- 2.150.1 Configuration and Change Management Directive
- 184.108.40.206 Administration
- 220.127.116.11 Purpose of Directive
- 18.104.22.168 Scope
- 22.214.171.124 Mandates
- 126.96.36.199 Waivers and Deviations
- 188.8.131.52 CMMI, ITIL, PMI Compliance
- 184.108.40.206 Definitions, References
- 220.127.116.11 Authority and Reference Documents
- 18.104.22.168 Appendix A: CM Glossary
- 22.214.171.124 Appendix B: Abbreviations and Acronyms
Part 2. Information Technology
Chapter 150. 0 Configuration and Change Management
Section 1. Configuration and Change Management Directive
September 20, 2013
(1) This transmits revised IRM 2.150.1, Configuration and Change Management, Configuration and Change Management Directive.
Configuration Management (CM) and Change Management (ChM) procedures are referenced throughout the document.
(1) This Directive combines the IT Configuration Management (CM) Directive and the (ChM) Directive.
(2) Individual CM and ChM procedures have been published on the PAL and removed from the IRM.
IRM 2.150.1 dated July 24, 2013, is superseded.
The audience is all Information Technology organizations, employees and contractors.
Terence V. Milholland
Chief Technology Officer
Business Relationship Service Delivery (BRSD), Information Technology Enterprise Service Management (ITESM) and the Change Management (ChM) Program Management Office (PMO) are responsible for the development, implementation, and maintenance, of this directive. Approval of this directive, including updates, rests with the ACIO, Enterprise Services and the ACIO, Enterprise Operations and will be pursued via the Integrated Process Management process. All proposed changes to this directive must be submitted to the Information Technology (IT) Configuration Management Workgroup (CMWG).
The purpose of this Directive is to establish authority and responsibility for the performance of Configuration Management and Change Management throughout the IRS IT Organization. This combined directive has been created to manage the implementation of changes in order to control and minimize risks to the IRS production environment and supporting test, development, and business continuity environments. Change Management activities are formalized with standard procedures to document the changes approved for implementation and subsequent scheduling of the deployment.
All IT Organizations developing, maintaining and controlling systems in accordance with the Enterprise Life Cycle shall adhere to the mandates of this directive and all associated CM and ChM procedures.
All staff involved in the preparation, review, and approval activities resulting in the transition of a changed or new product from development/acquisition through deployment, into any IRS environment, e.g., Production, Development, Test, Disaster Recovery, etc., are required to perform those changes in accordance with this directive. Owners of Configuration Items and designated change authorities are covered by this directive and any process assets derived from this directive. CM and ChM will coordinate with each ACIO organization to ensure proper routing and disposition of changes impacting IRS owned and/or maintained systems.
The following directives apply across the IT Organization:
126.96.36.199.1 Change Management
188.8.131.52.1.1 All Changes to Configuration Items (CIs) will be registered
To maintain an accurate information status of Configuration Items, all proposed changes to CIs supporting any IRS system, e.g., Production, Development, Test, Disaster Recovery, etc., will be recorded as Request for Change (RfCs) in an approved Change Management system.
184.108.40.206.1.2 All Changes must be approved prior to implementation
All changes to CIs supporting any IRS system, e.g., Production, Development, Test, Disaster Recovery, etc., will be approved prior to their implementation, with the allowed exception of Emergency Changes. A Change Advisory Board shall be established under this directive to make those approvals, with the authority to charter subordinate boards as appropriate. Emergency Changes implemented without prior approval must be documented according to the emergency change procedure in an approved Change Management system and reviewed at the next meeting of the CAB.
220.127.116.11.1.3 All Changes must be deployed in an approved window
All changes shall be scheduled for deployment in an approved window, and can only be deployed outside that window if there is an accompanying P1 or P2 incident in KISAM that justifies the exception.
18.104.22.168.1.4 Risk, Technical, Security, and Business Impact Assessment
All changes will be assessed for risk and categorized based on risk. All RfCs must include an assessment of the risk and business impact of the change, as well as technical and security assessments of the planned work. Changes impacting the forecast business results, documented in the UWR, business case or equivalent justification will be presented to the owning IT Governance ESC or Governance Board (if low risk and or low cost) for acceptance of the impact prior to approval of the CR. This ensures a comprehensive review of proposed changes before they are authorized and approved for release into production.
22.214.171.124.1.5 Review of Unsuccessful Changes and Incidents Caused by Change
When changes are implemented, the success or failure of the implementation will be recorded on the RfC. Changes considered not successful include changes not implemented as planned; changes backed out, all or in part; changes not implemented per schedule; and changes causing incidents. These unsuccessful changes will be reviewed at the next CAB meeting and/or by Change Management staff, to determine the cause of the failure and plan remediation actions for the future.
126.96.36.199.1.6 Provision of Adequate Resources
Organization heads will work with IT Configuration Management and the Change Management Office to establish scalable practices to ensure compliance with the critical elements of the Configuration Management and Change Management processes.
188.8.131.52.1.7 Staff Training
ChM PMO will also provide clear process documentation and web-based training tools to enable effective process adoption.
