Implementation Phase

During the Implementation Phase, the automated system/application or other IT solution is moved from development status to production status. The process of implementation is dependent on the characteristics of the project and the IT solution, and thus may be synonymous with installation, deployment, rollout, or go-live. If necessary, data conversion, phased implementation, and training for using, operating, and maintaining the system are accomplished during the Implementation Phase. From a system security perspective, the final system must be certified and accredited for use in the production environment during the Implementation Phase. The Implementation Phase ends with a formal decision to release the final IT solution into the Operations and Maintenance Phase.

Project Manager: The Project Manager is responsible and accountable for the successful execution of the Implementation Phase. The Project Manager is responsible for leading the Integrated Project Team that accomplishes the Implementation Phase activities and deliverables.

Integrated Project Team: The Integrated Project Team members (regardless of the organization of permanent assignment) are responsible for accomplishing assigned tasks as directed by the Project Manager.

Critical Partners: The Critical Partners provide oversight, advice and counsel to the Project Manager on the conduct and requirements of the Implementation Phase. Additionally, they provide information, judgments, and recommendations to the Business Owner and IT governance organization during investment reviews and in support of Investment Baselines.

IT Governance Organization: The IT governance organization conducts the Operational Readiness Review.

The following activities are performed as part of the Implementation Phase.

All affected users and organizations affected are notified of the implementation. Additionally, it is good policy to make internal organizations not directly affected by the implementation aware of the schedule so that allowances can be made for a disruption in the normal activities of that section. The notification should include:

Typically, implementation includes converting existing data for use in the new system. The tasks for this effort are two-fold: data input and data verification. When replacing a manual system, hard copy data is entered into the automated system. Some sort of verification that the data is being entered correctly should be conducted throughout this process. This is also the case in data transfer, where data fields in the old system may have been entered inconsistently and therefore affect the integrity of the new database. Verification of the old data becomes imperative to a useful computer system.

One of the ways verification of both system operation and data integrity can be accomplished is through parallel operations. Parallel operations consist of running the old process or system and the new system simultaneously until the new system is certified. In this way if the new system fails in any way, the operation can proceed on the old system while the bugs are worked out.

To ensure that the system is fully operational, install the system in a production environment.

During this phase, the documentation from all previous phases is finalized to align it with the delivered system. The Project Manager coordinates these update activities.

Prior to the Operational Readiness Review, the Authority to Operate must be obtained and a System of Record Notice published.

Final versions of the following documents are prepared during the Implementation Phase, and are required before the project proceeds to the Operations and Maintenance Phase:

Exit Criteria
Objective: To verify the operational readiness of the Business Product for release into the production environment

Phase Specific Exit Criteria:

Generic Exit Criteria:

Project Reviews
Three project reviews are required during the Implementation Phase.

The first is System Certification. System Certification is the comprehensive evaluation of the management, operational, and technical security controls implemented for an information system to ensure compliance with information security requirements. The certification evaluation includes review of the Information Security Risk Assessment (IS RA), System Security Plan (SSP), other system life cycle documentation, and any findings from past assessments, reviews and/or audits, as well as technical testing and analysis. The technical certification assessment, called the Security Test and Evaluation (ST&E) process, is the execution of test procedures and techniques by an independent third party designed to evaluate the effectiveness of information security controls in a particular environment, and to identify any vulnerabilities in the information system. The results of the certification assessment, together with a review of any other independent audits, reviews or assessments are documented and appropriate corrective action is taken to strengthen internal controls. The SSP and/or IS RA are then updated based upon improvements and changes made to the system, and then the system is certified (approved) prior to subsequent System Accreditation (i.e., authorization to process) by the organization's Chief Information Officer/ Designated Approval Authority.

The second review is the System Accreditation. System Accreditation is the official management decision to authorize operation of an information system. To make an informed decision, the organization's Chief Information Officer (CIO) / Designated Approval Authority (DAA) must have sufficient knowledge and understanding of the current status of the security programs and security controls in place to protect the system and information processed, stored, or transmitted by the system. This is a business-driven, risk-based decision founded upon current, credible, comprehensive documentation and test results provided in the System Certification package prepared as a result of predecessor System Certification activities. The organization's CIO/DAA must explicitly accept or reject any identified residual risks to the organization's operations and assets remaining after the implementation of the prescribed set of security controls as documented in the SSP and/or IS RA. Ultimately, the CIO/DAA must strike a firm balance between authorizing the operation of information systems necessary to support completion of the business mission, while ensuring that an adequate level of information security is in place. The objective is to strive to implement the most effective security controls, in consideration of technical, budgetary, time, and resource limitations, while continuing to support business mission requirements.

The third review is the Post-Implementation Review (PIR). After a period of sustained operation (after at least one full processing and reporting cycle has been completed and all users have been trained and are comfortable with the operation), a PIR is conducted of the completed IT solution or automated system/application that was released into the production environment to determine if it is operating as expected. The purpose of the review is to ascertain the degree of success from the project (in particular, the extent to which it met its objectives, delivered planned levels of benefit, and addressed the specific requirements as originally defined), to examine the efficacy of all elements of the working business solution to see if further improvements can be made to optimize the benefit delivered, and to learn lessons from the project that can be used to improve future project work and solutions.

Stage Gate Review
The Operational Readiness Review (ORR) is a formal inspection conducted to determine if the final IT solution or automated system/application that has been developed or acquired, tested, and implemented is ready for release into the production environment for sustained operations and maintenance support. The IT governance organization cannot delegate this review.