Waldo Jaquith on Nostr: Blog entry: Agencies must not outsource compliance to their vendor scrum team. ...
Blog entry: Agencies must not outsource compliance to their vendor scrum team.
Incorporating HIPAA, NIST 800-53, or agency policy documents into a software development contract by reference means that the vendor will have to, at times, ignore the product owner, ignore user research, ignore the roadmap, and simply do what they believe those policy documents say to do. That is Actually Bad. Don't do that. https://waldo.jaquith.org/blog/2024/06/outsourcing-compliance/