CIO-111 Software Development Life Cycle Policy

Office of the Chief Information Officer Enterprise Policy
CIO-111: Software Development Life Cycle Policy
Effective Date: 04/04/2019
​Policy Statementolicy Statement
This policy establishes controls addressing the approach to software development.  The controls provide guidance in decision-making and practices that optimize resources, mitigate risk, and maximize return on investments. 
  • Software Development Life Cycle (SDLC):  The consistent and repeatable process in which the Commonwealth Office of Technology (COT), or an agency, plans, develops, tests, deploys and maintains software, including custom software developed for the Commonwealth and commercial-off-the-shelf (COTS) software customized or configured for the Commonwealth.
The development of software presents numerous benefits to the Commonwealth, but also includes risks such as data breaches, maintenance and support costs, interoperability challenges, failed implementations, etc.  Consequently, this policy establishes the responsibilities for managing software through the Software Development Life Cycle.
COT and agencies shall ensure all projects developing and/or implementing software comply with all enterprise policies, best practices and standards established for the Commonwealth including, but not limited to:
KRS 42.726 authorizes the Commonwealth Office of Technology to develop policies and compliance processes to support and promote the effective applications of information technology within the executive branch of state government.
All executive branch agencies and non-executive branch agencies using COT-managed infrastructure or services shall adhere to this policy.  This includes employees, contractors, consultants, temporaries, volunteers, and other workers within state government.
Responsibility for Compliance
Each agency shall ensure that all staff within their organizational authority are aware of and comply with this policy.  The agency is responsible for enforcing it.  Unauthorized and/or neglectful actions regarding this policy may result in disciplinary action up to and including dismissal.  COT may require additional service charges for remediation efforts due to non-compliance with this policy.
COT’s Office of IT Architecture and Governance is responsible for maintaining this policy.  Organizations may modify this policy to fulfill their responsibilities, but must obtain approval through an exception request.  Staff should refer to their internal policy, which may have additional information or clarification.
Review Cycle
COT will review this policy at least every two years.
This page was last modified 8/6/2019 6:25 PM
Return to CIO Policies Home Page.
  • Commonwealth of Kentucky Enterprise Project Management Framework
  • Commonwealth of Kentucky Office of the Chief Information Security Officer
  • Commonwealth of Kentucky Office of IT Architecture and Governance