184.108.40.206.1.8 Process Improvement
Process Improvement initiatives are strongly encouraged, to improve the quality of process performance, but these initiatives must be coordinated with IT Configuration Management and the Change Management Program Office to avoid redundant or conflicting efforts.
220.127.116.11.2 Configuration Management
18.104.22.168.2.1 CM Activities
All CM activities shall be planned, managed, implemented and controlled in accordance with all applicable laws, regulations, IRS policies and IT CM Plans, processes, and procedures
22.214.171.124.2.2 CM Plan Support
CM Plan that supports the implementation of these directives shall be developed and maintained for each program, development project or operational system. Development projects and operational systems may leverage higher-level plans. However, these CM plans must provide adequate guidance and necessary requirements to support the development and maintenance of all systems implementing the plan.
126.96.36.199.2.3 CM Plan Implementation
CM plans shall be implemented in accordance with approved CM standards and procedures, tailored, as necessary, for the program, project, or operational system. All tailoring shall be documented in the applicable CM Plan and approved by CM process owner or designated representative.
188.8.131.52.2.4 CM Program
The IT CM Program shall have the authority and responsibility for implementing the necessary processes to support the integrity of products development using the ELC Framework.
Responsibilities for program, project, or operational system level CM activities shall be explicitly assigned by the applicable IRS Executive and outlined in a CM Plan. Roles and responsibilities shall be aligned with the IT Configuration and Change Management Plan.
184.108.40.206.2.6 CM Process Owner
The Configuration Management process owner shall work closely with the Change and Release Management process owners to ensure the integrity of identified configuration items (CI) and services provided by IT Organizations.
220.127.116.11.2.7 Approved Procedures
Using approved procedures, CIs and associated artifacts shall be identified and documented in accordance with prescribed standards.
18.104.22.168.2.8 Configuration Identification Maintenance
Program, project, and operational system CIs shall be maintained in an approved CM repository or system, and CI data shall be recorded in accordance with the approved process and procedures.
The CM Program is responsible for periodically auditing identified production system CIs and reporting findings to applicable Business and IT system stakeholders.
22.214.171.124.2.10 FCA and PCA
CM Functional Configuration Audits (FCA) and Physical Configuration Audits (PCA) of CIs shall be conducted as required by the CM Program, process owner and the ELC Framework. This requirement shall be planned into the development and operational life cycle of all IT production systems.
126.96.36.199.2.11 CM Training
Organization personnel designated or assigned to perform CM activities shall be trained in the standards, processes, and procedures for performing these activities, consistent with the CM Program approved process.
188.8.131.52.2.12 CM Repository
CM and other controlled information, such as documents, requirements data and measurements, shall be recorded and maintained in a library or CM Repository and shared as necessary with applicable stakeholder organizations.
184.108.40.206.2.13 CM Resources
The CTO or other delegated executive shall ensure that necessary budget, labor, tools and appropriate training is available to implement the CM plans, policies, and procedures established by the CM process owner and program.
220.127.116.11.2.14 CM Metrics
The CM Program shall establish and collect metrics used to determine the status of the CM activities and effectiveness of the CM process.
18.104.22.168.2.15 CM Review
CM plans and activities shall be reviewed by IT management and the program/project managers on a periodic and event driven basis.
22.214.171.124.2.16 CM Oversight
The IT CM Program is responsible for oversight of the CM process and supporting activities. The CM Program shall assess process compliance to support measurements of effectiveness, capability maturity and external auditing of IT organizations.
Any waivers or deviations from this directive require written approval from ITESM and/or ChM PMO.
The Capability Maturity Model Integrated (CMMI) can be used to judge the maturity of an organization's processes and related procedures and process assets and can be used to plan further improvements. CMMI sets the standard for the essential elements of effective and mature processes, improved with quality and efficiency. Configuration Management process improvement activities will be conducted by a chartered process working group.
The Information Technology Infrastructure Library(ITIL) contains a collection of best practices, enabling organizations to build an efficient framework for delivering IT Service Management (ITSM) and ensuring that they are meeting business goals and delivering benefits that facilitate business change, transformation, and growth.
The Project Management Institute (PMI) organization advances the project management profession through globally recognized standards and certifications.
This process asset is used to indicate that all artifacts are developed or acquired, incorporating CMMI, ITIL, PMI requirements, to meet the business objectives of the organization and that they represent investments by the organization that are expected to provide current and future business value to the IRS.
A Glossary is also available on the Integrated Process Management (IPM) Process Asset Library (PAL).
The following resources are either referenced in this document or were used to create it.
IT Configuration Management Directive
IT Change Management Directive
The following lists the regulatory documents that validate the IT Configuration and Change Management Directive:
IT Directive Template
Internal Revenue Manual (IRM) 2.7.5, System Control Point (SCP) Configuration Management (CM) Guidelines.
Internal Revenue Service IT Change Management Program Management Office, Operating Charter.
Figure 1 is the CM Glossary
Figure 2 is the List of Abbreviations and Acronyms