2.150.1 Configuration and Change Management Directive

Manual Transmittal

September 20, 2013

Purpose

(1) This transmits revised IRM 2.150.1, Configuration and Change Management, Configuration and Change Management Directive.

Background

Configuration Management (CM) and Change Management (ChM) procedures are referenced throughout the document.

Material Changes

(1) This Directive combines the IT Configuration Management (CM) Directive and the IT Change Management (ChM) Directive.

(2) Individual CM and ChM procedures have been published on the PAL and removed from the IRM.

Effect on Other Documents


IRM 2.150.1 dated July 24, 2013, is superseded.

Audience


The audience is all Information Technology organizations, employees and contractors.

Effective Date

(09-20-2013)

Terence V. Milholland
Chief Technology Officer

Administration

  1. Business Relationship Service Delivery (BRSD), Information Technology Enterprise Service Management (ITESM) and the Change Management (ChM) Program Management Office (PMO) are responsible for the development, implementation, and maintenance of this directive. Approval of this directive, including updates, rests with the ACIO, Enterprise Services and the ACIO, Enterprise Operations and will be pursued via the Integrated Process Management process. All proposed changes to this directive must be submitted to the Information Technology (IT) Configuration Management Workgroup (CMWG).

Purpose of Directive

  1. The purpose of this Directive is to establish authority and responsibility for the performance of Configuration Management and Change Management throughout the IRS IT Organization. This combined directive has been created to manage the implementation of changes in order to control and minimize risks to the IRS production environment and supporting test, development, and business continuity environments. Change Management activities are formalized with standard procedures to document the changes approved for implementation and subsequent scheduling of the deployment.

Scope

  1. All IT Organizations developing, maintaining and controlling systems in accordance with the Enterprise Life Cycle shall adhere to the mandates of this directive and all associated CM and ChM procedures.

  2. All staff involved in the preparation, review, and approval activities resulting in the transition of a changed or new product from development/acquisition through deployment, into any IRS environment, e.g., Production, Development, Test, Disaster Recovery, etc., are required to perform those changes in accordance with this directive. Owners of Configuration Items and designated change authorities are covered by this directive and any process assets derived from this directive. CM and ChM will coordinate with each ACIO organization to ensure proper routing and disposition of changes impacting IRS owned and/or maintained systems.

Mandates

  1. The following directives apply across the IT Organization:
    2.150.1.4.1 Change Management

    2.150.1.4.1.1 All Changes to Configuration Items (CIs) will be registered
    To maintain an accurate information status of Configuration Items, all proposed changes to CIs supporting any IRS system, e.g., Production, Development, Test, Disaster Recovery, etc., will be recorded as Requests for Change (RfCs) in an approved Change Management system.
    2.150.1.4.1.2 All Changes must be approved prior to implementation
    All changes to CIs supporting any IRS system, e.g., Production, Development, Test, Disaster Recovery, etc., will be approved prior to their implementation, with the allowed exception of Emergency Changes. A Change Advisory Board shall be established under this directive to make those approvals, with the authority to charter subordinate boards as appropriate. Emergency Changes implemented without prior approval must be documented according to the emergency change procedure in an approved Change Management system and reviewed at the next meeting of the CAB.
    2.150.1.4.1.3 All Changes must be deployed in an approved window
    All changes shall be scheduled for deployment in an approved window, and can only be deployed outside that window if there is an accompanying P1 or P2 incident in KISAM that justifies the exception.
    2.150.1.4.1.4 Risk, Technical, Security, and Business Impact Assessment
    All changes will be assessed for risk and categorized based on risk. All RfCs must include an assessment of the risk and business impact of the change, as well as technical and security assessments of the planned work. Changes impacting the forecast business results, documented in the UWR, business case or equivalent justification, will be presented to the owning IT Governance ESC or Governance Board (if low risk and/or low cost) for acceptance of the impact prior to approval of the CR. This ensures a comprehensive review of proposed changes before they are authorized and approved for release into production.
    2.150.1.4.1.5 Review of Unsuccessful Changes and Incidents Caused by Change
    When changes are implemented, the success or failure of the implementation will be recorded on the RfC. Changes considered not successful include changes not implemented as planned; changes backed out, all or in part; changes not implemented per schedule; and changes causing incidents. These unsuccessful changes will be reviewed at the next CAB meeting and/or by Change Management staff, to determine the cause of the failure and plan remediation actions for the future.
    2.150.1.4.1.6 Provision of Adequate Resources
    Organization heads will work with IT Configuration Management and the Change Management Office to establish scalable practices to ensure compliance with the critical elements of the Configuration Management and Change Management processes.
    2.150.1.4.1.7 Staff Training
    ChM PMO will also provide clear process documentation and web-based training tools to enable effective process adoption.
    2.150.1.4.1.8 Process Improvement
    Process Improvement initiatives are strongly encouraged, to improve the quality of process performance, but these initiatives must be coordinated with IT Configuration Management and the Change Management Program Office to avoid redundant or conflicting efforts.

