Beruflich Dokumente
Kultur Dokumente
Peace Corps
Version 4.2
Executive Summary
The Peace Corps‘ Systems Development Life cycle (SDLC) Handbook is the definitive
statement of the policies, standards, and life cycle that govern information technology (IT)
systems—including infrastructure—that are built by or for the Peace Corps. This SDLC is based
on the standard SDLC used throughout industry, and has been tailored, where necessary, to meet
the needs of the Peace Corps. This handbook also incorporates best practices from the Software
Engineering Institute‘s (SEI®) Capability Maturity Model® (CMM®).
The SDLC Handbook is a Peace Corps policy that applies to all IT projects and systems
irrespective of agency sponsor, developer, project size/type, methodology, or technology. Some
adjustments and latitude must be taken into consideration when applying the SDLC guidelines to
small project and/or minor enhancements and fixes. This document reflects the Peace Corps‘s
decision to integrate the SDLC with the agency‘s Enterprise Architecture Program and the
Capital Planning and Investment Control (CPIC) process that includes the Investment Review
Board (IRB). This integration allows the agency to manage its IT investments as part of its
Portfolio Management.
All projects—regardless of size or type—must be executed using disciplined engineering
techniques, including clearly defined requirements, appropriate documentation, Quality
Assurance (QA), and approvals. The level of detail and format of deliverables for different size
or types of projects should vary. This handbook provides a tailoring and approval process that
should be sufficient to satisfy SDLC requirements for any size project.
This handbook applies to all Peace Corps work: systems in operation, projects already underway,
and new projects. Through the tailoring and approval process, management of projects already
underway and systems in operation have a mechanism to account for and document SDLC
compliance.
Application to Project Management
The SDLC follows the standard best practices of Project Management. Projects go through five
phases: Initiation, Planning, Development, Validation, and Operations. Overlaid with these
phases, are the SDLC‘s nine stages that define the process of system development, with specific
criteria and policies applicable for each stage.
Projects will use this handbook and devise a Project Plan that covers the stages, and includes
tasks, deliverables, and activities as described in this handbook. Depending on project size,
complexity, visibility, and risk, the activities and deliverables may be combined or expanded. A
library should be established as part of the IT tools repository containing templates, examples,
and procedures that projects will consult in order to take advantage of existing best practices.
Upon management approval, a Project Work Authorization should be issued and the tailored
project plan will become the project‘s SDLC-compliant road map. The Chief Architect team
will assist projects in understanding the SDLC and applying it throughout all IT activities at the
Peace Corps.
Peace Corps i
December 14, 2009
Version 4.2 Acknowledgements
Acknowledgement
The Peace Corps is indebted to the U.S. Customs Service, and in particular, to Mr. S.W. Hall, Jr.,
Assistant Commissioner and Chief Information Officer, Office of Information and Technology
(OIT), and Mr. Guy D. Taylor, Director, OIT Planning Group, for graciously allowing liberal use
and republication of the U.S. Customs Service SDLC Handbook as source material for this initial
Peace Corps SDLC Handbook.
The Peace Corps has drawn heavily from the Customs document for its insight, organization, and
detailed description of the SDLC within the federal government arena. Portions of this Peace
Corps document do not differ in material detail from certain sections, definitions, and
descriptions contained in the U.S. Customs Service document.
Peace Corps 1
December 14, 2009
Version 4.2 Table of Contents
Table of Contents
1. Introduction .................................................................................................................. 1
1.1 Applicability ..................................................................................................................1
1.2 Guidance to Management ..............................................................................................1
1.3 How to Use This Handbook ...........................................................................................2
Peace Corps 1
December 14, 2009
Version 4.2 Table of Contents
1. Introduction
This Peace Corps Systems Development Life Cycle (SDLC) Handbook presents the policies,
approved life cycle, standards, and high-level processes that govern Information Technology (IT)
systems—including infrastructure—built by or for the Peace Corps. The SDLC defines
management expectations for developing and maintaining Peace Corps IT systems.
This handbook reflects the Peace Corps‘s commitment to adopting and applying the recognized
best practices and disciplined engineering methods represented in the Software Engineering
Institute (SEI®) Systems Engineering Capability Maturity Model® (SE-CMM®).1
1.1 Applicability
This handbook is an instrument of Peace Corps policy for the agency‘s SDLC. It applies to all
Peace Corps IT projects and systems regardless of sponsor, developer, project size, methodology,
or technology used. All staff and contractors involved in developing, maintaining, or
implementing systems or applications for the Peace Corps will become familiar with and follow
the guidance in this handbook.
The policies and life cycle process in this handbook apply equally to large and small projects,
including systems using Commercial Off-The-Shelf (COTS) solutions. All projects, whether
new, already underway, or systems in operation, are subject to the requirements and guidance of
this handbook. Accordingly, all Peace Corps projects must employ disciplined engineering
techniques, including clearly defined requirements, adequate documentation, QA, and approvals.
It is expected that, for projects of different size or type, there will be substantial variance in the
level of detail and format of project deliverables. This handbook provides a tailoring and
approval process that should be sufficient to satisfy SDLC requirements for any size project.
1
The Capability Maturity Model: Guidelines for Improving the Software Process, Mark Paulk, et al. Addison-
Wesley Publishing Company, New York, 1995. ISBN: 0-201-54664-7.
Peace Corps 1
December 14, 2009
Version 4.2 Introduction
already underway and systems in operation. This tailoring and approval process is part of Stage
2 of the SDLC, Project Initiation and Authorization.
Peace Corps 2
December 03, 2009
Version 4.2 The Peace Corps System Development Life Cycle
Peace Corps 3
December 14, 2009
Version 4.2 The Peace Corps System Development Life Cycle
Task: is a defined unit of work, with a measurable end, for one or more persons. The
level of effort required to complete the task is estimated and tracked.
User Primacy
Every system development project begins and ends with the user. Systems development focuses
on satisfying user requirements, including information systems security requirements imposed on
the user by federal regulation, through defined, documented, and mission-related performance
goals for that system. Business Sponsors and users continue this involvement until the system is
retired.
