Secure Software Development.
(a) Licensor shall ensure all Products have been developed in accordance with principles of secure software development consistent with software development industry best practices, including security design review, secure coding practices, risk based testing and remediation requirements.
(b) Licensor must use reasonable measures to secure the software development environment of the Products from unauthorized access.
(c) Licensor shall include cybersecurity guidance in the Product documentation provided to GE. This documentation shall include guidance on how to configure the Products and/or the surrounding environment to best ensure security. It shall also include guidance on which logical or physical ports are required for the product to function. If authentication is used to protect access to any service or capability of the Products, regardless of the intended user of that service/capability, the Supplier shall ensure:
(i) the Products shall not provide access to that service or capability using a default account/password;
(ii) the Products shall not provide access to that service or capability using a “Backdoor” account or password;
(iii) the Products’ associated authentication and password change processes shall be implemented with an appropriately secure cryptographic level; and
(iv) GE shall be able to change any passwords supported by the Products.
(d) Services or capabilities that are not required to implement the Product’s functionality shall by default be disabled, or shall require authentication to protect access to this service or capability.
(e) In the event that any wireless technology is incorporated in any Product, Licensor shall document that the wireless technology complies with standard operational and security requirements specified in applicable wireless standard(s) or specification(s) (e.g., applicable IEEE standards, such as 802.11).
(f) In the event that any cryptographic systems are contained in the Product, Supplier shall only use cryptographic methods that are “Approved” as defined in the Federal Information Processing Standard (FIPS) Security Requirements for Cryptographic Modules (FIPS 140-2), and Supplier shall provide an automated remote key-establishment (update) method that protects the confidentiality and integrity of the cryptographic keys.
Appears in 4 contracts
Samples: Hosted Application Terms and Conditions, Commercial License Agreement, Commercial License Agreement
Secure Software Development.
1. Supplier shall ensure all Products have been developed in accordance with principles of secure software development consistent with software development industry best practices, including security design review, secure coding practices, risk based testing and remediation requirements. Supplier’s software development environment used to develop the Products must have security controls that can detect and prevent attacks by use of network layer firewalls and intrusion detection/prevention systems (IDS/IPS) in a risk based manner.
2. Supplier shall implement processes to ensure malware protection measures are implemented for the Products development environment and relevant assets.
3. The Supplier shall have a process to ensure the systems used in Products development environment(s) are properly and timely patched.
4. Supplier shall include cybersecurity guidance in the Product documentation provided to Buyer. This documentation shall include guidance on how to configure the Products and/or the surrounding environment to best ensure security. It shall also include guidance on which logical or physical ports are required for the product to function. If authentication is used to protect access to any service or capability of the Products, regardless of the intended user of that service/capability, the Supplier shall ensure:
(i) the Products shall not provide access to that service or capability using a default account/password;
(ii) the Products shall be configured with least privilege for all user accounts, file systems, and application-to-application communications; examples of file systems which implement file protection based on privileges are *xxx and NTFS;
(iii) the Products shall not provide access to that service or capability using a “Backdoor” account or password;
(iv) the Products’ associated authentication and password change processes shall be implemented with an appropriately secure cryptographic level; and
(v) Buyer shall be able to change any passwords supported by the Products.
5. Services or capabilities that are not required to implement the Product’s functionality shall by default be disabled, or shall require authentication to protect access to this service or capability.
6. In the event that any wireless technology is incorporated in any Product, Supplier shall document that the wireless technology complies with standard operational and security requirements specified in applicable wireless standard(s) or specification(s) (e.g., applicable IEEE standards, such as 802.11).
7. In the event that any cryptographic systems are contained in the Product, Supplier shall only use cryptographic algorithms and key lengths that meet or exceed the most current version of the National Institute of Standards and Technology (NIST) Special Publication 800-131A, and Supplier shall provide an automated remote key-establishment (update) method that protects the confidentiality and integrity of the cryptographic keys.
Appears in 1 contract
Samples: Terms of Purchase