2.149.1 Asset Management Policy
2.149.1.1 Program Scope and Objectives
2.149.1.1.1 Background
2.149.1.1.2 Authority
2.149.1.1.3 Responsibilities
2.149.1.1.4 Program Management and Review
2.149.1.1.5 Program Controls
2.149.1.1.6 Terms/Definitions/Acronyms
2.149.1.1.6.1 Terms and Definitions
2.149.1.1.6.2 Acronyms
2.149.1.1.7 Related Resources

Part 2. Information Technology
Chapter 149. IT Asset Management
Section 1. Asset Management Policy

2.149.1 Asset Management Policy

Manual Transmittal
May 29, 2024

Purpose
(1) This transmits revised IRM 2.149.1, Information Technology (IT) Asset Management (AM) Policy.

Material Changes
(1) IRM 2.149.1 was updated for editorial changes to:
- remove a decommissioned term, in order to meet the new IRS guidelines
- correct the Information Technology Infrastructure Library (ITIL) definition

Effect on Other Documents
IRM 2.149.1 dated September 29, 2022 is superseded.

Audience
The IT Asset Management Policy is applicable to all employees enterprise-wide responsible for managing IT equipment, including Asset Management’s stakeholders, customers, asset owners, contractors, and vendors.

Effective Date
(05-29-2024)

Rajiv Uppal, Chief Information Officer

2.149.1.1 (05-29-2024) Program Scope and Objectives

These policies define the Asset Management (AM) process and apply to all areas managing information technology assets.

Purpose: This document describes the formal Information Technology (IT) policy for implementing the requirements of the Information Technology (IT) Asset Management Policy process. It provides the purpose, scope, authority, and mandates for institutionalizing this process. This policy establishes authority and responsibility for the performance of IT asset management throughout the IRS. It also establishes policies and procedures for management and control of hardware and software assets (TIER 3) throughout their lifecycle.

Audience: The AM Policy is applicable to all employees enterprise-wide responsible for managing IT equipment, including AM’s stakeholders, customers, asset owners, contractors, and vendors.

Policy Owner: The office of AM within Information Technology, UNS, Operations Service Support.

Program Owner: Information Technology, UNS, Operations Service Support, Program Director is responsible for overseeing and managing IT assets enterprise-wide that meet the established criteria set forth in this IRM.

Primary Stakeholders: All organizations, business units and employees including contractors who have inventory responsibilities are considered stakeholders and must abide by the criteria set forth in this IRM.

Program Goals: AM is the process responsible for tracking and reporting the value and ownership of financial assets throughout their lifecycle. AM is part of ITIL Process. An IT asset is property or equipment that is part of the IT infrastructure, including hardware and software for IT and telecommunications data and voice that is in use, in reserve storage, or is awaiting disposal. All IRS organizations (including contractors) developing, maintaining, and controlling IT assets shall adhere to the mandates of this policy and all associated AM procedures.

2.149.1.1.1 (05-29-2024) Background

UNS is responsible for the development, implementation and maintenance of this directive. Approval of this directive, including updates, rests with the Associate Chief Information Officer (ACIO) for UNS. All proposed changes to this directive must be submitted to the Information Technology, UNS, Operations Service Support, Asset Management organization.

These policies define the Asset Management process and apply to all areas managing information technology assets.

2.149.1.1.2 (05-29-2024) Authority

All AM activities shall be planned, managed, implemented, and controlled in accordance with all applicable laws, regulations, IRS policies, processes, and procedures.

Throughout the lifecycle of hardware and software assets, the following policies apply:
- The Chief Information Officer (CIO) is the official responsible for ownership, management, and control of IT property.
- Organizations other than IRS IT are not authorized to purchase, acquire, manage, move or maintain IT property.
- IRS IT is also responsible for the accounting and recording of IT property in the inventory system.
- The CIO or other delegated executive shall ensure that necessary budget, labor, tools, and appropriate training are available to implement asset management policies and procedures.
- This process supports the integrity of the data by ensuring accurate and complete asset records are maintained.
- Reports shall contain complete, reliable, consistent, and timely financial information regarding IT assets.
- Asset data shall be documented using approved procedures.
- The IT asset records are periodically audited with the results reported to the applicable business and system stakeholders.
- The personnel designated or assigned to perform asset management activities shall be trained in the standards, process, and procedures for performing these activities.
- The collection of metrics is used to determine the status of asset management activities and effectiveness to support increasing capability maturation.
- The asset management process shall ensure economic and efficient purchase, lease, maintenance, operation, and use of IT property.
- The disposal of hardware assets shall include transfer of excess or surplus computer equipment to qualifying schools and educational non-profits as a high priority.
- The IRS complies with audit requests from the Treasury Inspector General for Tax Administration’s (TIGTA) Office of Audit and resolves audit findings.
- The IRS adheres to Government Accountability Office (GAO) policies and procedures.
- Federal agencies are required to employ tracking systems, such as specialized fully automated applications depending on the needs of the organization, for software protected by quantity licenses to control copying and distribution and to help ensure that software is used in accordance with licensing agreements.
- Bureaus are required to periodically scan their networks to detect and remove any unauthorized or unlicensed software.
- Federal agencies are required to develop software license management policies and procedures.
- Federal agencies are also required to prepare inventories of software present on computers to help to ensure that software is used in compliance with copyright laws.
- Federal agencies are required to take inventory of their information technology assets and ensure they are not paying for unused or underutilized installed software.

