CIO-102 Technology Sunset Policy

​​​​

Office of the Chief Information Officer Enterprise Policy

CIO-102: Technology Sunset Policy
Effective Date: 07/08/2015
Revision Date: 10/23/2018
Review Date: 10/23/2018

Policy Statement:  This policy establishes controls addressing the sunsetting of technology. The controls provide guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investments. 
Definition:  
Technology Sunsetting - The business process in which the Commonwealth Office of Technology (COT), or an agency, determines that a particular technology has reached the sunset stage in its life cycle and plans for its disposition.  The impetus for determining the sunset status may be a technology event, such as a vendor or COT determining the technology is obsolete or unsupported, or a function is no longer needed due to organizational business needs.


Policy: Obsolete or unsupported software and hardware present numerous risks to the Commonwealth, including security vulnerabilities or incompatibility with features and functions of newer technologies.  Consequently, this policy establishes the responsibilities for addressing technology in sunset status.
COT and agencies shall review their technology portfolio, according to established review schedules.  The technology portfolio review shall ensure the technology meets security, business, and technology requirements and standards.  If a technology cannot be upgraded to meet requirements and standards, or no longer meets a business requirement, COT and the agencies will collaborate to place the technology in a sunset status, and determine its eventual disposition.
If COT determines that a technology needs to be sunset or replaced, COT shall notify agencies using an Agency Contact Memo (ACM), by e-mail, and on the COT public website.
When an agency identifies a candidate technology for sunset, it shall nominate that technology to the CIO with a rationale for sunset status. If known, the agency shall also identify any other agencies that may be affected by the sunset of the technology.  If a technology is approved for sunset, the CIO shall identify a lead organization, COT or agency, to lead the sunset and final disposition of the technology.
Agencies requesting an architectural exemption for continued use of technology designated in sunset status must submit an exception request to COT’s Office of IT Architecture and Governance. The cost associated with retaining and supporting aging software is the responsibility of the agency.
COT may disable a technology in sunset status, if the CIO, after consultation with the CISO, determines the software creates an operational or security risk to the Commonwealth
Authority: KRS 42.726 authorizes the Commonwealth Office of Technology to develop policies and compliance processes to support and promote the effective applications of information technology within the executive branch of state government. 
Applicability: All executive branch agencies and non-executive branch agencies using COT-managed infrastructure or services shall adhere to this policy.  This includes employees, contractors, consultants, temporaries, volunteers, and other workers within state government.
Responsibility for Compliance: Each agency shall ensure that all staff within their organizational authority are made aware of and comply with this policy. The agency is responsible for enforcing it.  Unauthorized and/or neglectful actions regarding this policy may result in disciplinary action up to and including dismissal.  COT may require additional service charges for remediation efforts due to non-compliance with this policy.
Maintenance: COT’s Office of IT Architecture and Governance is responsible for maintaining this policy.  Organizations may modify this policy to fulfill their responsibilities, but must obtain approval through an exception request.  Staff should refer to their internal policy, which may have additional information or clarification.
Review Cycle: COT will review this policy at least every two years.

 

 

​​
This page was last modified 8/6/2019 6:13 PM
 

Return to CIO Policies Home Page


 


 
 

 

References: