2.150.1 Configuration Management Policy

Manual Transmittal

April 11, 2022

Purpose

(1) This transmits revised IRM 2.150.1 Configuration Management, Configuration Management Policy.

Material Changes

(1) Updated the Authority to cite the federal mandates and regulations.

(2) Updated the Mandates to provide clear and specific directives for managing configuration items

Effect on Other Documents

IRM 2.150.1 dated January 8, 2021 is superseded.

Audience

The Configuration Management Policy is applicable to all Information Technology (IT) organizations, contractors, and other stakeholders having responsibility for configuration, management, oversight, and successful day-to-day operations of the IRS IT enterprise hardware, software, and applicable documentation.

Effective Date

(04-11-2022)

Nancy Sieger
Chief Information Officer

Program Scope and Objectives

  1. Purpose. This IRM establishes the policy and sanctions the Configuration Management process for the Information Technology (IT) organization and hence will be called IT Configuration Management process. It provides the scope, authority, and mandates for institutionalizing the IT Configuration Management process.

  2. Audience. This policy is applicable to all IT organizations, contractors, and other stakeholders having responsibility for management, oversight, and successful day-to-day operations of IRS IT enterprise hardware, software, and applicable documentation.

  3. Policy Owner. Demand Management & Project Governance, under Enterprise Operations, Information Technology.

  4. Program Owner. Process & Document Management under the Demand Management & Project Governance.

  5. Primary Stakeholders. IT organizations having responsibility for establishing an internal or local Configuration Management process and/or managing and controlling their IT system and/or system components are stakeholders in the IT Configuration Management process.

  6. Contact Information. To recommend changes or to make any suggestions to this IRM section, e-mail the IT Configuration Management Program: it.cm.process@irs.gov

Background

  1. This IRM establishes the IT Configuration Management process tailored from industry best practices and standards to support the system and operational requirements of the IRS.

  2. This IRM enables the IT Configuration Management process to meet certain industry, federal, and regulatory requirements.

Authority

  1. IRM 1.2.1.3 Policy Statements for Information Technology Activities

  2. Office of Management and Budget (OMB) Circular A-130, “Managing Information as a Strategic Resource”

  3. Federal Information Security Modernization Act (FISMA) of 2014 (Public Law 113-283, 44 USC 3554)

    Note:

    Security Configuration Management policy and guidelines are explicitly defined in IRM 10.8.1 Information Technology (IT) Security, Policy and Guidance

Responsibilities

  1. The Director, Demand Management & Project Governance, is the Process Owner accountable for the IT Configuration Management process and providing resources for maintenance and support.

  2. The Chief, Process & Document Management, is the Process Manager responsible for establishing and managing the IT Configuration Management Program.

  3. The IT Configuration Management Program is responsible for:

    1. Developing and maintaining the IT Configuration Management policy and process for Software Configuration Management and Service Management.

    2. Training and coaching Process Practitioners assigned to perform their roles defined in the IT Configuration Management process.

    3. Communicating and socializing the IT Configuration Management process throughout the process community and other key stakeholders.

    4. Improving the IT Configuration Management process through process and operational metrics, process assessments and audits, process reviews and evaluations, and customer satisfaction surveys.

    5. Conducting and supporting process assessments and audits, where applicable.

  4. Process Practitioners who are responsible for carrying out their roles and responsibilities in the IT Configuration Management process.

  5. Functions, Service, and Product Owners who are responsible for implementing the requirements of IT Configuration Management process in the development and delivery of IT services for the IRS.

Mandates

  1. Establish a Configuration Management Plan that defines the resources (staff and tools), change authority, and appropriate process that will be used to support the configuration item throughout its life cycle.

    • All IT Projects developing new, enhancing, or improving IT system and/or system components shall establish a Configuration Management Plan.

    • All IT organizations maintaining and updating existing IT system and/or system components shall establish and maintain an organization-level or Associate Chief Information Office (ACIO) Configuration Management Plan and maintain currency every 3-years.

  2. Establish and maintain an inventory of IRS information systems in a configuration management system, such as a configuration management database.

    • Organizations and IT Projects shall select configuration items that will be managed and controlled throughout the life cycle.

    • All configuration items shall have defined attributes, ownership, and relationship information, such as system interfaces and dependencies.

    • All configuration items shall have a defined taxonomy, standard naming convention, and standard terms and definitions.

    • All configuration items shall establish and publish its configuration standards and baselines as the basis for change.

  3. Establish and maintain configuration control of all configuration items.

    • All proposed changes to configuration items shall go through the Change Management process and approved by an appropriate change authority.

    • All approved changes must update its configuration item record and establish its new baseline once deployed into the production environment.

  4. Establish the integrity and accuracy of all configuration items.

    • All configuration item records shall be regularly reviewed and verified to maintain overall accuracy, completeness, and consistency.

    • All configuration item records shall be verified and audited against its physical configuration item.