ITEC-2410-S - IT Project Oversight Standards
1.0 TITLE: Standards for IT Projects Subject to Independent Verification and Validation (IV&V)
1.1 Effective Date: 12/19/2023
1.2 Approval Date: 12/19/2023
1.3 Type of Action: New
2.0 PURPOSE: This standard is provided to assist with adherence to ITEC-2410-P.
3.0 ORGANIZATIONS AFFECTED: State agencies as defined by K.S.A. 75-7201.
4.0 REFERENCES:
4.1 Kansas Statutes:
4.1.1 K.S.A. 75-7201 defines a ‘State agency’.
4.1.2 K.S.A. 75-7203 authorizes the Information Technology Executive Council (ITEC) to adopt information resource policies and procedures and provide direction and coordination for the application of the state’s information technology resources for all state agencies.
4.1.3 K.S.A. 75-7211 directs the Branch Chief Information Technology Officer (CITO), under the direction of the Joint Committee on Information Technology (JCIT), to monitor state agency execution of reported information technology projects for their respective branch.
4.2 ITEC Policies:
4.2.1 3000-P defines policy, standard, and guidelines.
4.2.2 2400-S outlines the project plan approval and project status reporting procedures.
4.2.3 2410-S outlines the project oversight process for all projects with a cost of more than $10 million.
5.0 DEFINITIONS:
5.1 CITO - Refers to the Executive, Legislative or Judicial Branch Chief Information Technology Officer, with duties as defined in K.S.A. 75-7205, et seq.
5.2 Information technology (IT) project – An information technology effort by a state agency of defined and limited duration which implements, effects a change in, or presents a risk to, processes, services, security, systems, records, data, human resources, or architecture. (K.S.A. 75-7201(b)).
5.3 Project - means a planned series of events or activities that is intended to accomplish a specified outcome in a specified time period, under consistent management direction within a state agency or shared among two or more state agencies, and that has an identifiable budget for anticipated expenses.
5.4 IV&V refers to Independent Verification and Validation, which is a service performed by an independent third party that ensures the products developed and processes employed by the IT project meet specified requirements (business, technical, architectural, design), employs best practices, adheres to industry and state standards, and is being managed and controlled according to the approved baselined project plans. Additionally, IV&V will facilitate early detection and correction of errors, enhance insight into risks, provide findings and recommendations to ensure compliance with project scope, schedule, and budget requirements. Essentially, the IV&V vendor provides a status on the health of the IT project on a periodic basis. Verification and validation are used as defined in the current Project Management Body of Knowledge Guide (PMBOK Guide).
5.5 JCIT - Refers to the Kansas Legislature’s Joint Committee on Information Technology.
5.6 ITEC – Refers to the Information Technology Executive Council, duties defined in K.S.A. 75-7202.
5.7 KITO – refers to the Kansas Information Technology Office, which provides oversight of IT projects as outlined in statute, ITEC policies, and JCIT guidelines and recommendations.
6.0 STANDARDS:
6.1 A state agency is required to procure an external IV&V provider for IT projects that meet or exceed the cost threshold of $10 million.
6.2 Special Circumstances
6.2.1 Exceptions – State agencies with an IT project that meets the qualifying criteria to require IV&V, and that have circumstances which justify not proceeding with IV&V, may request, in writing, prior to execution, an exception from the branch Chief Information Technology Officer (CITO).
6.2.2 The branch CITO may, in consultation with agency head, recommend IV&V for any IT project.
6.2.3 The agency has discretion to utilize IV&V services for any project.
6.2.4 Project Risk – project risk analysis involves examining how project outcomes and objectives might change due to the impact of a risk event. When completing the Risk Assessment Model (RAM), as part of the project planning, an overall project risk score of “high” will require further evaluation. A risk mitigation plan will be required. Agencies are encouraged to consider IV&V service as part of their mitigation strategies.
6.2.5 During project execution, any change in project status reporting of more than 30% in project cost or schedule, will require a project recast. Agencies are encouraged to consider IV&V service as part of their recovery plan.
6.3 IT projects utilizing IV&V services will be required to document the acquisition of the IV&V vendor in KARS.
6.4 State agencies are required to follow the following State of Kansas IV&V requirements when procuring and utilizing an IV&V vendor:
6.4.1 The IV&V specifications and contracts must receive branch CITO approval and must include the following vendor requirements:
6.4.2 IV&V services must be provided and managed by a provider that is administratively and operationally independent (real and perceived) of the IT project.
6.4.2 The IV&V contractor and staff must have proven experience auditing IT projects of similar scope including, but not limited to the following:
6.4.2.1 Industry standards and best practices regarding quality assurance and quality control principles, tools, and techniques as they pertain to the IT project.
6.4.2.2 Knowledge of multiple industry methodologies, i.e., agile, waterfall, iterative, etc., as they pertain to the IT project.
