TABLE OF CONTENTS
Topics | Sections |
3.1 What is the purpose of this chapter? 3.2 What is the scope of this chapter? 3.3 What terms do you need to know to understand this chapter? 3.4 What is the overall policy? 3.5 What are the authorities for this chapter? | |
3.6 Who is responsible for decommissioning information systems and Information Management and Technology (IMT) investments? | |
3.7 How does a system owner initiate the information system decommissioning process? 3.8 What are the planning requirements for information system decommissions? 3.9 When does a legacy system officially leave production? 3.10 What requirements apply to information system conversions? |
OVERVIEW
3.1 What is the purpose of this chapter? This chapter:
A. Ensures the U.S. Fish and Wildlife Service (Service) has a consistent and standardized policy and process for decommissioning Service information systems when they reach the end of their lifecycle, in accordance with Federal and Department of the Interior (Department) laws, regulations, and policies; and
B. Establishes responsibilities for system owners, project managers, and other key mission and business stakeholders for converting and decommissioning legacy information systems (legacy systems) and associated Information Management and Technology (IMT) investments in a manner that minimizes risks and negative impacts to Service information technology (IT) resources.
3.2 What is the scope of this chapter?
A. This chapter applies to:
(1) All information systems reported to the Department as an investment in our IMT investment portfolio using a Unique Investment Identifier (UII) or as part of an investment using a system-unique identification number and any IT components associated with those systems. This includes all systems operated by or on behalf of the Service regardless of whether the system is used across the enterprise or within a particular Region or program.
(2) Service employees, contractors, and other authorized agents who operate, manage, or dispose of information systems or IMT investments for the Service. We use the general term “employees” throughout this chapter to describe these individuals.
B. This chapter does not apply to:
(1) Lifecycle management of individual components (including both physical and virtual assets) such as computers, servers, mobile devices (i.e., smartphones and tablets), printers, and removable storage media (e.g., flash drives, external hard drives, etc.) that are not part of a larger information system as described in section 3.2A (1). Employees must dispose of these assets in accordance with applicable Service property policies, including Part 310 of the Service Manual, and applicable media sanitization policies and guidance defined by the Information Resources and Technology Management (IRTM) program.
(2) Activities undertaken to modify or change information systems during the operations and maintenance phase of the system lifecycle, including technical changes that fall under the authority of the Service’s Change Control Board. Employees responsible for retiring and disposing of information system components while implementing activities during this phase must still follow any applicable compliance requirements and guidance for securing and maintaining Service IT resources.
3.3 What terms do you need to know to understand this chapter?
A. Conversion. As used in this chapter, refers to the activities required to move functionality and data from a legacy system to an IRTM-approved receiving system prior to decommissioning the legacy system. Conversion activities are documented in a conversion plan.
B. Data. Recorded information, regardless of form or the media on which they are recorded (44 U.S.C. 3502(16)). This information can be unprocessed or processed and represented as text, numbers, or multimedia. Data and records management requirements are found in 274 FW 1, Data Management, and 280 FW 1, Records and Information Management Policy and Program, respectively.
C. Decommission. As used in this chapter, refers to the last stage of the system lifecycle and the processes and activities planned and undertaken to cease information system operations and terminate any associated investments. Decommissioning activities are documented in a decommissioning plan.
D. Information Management and Technology (IMT).
(1) Information management is the planning, budgeting, manipulating, and controlling of information throughout its life cycle. The term encompasses both information itself and the related resources, such as personnel, equipment, funds, and IT.
(2) IT includes, but is not limited to, any services, equipment, or interconnected systems or subsystems of equipment that we use to automatically acquire, store, analyze, evaluate, manipulate, manage, move, control, display, switch, interchange, transmit, or receive data or information.
E. IMT investment. Expenditures of IT resources to address mission delivery and management support. This may include an IMT project or projects for the development, modernization, enhancement, or maintenance of an information system or systems and the subsequent operation of those systems in a production environment.
F. IMT project. A temporary endeavor (with a defined start and end) with specific objectives to develop, modernize, enhance, dispose, or maintain an IMT system or investment. A project may consist of one or more components and may involve one or more acquisition- or development-related activities. This does not include technical activities done to maintain existing technical infrastructure or systems, such as configuration changes or repairs that fall into the category of operations and maintenance.
G. Information system. A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
H. IT resources. Service budgetary resources, personnel, equipment, facilities, or services that are primarily used in the management, operation, acquisition, or other activity related to the lifecycle of IT and the IT services and equipment we obtain through acquisitions or interagency agreements. The term “IT resources” does not include grants that establish or support IT not operated directly by the Service.
