Policy Statement: This policy establishes controls addressing the sunsetting of technology. The controls provide guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investments.
Definition:
Technology Sunsetting - The business process in which the Commonwealth Office of Technology (COT), or an agency, determines that a particular technology has reached the sunset stage in its life cycle and plans for its disposition. The impetus for determining the sunset status may be a technology event, such as a vendor or COT determining the technology is obsolete or unsupported, or a function is no longer needed due to organizational business needs.
Policy: Obsolete or unsupported software and hardware present numerous risks to the Commonwealth, including security vulnerabilities or incompatibility with features and functions of newer technologies. Consequently, this policy establishes the responsibilities for addressing technology in sunset status.
COT and agencies shall review their technology portfolio, according to established review schedules. The technology portfolio review shall ensure the technology meets security, business, and technology requirements and standards. If a technology cannot be upgraded to meet requirements and standards, or no longer meets a business requirement, COT and the agencies will collaborate to place the technology in a sunset status, and determine its eventual disposition.
If COT determines that a technology needs to be sunset or replaced, COT shall notify agencies using an Agency Contact Memo (ACM), by e-mail, and on the COT public website.
When an agency identifies a candidate technology for sunset, it shall nominate that technology to the CIO with a rationale for sunset status. If known, the agency shall also identify any other agencies that may be affected by the sunset of the technology. If a technology is approved for sunset, the CIO shall identify a lead organization, COT or agency, to lead the sunset and final disposition of the technology.
Agencies requesting an architectural exemption for continued use of technology designated in sunset status must submit an exception request to COT’s Office of IT Architecture and Governance. The cost associated with retaining and supporting aging software is the responsibility of the agency.
COT may disable a technology in sunset status, if the CIO, after consultation with the CISO, determines the software creates an operational or security risk to the Commonwealth.
Authority: KRS 42.726 authorizes the Commonwealth Office of Technology to develop policies and compliance processes to support and promote the effective applications of information technology within the executive branch of state government.
Applicability: All executive branch agencies and non-executive branch agencies using COT-managed infrastructure or services shall adhere to this policy. This includes employees, contractors, consultants, temporaries, volunteers, and other workers within state government.
Responsibility for Compliance: Each agency shall ensure that all staff within their organizational authority are made aware of and comply with this policy. The agency is responsible for enforcing it. Unauthorized and/or neglectful actions regarding this policy may result in disciplinary action up to and including dismissal. COT may require additional service charges for remediation efforts due to non-compliance with this policy.
Maintenance: COT’s Office of IT Architecture and Governance is responsible for maintaining this policy. Organizations may modify this policy to fulfill their responsibilities, but must obtain approval through an exception request. Staff should refer to their internal policy, which may have additional information or clarification.
Review Cycle: COT will review this policy at least every two years.