Peace Corps 4
December 03, 2009
Version 4.2 The Peace Corps System Development Life Cycle
Project Metrics
When a project begins, metrics must be defined for the system‘s contribution to Peace Corps
mission performance and business improvement. The project must also document metrics for
expected systems performance, acceptance, and information system security criteria. These
metrics are documented in the project‘s Business Case, and the acceptance criteria are
documented in the User Requirements. The metrics required for each business case should be
based on either specific function points and/or earned value analysis. This will vary from project
to project but standard metrics analysis should be developed as part of the agency‘s CPIC
process. Small projects will not require this analysis.
Once the project has been approved, the following Project Management Performance Data must
be collected, documented, and used throughout the project‘s life cycle:
Effort for both product development and review activities
Cost
Work Product Size(s) and changes
Schedule (based on Effort and Size estimates plus staff availability)
Requirements (i.e., number of requirements) and Number of Changes
Product Quality (i.e., number of defects, severity, and status). Whenever possible
existing tools (such as Dimensions) will be used to document quality status and issues.
Critical Computer Resources (e.g., memory, storage, bandwidth, hardware, tools) needed
both for development and for deployment and operation.
Each of these items must be estimated during initial planning. Also, the assumptions and
constraints upon which the estimates are based should be documented. Data for each of these
metrics must be collected regularly during the project‘s life cycle.
The project compares actual accomplishments and effort with the estimates to provide objective
information on project status and trends. Corrective actions will be taken as required and
documented.
Peace Corps 5
December 03, 2009
Version 4.2 The Peace Corps System Development Life Cycle
Peace Corps 6
December 03, 2009
Version 4.2 The Peace Corps System Development Life Cycle
code, and databases). These work products and code then undergo unit and integration
testing by the development team and supporting organizations until the system is ready for
acceptance testing. Applicable system documentation, such as the system security plan,
system configuration guide, and training plan are refined or updated. Also, equipment is
received and checked to ensure proper operation and integration.
6. Testing and Acceptance: There are two types of acceptance testing that occur in this
stage. First, the system is tested to ensure that it interfaces properly with other automated
systems within the Peace Corps environment. Second, independent testers (such as the QA
team) and users test the system to ensure that the developers have delivered a system that
meets the needs stated in the user and functional requirements. Security Certification (if
needed) is obtained during this stage; certification ensures that the security controls are in
place and operating as intended based on security requirements defined in previous stages.
In addition, validation of the system against the benefits and costs outlined in the business
case occurs. The IRB participates in the stage to ensure that the project is on track, within
budget and the benefits are indeed realized.
7. Operational Readiness: At this point, the new system is moved into the Peace Corps
Production environment in preparation for operational processing. Although the system is
now in the Production environment, it has not yet been transitioned to full operation. The
implementation of the system includes site preparations; infrastructure
installation/deployment; data conversions; database and system code installation into the
production environment; and, scheduling as necessary to make the new system available to
the general users. To ensure the system will be ready for operations, field testing and
parallel operations may be conducted as required. User Documentation and Training
materials must be finalized and released, with appropriate training plans implemented.
Prior to moving into Operations, the system‘s Authorizing Official must review the
system‘s Security Certification Package to determine whether the residual risk to the system
is acceptable, and whether there is adequate protection of the system and its data for the
system to be accredited for operation. Based on this the review, the Authorizing Official
may or may not authorize the system for operations. As a final component of the
Operational Readiness phase, the project team should document the project experience and
lessons learned.
8. Operations: The system is in general use throughout the Peace Corps. This stage consists
of activating and rolling out the system plus the activities to monitor performance of the
system in production and ensure continuity of operations. This includes performance
monitoring and management feedback; tracking of system performance statistics, costs, and
resource allocations; detecting defects in the application, operation, and local systems;
assessing the system‘s efficiency and effectiveness to determine if the investment was cost
beneficial and achieved the planned functionality; managing system and infrastructure
problems (e.g., recovery) and implementing changes; and the continuous monitoring of the
system‘s security controls.
The system is reviewed while in production to ensure that it continues to meet user needs
and security accreditation requirements. Independent evaluations may also be performed
during this and other stages of the life cycle to validate compliance with project standards,
processes, and functional and security requirements. Information should be collected to:
Peace Corps 7
December 03, 2009
Version 4.2 The Peace Corps System Development Life Cycle
demonstrate the systems‘ contribution and efficiency; and validate the gains projected in the
Business Case.
9. Disposition/Disposal: When a system is no longer needed or to be replaced, it is necessary
to identify the disposal requirements and procedures. The planned disposition of a system
ensures the orderly termination of the system. Particular emphasis is given to proper
preservation of the data processed by the system, so that the data is effectively migrated to
another system, archived in accordance with applicable records management regulations and
policies, for potential future access, or disposed of in a manner appropriate for the
information type handled by the system.
Figure 1 depicts a high-level view of the Peace Corps SDLC. The following chapter explains the
life cycle stages in more detail.
Peace Corps 8
December 03, 2009
Version 4.2 The Peace Corps System Development Life Cycle
Major
Major
Reviews, Deliverables, & Activities
Stage Exit Stage 1 --
IRB Approval/Rejection
Criteria Concept & IT Concept Document
Funding Business Case Business Case
Approved Prepare Business Case
Identify Project Manager
Stage 2 --
Project Reviews
Project Work Initiation &
Authorization Authorization Initial Project Plan
Issued Draft User Requirements
Technical Compliance Reviews
Tailor the Life Cycle
Peace Corps 9
December 03, 2009
Version 4.2 The Peace Corps System Development Life Cycle
Select Phase
Concept and
1 2
Business Case
Initiation &
3
Project Management Authorization
Support
(ongoing throughout
the life cycle)
Project Definition
Project Planning and
Budgeting
Program Monitoring
Requirements
System Design
Management
Configuration
Control Phase
Management
Quality Assurance
Management Construction
Reviews
Meetings and
Associated
Documents
Acceptance
Operational
Readiness
Operations 4
Evaluate Phase
Retirement
Peace Corps 10
December 03, 2009
Version 4.2 Life Cycle Stages – Detailed Description
Term Definition
Entry Criteria The conditions that must exist when the stage begins.
Inputs The work products that must be present before the activities of a specific
stage can be performed.
Outputs The work products that are generated or produced within a specific stage.
Exit Criteria The conditions under which the stage can be declared complete.
Tasks/Activities The steps involved in implementing a stage / activity:
A task is a defined unit of work for one or more people with a measured
endpoint. Multiple tasks may be defined to complete one activity.