I. Legacy system. As used in this chapter, refers to an information system that is designated for replacement and subsequent decommissioning.
J. Receiving system. An information system that will be receiving processes, data, workflows, and/or logic from a legacy system as part of a conversion.
K. Record. All recorded information, regardless of form or characteristics, made or received by a Federal agency under Federal law or in connection with the transaction of public business and preserved or is appropriate for preservation by that agency or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations, or other activities of the U.S. Government or because of the informational value of data in them. See 44 U.S.C. 3301 and 280 FW 1, Records and Information Management Policy and Program.
L. System owner. Employee or organization having responsibility for the development, procurement, integration, modification, operation and maintenance, and final disposition of an information system.
M. Unique Investment Identifier (UII). A persistent numerical code applied to an IMT investment that allows the identification and tracking of an investment within the Service, Department, and Office of Management and Budget (OMB) IMT investment portfolios.
3.4 What is the overall policy?
A. We initiate conversion and decommissioning activities for information systems when they no longer meet mission or business needs due to technological obsolescence, performance, cost, or other factors. System owners are responsible for determining whether an information system has reached the end of its lifecycle in consultation with IRTM and appropriate business stakeholders. Once the system owner makes that determination, they must follow the process described in section 3.7 to begin decommissioning.
B. Figure 3-1 outlines the general process. Conversion and decommission activities cannot begin until the Associate Chief Information Officer (ACIO) approves the applicable conversion and decommissioning plans described below. Requirements may be tailored as necessary to fit the complexity of the system.
Figure 3-1: General Decommissioning Process Overview
C. Employees responsible for carrying out conversion and decommissioning activities must do so in a manner that:
(1) Safeguards all Service records, data, and other important information stored on the legacy system by ensuring that no information is dispositioned without adhering to the proper records disposition authorities;
(2) Minimizes risks to other Service information systems, IMT investments, and IT resources;
(3) Preserves the application files, security information, and system documentation needed to reconstitute the decommissioned system if necessary;
(4) Allows the Service to properly modify or terminate any investments associated with the system in a manner that meets Departmental and OMB reporting requirements;
(5) Ensures the Service meets all applicable compliance requirements including but not limited to cyber security, privacy, records management, data management, and information collection (Paperwork Reduction Act);
(6) Ensures stakeholders are made aware of the plans for the system and its IT resources;
(7) Facilitates reuse or release of IT components (e.g., physical or virtual servers) associated with the system, when possible; and
(8) Ensures that any conversion or decommission activities that impact other systems and components in the Service’s operating environment are reviewed and (if necessary) approved through the IRTM Change Control Board.
D. IRTM must:
(1) Ensure that decommissions are reflected in the Service’s enterprise architecture, systems inventory, IMT investment portfolio, and other system information repositories; and
(2) Develop standard operating procedures (SOP) and documentation to ensure all applicable requirements are met and facilitate internal and cross-functional collaboration when decommissioning systems.
3.5 What are the authorities for this chapter?
A. Departmental Records Management Policy (RMP) 2021-02, Electronic Records Management.
B. E-Government Act of 2002 (Public Law 107-347).
C. Federal Information Security Modernization Act (FISMA) of 2014 (Public Law 113-283).
D. Federal Information Technology Acquisition Reform Act (FITARA), which is part of the Carl Levin and Howard P. “Buck” McKeon National Defense Authorization Act for Fiscal Year 2015 (Public Law 113-291).
E. Information Technology Management Reform Act of 1996 (passed as Division E of the National Defense Authorization Act for Fiscal Year 1996; subsequently designated as the Clinger-Cohen Act) (Public Law 104-106).
G. Office of the Chief Information Officer (OCIO) Directive 2022-002, Data Resource Management Program.
H. OCIO Memorandum dated July 13, 2022, Information Technology Portfolio Management Policy.
I. OMB Circular A-130, Managing Information as a Strategic Resource.
J. Paperwork Reduction Act, as amended (44 U.S.C. 3501 et seq.).
K. Privacy Act of 1974 (5 U.S.C. 552a, as amended).
RESPONSIBILITIES
3.6 Who is responsible for decommissioning information systems and Information Management and Technology (IMT) investments? See Table 3-1.