6.4.2.3 Understanding of the Kansas Project Management Methodology, as the IT project and deliverables will be evaluated according to the methodology.
6.4.2.4 Auditing results of IT project testing, including: unit, integration, system, regression, and acceptance.
6.4.2.5 Writing and presenting recommendations for improvement.
6.4.2.6 Monitoring and reporting on project outcomes to ensure they are met, including but not limited to: meeting business needs, scope management, cost management, change control adherence, etc.
6.5 Agencies’ and IV&V contractors’ processes must include the following:
6.5.1 Agency Responsibility:
6.5.1.1 Must ensure IV&V services provided are administratively and operationally independent (real and perceived) of the IT project.
6.5.1.2 Must ensure key project stakeholders are available and compliant with IV&V project-related requests.
6.5.1.3 Review and provide feedback on IV&V deliverables in status reports within a mutually agreed to number of days.
6.5.1.4 Provide documentation of the contractor acquisition and project status reports in KARS.
6.5.2 Contractors
6.5.2.1 Perform initial analysis to create and document a baseline assessment/summary report at project inception.
6.5.2.2 Perform project status assessments compared to baseline at designated phases of project execution to deliver phased status reports (See Table 1 for recommended phases, milestones, and IV&V deliverables and Table 2 for a general description of the recommended IV&V deliverables).
6.5.2.2.1 Each assessment should include, but not necessarily be limited to, the following activities:
6.5.2.2.1.1 Identify and review relevant project documentation and project artifacts one week prior to the assessment;
6.5.2.2.1.2 Identify and schedule entrance interviews (to gather key information) and exit interviews (to review findings) with key project stakeholders (Sponsor, Project Manager, Project Team members, CITO or CITO Designee, etc.);
6.5.2.2.1.3 Develop and deliver a draft written status report within an agreed to number of days, and,
6.5.2.2.1.4 Review and respond to any feedback on the report, make any final revisions the IV&V provider believes are required, and submit the final report.
6.5.2.2.2 Each status report should include, but not necessarily be limited to:
6.5.2.2.2.1 An objective assessment of overall project health;
6.5.2.2.2.2 A summary of key findings, risks, issues, and recommendations for improving project performance; and,
6.5.2.2.2.3 A preview of the deliverables expected to be completed in the next phase of the project.
6.5.2.2.3 All IV&V assessment final reports will be submitted directly and simultaneously to the project sponsor, branch CITO, KITO, agency head, and project manager.
6.5.2.2.3.1 Each entity shall designate a primary contact, a submission procedure, and communicate it to the IV&V.
6.5.2.2.3.2 It is the responsibility of each entity to review assessments and ensure IV&V findings are addressed.
6.5.2.2.4 It is the responsibility of the agency head to ensure that their agency complies with all appropriate requests from the IV&V provider.
6.5.2.2.4.1 An agency primary contact, usually the project manager, shall be designated to facilitate, not direct, IV&V efforts.
6.5.2.2.4.2 A formal communication regarding the IV&V, its purpose, and general activities and the need for cooperation with its efforts shall be made during IV&V kickoff.
Table 1a – Sample list of waterfall approach project phases, milestones, and IV&V deliverables
Phase | Project Milestone | Deliverable
Project Kickoff | Initiation Complete | IV&V Management Plan
Planning | Plan Complete | Baseline Assessment
Design Test Plan/Setup | Design Complete | Ongoing Report
Develop & Test | Development Complete | Ongoing Report
Develop & Test | Test Complete | Ongoing Report
Final | Project Complete | Final Report
Table 1b – Sample list of agile approach project phases, milestones, and IV&V deliverables
1st User Story | Functionality needed to address the User Story has been designed, configured, tested and User Acceptance Testing (UAT) completed |
2nd User Story | Functionality needed to address the User Story has been designed, configured, tested and User Acceptance Testing (UAT) completed | Functionality ready to be moved to production.
3rd User Story | Functionality needed to address the User Story has been designed, configured, tested and User Acceptance Testing (UAT) completed | Functionality ready to be moved to production.
Roll Out | All User Stories have been moved to production | Sign-off that all requirements have been met.
Transition Plan | A plan for end user(s) to be on-boarded is completed. | Documents needed for training and communications are complete. There is a finalized schedule for meetings, trainings, communications, etc.
Final | Project Complete | Final Report
Table 2 – Description of Recommended IV&V Contract Deliverables
Deliverable | General Description
IV&V Management Plan | To be delivered prior to the commencement of the IV&V Review. The IV&V Management Plan shall contain the following:
Baseline | The Baseline analysis and summary report will include the following elements in the review:
Ongoing Reports | Each ongoing analysis and summary report will include the following elements in the review:
Final Report | Final Report analysis and summary report will include the following elements in the review: