Office of the Chief
Independent Verification and Validation Policy (IV&V)
Effective Date: 05/30/2018
Statement: This policy establishes
controls related to the management of information technology (IT) projects
within the executive branch of the Commonwealth. The controls provide guidance in
decision-making and practices that optimize resources, mitigate project risk,
and maximize return on investments.
IT Project – A temporary endeavor undertaken to create a
unique product, service, or result. It has a definite beginning and end, and defined
scope, schedule and cost baselines. A project is unique
in that it is not a routine operation, but a set of activities aimed at
accomplishing a specific one-time goal.
Independent Verification and Validation (IV&V) – A comprehensive software and/or
hardware review, analysis, testing and validation performed by an objective
third party (outside the project team reporting hierarchy) to confirm (i.e., verify) that the requirements are
correctly defined, and to confirm (i.e., validate) that the system correctly
implements the required functionality and security requirements.
Project Assurance (PA) – An independent
(outside the project team reporting hierarchy) consulting process that assesses
the health and viability of a project through the examination of the business
environment, project framework, and project execution. PA is considered a subset of IV&V.
IV&V Oversight – A role which reviews
and makes recommendations to an IV&V vendor, project agency and/or federal
agency (i.e., HHS/CMS) regarding contractual aspects of the vendor-produced
deliverables and adherence to the vendor’s Statement of Work (SOW) and Contract
for IV&V Services.
Policy: As defined in House Bill 244, the
Commonwealth Office of Technology (COT) Office of Project Management (OPM) is
responsible for overseeing large and/or critical IT projects across the
executive branch. To ensure projects
have the highest chance of success, Independent Verification and Validation or
Project Assurance services are mandatory for current and future IT
projects. All executive branch agencies are required to incorporate IV&V
or PA into their project plans based upon budget and special requirements.
After COT review, some select and
new IT projects preceding fiscal year 2021 will require a Memorandum of
Agreement (MOA) between COT and the requesting agency to define the appropriate
level of PA, IV&V, or IV&V Oversight to be involved and a target cost
for those services.
Beginning in fiscal year 2021,
all agency IT project plans will incorporate either IV&V or PA services
based upon the following criteria:
For projects with budgets of less than $1 million, agencies will include 5% of the project budget for PA services to be provided by COT OPM.
For projects with budgets of more than $1 million, agencies will include 10% of the project budget for IV&V services to be provided by COT OPM.
For all projects that require a specialty skill set that is not available within the Commonwealth of Kentucky, or that are specifically required by state/federal regulation to use a 3rd-party IV&V vendor, COT OPM will oversee the IV&V services provided by a 3rd-party vendor.
Authority: KRS 42.726 authorizes
the Commonwealth Office of Technology (COT) to develop policies and compliance
processes to support and promote the effective application of information
technology within the executive branch of state government.
executive branch agencies must adhere to this policy
This includes employees, contractors,
consultants, temporaries, volunteers, and other workers within state
Responsibility for Compliance:
Each agency must ensure that all staff within their organizational authority
are made aware of and comply with this policy. The agency is responsible for enforcing
it. Unauthorized and/or neglectful actions regarding this policy may
result in disciplinary action up to and including dismissal. COT may
require additional service charges for remediation efforts due to
non-compliance with this policy.
Division of Enterprise Governance and the Office of Project Management share
responsibility for maintaining this policy.
Review Cycle: COT
Office of Project Management will review this policy at least every two years.