Table 3-1: Responsibilities for Decommissioning Information Systems and IMT Investments
These employees… | Are responsible for… |
A. The Director | Approving or declining to approve Servicewide policy. |
B. Directorate members | (1) Serving as (or designating another employee to serve as) the system owner for information systems within their Region or program; (2) Ensuring that employees within their Region and program coordinate with the ACIO and other IRTM officials while planning information system and IMT investment retirements, replacements, and conversions; and (3) Ensuring there are adequate resources to carry out required conversion and decommissioning activities including funding, personnel time, and any other necessary resources. |
C. Associate Chief Information Officer (ACIO) (i.e., Assistant Director - IRTM) | (1) Coordinating with applicable Directorate members to make decisions regarding the Service’s information systems and IMT investments; (2) Providing project management and technical support for converting and decommissioning information systems and assisting Regions and programs with planning and executing those activities; (3) Ensuring that the Service decommissions its information systems and IMT investments in accordance with Departmental policy, including applicable portfolio management and capital planning and investment control policies and guidance; (4) Approving conversion and decommissioning plans and certifying that conversion and decommission activities have been carried out in accordance with the approved plans; and (5) Establishing and implementing policies, procedures, and standards related to information system decommissions. |
D. Chief, IRTM Division of Policy and Planning | (1) Overseeing the IRTM Project Management Office (PMO), Investment Management Branch, and Records and Information Management Branch; (2) Directing resources from the groups mentioned above to assist with decommissioning information systems and IMT investments as needed; (3) Developing Service decommissioning policies and procedures; (4) Integrating the decommissioning process with related processes including but not limited to IMT governance, investment and portfolio management, records and information management, and project management; and (5) Ensuring information system decommissions are reflected in the Service’s enterprise architecture. |
E. Information Collection Clearance Officer (ICCO) | (1) Reviewing proposed decommission activities for compliance with the Paperwork Reduction Act and related Departmental and OMB guidance, (2) Assisting system owners with the OMB process to formally discontinue any information collections associated with an information system, and (3) Reviewing proposed revisions to information collections in response to information system conversions and decommissioning and assisting system owners with receiving approval through the OMB clearance process. |
F. IRTM Branch and Division Chiefs | (1) Ensuring proposed decommissioning activities are carried out in accordance with applicable procedures in their area of responsibility, (2) Reviewing proposed conversion and decommissioning plans for compliance with requirements in their area of responsibility, (3) Certifying that conversion and decommissioning activities have met the requirements in their area of responsibility once complete, and (4) Developing standard operating procedures within their area of responsibility in accordance with this chapter. |
G. Information System Security Officer (ISSO) | (1) Ensuring the overall security of the legacy system or receiving system and associated IT resources, as applicable, throughout the decommissioning process; (2) Updating and maintaining system security documentation for the legacy system and/or receiving system, as applicable; and (3) Reviewing or developing cyber security-related portions of conversion and decommissioning plans. |
H. Project Manager | (1) Working with the system owner and IRTM Branch and Division Chiefs to develop conversion and decommissioning plans, (2) Providing guidance and assistance to the system owner throughout the information system decommissioning process, (3) Ensuring conversion and decommission activities and tasks are completed on schedule, and (4) Coordinating with applicable IRTM Division and Branch Chiefs to assign resources (e.g., staff, equipment, etc.) to carry out conversion and decommission activities and tasks. |
I. System Owner | (1) Coordinating with Business Leads, Executive Sponsors, and other stakeholders to determine when a system has reached the end of its lifecycle and receiving any required approvals from Regional or program leadership to decommission the system; (2) Initiating decommissioning activities by meeting with the Service’s Requirements Management Board (RMB); (3) When a system conversion is required, coordinating with the receiving system’s system owner and ISSO to help identify and mitigate risks; (4) Ensuring any required conversion and decommission activities are carried out in accordance with this chapter and any supporting policies and procedures developed by IRTM; (5) Ensuring all IMT investment and portfolio management reporting requirements are completed in coordination with employees in the IRTM Investment Management Branch; (6) Certifying to the ACIO that conversion and decommission activities are complete; and (7) Coordinating resource requirements with their Directorate member to ensure there are adequate resources to carry out required conversion and decommissioning activities including funding, personnel time, and any other necessary resources. |
CONVERSION AND DECOMMISSION PROCESS REQUIREMENTS
3.7 How does a system owner initiate the information system decommissioning process?
A. Once a system owner determines a system has reached the end of its lifecycle, they must contact the Service’s Requirements Management Board (RMB). The RMB will meet with the system owner to discuss the requirements associated with the legacy system and will work with the IRTM Program and PMO to assign a Federal Acquisition Certification for Program and Project Managers (FAC-P/PM) certified project manager to assist throughout the entirety of the decommissioning process.