    2.150.1.4.2 Configuration Management

    2.150.1.4.2.1 CM Activities
    All CM activities shall be planned, managed, implemented and controlled in accordance with all applicable laws, regulations, IRS policies and IT CM Plans, processes, and procedures.
    2.150.1.4.2.2 CM Plan Support
    A CM Plan that supports the implementation of these directives shall be developed and maintained for each program, development project or operational system. Development projects and operational systems may leverage higher-level plans. However, these CM plans must provide adequate guidance and necessary requirements to support the development and maintenance of all systems implementing the plan.
    2.150.1.4.2.3 CM Plan Implementation
    CM plans shall be implemented in accordance with approved CM standards and procedures, tailored, as necessary, for the program, project, or operational system. All tailoring shall be documented in the applicable CM Plan and approved by the CM process owner or designated representative.
    2.150.1.4.2.4 CM Program
    The IT CM Program shall have the authority and responsibility for implementing the necessary processes to support the integrity of products developed using the ELC Framework.
    2.150.1.4.2.5 Responsibilities
    Responsibilities for program, project, or operational system level CM activities shall be explicitly assigned by the applicable IRS Executive and outlined in a CM Plan. Roles and responsibilities shall be aligned with the IT Configuration and Change Management Plan.
    2.150.1.4.2.6 CM Process Owner
    The Configuration Management process owner shall work closely with the Change and Release Management process owners to ensure the integrity of identified configuration items (CI) and services provided by IT Organizations.
    2.150.1.4.2.7 Approved Procedures
    Using approved procedures, CIs and associated artifacts shall be identified and documented in accordance with prescribed standards.
    2.150.1.4.2.8 Configuration Identification Maintenance
    Program, project, and operational system CIs shall be maintained in an approved CM repository or system, and CI data shall be recorded in accordance with the approved process and procedures.
    2.150.1.4.2.9 Auditing
    The CM Program is responsible for periodically auditing identified production system CIs and reporting findings to applicable Business and IT system stakeholders.
    2.150.1.4.2.10 FCA and PCA
    CM Functional Configuration Audits (FCA) and Physical Configuration Audits (PCA) of CIs shall be conducted as required by the CM Program, process owner and the ELC Framework. This requirement shall be planned into the development and operational life cycle of all IT production systems.
    2.150.1.4.2.11 CM Training
    Organization personnel designated or assigned to perform CM activities shall be trained in the standards, processes, and procedures for performing these activities, consistent with the CM Program approved process.
    2.150.1.4.2.12 CM Repository
    CM and other controlled information, such as documents, requirements data and measurements, shall be recorded and maintained in a library or CM Repository and shared as necessary with applicable stakeholder organizations.
    2.150.1.4.2.13 CM Resources
    The CTO or other delegated executive shall ensure that necessary budget, labor, tools and appropriate training are available to implement the CM plans, policies, and procedures established by the CM process owner and program.
    2.150.1.4.2.14 CM Metrics
    The CM Program shall establish and collect metrics used to determine the status of the CM activities and effectiveness of the CM process.
    2.150.1.4.2.15 CM Review
    CM plans and activities shall be reviewed by IT management and the program/project managers on a periodic and event-driven basis.
    2.150.1.4.2.16 CM Oversight
    The IT CM Program is responsible for oversight of the CM process and supporting activities. The CM Program shall assess process compliance to support measurements of effectiveness, capability maturity and external auditing of IT organizations.

Waivers and Deviations

  1. Any waivers or deviations from this directive require written approval from ITESM and/or ChM PMO.

CMMI, ITIL, PMI Compliance

  1. The Capability Maturity Model Integrated (CMMI) can be used to judge the maturity of an organization's processes and related procedures and process assets and can be used to plan further improvements. CMMI sets the standard for the essential elements of effective and mature processes, improved with quality and efficiency. Configuration Management process improvement activities will be conducted by a chartered process working group.

  2. The Information Technology Infrastructure Library (ITIL) contains a collection of best practices, enabling organizations to build an efficient framework for delivering IT Service Management (ITSM) and ensuring that they are meeting business goals and delivering benefits that facilitate business change, transformation, and growth.

  3. The Project Management Institute (PMI) organization advances the project management profession through globally recognized standards and certifications.

  4. This process asset is used to indicate that all artifacts are developed or acquired, incorporating CMMI, ITIL, PMI requirements, to meet the business objectives of the organization and that they represent investments by the organization that are expected to provide current and future business value to the IRS.

Definitions, References

  1. Definitions
    A Glossary is also available on the Integrated Process Management (IPM) Process Asset Library (PAL).

  2. References
    The following resources are either referenced in this document or were used to create it.

    • IT Configuration Management Directive

    • IT Change Management Directive

Authority and Reference Documents

  1. The following lists the regulatory documents that validate the IT Configuration and Change Management Directive:

    • IT Directive Template

    • Internal Revenue Manual (IRM) 2.7.5, System Control Point (SCP) Configuration Management (CM) Guidelines.

    • Internal Revenue Service IT Change Management Program Management Office, Operating Charter.

Appendix A: CM Glossary

  1. Figure 1 is the CM Glossary.

Appendix B: Abbreviations and Acronyms

  1. Figure 2 is the List of Abbreviations and Acronyms.