An activity is the action, steps, or process taken to create or achieve a
specific product, service, or result. Activities may identify either the
“what” or the “how”
Primary Responsibility Those persons who perform hands-on activities or who have specific
approval authority. The roles listed are functional roles rather than titles.
Support Responsibility Those persons who provide assistance, reviews, and concurrence with
results/outputs. Support responsibilities also include sources that the
project can tap for expert advice. The roles listed are functional roles rather
than titles.
3.1.2 Inputs
Business Need
Business Sponsor‘s / User Ideas / Concepts.
Initial Business Requirements
Peace Corps 11
December 14, 2009
Version 4.2 Life Cycle Stages – Detailed Description
Preliminary Cost-Benefit Analysis, if applicable (compliant with the Peace Corps E-300
process)
System Security Categorization and Preliminary Risk Assessment
Notification of Funding Approval, if applicable.
Peace Corps 12
December 03, 2009
Version 4.2 Life Cycle Stages – Detailed Description
3.2.2 Inputs
Outputs from Stage 1
Peace Corps 13
December 03, 2009
Version 4.2 Life Cycle Stages – Detailed Description
3.3.2 Inputs
Deliverables from Stage 2
3.3.3 Outputs
User and Functional Requirements Documents
Baseline security control requirements identified by the sensitivity and criticality analysis
as per National Institute of Standards and Technology (NIST) Special Publication (SP)
Peace Corps 14
December 03, 2009
Version 4.2 Life Cycle Stages – Detailed Description
800-60, security categorization per Federal Information Processing Standards (FIPS) 199,
and preliminary risk assessment
Initial Requirements Traceability Matrix (RTM)
Finalized Acquisition Plan(s)
Contract Award, if applicable
Training Requirements Document
Project Risk Management Plan.
Draft CM Plan
Draft QA Plan
Draft Disaster Recovery Plan
Draft System Test Plan
Draft Data Management Plan
Draft Implementation Plan
Peace Corps 15
December 03, 2009
Version 4.2 Life Cycle Stages – Detailed Description
3.4.2 Inputs
Output from Stage 3
3.4.3 Outputs
Draft Training Plan
Memo of User Acceptance of Design
Initial
– Project Plan, CM Plan, QA Plan
– Data Management Plan (including Data Model & Data Dictionary)
Peace Corps 16
December 03, 2009
Version 4.2 Life Cycle Stages – Detailed Description
Peace Corps 17
December 03, 2009
Version 4.2 Life Cycle Stages – Detailed Description
Conduct Project Review with Meeting Agenda and Minutes Chief Architect approval
Management & get approval Baseline Project Plan (conformance to EA and
standards) is mandatory
3.5.2 Inputs
Output from Stage 4
3.5.3 Outputs
Source Code documentation (e.g., diagrams and comments depending on tool and
methodology)
Infrastructure documentation
Source Code
Databases
Procedures
Developers‘ Test Cases / Scenarios and Results
Draft Documents
– User Documentation and Training Materials Outlines
Peace Corps 18
December 03, 2009
Version 4.2 Life Cycle Stages – Detailed Description
Peace Corps 19
December 03, 2009
Version 4.2 Life Cycle Stages – Detailed Description
Peace Corps 20
December 03, 2009
Version 4.2 Life Cycle Stages – Detailed Description
3.6.2 Inputs
Output from Stage 5
3.6.3 Outputs
System Acceptance
– System Acceptance Test Plan (Final)
– System Acceptance Test Cases / Scenarios and Results
– System Acceptance Test Problem Reports
– Testing Organization Recommendation
User Acceptance
– User Acceptance Test Cases / Scenarios and Results
– User Acceptance Test Problem Reports
– User Acceptance Test Signoff memo
Approved User Documentation and Training Materials
System Security Certification Package, includes final
System Security Plan
Full Security Risk Assessment,
Security Assessment Report
IT Contingency Plan
Incident Response Plan
System Interconnection Agreements
Plan of Actions and Milestones
Privacy Impact Assessment,
Certification Recommendation
Final Documents
– Implementation Plan
– Deployment Plan
Peace Corps 21
December 03, 2009
Version 4.2 Life Cycle Stages – Detailed Description
– Operations Manuals
Initial System and Documentation
Production Readiness Review Signoff Form
Peace Corps 22
December 03, 2009
Version 4.2 Life Cycle Stages – Detailed Description
AND
System Security Certification Package is complete, reviewed by Certification Agent, and
Certification Recommendation is issued.
3.7.2 Inputs
System Acceptance
– System Acceptance Test Plan
– System Acceptance Test Cases/Scenarios and Results
– System Acceptance Test Problem Reports
User Acceptance
– User Acceptance Test Cases/Scenarios and Results
– User Acceptance Test Problem Reports
– User Acceptance Test Signoff memo
Peace Corps 23
December 03, 2009
Version 4.2 Life Cycle Stages – Detailed Description
3.7.3 Outputs
Project Lessons Learned documents
Prepared Operational Sites
Prepared Support Infrastructure
Converted Data
System Moved to Production and Education Environments
Databases Moved to Production and Education Environments
Final User Documentation and Training Materials
Finalized System Documentation
Complete Accreditation package with Accreditation Memo from Authorizing Official
Training Schedule (includes Operational Sites) If applicable:
– Pilot Test Report
– Parallel Operations Report
– Pilot Training Class
Operation Readiness Review Signoff Form
Production Baseline of System and Documentation
Production Notice
Updated Change Control Database.
Peace Corps 24
December 03, 2009
Version 4.2 Life Cycle Stages – Detailed Description
Peace Corps 25
December 03, 2009
Version 4.2 Life Cycle Stages – Detailed Description
The Authorizing Official has granted the system an Authorization to Operate, signifying
that the Authorizing Official has made the risk-based decision to approve the security
posture of the system and accepted any residual risk.
AND
System is baselined.
3.8.2 Inputs
Output from Stage 7
3.8.3 Outputs
System Being Used in the Field
Capacity and Performance Monitoring Reports
Operational Problem Reports
Help Desk Reports
Work Requests and System Change Requests
Configuration Management is in place
Upgraded/Replaced System Software/Hardware/Firmware
Post-Implementation Review (PIR) Reports
Evaluation Reports and Audits
Performance Measures for System Performance and System Contribution to Peace Corps
Mission
Trained Users
Updated User Documentation and Training Materials
Updated Security Documentation
– IT Contingency Test Plans and Reports
– Operational Lessons Learned documents
Continuous Monitoring of security controls
Security Reassessments, Re-Certification, and Re-Accreditation.
