2.150.1 Configuration Management Policy

Manual Transmittal

July 02, 2020

Purpose

(1) This transmits a revised IRM 2.150.1 Configuration Management, Configuration Management Policy.

Material Changes

(1) Editorial updates.

Effect on Other Documents

IRM 2.150.1 dated April 16, 2018 is superseded.

Audience

The Configuration Management Policy is applicable to all Information Technology (IT) organizations, contractors, and other stakeholders having responsibility for configuration, management, oversight, and successful day-to-day operations of the IRS IT enterprise hardware, software, and applicable documentation.

Effective Date

(07-02-2020)

Nancy Sieger
Acting Chief Information Officer

Program Scope and Objectives

  1. This document describes the formal Information Technology (IT) policy for implementing the requirements of the Configuration Management process. It provides the purpose, scope, authority, and mandates for institutionalizing this process.

  2. Configuration Management is responsible for maintaining information about configuration items required to deliver an IT Service. It covers the identification, recording, and reporting of IT components, including their versions, constituent components and relationships. Items that should be under the control of Configuration Management include hardware, software, and associated documentation.

Background

  1. Information systems are typically dynamic, causing the system state to change frequently because of upgrades to hardware, software, firmware or modifications to the surrounding environment in which a system resides. Industry standards and best practices such as:

    • Institute of Electrical and Electronic Engineers (IEEE) Standard for Software Configuration Management in Systems

    • Software Engineering Body of Knowledge (SWEBOK)

    • ITIL Service Transition 2011: Service Asset and Configuration Management

    • International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 20000:2011 Information Technology Service Management (ITSM)

    • National Institute of Standards and Technology (NIST) Special Publications (SP) 800-128 Guide for Security-Focused Configuration Management

    including those issued by the Government Accounting Office (GAO) and the Office of Management and Budget (OMB), stress that information systems (e.g., general support systems, major applications, and minor applications) must document and assess the potential impact that proposed system changes may have on the operational processes and security posture of the system. Information technology industry best practices recognize this as an essential aspect of effective system management, as well as being part of the continuous monitoring and maintenance of security accreditation of federal systems required.

  2. Configuration Management is a critical control for ensuring the integrity, security, and reliability of the Internal Revenue Service (IRS) information systems. Absent a disciplined process for controlling configuration changes, management cannot be assured that its systems will operate as intended, or that systems’ maintenance will be performed in a cost-effective or timely manner.

Purpose
  1. The purpose of this Policy is to establish an IT-wide Configuration Management Program and to provide responsibilities, compliance requirements, and overall principles for the Configuration Management process to support information technology management across the IT organization.

Scope
  1. This Policy is applicable to all the IRS IT enterprise hardware, software, and applicable documentation that might impact the IRS IT system and services performance, operations, and security.

Authority

  1. Demand Management & Project Governance (DMPG) is responsible for the development, implementation, and maintenance of this policy. Approval of this policy, including updates, rests with the Configuration Management process owner under DMPG. All proposed changes to this directive must be submitted to the IT CM Program under DMPG.

Mandates

  1. Establish a configuration management plan to describe how configuration management will be conducted throughout the project or product lifecycle.

  2. Leverage on existing Configuration Control Board (CCB) to control the product and service baseline, and evaluate and approve proposed changes to the configuration items. No new CCBs or sub-ordinate CCBs shall be created, and any exceptions will require approval from the Configuration Management process owner.

  3. Identify, control, record, report, verify, and audit configuration items, including attributes and relationships.

  4. Work with Change Management to account for, manage, and protect the integrity of the configuration items throughout it product and service lifecycle.

  5. Ensure the integrity of the configuration items by maintaining an accurate and complete Configuration Management System.

  6. Support efficient and effective service management by providing accurate configuration information.