2.149.1.1.3 (05-29-2024) Responsibilities

UNS is responsible for the development, implementation and maintenance of this directive. Approval of this directive, including updates, rests with the Information Technology, UNS, Operations Service Support, Asset Management organization. All proposed changes to this directive must be submitted to UNS.

2.149.1.1.4 (05-29-2024) Program Management and Review

Policies outline a set of plans or courses of action that are intended to influence and determine decisions or actions of a process. Policies provide an element of governance over the process that provides alignment to business vision, mission and goals.

Process Management Statement: The AM Process will have a single Process Owner and a separate Process Manager, responsible for implementation and ensuring adherence to the process. The process will be reviewed regularly to ensure that it continues to support the business requirements of the enterprise. The process will be designed and developed based on ROI to the business. Process metrics will be focused on providing relevant information as opposed to merely presenting raw data.

People Statement: Roles and responsibilities for the process must be clearly defined and appropriately staffed with people having the required skills and training. The mission, goals, scope and importance of the process must be clearly and regularly communicated by upper management to the staff and business customers of IT. All IT staff (direct and indirect users of the process) shall be trained at the appropriate level to enable them to support the process.

Rationale: It is imperative that people working in, supporting, or interacting with the process in any manner understand what they are supposed to do. Without that understanding the Asset Management Process will not be successful.

Process Statement: Modifications to the Asset Management Process must be approved by the Process Owner. The design of the process must include appropriate interfaces with other processes to facilitate data sharing, escalation and workflow. The process must be capable of providing data to support real-time requirements as well as historical/trending data for overall process improvement initiatives. The process must be fully documented, published and accessible to the various stakeholders of the process. The process will be reviewed on a periodic basis in order to ensure it continues to support organizational goals and objectives (continuous improvement). The process must include Inputs, Outputs, Controls, Metrics, Activities, Tasks, Roles and Responsibilities, Tool and Data requirements along with documented process flows. The process will be kept straightforward, rational, and easy to understand.

Rationale: The process must meet operational and business requirements.

Technology and Tools Statement: All tools selected must conform to the enterprise architectural standards and direction. Existing in-house tools and technology will be used wherever possible; new tools will only be entertained if they satisfy a business need that cannot be met by current in-house tools.
The selection of supporting tools must be process driven and based on the requirements of the business. Selected tools must provide ease of deployment, customization, and use. The selected tools must support heterogeneous platforms. Automated workflow, notification and escalation will be deployed wherever possible to minimize delays, ensure consistency, reduce manual intervention and ensure appropriate parties are made aware of issues requiring their attention.

The tools used by this process are the following:
- Hardware Asset Management Repositories
- Software Asset Management Repositories

Rationale: Technology and tools should be used to augment the process capabilities, not become an end in themselves.

2.149.1.1.5 (05-29-2024) Program Controls

Process controls, summarized in the table below, represent the policies and guiding principles on how the process will operate. Controls provide direction over the operation of processes and define constraints or boundaries within which the process must operate:

Name | Description
GAO, CFO and TIGTA Audits | Formal inspection and verification to check whether a standard or set of guidelines is being followed, that records are accurate, or that efficiency and effectiveness targets are being met.
Asset Management Policies | Policies and regulations that provide guidance for managing the IT Asset Management program.
Security Policies | Policies to ensure the confidentiality, integrity, and availability of IT assets.
Annual Inventory Certification Plan | Annual overview of hardware asset management objectives, guidelines, and activities necessary to meet IRS’ annual financial audits and deliverables, including certifying the accuracy and completeness of IRS’ authoritative inventory system.
Governance | Governance ensures that policies and strategy are actually implemented and that required processes are correctly followed.