Peace Corps 26
December 03, 2009
Version 4.2 Life Cycle Stages – Detailed Description
Peace Corps 27
December 03, 2009
Version 4.2 Life Cycle Stages – Detailed Description
Stage 9: Disposition/Disposal/Retirement
Entry Criteria
A management decision is made to retire or terminate a system
Inputs
Output from Stage 8
Outputs
System is officially retired
Records requiring retention are appropriately archived (Information Preservation)
All media is sanitized or destroyed in accordance with Peace Corps Media Sanitization
Policy and Procedures
Record Disposition Guidelines per Peace Corps Manual Section 892, "Records
Management‖
Exit Criteria
The system is no longer in operation and is removed from system inventory
Records that must be retained have been identified and properly archived
Peace Corps 28
December 03, 2009
Version 4.2 Life Cycle Stages – Detailed Description
Peace Corps 29
December 03, 2009
Version 4.2 Appendix A. Recommneded SDLC Policies
Goals
The overall goals of Requirements Management are to:
Establish a common understanding of user and IT needs
Ensure that project plans, activities, and products are kept consistent with defined needs
Ensure that project plans, activities, and products are kept focused on defined needs
Establish and control approved and certified requirements in order to facilitate
engineering and management activities.
Peace Corps 30
December 14, 2009
Version 4.2 Appendix A. Recommneded SDLC Policies
1.3.1 All projects must establish and follow a formal process to control project scope, assess
impacts of changes, and incorporate approved changes in a controlled manner.
1.3.2 All changes to certified requirements must be renegotiated, documented, and re-certified.
1.3.3 Once requirements have been approved and certified, all requirements changes will fall
under the CM (CM) change control policies.
1.3.4 Changes in requirements must be fully coordinated in accordance with Project Planning
and Project Monitoring policies.
1.4.1 The members of all affected organizations who are responsible for requirements
management will be trained in the objectives, procedures, and methods for performing their
requirements management activities.
Goals
The goals of Project Planning are to:
Develop and use plans for performing and managing all tasks associated with the project
(for both management and engineering tasks)
Document estimates (and their assumptions) for planning and tracking
Document project activities and commitments
Obtain agreement from affected groups and individuals to their commitments.
Peace Corps 31
December 03, 2009
Version 4.2 Appendix A. Recommneded SDLC Policies
2.2.1 If waivers from any policies are required, the project must gain approval from the Chief
Information Officer (CIO).
2.2.2 If waivers of any policies from organizations outside of the CIO are required, the project must
gain approval from that organization.
2.3 Tailoring
2.3.1 Tailoring of the SDLC and deliverables to meet project needs is allowed. The Project
Manager must document the reasons for the tailoring. Chief Architect must approve the
tailoring.
2.3.2 Projects may develop documents and plans as needed in addition to those defined and
required in the SDLC.
Peace Corps 32
December 03, 2009
Version 4.2 Appendix A. Recommneded SDLC Policies
2.5 Estimating
2.5.1 The Project Manager will use historical information from similar projects [when available] to
do initial planning.
2.5.2 The Project Manager will document the procedure used to develop estimates and schedules.
Estimates will include work product sizes, effort and cost.
2.5.3 The Project Manager will involve project team members, to the maximum extent possible, in
creating, identifying, and documenting estimates, schedules, and risks.
Peace Corps 33
December 03, 2009
Version 4.2 Appendix A. Recommneded SDLC Policies
2.8 Re-planning
2.8.1 The Project Plan will be revised, reviewed, and re-approved as changes are required and
corrective actions taken.
2.8.2 Re-base lining requires Management approval.
2.8.3 If a project‟s cost, schedule, or mission-related performance varies from approved plans by
10% or more, the project will redo the formal Project Initiation Review and be re-authorized.
2.8.4 The Project Manager has the authority to negotiate changes and revise the Project Plan
accordingly for changes within the scope of the project.
2.9.1 The Project Manager will explicitly assign and document responsibility for specific activities
and work products.
2.9.2 The following project roles at minimum must be assigned by name in writing:
Project Manager (PM)
Project QA
Project CM
Project Change Control Board
Planning
Risk Management
Computer Security Coordinator
2.9.3 If the Business Sponsor determines that major changes will occur to existing work processes
or workforce as a result of the project, the Business Sponsor will develop a plan in
coordination with labor and employee relations organizations to mitigate workforce issues.
2.9.4 The Business Sponsor is responsible for determining the duration of parallel operations, if
any, between the old and new systems.
2.9.5 Projects will comply with privacy policies throughout the life of the system.
2.9.6 During project initiation and system retirement, notifications must be placed in the Federal
Register for all systems covered by the Privacy Act of 1974 as amended.
2.9.7 Prior to implementation, all affected organizations and sites will be notified with sufficient time
Peace Corps 34
December 03, 2009
Version 4.2 Appendix A. Recommneded SDLC Policies
2.10.1 A Peace Corps-wide SDLC Library of recommended processes, procedures, examples, and
templates will be established and used as a reference.
2.10.2 Peace Corps Process Groups will be responsible for the assets in the SDLC Library
Goals
The goals of Project Monitoring are to:
Track project results and performance against the project plans
Take and monitor corrective actions when project results deviate significantly from the
project‘s plans
Ensure that changes to commitments are agreed to by the affected groups or individuals
and communicated to all interested parties.
3.1.1 Project Managers will hold Project Status meetings to review project and process activities
with project team members and other affected stakeholders on a regularly scheduled and
event-driven basis.
3.1.2 Management will review project and process activities on a regularly scheduled basis.
3.1.3 All meetings will be documented.
3.1.4 QA will review project activities and processes for the purpose of process improvement.
3.1.5 The Project Manager will conduct formal reviews, in accordance with a documented
procedure, with representatives of stakeholders external to the project to address the
accomplishments and results of the project at selected milestones.
3.2 Tracking
3.2.1 The Work Breakdown Structure, project cost estimate, and Schedule will be used for tracking
project activities and communicating status.
3.2.2 All project changes, issues, and problems must be identified, documented, and monitored.
Peace Corps 35
December 03, 2009
Version 4.2 Appendix A. Recommneded SDLC Policies
3.2 Tracking
3.2.3 The Project Manager is responsible for taking corrective actions and making changes within
the project to ensure that commitments are met.