B. System owners for information systems may also be required to provide a briefing to the Service’s IMT Requirements Committee (IMTRC) and IMT Executive Board (IMTEB) depending on the complexity of the system.
3.8 What are the planning requirements for information system decommissions?
A. Prior to beginning decommissioning activities, the project manager assigned to the decommission must work with the system owner and relevant IRTM Branch and Division Chiefs to develop a decommissioning plan. Developing a decommissioning plan helps ensure the legacy system is decommissioned in accordance with the requirements described in section 3.4C. The plan must be approved by the ACIO prior to moving forward with decommissioning the system.
B. The decommissioning plan must, at a minimum, describe plans and resource allocations for:
(1) Formally discontinuing any information collections associated with the system;
(2) Preserving software, documentation, and configuration information in a manner that would allow the system to be reinitiated if necessary;
(3) Sanitizing, disposing, or reusing hardware used exclusively by the decommissioned system;
(4) Migrating or dispositioning the data stored in the system in accordance with 274 FW 1, Data Management and updating relevant data management plans;
(5) Dispositioning all records in the system in accordance with 280 FW 1, Records and Information Management Policy and Program and the Department’s Administrative and Policy records schedules, the General Records Schedule, and the Service’s latest approved records disposition schedules;
(6) Performing required cyber security and privacy-related tasks, including but not limited to updating associated security boundaries or conducting a Privacy Impact Assessment (PIA);
(7) Terminating the IMT investment associated with the legacy system in accordance with Departmental and OMB investment reporting requirements;
(8) Working with IRTM to complete all required asset management actions including updating system monitoring and asset inventory systems in accordance with the IRTM Change Control Board charter and Change Control SOP; and
(9) Communicating about the change and potential impacts to system stakeholders and, if necessary, Service leadership.
3.9 When does a legacy system officially leave production?
A. Once the decommissioning plan is complete, the project manager and system owner will coordinate with applicable IRTM staff to carry out decommissioning activities. The project manager will also prepare a clearance sheet to track completion of required activities. IRTM Branch and Division Chiefs must use the clearance sheet to indicate when activities within their area are complete.
B. When all decommissioning activities are complete, the project manager will create a memorandum officially decommissioning the system. The memorandum indicates that all activities described in the plan (section 3.8B) are complete.
C. The ACIO, as the Service’s Authorizing Official for information systems, signs the memorandum to provide final approval for the legacy system to be removed from production and the Service’s system inventory, IMT investment portfolio, and enterprise architecture repository.
3.10 What requirements apply to information system conversions? Often, it is necessary to transfer data, records, or system functionality from a legacy system to a receiving system prior to decommissioning the legacy system. In those cases, the following requirements apply:
A. The project manager must work with the system owner and applicable IRTM Branch and Division Chiefs to develop a conversion plan that describes the risks, proposed schedule, and necessary resources for the conversion. If the receiving system has a different system owner, the project manager will also need to coordinate with that system owner to provide an overview of the receiving system. The plan must be approved by the ACIO prior to beginning the system conversion.
B. At minimum, the conversion plan must:
(1) Map how the legacy system hardware and software will be supported by the receiving system;
(2) Describe how the data on the system will be converted including addressing issues related to data quality control and assurance and plans for updating any data management plans associated with the system;
(3) Describe the records that will be transferred to the new system or otherwise dispositioned in accordance with the applicable records disposition schedule of the legacy system and how Records and Information Management oversight will be implemented on all components of the receiving system;
(4) Address all cyber security and privacy requirements and activities that will be required including but not limited to:
(a) Documenting whether the receiving system has the necessary security and privacy controls in place for the sensitivity and impact level of the information on the legacy system, and
(b) Conducting a Privacy Threshold Analysis to determine any privacy impacts from the conversion;
(5) Analyze potential impacts to other information systems or the larger Service operational environment because of the conversion. Conversion activities that may result in impacts to other systems and components still in operation may need to be reviewed and approved by the IRTM Change Control Board through a request for change prior to implementation; and
(6) Describe any necessary asset management tasks that must be completed in coordination with IRTM operational staff.
C. The project manager and system owner must work with IRTM staff to complete all required activities within their area and track progress on a clearance sheet. Once finished, the project manager must create a memorandum certifying that conversion activities were completed successfully. The Service’s Chief Records Officer and ACIO must sign the memorandum before the legacy system can be decommissioned in accordance with sections 3.8 and 3.9.