HHS Policy for HHSMail Change Management
March 2, 2006
Table of Contents
- 1. Purpose
- 2. Background
- 3. Scope
- 4. Policy
- 5. Roles and Responsibilities
- 6. Applicable Policies and Guidance
- 7. Information and Assistance
- 8. Effective Date/Implementation
- 9. Approved
This document establishes the Policy for change management within the Department of Health and Human Services’ (HHS) HHSMail project. The Policy applies to all HHS personnel, contractors, interns, visitors and others who use HHSMail. It implements requirements to establish objectives, responsibilities, standards, guidelines and instructions for change management to:
- Prevent a change to the HHSMail operating environment from causing a negative impact;
- Provide a mechanism for tracking and reporting changes to the HHSMail operating environment;
- Establish an agreed-upon method for approving or rejecting proposed changes to the HHSMail operating environment;
- Provide a forum for analyzing the impact of changes to the HHSMail operating environment;
- Establishes an HHSMail Change Control Board (CCB);
- Establishes a change control tracking system.
The HHS Enterprise E-mail initiative will develop and implement an enterprise-wide E-mail and calendaring solution to meet the Department’s needs. This initiative is one of several strategic IT initiatives associated with the Department’s enterprise-wide IT consolidation effort and further supports the Secretary’s One HHS vision. The five goals identified for this HHS Enterprise E-mail initiative are:
Goal 1: Reduce costs of providing E-mail service to over 65,000 HHS employees, contractors, and other users.
Goal 2: Provide consistent functionality for all HHS E-mail users.
Goal 3: Develop the most efficient E-mail operation possible for HHS E-mail users.
Goal 4: Provide all HHS E-mail users a consistent E-mail address scheme.
Goal 5: Provide a calendaring solution giving the ability to schedule people and resources across HHS.
This document establishes the Policy for change management implemented within the Department of Health and Human Services’ (HHS) HHSMail project. This Policy applies to all Department Operating Divisions, including the Office of the Secretary, and organizations conducting business for and on behalf of the Department, whether owned and operated by HHS, or operated on behalf of HHS, through contractual relationships and/or service level agreements when using HHS IT resources. It applies to all HHS personnel, contractors, interns, visitors or others who use HHSMail.
Within this Policy the term Operating Division (OPDIV) includes the Inspector General, as well as the Office of the Secretary as a combined, single entity. The Office of the Secretary includes the Offices of the Regional Directors.
The following lists the types of changes that require prior approval by the HHSMail change control board (CCB):
- New e-mail client software (version down to the service pack level);
- New e-mail server software (version down to the service pack level);
- Naming conventions;
- Exchange Server add-ins, patches, tools, and components that are deemed by the requesting OPDIV to potentially impact the ongoing, successful operations of Enterprise E-mail (HHSMail);
- Exchange client add-ins, patches, tools, and components which are deemed by the requesting OPDIV to potentially impact the ongoing, successful operations of HHSMail;
- New HHS standard applications which integrate with e-mail;
- New HHS directory service solution(s) that support HHSMail;
- Changes to the HHSMailpublic folder structure;
- Changes to the e-mail infrastructure deemed by the proposing OPDIV to either 1) require prior approval so as to coordinate the proper timing of changes by multiple OPDIVs or 2) require work on the part of the other OPDIVs;
- Changes that will cause an outage for one or more OPDIVs;
- Changes to any HHSMail procedures and policies;
- Changes for which the proposing OPDIV wishes to obtain formal CCB approval.
- Changes to HHSMail components that impact the HHS enterprise architecture
- Significant hardware changes to HHSMAIL system
Note: The above list is not all-inclusive. Therefore, the HHSMail CCB Chairperson should be contacted before a system change is implemented that may affect the HHSMail system or its operating environment.
This section details the HHSMail change control process. The flow chart in Appendix A graphically depicts the steps listed below.