3.2.4 All contributing groups will provide regular status reports to the Project Manager.
3.3. Risk Management
3.3.1 Each project will identify, assess, prioritize, document, mitigate, communicate, and monitor
both project and security risks on a regular basis.
3.3.2 The Project Manager is responsible for risk assessment and risk mitigation. Everyone
associated with the project is responsible for identifying and reporting potential risks to the
Project Manager to allow for assessment and mitigation.
3.4 Metrics
3.4.1 Metrics on all project activities will be gathered and reported to Management. This includes
Project Management Support activities as well as development activities.
3.4.2 Metrics will be used to provide objective information on project schedule, resources, costs,
requirements, work product sizes and changes, and product quality. Metrics will NOT be
used for motivation, punishment, or evaluation of individual or workgroup performance.
3.5.1 Projects must establish and maintain a repository for all project-related information in a
centralized, known, and accessible location. In the event that information from supporting
and stakeholder organizations is maintained outside the project purview, the project may
reference the required information rather than duplicate the information.
3.5.2 The project repository will contain or reference the most current project/release information
using version control.
3.5.3 All work products must be maintained or referenced in the project repository using version
control. The tracking method for referenced products will need to be negotiated with the
product owner. The project will document the referenced product tracking method.
3.5.4 Information reported for all meetings (agendas, minutes, action item lists, etc.) must be
maintained in the project repository.
3.5.5 Project lessons learned meetings will be planned and scheduled. Lessons learned will be
documented, updated, and reported for use in future projects and releases.
3.5.6 Before a system or an enhancement to a system can be moved into production, all system
documentation must be completed or amended, verified, and approved. Final user
documentation and training materials may be completed after implementation.
3.6.1. The members of all affected organizations responsible for project management activities will
Peace Corps 36
December 03, 2009
Version 4.2 Appendix A. Recommneded SDLC Policies
be trained in the objectives, procedures, and methods for performing their project planning,
estimating, tracking, and monitoring activities.
3.6.2 Project Managers will be trained in managing the technical and personnel aspects of the
project.
3.6.3 Project Team members will be provided an orientation in the technical aspects of the project.
Goals
The goals of QA are to:
Establish and implement QA plans and procedures for the project‘s work products and
processes at the project level
Objectively review, audit, and document the project work products, processes, and
activities to ensure that they meet all applicable standards and requirements
Provide management with visibility into the development processes used by the projects
Ensure that both the new or changed system is compatible with and works with existing
systems.
4.1 Project QA
4.1.1 All projects will plan, perform, document, track, and measure project QA activities during the
entire life cycle of the project. All QA activities will be performed based on a documented and
approved Project QA Plan.
4.1.2 A Project QA Team within the project will be identified and will be responsible for coordinating,
implementing and verifying project QA activities. They will periodically report the results of
their activities to the Project Team.
4.1.3 The results of QA activities will not be used to evaluate the performance of individuals.
4.1.4 Peer reviews will be planned and used to review work products as early in the development life
cycle as possible.
Peace Corps 37
December 03, 2009
Version 4.2 Appendix A. Recommneded SDLC Policies
4.1 Project QA
4.1.5 Formal reviews and signoffs will be performed. At minimum, these will occur: to certify
requirements, to verify system design, before transition to acceptance testing, and before
moving the system to production.
4.1.6 The Project QA Team will identify and document processes and procedures in their QA Plan to
account for deviations in project activities and work products.
4.2 Organizational QA
4.3.1 Testing will be conducted to ensure that the delivered product meets the certified requirements
and does not adversely affect existing software and systems.
4.3.2 All development teams will conduct and document unit and integration testing. Developers
must include test cases and test results for all security features and requirements.
4.3.3 The Project QA Team will monitor unit-, integration-, security-, and system-level testing.
4.4.1 Systems Acceptance Testing (SAT), Security Testing, and User Acceptance Testing must be
performed independent of the development process. All independent testers will document
their test results.
4.4.2 All documentation provided to the independent testers will be clear, concise, and complete.
4.4.3 Testing will be performed in accordance with documented Test Plans.
4.4.4 The Business Sponsor must verify that the user documentation and training materials are
acceptable and accurate.
4.5 QA Training
4.5.1 Members of the QA Organization and Project QA Team will be trained in the objectives,
procedures, and methods for performing their QA activities.
Peace Corps 38
December 03, 2009
Version 4.2 Appendix A. Recommneded SDLC Policies
4.5 QA Training
4.5.2 Members of the Project Team will receive orientation on the role, responsibilities, authority,
and the QA Organization activities.
4.5.3 The members of all affected organizations responsible for testing will be trained in the
objectives, procedures, and methods for performing their testing activities.
Goals
The goals of CM are to ensure that:
CM activities are planned
Selected work products are identified, tracked, controlled, and available from the CM
repository
Changes to identified work products are controlled and documented. The versions of
each work products must be clearly identified so that appropriate security updates can be
applied
Affected groups and individuals are informed of the status and content of the project‘s
baselines.
Security profiles and systems‘ security is maintained throughout the changes.
5.1.1 CM will be planned and used throughout the entire life cycle. Project CM activities will be
performed in accordance with a documented and approved Project CM Plan.
5.1.2 All projects will designate an internal Project Configuration Manager who will be responsible
for planning, performing, and verifying internal Project CM activities and for coordinating
with the CM Organization.
5.1.3 All CM activities will be conducted in accordance with the appropriate Peace Corps CM
(CM) Plans.
5.1.4 Work products to be placed under CM will be identified, controlled, and base lined.
5.1.5 Products will be created from the project‟s base lined as maintained in the CM repository.
CM will control their release according to a documented procedure.
5.1.6 CM will be applied to identify work products, including all tools and components needed to
recreate the previous version of the configuration item.
5.1.7 The Project CM Team will create, maintain, and implement a Project CM Plan that defines a
Peace Corps 39
December 03, 2009
Version 4.2 Appendix A. Recommneded SDLC Policies
5.2 Migration
5.2.1 Only properly authorized, tested, and approved hardware, system software, applications,
and application changes will be moved into the Production environment.
5.2.2 The Project CM Team is responsible for providing the QA Organization with a change
package that contains a complete list of all items to be implemented.
