Description
During the Implementation Phase, the automated system/application or other IT solution is moved from development status to production status. The process of implementation is dependent on the characteristics of the project and the IT solution, and thus may be synonymous with installation, deployment, rollout, or go-live. If necessary, data conversion, phased implementation, and training for using, operating, and maintaining the system are accomplished during the Implementation Phase. From a system security perspective, the final system must be certified and accredited for use in the production environment during the Implementation Phase. The Implementation Phase ends with a formal decision to release the final IT solution into the Operations and Maintenance Phase.
Responsibilities
Project Manager: The Project Manager is responsible and accountable for the successful execution of the Implementation Phase. The Project Manager is responsible for leading the Integrated Project Team that accomplishes the Implementation Phase activities and deliverables.
Integrated Project Team: The Integrated Project Team members (regardless of the organization of permanent assignment) are responsible for accomplishing assigned tasks as directed by the Project Manager.
Critical Partners: The Critical Partners provide oversight, advice and counsel to the Project Manager on the conduct and requirements of the Implementation Phase. Additionally, they provide information, judgments, and recommendations to the Business Owner and IT governance organization during investment reviews and in support of Investment Baselines.
- Enterprise Architecture: Confirm that approved change requests are compliant with the Enterprise Architecture.
- Security: Determine if the Authority to Operate, including the System Certification and Accreditation, is complete and the System of Record Notice is published.
- Acquisition: Guarantee that the contracts are being fulfilled according to award or approved changes and completed contracts are closed appropriately.
- Budget: Ascertain if change requests are reviewed to determine if a new financial analysis is required.
- Finance: Ascertain if actual expenses are in accordance with the budget plan.
- HR: Determine if issues related to staffing, workforce, or other HR areas have been addressed.
- Section 508: Establish if implementation has maintained the integrity of Section 508 compliance.
- CPIC: Confirm that the project is still within the original scope and that the current Implementation Plan is reasonable.
- Performance: Confirm that the completed Business Product is operating as expected and is positioned to meet performance targets.
IT Governance Organization: The IT governance organization conducts the Operational Readiness Review.
Activities
The following activities are performed as part of the Implementation Phase.
All affected users and organizations are notified of the implementation. Additionally, it is good policy to make internal organizations not directly affected by the implementation aware of the schedule so that allowances can be made for a disruption in the normal activities of that section. The notification should include:
- The schedule of the implementation
- A brief synopsis of the benefits of the new system
- The difference between the old and new system
- Responsibilities of end users affected by the implementation during this phase
- The process to obtain system support, including contact names and phone numbers
Typically, implementation includes converting existing data for use in the new system. The tasks for this effort are two-fold: data input and data verification. When replacing a manual system, hard copy data is entered into the automated system. Some sort of verification that the data is being entered correctly should be conducted throughout this process. This is also the case in data transfer, where data fields in the old system may have been entered inconsistently and therefore affect the integrity of the new database. Verification of the old data becomes imperative to a useful computer system.
One of the ways verification of both system operation and data integrity can be accomplished is through parallel operations. Parallel operations consist of running the old process or system and the new system simultaneously until the new system is certified. In this way, if the new system fails in any way, the operation can proceed on the old system while the bugs are worked out.
To ensure that the system is fully operational, install the system in a production environment.
During this phase, the documentation from all previous phases is finalized to align it with the delivered system. The Project Manager coordinates these update activities.
Prior to the Operational Readiness Review, the Authority to Operate must be obtained and a System of Record Notice published.
Final versions of the following documents are prepared during the Implementation Phase, and are required before the project proceeds to the Operations and Maintenance Phase:
- Business Product
- Project Completion Report
- Service Level Agreements (SLAs) and Memoranda of Understanding (MOU)
- Contingency/Disaster Recovery Plan
- Operations and Maintenance (O&M) Manual
- Systems Security Plan
- Security Risk Assessment
- Training Plan
- Training Materials
- User Manual
Exit Criteria
Objective: To verify the operational readiness of the Business Product for release into the production environment.