2.149.1.1.6 (05-29-2024) Terms/Definitions/Acronyms

Definitions of Asset Management’s terms and acronyms.

2.149.1.1.6.1 (05-29-2024) Terms and Definitions

The definitions listed below are some commonly used terms and are provided as an aid to understanding IT Asset Management.

Term | Definition
Agreed Life | An asset is designed to perform a function at an acceptable level for a predetermined amount of time according to the manufacturer’s lifecycle. It ensures that the defined services for the asset are met to provide the level of service required by the customer, in terms of quality and reliability.
Annual Inventory Certification Plan | Annual overview of hardware asset management objectives, guidelines, and activities necessary to meet IRS’ annual financial audits and deliverables including certifying the accuracy and completeness of IRS’ authoritative inventory system.
Artifact | A work product created by a process or procedure step, e.g., plans, design specifications, etc.
Asset | Any resource or capability. Assets of a service provider include anything that could contribute to the delivery of a service. Assets can be one of the following types: management, organization, process, knowledge, people, information, applications, infrastructure, and financial capital.
Audit | Formal inspection and verification to check whether a standard or set of guidelines is being followed, that records are accurate, or that efficiency and effectiveness targets are being met. An audit may be carried out by internal or external groups.
Certification | Issuing a certificate to confirm compliance to a standard. Certification includes a formal audit by an independent and accredited body.
Depot | A centralized storage area for In Stock IT equipment.
Entry Criteria | The elements and conditions (state) necessary to trigger the beginning of a process step.
Exit Criteria | The elements or conditions (state) necessary to trigger the completion of a process step.
Hardware Asset | Property meeting certain financial and security criteria that is part of the information technology infrastructure and represents a physical piece of computing electronic equipment.
Incident | The Enterprise Service Desk logs and tracks reported incidents. The incident will be assigned to a service provider for resolution.
Information Technology (IT) | The use of technology for the storage, communication, or processing of information. The technology typically includes computers, telecommunications, applications and other software. The information may include business data, voice, images, video, etc. Information Technology is often used to support business processes through IT services.
Information Technology Infrastructure Library (ITIL) | A set of best practice guidance for IT service management. ITIL consists of a series of publications giving guidance on the provision of quality IT services, and on the processes and facilities needed to support them.
IT Asset | Property or equipment that is part of the information technology infrastructure, including hardware and software for IT and telecommunications data and voice that is in use, in reserve storage, or is awaiting disposal.
IT Asset Lifecycle | A series of states connected by allowable transitions. The set of business practices that join financial, contractual, and inventory functions to support the management from acquisition to disposition for hardware and software found in the IT environment.
IT Asset Plan | A tactical plan for managing an organization's infrastructure and assets to deliver an agreed standard of service.
IT Equipment Profile | The standardized list of IT equipment given to each employee based upon their occupation in the IRS.
Knowledge Article | Shared information or instructions contained in a centralized database.
License Position | An organization view, which identifies whether software is under-licensed (at risk of a compliance audit) or over-licensed (wasting money on unnecessary software purchases), assisting in managing license compliance.
Move/Add/Change Form | A form used to document the status (location/assignment/user) of any piece of hardware (IT asset). It is used to update the repository.
Process | A structured set of activities designed to accomplish a specific objective. A process takes one or more defined inputs and turns them into defined outputs. A process may include any of the roles, responsibilities, tools, and management controls required to reliably deliver the outputs. A process may define policies, standards, guidelines, activities, and work instructions if they are needed.
Process Owner | A role responsible for ensuring that a process is fit for purpose. The process owner’s responsibilities include sponsorship, design, change management, and continual improvement of the process and its metrics. This role is often assigned to the same person who carries out the process manager role, but the two roles may be separate in larger organizations.
Quality Reviews | Quality reviews ensure compliance to asset management policies.
RACI (Responsible - Accountable - Consulted - Informed) | This model is used to help define roles and responsibilities, instructions for the activities used in the Hardware Asset Management procedures.
Recipient | The point of contact (POC) receiving the IT asset.
Request for Change (RFC) | A formal proposal for a change to be made (work request). An RFC includes details of the proposed change, and may be recorded on paper or electronically.
Rogue Asset | An unmanaged asset which appears amidst a population of managed assets. This can happen as a result of non-compliance with the policies concerning asset control and barcoding.
Service Request | A request from a user for information, or advice, or for a standard change or for access to an IT service. For example, to reset a password, or to provide standard IT services for a new user. Service requests are usually handled by Enterprise Service Desk, and do not require an RFC to be submitted.
Software Asset | Property meeting certain financial and security criteria that is part of the information technology infrastructure and software installed on personal computers, laptops, desktops, servers, mainframes, network and mobile devices.
TIER 3 Software (Micro) Personal computers such as Desktop PC, Laptop PC, etc.
Tool | Job aid for a specific purpose, e.g., checklist, template, application, etc.

