2.150.1 Configuration Management Policy

Manual Transmittal

April 16, 2018

Purpose

(1) This transmits a revised IRM 2.150.1, Configuration Management, Configuration Management Policy.

Material Changes

(1) Separates the Configuration and Change Management policy and mandates.

(2) Updates new process ownership to Demand Management & Project Governance under Enterprise Operations.

Effect on Other Documents

IRM 2.150.1 dated September 20, 2013 is superseded.

Audience

The Configuration Management Policy is applicable to all Information Technology (IT) organizations, contractors, and other stakeholders having responsibility for configuration, management, oversight, and successful day-to-day operations of the IRS IT enterprise hardware, software, and applicable documentation.

Effective Date

(04-16-2018)

S. Gina Garza
Chief Information Officer

Program Scope and Objectives

  1. This document describes the formal Information Technology (IT) policy for implementing the requirements of the Configuration Management process. It provides the purpose, scope, authority, and mandates for institutionalizing this process.

  2. Configuration Management is responsible for maintaining information about configuration items required to deliver an IT Service. It covers the identification, recording, and reporting of IT components, including their versions, constituent components and relationships. Items that should be under the control of Configuration Management include hardware, software, and associated documentation.

Background

  1. Information systems are typically dynamic, causing the system state to change frequently because of upgrades to hardware, software, firmware or modifications to the surrounding environment in which a system resides. Industry standards and best practices such as the Capability Maturity Model Integrated (CMMI), Information Technology Infrastructure Library (ITIL), and International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 20000:2011 Information Technology Service Management, including those issued by the Government Accounting Office (GAO) and the Office of Management and Budget (OMB), and several National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) and Special Publications (SP), stress that information systems (e.g., general support systems, major applications, and minor applications) must document and assess the potential impact that proposed system changes may have on the operational processes and security posture of the system. Information Technology (IT) industry best practices recognize this as an essential aspect of effective system management, as well as being part of the continuous monitoring and maintenance of security accreditation of Federal systems required.

  2. Configuration Management is a critical control for ensuring the integrity, security, and reliability of the Internal Revenue Service (IRS) information systems. Absent a disciplined process for controlling configuration changes, management cannot be assured that its systems will operate as intended, or that systems’ maintenance will be performed in a cost-effective or timely manner.

Purpose
  1. The purpose of this Policy is to establish an IT-wide Configuration Management Program and to provide responsibilities, compliance requirements, and overall principles for the Configuration Management process to support information technology management across the IT organization.

Scope
  1. This Policy is applicable to all the IRS IT enterprise hardware, software, and applicable documentation that might impact the IRS IT system and services performance, operations, and security.

Authority

  1. Demand Management & Project Governance (DMPG) is responsible for the development, implementation, and maintenance, of this policy. Approval of this policy, including updates, rests with the Configuration Management process owner under DMPG. All proposed changes to this directive must be submitted to the World Class Center of Excellence (WCOE) Branch under DMPG.

Mandate

  1. Establish a configuration management plan to describe how configuration management will be conducted throughout the project or product lifecycle.

  2. Leverage on existing Configuration Control Board (CCB) to control the product and service baseline and evaluate and approve proposed changes to the Configuration Items. No new CCBs or sub-ordinate CCBs shall be created, and any exceptions will require approval from the Configuration Management process owner.

  3. Identify, control, record, report, audit, and verify Configuration Items, including attributes and relationships.

  4. Work with Change Management to account for, manage and protect the integrity of the Configuration Items throughout their service lifecycle.

  5. Ensure the integrity of the Configuration Items by maintaining an accurate and complete Configuration Management System.

  6. Support efficient and effective service management by providing accurate configuration information.