Skip to main content
 

Part 2. Information Technology

Chapter 125. Change Management

Section 1. Change Management Policy

2.125.1 Change Management Policy

Manual Transmittal

June 05, 2026

Purpose

(1) This transmits revised IRM 2.125.1 Change Management Policy.

Material Changes

(1) IRM 2.125.1.1 Program Scope and Objectives. Revised to strengthen governance, lifecycle management, auditability, and traceability of Configuration Items (CIs). Updated to reflect organizational realignment to Strategy & Product Management (SPM) and Infrastructure Tech Ops (ITO), and to incorporate integration with Configuration Management and ITIL 4 Change Enablement principles.

(2) IRM 2.125.1.1.1 Background. Updated to emphasize alignment with enterprise Configuration Management processes and ITIL 4 Change Enablement practices, including lifecycle traceability and integration with configuration baselines.

(3) IRM 2.125.1.1.3 Responsibilities. Revised to reflect updated governance ownership and accountability, including expanded responsibilities for policy enforcement, compliance oversight, coordination with Configuration Management, and continuous improvement.

(4) IRM 2.125.1.1.4 Program and Management Review. Updated to require formal evaluation of Change Management effectiveness, including metrics-driven performance monitoring, risk-informed decision-making, and alignment with enterprise objectives.

(5) IRM 2.125.1.1.5 Program Controls. Revised to establish a comprehensive governance framework defining control requirements, constraints, and boundaries for Change Management. Enhancements include expanded control requirements for authorization, segregation of duties, risk and impact assessment, change classification, documentation, auditability and traceability, validation and review, integration with enterprise processes, and monitoring and reporting. Metrics requirements were updated to standardize measurement, collection, and reporting to support governance oversight, performance evaluation, risk management, and continuous improvement.

(6) IRM 2.125.1.1.6 Terms/Definitions/Acronyms. Revised to standardize and expand terminology supporting Change Management governance and lifecycle execution. Updates include the addition of definitions aligned with ITIL 4 Change Enablement practices, such as Change Request (CR), Change Classification (Standard, Normal, Emergency), Change Model, Post-Implementation Review (PIR), Security Impact Assessment (SIA), Change Advisory Board (CAB), Configuration Baseline(s), and Configuration Management Database (CMDB). Acronyms were updated to reflect integration with enterprise processes and systems, including Continuous Integration / Continuous Deployment (CI/CD), Incident Management (IM), Incident Record (IR), and Priority classifications (P1, P2).

(7) IRM 2.125.1.1.7 Related Resources. Revised to include updated internal and external references, including Configuration Management Policy (IRM 2.150.1), Information Technology Security Policy (IRM 10.8.1), and ISO/IEC 20000 standards.

(8) IRM 2.125.1.2 Purpose. Revised to emphasize governance, risk-informed decision-making, lifecycle management, and auditability of Change Management activities.

(9) IRM 2.125.1.3 Scope. Updated to clarify applicability to all changes affecting IRS systems, infrastructure, services, and associated Configuration Items across the full service lifecycle.

(10) IRM 2.125.1.4 Mandates. Significantly revised to establish detailed lifecycle control requirements, including Change Request initiation, classification, risk and Security Impact Assessment (SIA), segregation of duties, authorization, scheduling, implementation, validation, documentation, closure, record lifecycle management, automated closure after 60 days, and integration with enterprise systems including CI/CD pipelines and the Configuration Management Database (CMDB).

(11) Editorial Changes. Made editorial updates throughout to improve clarity, consistency, terminology alignment, and formatting.

Effect on Other Documents

This IRM supersedes IRM 2.125.1 revision date October 31, 2022.

Audience

This IRM section applies to all Internal Revenue Service (IRS) Information Technology (IT) organizations, contractors, and stakeholders responsible for the planning, implementation, management, oversight, and day-to-day operation of IRS IT enterprise hardware, software, and services.

Effective Date

(06-05-2026)

Kaschit Pandya
Chief Information Officer

2.125.1.1 (10-31-2022)

Program Scope and Objectives

  1. Purpose. This document establishes the formal Internal Revenue Service (IRS) Information Technology (IT) policy for Change Management and defines the governance, requirements, and controls necessary to manage changes to Configuration Items (CIs) across the enterprise. This policy institutionalizes a standardized, risk-based, and auditable approach for managing changes throughout the service lifecycle.

    The objective of Change Management is to ensure that all changes are authorized, assessed for risk and impact, implemented in a controlled manner, and documented to maintain service integrity, minimize disruption, and support operational stability. All changes shall be recorded, tracked, and managed in an approved system of record to ensure end-to-end traceability and auditability.

    This policy establishes requirements for integration with enterprise policies, including Configuration Management Policy (IRM 2.150.1), to ensure that changes to CIs are reflected in configuration baselines and records. Change Management shall support lifecycle execution through defined controls that enable coordination, visibility, and accountability across all stages of change.

    This policy aligns with ITIL 4 Change Enablement practices by requiring standardized change classification, risk-based authorization, defined change models for repeatable changes, post-implementation review for applicable changes, and metrics-driven continuous improvement.

  2. Audience. This IRM section applies to all IRS IT organizations, contractors, and stakeholders responsible for the planning, implementation, management, oversight, and day-to-day operation of IRS IT enterprise hardware, software, and services, including those participating in Change Management activities.

  3. Policy Owner. Strategy & Product Management (S&PM) - IT.

  4. Program Owner. Infrastructure Tech Ops (ITO) Product Management, within S&PM - IT.

  5. Primary Stakeholders. Primary stakeholders include IT organizations and service providers responsible for implementing Change Management controls, managing Change Requests (CRs) and change records, executing change activities across the lifecycle, and maintaining alignment with Configuration Management processes and CI records.

  6. Contact Information. To recommend changes or provide feedback for this IRM section, contact the Change Management Program Management Office (ChM PMO): it.chm.pmo@irs.gov

2.125.1.1.1 (10-31-2022)

Background

  1. This Internal Revenue Manual (IRM) establishes the policy foundation for Change Management within the enterprise environment and aligns with federal requirements, related IT policies, and industry best practices.

  2. Change Management supports controlled and traceable changes to CIs and shall integrate with Configuration Management processes to maintain the integrity of configuration baselines and associated records across the CI lifecycle.

  3. This policy aligns with Information Technology Infrastructure Library (ITIL) 4 Change Enablement practices by supporting risk-based evaluation, standardized change classification, controlled implementation, and continuous improvement.

2.125.1.1.2 (10-31-2022)

Authority

  1. IRM 1.2.1.3 Policy Statements for Information Technology Activities

  2. Office of Management and Budget (OMB) Circular A-130, Managing Information as a Strategic Resource

  3. Federal Information Security Modernization Act (FISMA) of 2014 (Public Law 113-283, 44 USC 3554)

2.125.1.1.3 (10-31-2022)

Responsibilities

  1. The Change Management Process Owner shall be accountable for establishing, maintaining, and governing the Change Management policy and associated controls. This includes ensuring alignment with enterprise objectives, related IT policies, and industry best practices, and ensuring adequate resources are provided to support implementation, oversight, and continuous improvement.

  2. The Change Management Process Manager shall be responsible for the operational management and oversight of Change Management activities and for ensuring execution aligns with established policy, defined controls, and lifecycle expectations. The Process Manager shall oversee coordination, compliance, and performance monitoring across Change Management activities.

  3. The ChM PMO shall be responsible for:

    1. Developing, maintaining, and enforcing Change Management policy, standards, and supporting procedures to ensure consistent application of controls across the enterprise.

    2. Providing guidance, training, and support to personnel performing roles associated with Change Management activities to ensure effective and compliant execution.

    3. Monitoring performance and compliance through defined metrics, assessments, audits, and reviews, and implementing continuous improvement actions aligned with ITIL 4 Change Enablement practices.

    4. Ensuring coordination with Configuration Management to maintain accuracy and integrity of CI records and configuration baselines resulting from approved changes.

