2.150.1 Configuration Management Policy 2.150.1.1 Program Scope and Objectives 2.150.1.1.1 Background 2.150.1.1.2 Authority 2.150.1.1.3 Responsibilities 2.150.1.1.4 Program and Management Review 2.150.1.1.5 Program Controls 2.150.1.1.5.1 Controls 2.150.1.1.5.2 Metrics 2.150.1.1.6 Terms and Acronyms 2.150.1.1.7 Related Resources 2.150.1.2 Purpose 2.150.1.3 Scope 2.150.1.4 Mandates Part 2. Information Technology Chapter 150. Configuration and Change Management Section 1. Configuration Management Policy 2.150.1 Configuration Management Policy Manual Transmittal April 01, 2024 Purpose (1) This transmits revised IRM 2.150.1 Configuration Management Policy. Material Changes (1) IRM 2.150.1.1.2 (3). Updated reference to FISMA Act of 2023. (2) IRM 2.150.1.4 (2). Added configuration item ownership for change control. Effect on Other Documents IRM 2.150.1 dated November 7, 2022 is superseded. Audience The Configuration Management Policy is applicable to all Information Technology (IT) organizations, contractors, and other stakeholders having responsibility for configuration, management, oversight, and successful day-to-day operations of the IRS IT enterprise hardware, software, and applicable documentation. Effective Date (04-01-2024) Rajiv Uppal Chief Information Officer 2.150.1.1 (04-01-2024) Program Scope and Objectives Purpose. This IRM describes the formal Information Technology (IT) policy for implementing the requirements of the Configuration Management (CM) process. It provides the purpose, scope, authority, and mandates for institutionalizing this process. The objective of Configuration Management is to manage and control all IT configuration items (CIs) by ensuring accurate information on the attributes of IT system and service related components and their relationships for software engineering and service management processes. Audience. This policy is applicable to all IT organizations, contractors, and other stakeholders having responsibility for management, oversight, and successful day-to-day operations of IRS IT enterprise hardware, software, and applicable documentation. Policy Owner. Demand Management & Project Governance (DMPG) Division, within Enterprise Operations (EOps) - IT. Program Owner. Governance & Resource Management Branch, within DMPG - EOps - IT. Primary Stakeholders. IT organizations having responsibility for establishing an internal or local Configuration Management process and/or managing and controlling their IT system and/or system components are stakeholders in the Configuration Management process. Contact Information. To recommend changes or to make any suggestions to this IRM section, e-mail the IT CM Program Management Office (PMO): it.cm.process@irs.gov 2.150.1.1.1 (04-16-2018) Background This IRM establishes the Configuration Management process tailored from industry best practices and standards to support the system and operational requirements of the IRS. This IRM enables the Configuration Management process to meet certain industry, federal, and regulatory requirements. 2.150.1.1.2 (04-16-2018) Authority IRM 1.2.1.3 Policy Statements for Information Technology Activities Office of Management and Budget (OMB) Circular A-130, “Managing Information as a Strategic Resource” S: 2251: Federal Information Security Modernization Act (FISMA) of 2023 Note: Security Configuration Management policy and guidelines are explicitly defined in IRM 10.8.1 Information Technology (IT) Security, Policy and Guidance 2.150.1.1.3 (01-08-2021) Responsibilities The Director, Demand Management & Project Governance, is the Process Owner accountable for the Configuration Management process and providing resources for maintenance and support. The Chief, Governance & Resource Management, is the Process Manager responsible for establishing and managing the IT CM PMO under the Change & Configuration Management (CCMS) Section. The IT CM PMO is responsible for: Developing and maintaining the Configuration Management policy and process for Software Configuration Management and Service Management. Training and coaching Process Practitioners assigned to perform their roles defined in the Configuration Management process. Communicating and socializing the Configuration Management process throughout the process community and other key stakeholders. Improving the Configuration Management process through process and operational metrics, process assessments and audits, process reviews and evaluations, and customer satisfaction surveys. Conducting and supporting process assessments and audits, where applicable. Process Practitioners who are responsible for carrying out their roles and responsibilities in the Configuration Management process. Functions, Service, and Product Owners who are responsible for implementing the requirements of Configuration Management process in the development and delivery of IT services for the IRS. 2.150.1.1.4 (04-01-2024) Program and Management Review The IT CM PMO shall manage and evaluate the process based on the following guiding principles: Process Management. Configuration Management will have a single Process Owner and a separate Process Manager, responsible for implementing and ensuring adherence to the process. The process will be reviewed regularly to ensure that it continues to support the