connect Features in Five Video Series


Jama Software is always looking for news that will benefit and inform our industry partners. As such, we’ve curated a series of customer and industry spotlight articles that we found insightful. In this blog post, we share an article, sourced from Innovation News Network, titled “Ramping Up Security to Meet Operational Resilience Rules” – originally published on April 8, 2024.


Ramping Up Security to Meet Operational Resilience Rules

Philip Pearson, Field Chief Information Security Officer at Aqua Security, discusses how meeting operational resilience targets is crucial for effective cybersecurity measures.

Operational resilience is the ability to prevent, withstand, recover, adapt and learn in the face of disruption, including cyber events.

Currently, it represents a far-reaching set of issues that are increasingly important to private sector organizations and lawmakers alike. In both the EU and the UK, stronger regulatory frameworks are evolving, accompanied by serious consequences for those who fail to comply.

For instance, the Digital Operational Resilience Act (DORA) and the NIS2 Directive are two major pieces of European cybersecurity legislation aimed at strengthening operational resilience and cybersecurity across various sectors, including finance. While they share common goals, they focus on different aspects and have distinct scopes of application.

Designed to strengthen IT security across a wide range of financial entities, DORA entered into force in January 2023 and applies from 17 January 2025.

It focuses heavily on improving resilience “in the event of a severe operational disruption.” It applies to financial entities, and to the ICT third-party providers that serve them, supplying services inside the EU. Note that DORA itself leaves the penalty regime for financial entities to member states; the frequently quoted ceiling of 2% of total worldwide annual turnover is NIS2’s maximum fine for essential entities (the higher of EUR 10 million or 2% of global annual turnover), while under DORA a critical ICT third-party provider that does not comply with its Lead Overseer can face periodic penalty payments of up to 1% of its average daily worldwide turnover.

For business leaders already operating within the parameters set out by GDPR, the jurisdiction rules will have a familiar ring: the obligations follow the service into the EU, so the UK’s position outside of the EU will, for many organizations, be an irrelevance.


The NIS2 Directive entered into force in January 2023, and member states are required to transpose it into national law by 17 October 2024. It aims to raise the level of cybersecurity protection across the EU, with an emphasis on harmonising security requirements and reporting obligations. It also requires member states to address areas such as supply chain security, vulnerability management and disclosure, and cyber hygiene in their national cybersecurity strategies. The Directive further promotes knowledge sharing and collaboration, an EU-wide vulnerability database, the European cyber crisis liaison organisation network (EU-CyCLONe), and improved cooperation, among other measures.


RELATED: Jama Connect® Amazon Web Service (AWS) GovCloud US Hosting


The role of Critical Third Parties in meeting operational resilience targets

In the UK specifically, regulators have looked closely at the role played by Critical Third Parties (CTPs) – external organizations whose services are vital to the operational integrity and operational resilience of financial institutions. CTPs could include cloud service providers such as AWS or Microsoft and a range of other technology businesses that play a key role in supporting the sector. Additionally, the Cross Market Operational Resilience Group, chaired by the Bank of England, provides detailed guidance on operational resilience for the financial services sector, which, whilst not legally binding, acts as a good base for best practice.

Our recent survey, conducted at the Cloud & Cyber Security Expo at Tech Show London in March with 100+ cloud professionals, indicated that awareness remains low around new compliance obligations. Nearly half (46.5%) were unsure of their organization’s ability to comply with supply chain requirements such as NIS2 or SBOM mandates. And of those respondents who work in the finance sector, 30% were unaware of the Digital Operational Resilience Act (DORA). Just over a third (35%) were confident of their organization’s ability to comply.

Additionally, the shift towards cloud-native technologies, with their distributed systems and microservices architectures, presents a new set of challenges for regulatory compliance and operational resilience. This environment, characterized by dynamic resource scaling to meet demand, introduces complexities in maintaining compliance amidst the fluid nature of containerized deployments and autoscaling practices.

Autoscaling, a hallmark of cloud-native environments, allows for efficient resource management but necessitates a nuanced approach to operational resilience. The ability of systems to automatically adjust resources complicates adherence to stringent regulatory frameworks, requiring organizations to adopt innovative monitoring and management strategies that align with the fluid dynamics of cloud-native operations.


RELATED: Traceable Agile™ – Speed AND Quality Are Possible for Software Factories in Safety-critical Industries


How can organizations be compliant, secure, and agile simultaneously?

So what impact are these regulations making (or will they make) in practical terms, and what technology priorities should organizations address to ensure compliance?

Across the current financial industry ecosystem, for example, there is an increasing reliance on the provision of agile, scalable, and reliable applications, with Kubernetes and DevOps among the platforms and methodologies playing an important role in software development and delivery strategies. In this context, resilience and security are – understandably – key considerations.

Operational resilience ensures that organizations working with Kubernetes and cloud environments deploy robust, secure infrastructure and applications capable of swiftly recovering from disruption. This includes implementing best practices for Kubernetes security, ensuring high availability and disaster recovery capabilities, and effectively managing third-party risks associated with cloud service providers.

Operational resilience in these environments also involves continuous monitoring, incident response planning, and regular testing of recovery procedures to ensure that the organization can maintain its critical functions under a variety of adverse conditions.

In relation to DevOps, which has become a widely adopted software development methodology globally, security can be improved by integrating advanced measures directly into development and deployment processes. This includes implementing ‘Compliance as Code’, which integrates automated compliance checks within the CI/CD pipeline.

The most effective approaches enforce compliance policies and regulatory requirements directly in the infrastructure as code (IaC) templates and container configurations. This ensures that every deployment automatically adheres to necessary compliance standards, reducing manual review processes and the potential for human error.

This should be accompanied by the use of immutable security policies for containerized applications and Kubernetes clusters. By defining strict security policies that cannot be altered once a container or service is deployed, this approach ensures that any change to the security posture can only be made through the CI/CD pipeline, where it is reviewed and recorded, enforcing consistency, auditability, and compliance with existing security standards.
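As an added example, not Aqua Security’s, Jama’s or the article’s own code, the following Python script shows the kind of compliance-as-code gate the paragraphs above describe: a handful of Pod Security Standards-style controls encoded as functions and run over Kubernetes manifests (in the dict form PyYAML’s `yaml.safe_load()` produces), so that a CI job fails before a non-compliant workload reaches a cluster. The control names, the two sample manifests and the `gate` entry point are assumptions made for this example; a production pipeline would express the same rules in a policy engine such as OPA/Gatekeeper or Kyverno.

```python
"""Minimal compliance-as-code gate for Kubernetes manifests (added example).

The controls are an assumption for this example: a subset of the Pod
Security Standards 'restricted' profile plus image pinning by digest and
resource limits. Manifests are passed in the dict form that PyYAML's
yaml.safe_load() would produce for the YAML stored in a repository.
"""
import re
import sys
from dataclasses import dataclass

# An immutable image reference ends in a sha256 digest. A tag such as
# :latest can be re-pointed after review; a digest cannot.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class Finding:
    control: str
    target: str
    message: str


def pod_spec(manifest):
    """Return the PodSpec of a Pod or of any common workload controller."""
    kind = manifest.get("kind")
    spec = manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        return spec.get("jobTemplate", {}).get("spec", {}).get("template", {}).get("spec", {})
    return spec.get("template", {}).get("spec", {})  # Deployment, StatefulSet, DaemonSet, Job


def check_manifest(manifest):
    """Evaluate one manifest and return every control violation found."""
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    pod = pod_spec(manifest)
    pod_sc = pod.get("securityContext", {})
    findings = []
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if pod.get(field):
            findings.append(Finding("no-host-namespaces", name, f"{field}: true shares a host namespace"))
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        target = f"{name}/{c.get('name', '<unnamed>')}"
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(Finding("no-privileged", target, "privileged: true gives the container node-level access"))
        # Kubernetes defaults allowPrivilegeEscalation to true, so absence is a violation.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(Finding("no-privilege-escalation", target, "allowPrivilegeEscalation must be false"))
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(Finding("run-as-non-root", target, "runAsNonRoot must be true at pod or container level"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(Finding("read-only-rootfs", target, "readOnlyRootFilesystem must be true"))
        drops = {cap.upper() for cap in sc.get("capabilities", {}).get("drop", [])}
        if "ALL" not in drops:
            findings.append(Finding("drop-capabilities", target, "capabilities.drop must include ALL"))
        image = c.get("image", "")
        if not DIGEST_RE.search(image):
            findings.append(Finding("pinned-image", target, f"image {image!r} is not pinned by digest"))
        if not c.get("resources", {}).get("limits"):
            findings.append(Finding("resource-limits", target, "cpu/memory limits are missing"))
    return findings


def gate(manifests):
    """CI entry point: print every violation and return True only if all manifests pass."""
    findings = [f for m in manifests for f in check_manifest(m)]
    for f in findings:
        print(f"FAIL [{f.control}] {f.target}: {f.message}")
    return not findings


# Constructed sample manifests (not taken from any real deployment).
WEAK = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "payments-api"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "api",
            "image": "registry.example.com/payments/api:latest",
            "securityContext": {"privileged": True},
        }],
    }}},
}

HARDENED = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "payments-api"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "api",
            "image": "registry.example.com/payments/api@sha256:" + "0" * 64,  # placeholder digest
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
    }}},
}

if __name__ == "__main__":
    sys.exit(0 if gate([WEAK, HARDENED]) else 1)
```

Run as a pipeline step, the non-zero exit from `gate` blocks the merge; the weak manifest trips every control (host networking, privileged mode, escalation, root user, writable root filesystem, retained capabilities, a mutable `:latest` tag and no limits), while the hardened one passes because each fix is declared in the manifest itself and therefore reviewed with the code.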

Looking more closely at the issues associated with CTPs or the wider supply chain, the creation of a Software Bill of Materials (SBOM) is a critical component in ensuring the security and integrity of software applications and their dependencies. This approach is increasingly relevant in the context of broader cybersecurity strategies and compliance with regulatory requirements such as DORA and is important for several reasons:

  • Transparency: SBOMs provide a clear, comprehensive view of an application’s software components, including open-source and third-party libraries. This transparency is vital for assessing software products’ security posture and compliance
  • Vulnerability management: With an SBOM, organizations can quickly identify which components might be affected by newly discovered vulnerabilities. This capability allows for rapid assessment and remediation, significantly reducing the window of exposure to potential threats
  • Compliance and reporting: Regulatory frameworks, including DORA, increasingly recognize the importance of understanding and managing the risks associated with software supply chains. SBOMs facilitate compliance with such regulations by documenting the use of components and ensuring that they meet the required security standards
  • Risk assessment: SBOMs enable organizations to perform detailed risk assessments of their software inventory, identifying potential security and compliance issues. This proactive approach supports DORA’s ICT risk management requirements by enabling financial entities to manage and mitigate risks associated with their software supply chain
  • Incident response: In the event of a security incident, having an SBOM allows for a quicker and more accurate determination of impact, supporting effective incident response strategies as outlined in DORA

However, an SBOM inventories every component present in a software application, including those that are never loaded into memory or called at runtime, and those inactive components can still pose security risks.

Inactive but vulnerable components could potentially be used as part of an exploit chain or become an active threat later if the application’s functionality changes over time.

Therefore, SBOMs are a critical tool for supply chain risk management, but they must be part of a larger, holistic security strategy. It’s essential to consider the security implications of all components within a software application, even if they are currently unused. Maintaining a comprehensive SBOM and regularly reviewing it for vulnerabilities, including in inactive parts, are crucial security practices.

Additionally, alongside utilizing SBOMs, organizations must take a more comprehensive approach to vulnerability management, including continuous monitoring, prioritization, and proactive remediation.
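The SBOM workflow the last two passages describe, matching components against newly published advisories and keeping inactive components in scope while prioritising the ones actually loaded, as an added Python example that is not Aqua Security’s, Jama’s or the article’s code. It reads a CycloneDX-style JSON SBOM, resolves each component’s Package URL, matches it against an advisory feed using simplified OSV-style introduced/fixed version ranges, and ranks the matches by whether a runtime observation saw the component loaded. The SBOM, the advisory entries (IDs of the form ADV-EXAMPLE-n with illustrative version ranges), the runtime-loaded set and all function names are constructed for this example and are not real data.

```python
"""Match a CycloneDX SBOM against advisories and rank by runtime use (added example).

Everything below is constructed for illustration: the SBOM, the advisory
feed and the set of components a runtime sensor observed as loaded. The
advisory format is a simplified OSV-style range (introduced/fixed).
"""
import json
import re
from dataclasses import dataclass
from urllib.parse import unquote

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Match:
    advisory: str
    purl: str
    severity: str
    loaded: bool  # seen in memory by a runtime sensor (constructed input here)


def parse_purl(purl):
    """Split pkg:type/namespace/name@version?qualifiers#subpath into its parts."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl!r}")
    body = purl[4:].split("#", 1)[0].split("?", 1)[0]
    body, _, version = body.partition("@")
    ptype, _, rest = body.partition("/")
    namespace, _, name = rest.rpartition("/")
    return ptype.lower(), unquote(namespace) or None, unquote(name), version or None


def version_key(version):
    """Comparable key: numeric segments compare as ints, the rest as strings."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-+]", version))


def in_range(version, rng):
    """True when introduced <= version < fixed (no 'fixed' means still unfixed)."""
    v = version_key(version)
    if v < version_key(rng.get("introduced", "0")):
        return False
    return "fixed" not in rng or v < version_key(rng["fixed"])


def match_sbom(sbom, advisories, loaded_purls=frozenset()):
    """Return advisory matches for every SBOM component, loaded components first.

    Components the runtime never loaded are still reported: they can become
    reachable when the application changes, so they stay in the backlog.
    """
    matches = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # without a purl the component cannot be matched reliably
        ptype, namespace, name, version = parse_purl(purl)
        if version is None:
            continue
        for adv in advisories:
            if parse_purl(adv["package"])[:3] != (ptype, namespace, name):
                continue
            if any(in_range(version, r) for r in adv["ranges"]):
                matches.append(Match(adv["id"], purl, adv["severity"], purl in loaded_purls))
    return sorted(matches, key=lambda m: (not m.loaded, SEVERITY_RANK[m.severity]))


# Constructed CycloneDX-style SBOM (not a real application's inventory).
SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "lodash", "version": "4.17.20",
     "purl": "pkg:npm/lodash@4.17.20"},
    {"type": "library", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0"}
  ]
}""")

# Constructed advisory feed: IDs and ranges are illustrative, not real advisories.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "severity": "critical", "ranges": [{"introduced": "2.0", "fixed": "2.17.1"}]},
    {"id": "ADV-EXAMPLE-2", "package": "pkg:npm/lodash",
     "severity": "high", "ranges": [{"introduced": "0", "fixed": "4.17.21"}]},
    {"id": "ADV-EXAMPLE-3", "package": "pkg:pypi/requests",
     "severity": "medium", "ranges": [{"introduced": "2.0.0", "fixed": "2.20.0"}]},
]

# Constructed runtime observation: only log4j-core was seen loaded in memory.
LOADED = frozenset({"pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"})

if __name__ == "__main__":
    for m in match_sbom(SBOM, ADVISORIES, LOADED):
        print(("LOADED  " if m.loaded else "INACTIVE") + f" {m.severity:8} {m.advisory} {m.purl}")
```

Re-running `match_sbom` whenever the advisory feed changes is what turns the static inventory into vulnerability management: the loaded component is surfaced first for remediation, the inactive one is kept as a tracked finding rather than dropped, and the component outside every affected range produces no noise.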

Organizations must act now to stay ahead of the curve and ensure compliance with emerging regulations. Some concrete steps they can take include:

  • Educate staff on the requirements of DORA, NIS2, and other relevant regulations and take steps to assess the current level of compliance
  • Engage with industry peers, regulatory bodies, and security experts to stay informed about best practices and evolving threats
  • Develop a roadmap for enhancing your security posture, prioritizing initiatives that align with regulatory requirements and the organization’s overall business objectives
  • Partner with trusted security vendors and service providers who can provide the expertise, tools, and support needed to implement effective security measures and maintain compliance over time

Looking ahead, these represent just some of the key considerations for organizations operating in and around the finance industry ecosystem. In a climate where the role of regulation seems likely to increase even further, organizations that can integrate security into their development processes now will be better placed to adopt future changes in regulation as they emerge.


CONTRIBUTOR DETAILS

Philip Pearson, Field Chief Information Security Officer, Aqua Security
Website: https://www.aquasec.com/