2.125.1.1.4 (10-31-2022)

Program and Management Review

  1. The ChM PMO shall manage and evaluate Change Management to ensure effectiveness, compliance, and alignment with enterprise objectives. Reviews shall be performed using the following principles:

    1. Process Management. Change Management shall be governed by a designated Process Owner and Process Manager accountable for oversight, enforcement, and continuous evaluation. Change Management shall be periodically reviewed to ensure alignment with enterprise requirements, related IT policies, and industry best practices. Metrics shall be defined, collected, and analyzed to support decision-making, risk management, and continuous improvement.

    2. People. Roles and responsibilities shall be formally defined, assigned, and maintained to support accountability and segregation of duties. Personnel shall be qualified and provided with role-based training to ensure effective and compliant execution of Change Management activities. Change Management requirements and expectations shall be communicated across stakeholders to promote consistent adoption.

    3. Process. Change Management shall be documented, standardized, and controlled to ensure consistent execution and governance. Changes to Change Management shall be approved by the Process Owner and implemented in a controlled manner. Change Management shall integrate with related enterprise processes, including Configuration Management, to ensure traceability of changes and consistency of configuration baselines. Periodic reviews shall be conducted to evaluate performance, identify risks, and implement continuous improvement actions aligned with ITIL 4 Change Enablement practices.

    4. Technology and Tools. Tools supporting Change Management shall comply with enterprise architecture standards and shall support enforcement of defined controls, traceability, and auditability. Tool capabilities shall enable workflow management, authorization tracking, notification, escalation, and reporting. Automation shall be implemented where appropriate to improve consistency, reduce manual effort, and support lifecycle execution and performance monitoring.

2.125.1.1.5 (10-31-2022)

Program Controls

  1. Program Controls shall establish the governance framework for Change Management by defining required controls and performance measures to ensure changes are managed in a consistent, controlled, and auditable manner. Controls shall define requirements, constraints, and boundaries for authorization, documentation, implementation, and compliance. Metrics shall provide quantitative measures to evaluate effectiveness, efficiency, and risk, and shall support governance oversight, operational visibility, and continuous improvement.

2.125.1.1.5.1 (10-31-2022)
Controls

  1. Controls shall establish governance over Change Management by defining the requirements, constraints, and boundaries within which Change Management operates.

    Name Description
    Change Authorization Shall require documented authorization of all CRs by designated authorities prior to implementation, based on defined criteria, risk, and impact.
    Segregation of Duties Shall enforce separation of responsibilities across initiation, authorization, implementation, and validation to prevent end-to-end control by a single individual, with defined compensating controls for Emergency Changes.
    Risk and Impact Assessment Shall require documented evaluation of operational, technical, and security impacts, including Security Impact Assessment (SIA) where applicable, and identification of affected CIs and configuration baselines.
    Change Classification Shall require classification of CRs (e.g., Standard, Normal, Emergency) to determine required controls, processing requirements, and authorization levels.
    Change Documentation and Records Shall require complete and accurate recording of CRs, including approvals, implementation details, validation results, and outcomes to ensure auditability.
    Auditability and Traceability Shall ensure end-to-end traceability of CRs across the lifecycle, including linkage to CIs, configuration baselines, Incident Records (IRs), and related artifacts.
    Change Validation and Review Shall require validation of implemented CRs and Post-Implementation Review (PIR) for failed, major, or Emergency Changes to ensure outcome verification and root cause analysis.
    Change Management Integration Shall require integration with enterprise processes and systems, including Configuration Management (CMDB), Incident Management (IM), and CI/CD pipelines to ensure lifecycle control and consistency.
    Monitoring and Reporting Shall require metrics, reporting, and monitoring of CR activity, including Emergency Changes and Segregation of Duties compliance, to support governance, audit readiness, and continuous improvement.
2.125.1.1.5.2 (10-31-2022)
Metrics

  1. Metrics shall provide quantitative measures used to evaluate the performance, effectiveness, and efficiency of Change Management. Metrics shall be aligned to defined business objectives and performance targets and shall support decision-making, risk management, and continuous improvement.

  2. Management shall establish performance targets and shall ensure measurable data is collected, analyzed, and reported across Change Management activities. Results shall be used to identify gaps, implement corrective actions, and improve performance.

  3. Metrics shall be defined, standardized, and documented, including a data dictionary where applicable, and shall align with organizational strategic goals and ITIL 4 Change Enablement practices.