2.149.1.1.6.2 (05-29-2024) Acronyms

The abbreviations and acronyms include an alphabetical listing of some commonly used terms in IT Asset Management.

Acronyms | Definition
ACIO | Associate Chief Information Officer
AM | Asset Management
ARM | Asset Management Reports
CIO | Chief Information Officer
CFO | Chief Financial Officer
CMMI | Capability Maturity Model Integrated
COE | Common Operating Environment
EOL | End of Life
FMSS | Facilities Management and Security Services (formerly Real Estate and Facilities Management (REFM))
GAO | Government Accountability Office
IRM | Internal Revenue Manual
IRS | Internal Revenue Service
IT | Information Technology
ITIL | Information Technology Infrastructure Library
ITSM | IT Service Management
PD | Process Description
PMI | Project Management Institute
POC | Point of Contact
RACI | (Responsible, Accountable, Consulted, and Informed) This model is used to help define roles and responsibilities, instructions for the activities used in the Hardware Asset Management procedures
RFC | Request For Change
ROI | Return On Investment
SAM | Software Asset Management
TIGTA | Treasury Inspector General for Tax Administration
UNS | User & Network Services

2.149.1.1.7 (05-29-2024) Related Resources

The following lists the regulatory documents that validate the Asset Management Policy:
- Public Law 89-306, Automated Data Processing Equipment
- Office of Management and Budget (OMB) Circular A-123, Management’s Responsibility for Internal Controls
- Treasury Department Publication 32-01, Accounting Principles and Standards
- OMB Circular A-127, Financial Management Systems
- Public Law 101-576, Chief Financial Officers Act of 1990
- Executive Order 12999, Educational Technology: Ensuring Opportunity for All Children in the Next Century
- Public Law 104-106, Clinger-Cohen Act of 1996, formerly Information Technology Reform Act of 1996
- IRM 1.2.1 - Servicewide Policy Statements and IRM 1.2.2 - Servicewide Delegations of Authority, to see information technology activities such as Policy Statement 2-93 (formerly P-1-229) Delegation Order 1-41 Delegation Order MITS-2-1-1, Authority to Approve IT Resources
- Policies and Procedures Memorandum No. 46.5, Evidentiary Documentation in Support of Receipt and Acceptance
- IRM 10.8, Information Technology (IT) Security
- IRM 1.14.4, Personal Property Management, Facilities Management and Security Services
- IRM 1.35.6, Administrative Accounting, Property and Equipment Accounting
- IRM 2.21, Shopping Cart Processing for Information Technology Products and Services
- IRM 1.15, Records and Information Management
- IRM 6.800, Employee Benefits
- IRM 2.127, Testing Standards and Procedures
- National Institute of Standards and Technology Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations (Aug. 2009)
- Treasury Directive Publication 85-01, Treasury IT Security Program (Nov. 3, 2006)
- Executive Order, Department of the Treasury Directive 85-02, Software Piracy Policy (May 4, 2010)
- Executive Order 13103 (Sep. 30, 1998), Computer Software Piracy
- Executive Order 13589, Promoting Efficient Spending (Nov. 09, 2011)
- Public Law 113-291, National Defense Authorization Act, Federal Information Technology Acquisition Reform Act, (FITARA) (Dec. 2014)
- “OMB issued Memorandum M-16-12, dated June 2, 2016:” Improving the Acquisition and Management of Common Information Technology: Software Licensing
- Public Law 114-210, Megabyte Act of 2016, Making Electronic Government Accountable by Yielding Tangible Efficiencies Act of 2016 (July 29, 2016)
- Asset Management - Enterprise-wide Software User Guide
- Asset Management - UNS Software User Guide
- Asset Management - Hardware User Guide
- General Services Administration Bulletin Federal Management Regulation (FMR) B - 34, Disposal of Federal Electronic Assets
- Memorandum, dated July 26, 2011 and signed by CTO for IRS Computer Room and Ownership and Management which assigns ownership of all Computer Rooms to Enterprise Operations