5.2.3 The CM Organization is the only group authorized to migrate applications and application
changes into Testing at the request of the Tester and then into the Production and the
Education environments upon approval by the Business Sponsor.
5.2.4 Projects that meet one or more of the emergency definition criteria are moved into
Production upon the approval of the Testers outside of the regularly scheduled application
migration periods.
5.2.5 Emergency project moves will follow currently established emergency procedures.
5.3.1 A Project Change Control Board (CCB) will be established having the authority for
managing the project's baselines. The CCB will record, review, approve/disapprove,
prioritize, and track change requests and problem reports for all configuration items/units.
5.3.2 If additional functionality needs to be added, a change request will be initiated and tracked.
5.3.3 Changes to baselines will be controlled according to a documented procedure.
5.4.1 The Project CM Team will record the status of project elements.
5.4.2 Each project will produce standard reports covering their CM activities and baseline
contents. Copies of these reports will be made available to all affected groups and
individuals.
5.4.3 The CM Organization will record and report status of the Production baselines.
5.4.4 Project CM will gather, collect, and report metrics to determine the status of its CM
activities.
5.4.5 A group external to the Project CM Team will periodically audit baselines and verify that
they conform to the documentation that defines them.
5.4.6 CM processes and activities will be reviewed in accordance with Project Monitoring, QA,
and security policies.
Peace Corps 40
December 03, 2009
Version 4.2 Appendix A. Recommneded SDLC Policies
5.5 CM Training
5.5.1 The members of all affected organizations responsible for performing CM-related activities
will be trained in the objectives, procedures, and methods for performing their CM activities.
5.5.2 Members of the CM Organization and the Project CM Team will be trained in the objectives,
procedures, and methods for performing their CM activities.
5.5.3 Members of the Project Team and other software-related groups will be trained to perform
their CM activities.
5.6.1 There will be separate and distinct libraries for all environments (development, test,
education, production, etc.).
5.6.2 A CM library system will be established as a repository for each project for software and
documentation baselines.
Peace Corps 41
December 03, 2009
Version 4.2 Appendix A. Recommneded SDLC Policies
Goals
The overall goals of IT Security are to:
Ensure the safety and security of Peace Corps Volunteers and Staff by protecting their
information
Manage and mitigate risk to an appropriate level
Ensure that appropriate security controls are in place and functioning as intended
Ensure management is fully informed of the security risk mitigations and residual
security risk of their IT system
Provide assurances that IT security features work as claimed and cannot be easily
defeated
Peace Corps 42
December 03, 2009
Version 4.2 Appendix A. Recommneded SDLC Policies
Ensure that the IT system has reasonable security controls to appropriately preserve the
data‘s integrity, availability, and confidentiality.
Peace Corps 43
December 03, 2009
Version 4.2 Appendix A. Recommneded SDLC Policies
Security is an ongoing process, from business concept to disposal. IT security activities are
interwoven throughout the Peace Corps‘ nine SDLC stages and result in the specific security
outputs highlighted in the SDLC and required by various Peace Corps ITSRs. Figure 3, above,
depicts this relationship. Incorporating risk management activities during the appropriate stages
of the SDLC, culminating in the certification and accreditation (C&A) of the system, reduces the
duplication of effort in developing and documenting the security plans and procedures required
by both the SDLC and the IT security process. The remainder of this appendix will show the
interrelationships between the stages of the Peace Corp SDLC and IT Security, and the points
where key IT security risk management products are developed. For additional detail on Peace
Corps IT Security Requirements, please reference MS 542 and the ITSRs.
A.6.3 IT Security At Each Stage of the SDLC
Stage 1: Concept and Business Case
IT Security Tasks and Activities for the Concept and Business Case Stage
Task/Activity Document Notes
Identify security Information Type IT system and data criticality and sensitivity must be
categorization of Worksheet considered in preparation for formally describing the system‟s
IT system and its security categorization in terms of the IT system‟s
data availability, integrity, and confidentiality requirements. It is
within this stage that the impact levels defined in Federal
Information Processing Standard (FIPS) 199 are determined
and the overall security categorization of the system is
identified “based on the system‟s use, connectivity, and
aggregate information content”. The security categorization,
which can be low, moderate, or high, plays a role in
determining the levels of effort required to secure the IT
system and the information it will handle. The security
categorization aids in appropriately scoping the initial set of
minimum baseline security controls required for the system
from National Institute for Standards and Technology (NIST)
Special Publication (SP) 800-53 during the next SDLC stage
to fit the specific system security environment. The security
categorization is determined by using the Information Type
Identification Instructions and Worksheet as part of the
Project Information Form (PIF) process.
Peace Corps 44
December 03, 2009
Version 4.2 Appendix A. Recommneded SDLC Policies
IT Security Tasks and Activities for the Concept and Business Case Stage
Task/Activity Document Notes
Assess the Business Impact The business impact assessment incorporates what is
potential business Assessment known about the IT system; its business function; the data it
impact of the IT will process, transmit, and store; and, its proposed
system environment to identify the availability requirements of the
system, and the related recovery time objective (how quickly
a system needs to be restored after a disruption) and
recovery point objective (the amount of data loss that can be
tolerated after a disruption). The business impact
assessment process is a key input to the Agency‟s IT
disaster recovery planning process. The quick business
impact assessment incorporated into the PIF is maintained
by the IT Disaster Recovery Plan Coordinator and provides
key availability and recovery requirements information to the
IT system Project Team, which may impact design decisions,
architecture and cost analysis for the system. The business
impact assessment will also contribute to IT contingency
planning for the IT system. For additional guidance see
Peace Corps ITSR for System and Services Acquisition.
Evaluate the size Project Sizing Project Sizing Worksheet helps identify the specific SDLC
or complexity of requirements for a project. Information identified during
the project project sizing that is relevant to the IT system‟s security
posture includes: whether this is a new IT system or an
enhancement to an existing IT system; if the project involves
a Major Application or a General Support System; and, if the
project is an enhancement to a current system, whether this
will be a significant change to the system requiring re-
certification and accreditation.
Identify the Preliminary Risk The boundaries of the IT system are identified to delineate
system‟s security Assessment the accreditation boundaries for the system and the
boundary associated security responsibilities.
