2.17.1 Infrastructure Currency Policy for Software

Manual Transmittal

October 26, 2020

Purpose

(1) This transmits revised IRM 2.17.1, Infrastructure Currency, Infrastructure Currency Policy for Software.

Material Changes

(1) No changes; establishing IRM 2.17.1

Effect on Other Documents

Interim Guidance IT-02-0118-0001 is incorporated into this IRM. IRM 2.17.1 dated October 9, 2018, is superseded.

Audience

Information Technology

Effective Date

(10-26-2020)


Nancy Sieger
Acting Chief Information Officer

Program Scope and Objectives

  1. The IRS IT Commercial Off-The-Shelf (COTS) software infrastructure shall use only Software Product Versions that are approved in the Enterprise Standards Profile (ESP).

  2. Purpose: This section provides direction for maintaining IRS COTS software across the IRS IT Infrastructure.

  3. Audience: IRS IT employees and business units deploying COTS software on the IRS IT infrastructure.

  4. Policy Owner: The Director, ES/EA owns the policies contained herein.

  5. Program Owner: Enterprise Infrastructure Currency is responsible for the administration, procedures and updates to the program.

  6. Primary Stakeholders: All IRS IT ACIO areas and Business units that control COTS software on the IRS IT infrastructure.

  7. Program Goals: These are the instructions for maintaining the currency of COTS software on the IRS IT infrastructure.

  8. Terminology referenced in this IRM:

    • Compliance: A software product version’s adherence to the standards and guidance provided in the Enterprise Standards Profile (ESP)

      Note: Please refer to IRM 2.15.1 for ESP-related information.

    • Currency: A measurement of a software product’s lifecycle in relation to the vendor’s latest major version. The latest major version is N, the immediately preceding major version is N-1.

  9. The COTS products on the IRS IT Infrastructure shall be considered in compliance if they are using the most current “Major Version Approved” in the ESP or the immediately preceding major version that is approved in the ESP.

  10. For product versions identified as non-compliant, product custodians will, within 6 months of such identification, provide a plan to become compliant via upgrade, replacement, or removal from the IRS environment, or request to remain on the current version via Risk Acceptance Form and Tool (RAFT).

  11. Following a product version upgrade, any non-compliant instances of the product shall be removed/deleted/deinstalled from the Enterprise or a request to retain the non-compliant version shall be documented via a Risk Acceptance Form and Tool (RAFT). Completion of upgrades, removals, deletions or RAFT approval shall be completed within 12 months of the initial non-compliance date. The Infrastructure Executive Steering Committee (IESC) shall approve the disposition of all non-compliant versions.

    Note: This policy is not applicable in the test labs.

  12. Figure 2.17.1-1 provides several sample scenarios and the resulting compliance status.

    Figure 2.17.1-1

    | If... | And... | Then... |
    | --- | --- | --- |
    | The version is approved for use in the ESP | The latest major version in the ESP or the immediately preceding major version | The version is compliant |
    | The version is approved for use in the ESP | Is not either the latest major version in the ESP or the immediately preceding major version | The version is not compliant, reference the non-compliance section of IRM |
    | The version is not approved for use or reflected in the ESP | | The version is not compliant, reference the non-compliance section of IRM |