business requirements of the enterprise. Process metrics will be focused on providing relevant information as opposed to merely presenting raw data. People. Roles and responsibilities for the process shall be clearly defined and appropriately staffed with people having the required skills and training. The mission, goals, scope and importance of the process shall be clearly and regularly communicated by upper management to the staff and business customers of IT. All IT staff (direct and indirect users of the process) shall be trained at the appropriate level to enable them to support the process. It is imperative that people working in, supporting or interacting with the process in any manner understand what they are supposed to do. Without that understanding Configuration Management will not be successful. Process. Modifications to the process shall be approved by the Process Owner. The design of the process shall include appropriate interfaces with other processes to facilitate data sharing, escalation and workflow. The process shall be capable of providing data to support real-time requirements as well as historical/trending data for overall process improvement initiatives. The process shall be fully documented, published and accessible to the various stakeholders of the process. The process will be reviewed on a periodic basis to ensure it continues to support organizational goals and objectives (continuous improvement). The process shall include Inputs, Outputs, Controls, Metrics, Activities, and Roles and Responsibilities along with documented process flows. The process will be kept straight forward, rational, and easy to understand. The process shall meet operational and business requirements. Technology and Tools. All tools selected shall conform to the enterprise architectural standards and direction. Existing in-house tools and technology will be used wherever possible, new tools will only be entertained if they satisfy a business need that cannot be met by current in-house tools. The selection of supporting tools shall be process driven and based on the requirements of the business. Selected tools shall provide ease of deployment, customization and use. Automated workflow, notification and escalation will be deployed wherever possible to minimize delays, ensure consistency, reduce manual intervention and ensure appropriate parties are made aware of issues requiring their attention. Technology and tools should be used to augment the process capabilities, not become an end themselves. 2.150.1.1.5 (04-01-2024) Program Controls Program controls are driven by the policies and guiding principles on how the process will operate. 2.150.1.1.5.1 (04-01-2024) Controls Controls provide direction on the operation of processes and define constraints or boundaries within which the process shall operate. Name Description Plan A documented plan that will define the scope, objective, resources, change authority, and activities for Configuration Management. Taxonomy Defined standards for naming and classifying CIs including terms and definitions. Configuration Information A description of a configuration item about its physical characteristics, relationships, and ownership which would be the basis for change and control. Model A defined structure and approach to recording relationships between configuration items that includes the level of detail that the organization wants to trace the relationships. Baselines Documented agreed descriptions of the attributes and/or specifications of a configuration item, at a point in time, which serves as the basis for defining change. These also include corrections resulting from an incident or configuration verification and audit to restore the baseline to its previously approved and agreed upon state. Change Management A process used to manage and control changes to configuration item baselines. Configuration Reports The frequency and distribution for regularly produced Configuration Management reports on the status of configuration items. Configuration Audits An examination of a configuration item to determine whether it confirms to its design and requirements including the integrity of its record. 2.150.1.1.5.2 (04-01-2024) Metrics Metrics are used for the quantitative and periodic assessment of a process. They should be associated with targets that are set based on specific business objectives. Metrics provide information related to the goals and objectives of a process and are used to take corrective action when desired results are not being achieved and can be used to drive continual improvement of process effectiveness and efficiency. Management will regularly set targets for process performance, gather quantifiable data related to different functions of Configuration Management, and review that data to make informed decisions and take appropriate corrective action, if necessary. All measurements shall have a defined data dictionary, map to the organizational strategic goals, and be documented in the CM Process Measurement Plan. Enterprise and local Configuration Management processes, including Configuration Management tool owners, shall produce metrics and measurement reports to measure the effectiveness and efficiency of the Configuration Management process. 