Identify and Preliminary Risk The Preliminary Risk Assessment is performed in the two
assess the Assessment initial stages of the SDLC, and updated during the
potential risks to subsequent two stages as more details about the IT system
the IT system are defined. This is to ensure that the security requirements
of the IT system for integrity, availability, and confidentiality
are identified along with the minimum baseline security
controls. Early identification of system specific risks and
security requirements enables the requisite security controls
to be fully integrated into the IT system‟s design and
architecture. In order to identify system-specific threats to
and vulnerabilities of a particular IT system in its
environment, a Preliminary Risk Assessment is performed
following NIST SP 800-30 and Peace Corps ITSR for Risk
Assessments. The Preliminary Risk Assessment contains a
level of detail equivalent to the system definition and what is
known about the IT system. For additional guidance see
Peace Corps ITSR for Risk Assessment.
Peace Corps 45
December 03, 2009
Version 4.2 Appendix A. Recommneded SDLC Policies
IT Security Tasks and Activities for the Initiation and Authorization Stage
Task/Activity Document Notes
Identification and Security Control Incorporate what is known about the system, its data, and its
scoping of Requirements proposed environment with the system‟s security
baseline security Matrix categorization and preliminary risk assessment to begin the
controls (Includes process of identifying and scoping the baseline security
managerial, controls. NIST SP 800-53 and Peace Corps ITSRs provide
operational, and guidance on the required baseline security controls; the
technical security objective of this guideline is to standardized the selection of
controls.) security controls and maintain consistency across the
Agency, while allowing flexibility for tailoring the security
controls to fit the specific IT system‟s requirements. Through
this process the baseline security controls are refined,
tailored, or augmented to fully address the protection needs
of the system.
Understanding that the security controls identified based on
an IT system‟s security categorization and NIST SP 800-53
are the minimum controls necessary for a particular system, it
should be recognized that there may be a need for additional
security controls beyond the minimum that protect against
specific, unique threats possibly exploiting system
weaknesses, or vulnerabilities.
Analyze cost of Security Control Security Control Cost Analysis is required once the
implementing Cost Analysis baseline security controls have been identified and tailored.
security controls Federal reporting requires that IT security expenditures for IT
systems be identified as a separate line item. Performing the
security control cost analysis at this stage in the SDLC
enables evaluation of the project‟s security requirements from
a security cost perspective, and facilitates early consideration
of design and architecture options that may have a dramatic
impact on project cost. The security control cost analysis is
typically requested by the EAAB.
Refine the system Preliminary Risk The boundaries of the IT system are update to reflect what is
boundary Assessment known about the system.
definition
Peace Corps 46
December 03, 2009
Version 4.2 Appendix A. Recommneded SDLC Policies
IT Security Tasks and Activities for the Initiation and Authorization Stage
Task/Activity Document Notes
Refine and update Preliminary Risk The Preliminary Risk Assessment is updated to ensure
Preliminary Risk Assessment that it contains a level of detail equivalent to the system
Assessment definition and what is known about the IT system. For
additional Guidance see Peace Corps ITSR for Risk
Assessment.
Peace Corps 47
December 03, 2009
Version 4.2 Appendix A. Recommneded SDLC Policies
Peace Corps 48
December 03, 2009
Version 4.2 Appendix A. Recommneded SDLC Policies
Peace Corps 49
December 03, 2009
Version 4.2 Appendix A. Recommneded SDLC Policies
Peace Corps 50
December 03, 2009
Version 4.2 Appendix A. Recommneded SDLC Policies
Stage 5: Construction
Peace Corps 51
December 03, 2009
Version 4.2 Appendix A. Recommneded SDLC Policies
Peace Corps 52
December 03, 2009
Version 4.2 Appendix A. Recommneded SDLC Policies
IT Security Tasks and Activities for the Testing and Acceptance Stage
Task/Activity Document Notes
Finalize the System Security The System Security Plan documents all of the information
planned security Plan about the system, including: its boundaries; unique system
controls for the identifier; system description responsibility for the system, its
system operations and its security, provides identifying information
about the system, describes the hardware and software, and,
the system‟s security controls implemented to protect the
system. The SSP should be updated throughout the life of
the system. For additional guidance see Peace Corps ITSR
for Planning.
Finalize the IT IT Contingency The IT Contingency Plan Test Plan will test the
contingency plan Plan Test Plan effectiveness of the IT Contingency Plan in supporting the
test plan for the availability and recovery requirements of the system. The
system Test Plan must be finalized so that it can be executed during
this stage. For additional guidance see Peace Corps ITSR
for Contingency Planning.
Peace Corps 53
December 03, 2009
Version 4.2 Appendix A. Recommneded SDLC Policies
IT Security Tasks and Activities for the Testing and Acceptance Stage
Task/Activity Document Notes
Conduct the IT IT Contingency Follow the IT Contingency Plan Test Plan to test the IT
Contingency Plan Plan Test Report Contingency Plan and ensure that it will be effective in the
Test Plan event of a real system disruption and be capable of
supporting the availability and recovery requirements of the
system. While conducting the test and after the test, capture
in the IT Contingency Test Plan Report all corrective
actions, lessons learned, revisions, or recommendations
identified through the test activity. For additional guidance
see Peace Corps ITSR for Contingency Planning.
Update IT IT Contingency The updated IT Contingency Plan should incorporate or
contingency plan Plan address all corrective actions, lessons learned, revisions, or
for the system (may be a part of the recommendations identified through the test activity. For
SSP) additional guidance see Peace Corps ITSR for Contingency
Planning.
Finalize incident Incident Before moving through testing, the system‟s Incident
response plan Response Plan Response Plan must be complete. For additional guidance
(may be a part of the see Peace Corps ITSR for Incident Response.
SSP)
Finalize IT security IT Security The IT Security Training Plan must be finalized to address
training plan Training Plan the security training requirements of general system users,
(may be a part of the privileged users, and users with significant security
SSP) responsibilities before the system can move to the
Operational Ready Stage, when the training must begin to be
delivered. For additional guidance see Peace Corps ITSR for
Awareness and Training.
Document System Security The long term storage, archiving, and record retention
requirements for Plan requirements of the IT system must be defined and
preserving or documented in the system‟s SSP along with media
destroying system sanitization procedures. For additional guidance see Peace
data Corps ITSR for Planning and Media Protection. For System
of Records information refer to the Freedom of Information
Act and Privacy Act Office.