  4. All enterprise and local Change Management functions, including tool owners, shall produce and report metrics to support governance oversight, operational visibility, and continuous evaluation of performance.

2.125.1.1.6 (06-05-2026)

Terms/Definitions/Acronyms

  1. The tables in the Terms/Definitions and Acronyms list commonly used terms and acronyms in the Change Management policy.

2.125.1.1.6.1 (06-05-2026)
Terms

  1. The following terms establish standardized definitions used within this policy to support consistent interpretation and application of Change Management requirements.

    Term Definition
    Change Management (ChM) The governance framework used to manage changes to systems and services to ensure control, traceability, and compliance.
    Change Request (CR) A formal record used to propose, evaluate, authorize, implement, and track a change.
    Configuration Item (CI) A component or service element subject to management and control that may be affected by a change.
    Configuration Baseline(s) An approved and documented state of a set of CIs that serves as a basis for change control and traceability.
    Change Classification The categorization of changes (e.g., Standard, Normal, Emergency) to determine required controls, processing requirements, and authorization levels.
    Standard Change A pre-authorized, low-risk change that follows an established and approved change model.
    Normal Change A change that follows the defined CM process, including assessment and authorization prior to implementation.
    Emergency Change A change that requires expedited processing to resolve or mitigate Priority 1 (P1) or Priority 2 (P2) incidents or prevent significant service disruption.
    Change Authorization The formal approval to implement a change based on defined criteria, including risk and impact.
    Change Record The documented record of a change maintained to support traceability, accountability, and auditability.
    Change Model A predefined and approved approach used to manage repeatable changes in a consistent and controlled manner.
    Post-Implementation Review (PIR) A structured review conducted after implementation to evaluate outcomes, identify root cause of issues, and determine corrective actions.
    Security Impact Assessment (SIA) The evaluation of potential security effects of a change to ensure risks are identified and addressed.
    Change Advisory Board (CAB) A governance body that provides review and recommendations to support risk-informed authorization of changes.
    Configuration Management Database (CMDB) The repository used to store and manage information about CIs and their relationships.
2.125.1.1.6.2 (06-05-2026)
Acronyms

  1. The following acronyms are used within this policy:

    Acronym Full Name
    CAB Change Advisory Board
    CI Configuration Item
    CI/CD Continuous Integration / Continuous Deployment
    ChM Change Management
    CMDB Configuration Management Database
    CR Change Request
    IM Incident Management
    IR Incident Record
    PIR Post-Implementation Review
    P1 Priority 1
    P2 Priority 2
    SIA Security Impact Assessment
2.125.1.1.7 (09-19-2018)

Related Resources

  1. The following policies provide related governance and requirements applicable to Change Management:

    • IRM 2.150.1 Configuration Management Policy

    • IRM 10.8.1 Information Technology (IT) Security, Security Policy

    • ISO/IEC 20000-1:2018 — Information technology — Service Management — Part 1: Service Management System Requirements (Clause 8.6 — Change Management)

    • ISO/IEC 20000-2:2019 — Information technology — Service Management — Part 2: Guidance on the Application of Service Management Systems

    • Information Technology Infrastructure Library (ITIL) 4 — Change Enablement practice

2.125.1.2 (10-31-2022)

Purpose

  1. This policy shall establish enterprise requirements for managing changes to systems, infrastructure, and services to ensure a consistent, controlled, and auditable approach to change implementation and lifecycle management.

  2. Change Management shall define governance, roles, responsibilities, and control requirements to ensure changes are authorized, risk-informed, and implemented in a manner that minimizes disruption to services and supports operational stability. Change Management shall also ensure changes are recorded, traceable, and aligned with enterprise objectives and compliance requirements.

2.125.1.3 (10-31-2022)

Scope

  1. This policy shall apply to all changes that may impact IRS systems, infrastructure, and services. This includes changes to architectures, applications, software, tools, documentation, and all associated CIs across the full service lifecycle.

  2. All organizations and stakeholders responsible for initiating, reviewing, authorizing, implementing, or validating changes shall comply with this policy.

