Office of the Chief Information Officer Enterprise Policy
CIO-111: Software Development Life Cycle Policy
Effective Date: 04/04/2019
Policy Statement
This policy establishes controls addressing
the approach to software development. The
controls provide guidance in decision-making and practices that optimize resources,
mitigate risk, and maximize return on investments.
Software Development Life Cycle (SDLC): The consistent and repeatable process in which the Commonwealth Office of
Technology (COT), or an agency, plans, develops, tests, deploys and maintains software,
including custom software developed for the Commonwealth and commercial-off-the-shelf
(COTS) software customized or configured for the Commonwealth.
The development of software presents numerous benefits to the Commonwealth, but
also includes risks such as data breaches, maintenance and support costs,
interoperability challenges, failed implementations, etc. Consequently, this policy establishes the
responsibilities for managing software through the Software Development Life Cycle.
COT and agencies shall ensure all projects
developing and/or implementing software comply with all enterprise policies,
best practices and standards established for the Commonwealth including, but
not limited to:
KRS 42.726 authorizes the Commonwealth Office of
Technology to develop policies and compliance processes to support and promote
the effective applications of information technology within the executive
branch of state government.
Executive branch agencies and non-executive branch agencies using COT-managed
infrastructure or services shall adhere to this policy. This includes employees, contractors, consultants, temporaries,
volunteers, and other workers within state government.
Each agency shall ensure that all staff
within their organizational authority are aware of and comply with this policy.
The agency is responsible for enforcing
it. Unauthorized and/or neglectful
actions regarding this policy may result in disciplinary action up to and
including dismissal. COT may require
additional service charges for remediation efforts due to non-compliance with
COT’s Office of IT Architecture and
Governance is responsible for maintaining this policy. Organizations may modify this policy to
fulfill their responsibilities, but must obtain approval through an exception
request. Staff should refer to their
internal policy, which may have additional information or clarification.
review this policy at least every two years.