Complete and Security The complete Security Assessment Test Plan should have
conduct the Assessment Test a test case to test every security requirement in the Security
security Plan Requirements Traceability Matrix. It should be noted that
assessment test testing of security controls during this stage includes review
plan of system and security documentation, such as the SSP, risk
assessment, IT contingency plan, and security training plans.
For additional guidance see Peace Corps ITSR for
Certification, Accreditation, and Security Assessments.
Prepare security Security The Security Assessment Report provides verification if all
assessment report Assessment planned security controls are implemented and functioning as
Report intended. Corrective actions recommended in the Security
Assessment Report must be implemented, added to the
POA&M, or determined to be an acceptable risk. For
additional guidance see Peace Corps ITSR for Certification,
Accreditation, and Security Assessments.
Peace Corps 54
December 03, 2009
Version 4.2 Appendix A. Recommneded SDLC Policies
IT Security Tasks and Activities for the Testing and Acceptance Stage
Task/Activity Document Notes
Continue to track Plan of Action The IT system‟s Plan of Action and Milestones (POA&M)
plans and and Milestones should reflect all corrective actions identified during testing to
milestones for the ensure that mitigation of these corrective actions is
IT system appropriately managed. For additional guidance see Peace
Corps ITSR for Certification, Accreditation, and Security
Assessments.
Complete full Full Risk The full Risk Assessment documents the security posture of
assessment of Assessment the system in terms of implemented security controls,
risks acceptable risk, and residual risk.
Prepare the Certification The system‟s certification is prepared for review by the
Certification Package Certification Agent. The package must include: System
Package Security Plan, Full Security Risk Assessment, Security
Assessment Report, IT Contingency Plan, Incident Response
Plan, System Interconnection Agreements, Plan of Actions
and Milestones, and Privacy Impact Assessment. For
additional guidance see Peace Corps ITSR for Certification,
Accreditation, and Security Assessments.
Document Certification The Certification Agent must document their recommendation
certification Recommendation for the Authorizing Official. Recommendation can be to
recommendation authorize, deny, or interim authorize the system for
operations. This recommendation is included with the
Certification package. For additional guidance see Peace
Corps ITSR for Certification, Accreditation, and Security
Assessments.
Peace Corps 55
December 03, 2009
Version 4.2 Appendix A. Recommneded SDLC Policies
Stage 8: Operations
Peace Corps 56
December 03, 2009
Version 4.2 Appendix A. Recommneded SDLC Policies
Peace Corps 57
December 03, 2009
Version 4.2 Appendix A. Recommneded SDLC Policies
Stage 9: Disposition/Disposal/Retirement
Goals
The goals of Contract Monitoring are to:
Select qualified contractors and/or subcontractors
Ensure that the contractor and subcontractors agree to their commitments to each other
Maintain ongoing communications through the life of the contract
Track and monitor the contractor/subcontractor‘s actual results and performance against
the agreed upon commitments.
7.1.1 The Statement of Work (SOW) will be written with particular attention to defining the critical
success factors and measures of performance.
7.1.2 Any changes to the SOW must be approved according to the procedure defined by the
Peace Corps 58
December 03, 2009
Version 4.2 Appendix A. Recommneded SDLC Policies
Contracting office.
7.2.1 Regular meetings with the contractor/subcontractor management will be scheduled in the
Project Plan. Results will be documented and distributed.
7.2.2 Technical work to be performed by the contractor/subcontractor will be tracked and formally
reviewed on a regular basis.
Peace Corps 59
December 03, 2009
Version 4.2 Life Cycle Stages – Detailed Description
Peace Corps 60
December 14, 2009
Version 4.2 Checklists of Key SDLC Policies and Elements
In addition to project status, both project risks and security risks will be monitored and
reassessed regularly, particularly at major milestones and when the schedule is under revision.
All certifications, signoffs, meeting minutes, and decisions will be maintained in the project
repository.
Peace Corps 61
December 03, 2009
Version 4.2 Checklists of Key SDLC Policies and Elements
B.3 Deliverables
All projects regardless of size must consider and determine each of the following deliverables /
information for applicability. The results of that determination must be documented. While
most of the information noted below is required, the documents may be combined with each
other or with one of the required project deliverables as documented in the project‘s tailoring
rationale. The approval is done via the appropriate reviews of these deliverables.
Appendix B.3 - Table 22: Checklist of Deliverables
Peace Corps 62
December 03, 2009
Version 4.2 Checklists of Key SDLC Policies and Elements
Peace Corps 63
December 03, 2009
Version 4.2 Checklists of Key SDLC Policies and Elements
Peace Corps 64
December 03, 2009
Version 4.2 Checklists of Key SDLC Policies and Elements
Peace Corps 65
December 03, 2009
Version 4.2 Appendix D. Acronyms
Appendix C. Acronyms
AR ..................Account Representatives
AS ..................Applications Systems
ATO ...............Authorization to Operate
CMM® ...........Capability Maturity Model®
CPIC ...............Capital Planning and Investment Control
CPIC ...............Capital Planning and Investment Control
C&A ...............certification and accreditation
CCB................Change Control Board
CIO .................Chief Information Officer
CISM ..............Chief Information Security Manager
COTS .............Commercial Off-The-Shelf
CI....................configuration items
COOP .............Continuity of Operations Plan
CDR ...............Critical Design Review
EAAB .............EA Advisory Board
EFR ................Emergency Fix Requests
EA ..................Enterprise Architecture
FIPS................Federal Information Processing Standards
FISMA ...........Federal Information Security Management Act
HT ..................High-Throughput
IT ....................information technology
IRB .................Investment Review Board
IRB .................Investment Review Board
ITSRs .............IT Security Requirements
MS ..................Manual Section
NIST ...............National Institute of Standards and Technology
OIT .................Office of Information and Technology
ORR ...............Operational Readiness Review
POA&M .........Plan of Action and Milestones
PRR ................Production Readiness Review
PIF ..................Project Information Form
QA ..................Quality Assurance
RTM ...............Requirements Traceability Matrix
SEI® ..............Software Engineering Institute‘s
SP ...................Special Publication
SOW...............Statement of Work
SSP .................System Security Plan
SDLC .............Systems Development Life cycle
SE-CMM® .....Systems Engineering Capability Maturity Model®
UFR ................Unfunded Request
WBS ...............Work Breakdown Structure
Peace Corps 66
December 14, 2009