2.150.1.1.6 (04-01-2024) Terms and Acronyms The table below defines terms that are used in Configuration Management. Term Definition CM Process Owner The CM Process Owner is the single point of contact for the process at the enterprise level and is accountable for the overall quality of the process, ensuring that the process is performed as documented and is meeting its objectives. CM Process Manager The CM Process Manager supports the CM Process Owner and is responsible for the operational management of the process. CM Process Practitioner The CM Process Practitioner are those assigned a role in the Configuration Management process that carry out its core activities. Process A set of linked activities that transform specified inputs into specified outputs, aimed at accomplishing an agreed-upon goal in a measurable manner. Control Represents the policies and guiding principles on how the process will operate and define the constraints or boundaries within which the process shall operate. Metric Defines quantitative and qualitative measures to track the performance of a process. Role Assigned to perform specific tasks within the process and its responsibilities are confined to the specific process. Roles do not imply any functional standing within the hierarchy of an organization. For example, the Process Manager role does not imply the role is associated with or fulfilled by someone with a functional management responsibilities within the organization. Configuration Item A collection and combination of hardware, software, and documentation that is used to deliver a product or service. The table below lists the acronyms used in this IRM. Acronym Term CCMS Change & Configuration Management CM Configuration Management CI Configuration Item DMPG Demand Management & Project Governance GRMB Governance Resource & Management Branch IT Information Technology IT CM PMO IT Configuration Management Program Management Office 2.150.1.1.7 (04-01-2024) Related Resources The following list the primary sources of guidance associated with Configuration Management. IRM 2.150.2 Configuration Management Process IRM 2.125.1 Change Management Policy IRM 2.125.2 Change Management Process IRM 2.22.1 Unified Work Request (UWR) Process IRM 10.8.1 Information Technology (IT) Security, Policy and Guidance 2.150.1.2 (04-01-2024) Purpose The purpose of this Policy is to establish formal requirements to manage configuration items and ensure that a consistent and systematic approach is used in the identification, control, reporting, and verification/audit to support software engineering and service management processes in the delivery of IT products and services. This includes establishing an IT-wide Configuration Management framework and to provide responsibilities, compliance requirements, and overall principles for the Configuration Management process to support information technology management across the IT organization. 2.150.1.3 (04-01-2024) Scope This Policy is applicable to any configuration items that might affect the IT systems, infrastructure, and services in the IT environment. This should also include related documentation that is used to define, design, debug, and deploy the configuration items in the operating environment. 2.150.1.4 (04-01-2024) Mandates Establish a Configuration Management Plan that defines the resources (staff and tools), change authority, and appropriate process that will be used to support the configuration item throughout its life cycle. All IT Projects developing new, enhancing, or improving IT system and/or system components must establish a Configuration Management Plan. All IT organizations maintaining and updating existing IT system and/or system components shall establish and maintain an organization-level or Associate Chief Information Office (ACIO) Configuration Management Plan and maintain currency every 3-years. Establish and maintain an inventory of IRS information systems in a Configuration Management system, such as a Configuration Management database. Organizations and IT Projects must select configuration items that will be managed and controlled throughout the life cycle. All configuration items must have defined attributes, ownership, and relationship information, such as system interfaces and dependencies. All configuration items must have a defined taxonomy, standard naming convention, and standard terms and definitions. All configuration items must have an established and published configuration standards and baselines as the basis for change. Establish and maintain configuration control of all configuration items. All proposed changes to configuration items must go through the Change Management process and approved by an appropriate change authority. All proposed changes must be associated to its CI Owner for controlling changes to their configuration item. All approved changes must update its configuration item record and establish its new baseline once deployed into the production environment. Establish the integrity and accuracy of all configuration items. All configuration item records must be regularly reviewed and verified to maintain overall accuracy, completeness, and consistency. All configuration item records must be verified and audited against its physical configuration item. More Internal Revenue Manual