Sample Quality Assessment Surveillance Plan (QASP)

Per the “Require demos, not memos” best practice, here is a sample QASP, which should be incorporated into agile software RFPs.

| Deliverable | Performance Standard(s) | Acceptable Quality Level | Method of Assessment |
|---|---|---|---|
| Tested Code | Code delivered under the order must have substantial test code coverage and a clean code base. Version-controlled, public repository of code comprising the product, which will remain in the government domain. | Minimum of 90% test coverage of all code | Combination of manual review and automated testing |
| Properly Styled Code | GSA 18F Front-End Guide | 0 linting errors and 0 warnings | Combination of manual review and automated testing |
| Accessibility | Web Content Accessibility Guidelines 2.1 AA standards | 0 errors reported using an automated scanner, and 0 errors reported in manual testing | Pa11y |
| Deployed | Code must successfully build and deploy into staging environment | Successful build with a single command | Combination of manual review and automated testing |
| Documented | All dependencies are listed and the licenses are documented. Major functionality in the software/source code is documented. Individual methods are documented inline using comments that permit the use of documentation-generation tools such as JSDoc. A system diagram is provided. | Combination of manual review and automated testing, if available | Manual review |
| Security | OWASP Application Security Verification Standard 4.0, Level 2 | Code submitted must be free of medium- and high-level static and dynamic security vulnerabilities | Clean tests from a static testing SaaS (such as npm audit) and from OWASP ZAP, along with documentation explaining any false positives |
| User research | Usability testing and other user research methods must be conducted at regular intervals throughout the development process (not just at the beginning or end) | Artifacts from usability testing and/or other research methods with end users are available at the end of every applicable sprint, in accordance with the vendor’s research plan | Manual review |

De-risking Guide is a product of GSA’s Technology Transformation Services, and managed by 18F.