2.125.1.4 (10-31-2022)

Mandates

  1. Change Requests Initiation. All proposed changes to CIs supporting IRS systems shall be formally recorded as a CR in an approved System of Record prior to evaluation, authorization, or implementation. Emergency Changes initiated in response to Priority 1 (P1) or Priority 2 (P2) incidents shall be recorded as CRs as soon as practicable and shall include linkage to the associated Incident Record (IR).

  2. Change Classification. All CRs shall be classified using defined criteria to determine required controls, processing requirements, risk handling, and authorization levels. Classification shall include designation of Emergency Changes, which shall be limited to conditions requiring immediate action to resolve or mitigate P1 or P2 incidents or prevent significant service degradation.

  3. Risk and Impact Assessment. Each CR shall include a documented assessment of operational, technical, security, and business impacts. A Security Impact Assessment (SIA) shall be performed where applicable. Assessments shall identify affected CIs, configuration baselines, systems, services, and dependencies to ensure traceability and support risk-informed decision-making. For Emergency Changes, assessment activities shall be performed to the extent practicable prior to implementation and completed retrospectively as required.

  4. Segregation of Duties. Segregation of Duties shall be enforced across the Change Management lifecycle to ensure that initiation, assessment, authorization, implementation, and validation activities are performed by separate individuals or roles. No individual shall have end-to-end control of a CR. Emergency Changes associated with P1 or P2 incidents may implement compensating controls where strict segregation is not practicable; such deviations shall be documented, justified, and subject to Post-Implementation Review (PIR).

  5. Change Authorization. Changes to CIs shall not be implemented without documented authorization from designated authorities independent of the individual(s) performing implementation. Authorization shall verify that required assessments, including SIA where applicable, have been completed and reviewed. Emergency Changes associated with P1 or P2 incidents may follow expedited authorization procedures but shall remain subject to defined emergency authorization controls and subsequent review.

  6. Change Scheduling. Approved CRs shall be scheduled within defined Deployment Windows. CRs shall only be implemented outside approved Deployment Windows under Emergency Changes, including response to P1 or P2 incidents or imminent risk of significant service disruption.

  7. Change Implementation. Approved CRs shall be implemented in accordance with defined procedures and controls. Implementation shall ensure logging, traceability, and alignment with Continuous Integration / Continuous Deployment (CI/CD) pipelines where applicable. Implementation shall include validated rollback or recovery capabilities. Implementation activities shall be performed by authorized personnel and shall be independent, where required, from those providing authorization. All CRs, including Emergency Changes, shall maintain traceability to affected CIs, configuration baselines, IRs where applicable, and approved CRs.

  8. Change Validation and Review. All implemented CRs shall be validated to confirm successful execution and achievement of intended outcomes. Validation shall be performed by personnel independent of implementation where practicable. CRs that fail, result in incidents, or are classified as major or Emergency Changes, including those associated with P1 or P2 incidents, shall undergo PIR to identify root cause and required corrective actions.

  9. Change Documentation and Record Update. CR records shall be updated to reflect implementation details, validation results, IR associations where applicable, and final outcomes. Records shall ensure completeness, accuracy, and auditability in accordance with established traceability requirements.

  10. Change Closure. CRs shall be formally closed only after validation, documentation, and required reviews are completed. Closure shall be performed by an authorized role independent of implementation where practicable. Approved CRs shall result in updates to configuration baselines and associated configuration records, including version control, in accordance with established traceability requirements. Emergency Changes shall not be closed until PIR activities are completed.

  11. Change Record Lifecycle Control. All CRs shall be maintained as auditable records throughout their lifecycle and managed in accordance with established lifecycle requirements. CRs remaining in a completed, pending closure, or awaiting review status for more than 60 calendar days shall be automatically closed by the approved Change Management System (CMS). Exceptions shall require documented justification and approval by the CM Process Owner.

  12. Change Management Integration and Reporting. Change Management shall be integrated with enterprise processes and systems, including Incident Management (IM), Configuration Management Database (CMDB), and CI/CD pipelines, to ensure end-to-end traceability and control across the CI lifecycle. Metrics and reporting shall include monitoring of Segregation of Duties compliance and tracking of Emergency Changes, including those associated with P1 and P2 incidents, to support governance oversight, audit readiness, performance monitoring, and continuous improvement.