CIO-103 Independent Verification and Validation Policy

Office of the Chief Information Officer Enterprise Policy
CIO-103: Independent Verification and Validation Policy (IV&V)
Effective Date: 05/30/2018
Policy Statement: This policy establishes controls related to the management of information technology (IT) projects within the executive branch of the Commonwealth.  The controls provide guidance in decision-making and practices that optimize resources, mitigate project risk, and maximize return on investments. 
  • IT Project – A temporary endeavor undertaken to create a unique product, service, or result.  It has a definite beginning and end, and defined scope, schedule and cost baselines.  A project is unique in that it is not a routine operation, but a set of activities aimed at accomplishing a specific onetime goal.
  • Independent Verification and Validation (IV&V) – A comprehensive software and/or hardware review, analysis, testing and validation performed by an objective third party (outside the project team reporting hierarchy) to confirm (i.e., verify) that the requirements are correctly defined, and to confirm (i.e., validate) that the system correctly implements the required functionality and security requirements.
  • Project Assurance (PA) – An independent (outside the project team reporting hierarchy) consulting process that assesses the health and viability of a project through the examination of the business environment, project framework, and project execution.  PA is considered a subset of IV&V.
  • IV&V Oversight – A role which reviews and makes recommendations to an IV&V vendor, project agency and/or federal agency (i.e. HHS/CMS) regarding contractual aspects of the vendor-produced deliverables and adherence to the vendor’s Statement of Work (SOW) and Contract for IV&V Services.
Policy: As defined in House Bill 244, the Commonwealth Office of Technology (COT) Office of Project Management (OPM) is responsible for overseeing large and/or critical IT projects across the executive branch.  To ensure projects have the highest chance of success, Independent Verification and Validation or Project Assurance services are mandatory for current and future IT projects.  All executive branch agencies are required to incorporate IV&V or PA into their project plans based upon budget and special requirements.
After COT review, some select and new IT projects preceding fiscal year 2021 will require a Memorandum of Agreement (MOA) between COT and the requesting agency to define the appropriate level of PA, IV&V, or IV&V Oversight to be involved and a target cost for those services. 
Beginning in fiscal year 2021, all agency IT project plans will incorporate either IV&V or PA services based upon the following criteria:
  • For projects with budgets of less than $1 million, agencies will include 5% of the project budget for PA services to be provided by COT OPM.
  • For projects with budgets of more than $1 million, agencies will include 10% of the project budget for IV&V services to be provided by COT OPM.
  • For all projects that require a specialty skill set that is not available within the Commonwealth of Kentucky, or that are specifically required by state/federal regulation to use a 3rd-party IV&V vendor, COT OPM will oversee the IV&V services provided by a 3rd-party vendor.
Authority:  KRS 42.726 authorizes the Commonwealth Office of Technology (COT) to develop policies and compliance processes to support and promote the effective application of information technology within the executive branch of state government.
Applicability: All executive branch agencies must adhere to this policy.  This includes employees, contractors, consultants, temporaries, volunteers, and other workers within state government.
Responsibility for Compliance:  Each agency must ensure that all staff within their organizational authority are made aware of and comply with this policy.  The agency is responsible for enforcing it.  Unauthorized and/or neglectful actions regarding this policy may result in disciplinary action up to and including dismissal.  COT may require additional service charges for remediation efforts due to non-compliance with this policy.
Maintenance:  COT’s Division of Enterprise Governance and the Office of Project Management share responsibility for maintaining this policy.  
Review Cycle:  COT Office of Project Management will review this policy at least every two years.
This page was last modified 4/10/2019 6:37 AM