4.1 The system owner shall establish a Change Control Board (CCB). The CCB shall:
4.1.1 Review impacts of change requests based upon the analysis of changes submitted by the requestor
4.1.2 Approve/Disapprove all change requests;
4.1.3 Meet on a periodic basis or whenever a key change request or group of change requests requires consideration.
4.2 The system owner shall chair the change control board. The chairperson shall:
4.2.1 Act as the CCB facilitator;
4.2.2 Ensure change requests are entered into the change request tracking system;
4.2.3 Ensure change requests are routed to all necessary parties for review before a decision is made;
4.2.4 Schedule CCB meetings and establish the agenda for these meetings;
4.2.5 Formally communicate all change request decisions to all necessary parties.
4.3 The actual change control process consists of the following steps:
4.3.1 Submitting OPDIV – Shall use the form in Appendix B to submit a Change Request (CR) to the CCB Chairperson.
§ Identifies the application/system in question;
§ Describes the aspect of the application/system that the OPDIV feels is in need of change;
§ Describes the impact of leaving the application/system as-is compared with incorporating the suggested change;
§ Describes in detail the impact of the requested change as well as the downstream impacts on the related (dependent) systems that it interfaces with, interacts with or sends or receives information to/from. The impact assessment should include cost impacts as well as technological architectural impacts, including scheduling and staffing/resources impacts;
§ Provides alternatives analysis regarding the implementation/scheduling of the requested change(s).
§ Provide backout procedures for failed changes
4.3.2 CCB Chairperson - collects CRs and enters them into a formal CR Tracking System. CCB members should have access to the system, as well as Chief Technology Officers (CTOs) and Information Systems Security Officers, at each OPDIV’s discretion.
4.3.3 CCB Chairperson - submits a Change Notice (CN) to all OPDIVs and the CCB six business days before the change. If the change does not need CCB approval, but other OPDIVs should be notified, the CN must include the following:
§ Complete description of the change, including the proposed implementation date;
§ Change date and time;
§ Locations where the change will be implemented;
§ OPDIV point of contact information.
Note: No further steps are required after CN is sent
4.3.4 HHSMail Host and OPDIV technical staff - perform and submit a CR Impact Analysis (if warranted by CCB Chairperson) that includes the reason for the change as well as the architectural impact analysis, including dependencies. The completed CR impact analysis is submitted to the CCB Chairperson.
4.3.5 CCB Chairperson - reviews and routes Impact Analysis and CR to CCB members for OPDIV review. CCB Chairperson schedules CCB meeting with agenda.
4.3.6 OPDIVs Affected by Change - submit Impact Analysis of CR before the next CCB meeting. The Impact Analysis should include an estimate of cost and scheduling impacts that will be encountered, as well as, the effects of other implementation factors such as:
- Purchases required including hardware, software, network, communications, etc.;
- Staff required to implement the change from concept to deployment;
- Impact on staffing to support the resulting application/system after the change is implemented;
- Impact on interfacing systems/applications;
- Impact on all related policies and procedures;
- Impact on training and user materials;
- Address the timing of the proposed change (wholesale, staggered, geographic, etc.);
- Custom application programming changes required;
- Test procedures;
- New installation programs or procedures.
4.3.7 CCB - reviews Impact Analyses submitted by the OPDIVs and HHSMail Host and approves or rejects the CR(s).
4.3.8 If the CR is approved, the CCB determines if the CR needs CIO Council approval. If so, the CCB Chairperson shall forward the CR to the CIO Council for their approval. CR’s that require major policy changes or that have major budget implications are usually sent to the CIO Council for approval.
4.3.9 (If applicable) The CIO Council approves or rejects CCB recommendation on the CR.
4.3.10 If the CR is approved by the CIO Council, then the CIO Council determines if the CR needs ITIRB approval. If so, the CIO Council should forward CR to the ITIRB for their approval.CR’s that have major budget implications are sent to the ITIRB for approval.
4.3.11 (If applicable) The ITIRB reviews the CCB recommendation for the CR andapproves or rejects it.
4.3.12 CCB Chairperson - collects CR decisions from CCB, CIO Council and ITIRB to update the CR Tracking System within 1 day after the decision. Regardless of whether a CR is approved or rejected, the following information is recorded:
§ Date, description, and OPDIV submitting the CR;
§ Estimated impact of the change on the areas listed above;
§ Date when the change was accepted, rejected, or deferred;
§ If rejected, the reason for rejection.
4.3.13 CCB Chairperson - formally communicates the CR decisions to all OPDIVs within 1 day after the decision is made.
The HHSMail Change Management Organization consists of the following parties:
- CIO Council
- Change Control Board (CCB)
- OPDIV managers and technical staff
- HHSMail Host
- HHSMail Implementation Team (during HHSMail Implementation and rollout)
The following provides a breakdown of roles and responsibilities for each of the parties involved in the Change Management Process (CMP):
- Approves modifications to the CMP (when requested by CIO Council).
- Approves change requests (when requested by CIO Council).
- Approves changes to the Change Management process (when requested by the CCB);
- Approves change requests (when requested by the CCB);
- Determines if a proposed change request or a proposed revision to the CMP needs to be approved by the ITIRB;
- Determines the architectural impact and the costs of the requested change;
- Ensures that the technical approach of the requested change meets architectural and security standards, or sets new standards for approval;
- Elects whether they wish to act in lieu of a separate CCB body.
- Reviews change requests when asked by the CCB Chairperson and performs an impact analysis.
- Implements approved change requests that pertain to HHSMail infrastructure under service provider management.
- Is comprised of one representative from each large OPDIV and one representative for the small OPDIV consortium. These representatives along with the CCB Chairperson are the only voting members on the board.
- Reviews impacts of change requests based upon OPDIV’s and HHSMail Host’s impact analyses;
- Approves/disapproves all change requests;
- Meets either on a periodic basis or whenever a key change request or group of change requests requires consideration;
- The HHSMail Chief Information Security Officer (CISO) will sit on the board to ensure all security concerns associated with CR’s are properly addressed.
- Acts as the CCB facilitator;
- Serves as the focal point for collecting change requests;
- Ensures change requests are entered into the change request tracking system on time;
- Routes change requests to the HHSMail Host before they go to the CCB; reviews the HHSMail Host’s impact analysis;
- Ensures change requests are routed to all necessary parties for review before a decision is made;
- Schedules CCB meetings and sets up the agenda for these meetings;
- Updates the change request tracking system through the lifecycle of the change request;
- Formally communicates all change request decisions to all OPDIVs;
- Maintains, updates, and distributes the change management policy (CMP) and the CCB charter; schedules CCB meetings to review the CMP and the CCB charter as necessary; ensures compliance with the CMP and the CCB charter;
- HHSMail Implementation Team Project Officer serves as CCB Chairperson during HHSMail implementation and rollout phases;
- Notifies all OPDIVs of changes which do not require CCB approval but should be sent to all the affected OPDIVs for informational purposes (e.g., a change notice).
- Submits change requests to the CCB Chairperson;
- Helps to ensure that all impacted OPDIVs are identified and involved before the decision is made;
- Provides additional representation to CCB meetings where necessary.
- Provides assessment of the impact as input to the CCB before a decision is made;
- Provides additional representation to CCB meetings when necessary;
- Implements approved change requests that pertain to HHSMAIL infrastructure under OPDIV management.
1. The Clinger-Cohen Act (CCA) (includes the Information Technology Management Reform Act and the Federal Acquisition Reform Act): The CCA requires the head of each executive agency to design and implement a process for maximizing the value and assessing and managing the risk of information technology (IT) acquisitions, development of an information technology architecture (ITA), and designation of Chief Information Officers (CIOs).
2. OMB Circular A-130, Management of Information Resources: This provides uniform information on information resources management (IRM) policies required by the Paperwork Reduction Act, in Section 8(b).The term “major” information system, means an information system that requires special management attention because of its importance to an agency mission; its high development, operating or maintenance costs; or its significant role in the administration of agency programs.
3. OMB Circular A-11: Circular A-11 consists of Part 1, entitled “Preparation and Submission of Budget Estimates,” Part 2, “Preparation and Submission of Strategic Plans and Annual Performance Reports,” and Part 3, “Planning, Budgeting, and Acquisition of Capital Assets.” A supplement to Part 3, “Capital Programming Guide,” is also included.
4. OMB Circular A-123: Departments must implement and test updated internal control standards, as well as new specific requirements, for conducting management’s assessment of the effectiveness of internal control over financial reporting.
For additional information please consult the HHSMail website at “intranet.hhs.gov/hhsemail”.
The effective date of this Policy is the date the Policy is approved.
These policies and procedures will not be implemented in any recognized bargaining unit until the union has been provided notice of the proposed changes and given an opportunity to fully exercise its representational rights.
The HHS policies contained in this issuance shall be exercised in accordance with Public Law 93-638, the Indian Self-Determination and Education Assistance Act, as amended, and the Secretary's policy statement dated August 7, 1997, as amended, titled "Department Policy on Consultation with American Indian/Alaska Native Tribes and Indian Organizations." It is HHS' policy to consult with Indian people to the greatest practicable extent and to the extent permitted by law before taking actions that affect these governments and people; to assess the impact of the Department's plans, projects, programs and activities on tribal and other available resources; and to remove any procedural impediments to working directly with tribal governments or Indian people.
________________/s/____________________________ _March 2, 2006________
HHS Chief Information Officer DATE