Phase Specific Exit Criteria:
- Business Product ready for production service and notification of the new solution is provided to all users and staff who are affected.
- No outstanding concerns among stakeholders regarding implementation.
- Security and authorization to operate documents are complete and the system is considered Certified and Accredited.
Generic Exit Criteria:
- Variances from baselines have been identified and mitigated. [Cost and schedule variances and scope changes are identified, significant variances are explained, and Corrective Action Plans (CAPs) or rebaseline requests are in place as appropriate.]
- Investment baselines have been reviewed and revised as appropriate. [Should this investment continue as-is, be modified, or be terminated based on current knowledge?]
- The Project Management Plan and component plans have been reviewed and appropriately updated. [This includes Risk Management, Acquisition Strategy, Change Management, Configuration Management, Project Categorization, Requirements Management, Communication Plan, WBS/Schedule, IV&V Planning, Quality Assurance, Records Management, Staff Development Plan and Security Approach.]
Project Reviews
Three project reviews are required during the Implementation Phase.
The first is System Certification. System Certification is the comprehensive evaluation of the management, operational, and technical security controls implemented for an information system to ensure compliance with information security requirements. The certification evaluation includes review of the Information Security Risk Assessment (IS RA), System Security Plan (SSP), other system life cycle documentation, and any findings from past assessments, reviews and/or audits, as well as technical testing and analysis. The technical certification assessment, called the Security Test and Evaluation (ST&E) process, is the execution of test procedures and techniques by an independent third party designed to evaluate the effectiveness of information security controls in a particular environment, and to identify any vulnerabilities in the information system. The results of the certification assessment, together with a review of any other independent audits, reviews or assessments, are documented and appropriate corrective action is taken to strengthen internal controls. The SSP and/or IS RA are then updated based upon improvements and changes made to the system, and then the system is certified (approved) prior to subsequent System Accreditation (i.e., authorization to process) by the organization's Chief Information Officer / Designated Approval Authority.
The second review is the System Accreditation. System Accreditation is the official management decision to authorize operation of an information system. To make an informed decision, the organization's Chief Information Officer (CIO) / Designated Approval Authority (DAA) must have sufficient knowledge and understanding of the current status of the security programs and security controls in place to protect the system and information processed, stored, or transmitted by the system. This is a business-driven, risk-based decision founded upon current, credible, comprehensive documentation and test results provided in the System Certification package prepared as a result of predecessor System Certification activities. The organization's CIO/DAA must explicitly accept or reject any identified residual risks to the organization's operations and assets remaining after the implementation of the prescribed set of security controls as documented in the SSP and/or IS RA. Ultimately, the CIO/DAA must strike a firm balance between authorizing the operation of information systems necessary to support completion of the business mission, while ensuring that an adequate level of information security is in place. The objective is to strive to implement the most effective security controls, in consideration of technical, budgetary, time, and resource limitations, while continuing to support business mission requirements.
The third review is the Post-Implementation Review (PIR). After a period of sustained operation (after at least one full processing and reporting cycle has been completed and all users have been trained and are comfortable with the operation), a PIR is conducted of the completed IT solution or automated system/application that was released into the production environment to determine if it is operating as expected. The purpose of the review is to ascertain the degree of success from the project (in particular, the extent to which it met its objectives, delivered planned levels of benefit, and addressed the specific requirements as originally defined), to examine the efficacy of all elements of the working business solution to see if further improvements can be made to optimize the benefit delivered, and to learn lessons from the project that can be used to improve future project work and solutions.
Stage Gate Review
The Operational Readiness Review (ORR) is a formal inspection conducted to determine if the final IT solution or automated system/application that has been developed or acquired, tested, and implemented is ready for release into the production environment for sustained operations and maintenance support. The IT governance organization cannot delegate this review.