Operations & Maintenance Phase

Description
During the Operations & Maintenance (O&M) Phase, the certified and accredited system is released into the full-scale production environment for sustained use and operations/maintenance support. Changes and problems with the automated system/application or other IT solution may continually be identified and resolved to ensure that the system/application or other technological solution meets ongoing functional and non-functional needs. Periodically the automated system/application will also need to be re-certified and re-accredited for continued operation in the production environment. When the time comes that the automated system/application or other technological solution will no longer be needed or will be replaced, then a plan for final disposition of the system/application or IT solution must be prepared and approved prior to moving into the Disposition Phase.

Responsibilities
Project Manager: The Project Manager develops, documents, and executes plans and procedures for conducting activities and tasks of the Operations and Maintenance Phase. To provide for an avenue of problem reporting and customer satisfaction, the Project Manager should create and discuss communications instructions with the Business Product's customers. Project Managers should keep Help Desk personnel informed of all changes to the Business Product, especially those requiring new instructions to users.

Technical Support: Personnel who provide technical support to the Business Product. This support may involve granting access rights to the program, setup of workstations or terminals to access the system, and maintenance of the operating system for both server and workstation. Technical support personnel may be involved with issuing user IDs or login names and passwords. In a client-server environment, technical support may perform systems scheduled backups and operating system maintenance during downtime.

Vendor Support: The technical support and maintenance on some programs are provided through vendor support. A contract is established outlining the contracted systems administration, operators, and maintenance personnel duties and responsibilities. One responsibility which should be included in the contract is that all changes to the system will be thoroughly documented.

Help Desk: Help Desk personnel provide the day-to-day users help for the Business Product. Help desk personnel should be kept informed of all changes or modifications to the Business Product. Help Desk personnel are contacted by the users when questions or problems occur with the daily operations of the system. Help Desk personnel need to maintain a level of proficiency with the Business Product.

Operations or Operators (turn on/off systems, start tasks, backup etc): For many mainframe systems, an operator provides technical support for a program. The operator performs scheduled backup, performs maintenance during downtime and is responsible to ensure the system is online and available for users. Operators may be involved with issuing user IDs or login names and passwords for the system.

Customers: The customer needs to be able to share with the project manager the need for improvements or the existence of problems. Some users live with a situation or problem because they feel they must. Customers may feel that change will be slow or disruptive. Some feel the need to create work-arounds. A customer has the responsibility to report problems, make recommendations for changes to a system, and contribute to Operational Analyses.

Program Analysts or Programmer: Interprets user requirements, designs and writes the code for specialized programs. User changes, improvements, enhancements may be discussed in Joint Application Design sessions. Analyzes programs for errors, debugs the program and tests program design.

Configuration Control Board: A board of individuals may be convened to approve recommendations for changes and improvements to the Business Product. This group may be chartered. The charter should outline what should be brought before the group for consideration and approval. The board may issue a Change Directive.

Users Group or Team: A group of computer users who share knowledge they have gained concerning a program or system. They usually meet to exchange information, share programs and can provide expert knowledge for a system under consideration for change.

Contract Manager: The Contract Manager has many responsibilities when a contract has been awarded for maintenance of a program. The Contract Manager should have a certificate of training for completion of a Contracting Officer's Technical Representative (COTR) course. The Contract Manager‘s main role is to make sure that the interests of the Contracting Office are protected and that no modifications are made to the contract without permission from the Contracting Office.

Data Administrator: Performs tasks which ensure that accurate and valid data are entered into the Business Product. Sometimes this person creates the information systems database, maintains the database's security and develops plans for disaster recovery. The data administrator may be called upon to create queries and reports for a variety of user requests. The data administrator's responsibilities include maintaining the database's data dictionary. The data dictionary provides a description of each field in the database, the field characteristics and what data is maintained with the field.

Telecommunications Analyst and Network System Analyst: Plans, installs, configures, upgrades, and maintains networks as needed. If the investment requires it, they ensure that external communications and connectivity are available.

Information Systems Security Officer (ISSO): The ISSO has a requirement to review system change requests, review and in some cases coordinate the Change Impact Assessments, participate in the Configuration Control Board process, and conduct and report changes that may be made that affect the security posture of the system.

Critical Partners: The Critical Partners provide oversight, advice and counsel to the Project Manager during the Operations and Maintenance Phase.

Activities
Operations support is an integral part of the day-to-day operation of a system. In small systems, all or part of each task may be done by the same person. But in large systems, each function may be done by separate individuals or even separate areas. The O&M Manual was completed in the Implementation Phase. This document defines tasks, activities, and responsible parties and needs to be updated as changes occur. Systems operations activities and tasks need to be scheduled, on a recurring basis, to ensure that the production environment is fully functional and is performing as specified. The following is a checklist of systems operations key tasks and activities:

Data/software administration is needed to ensure that input data and output data and databases are correct and continually checked for accuracy and completeness. This includes ensuring that any regularly scheduled jobs are submitted and completed correctly. Software and databases should be maintained at (or near) the current maintenance level. The backup and recovery processes for databases are normally different than the day-to-day data/software administration volume backups. The backup and recovery process of the databases should be performed as a data/software administration task. A checklist of data/software administration tasks and activities includes the following:

One fact of life with any system is that change is inevitable. Users need an avenue to suggest changes and identify problems. A User Satisfaction Review which can include a Customer Satisfaction Survey can be designed and distributed to obtain feedback on operational systems to help determine if the systems are accurate and reliable. Systems administrators and operators need to be able to make recommendations for upgrades to hardware, architecture and streamlining processes. For small in-house systems, modification requests can be handled by an in-house process. For large integrated systems, modification requests may be addressed in the Requirements Document and may take the form of a change package and may require justification and cost benefits analysis for approval by a review board. The Requirements Document for the project may call for a modification cut-off and rollout of the system as a first version and all subsequent changes addressed as a new or enhanced version of the system. A request for modifications to a system may also generate a new project and require a new project initiation plan.

Daily operations of the system/software may necessitate that maintenance personnel identify potential modifications needed to ensure that the system continues to operate as intended and produces quality data. Daily maintenance activities for the system must take place to ensure that any previously undetected errors are fixed. Maintenance personnel may determine that modifications to the system and databases are needed to resolve errors or performance problems. Also, modifications may be needed to provide new capabilities or to take advantage of hardware upgrades or new releases of system software and application software used to operate the system. New capabilities may take the form of routine maintenance or may constitute enhancements to the system or database as a response to user requests for new/improved capabilities. New capability needs may begin a new problem modification process described above.

At the beginning of this phase any outstanding Plans of Action and Milestones (POA&Ms) must be completed. Throughout the phase, continuous security monitoring of selected controls must be conducted. In addition, periodic reviews of controls, periodic re-evaluation of information categorization and re-certifications and revision of risk assessments and security plans, and re-certification and re-authorizations to process (re-accreditation) are conducted as required. Because systems undergo periodic maintenance, enhancements and improvement, mini life cycles may be required throughout this stage. Continuous vigilance should be given to virus and intruder detection. The Project Manager must be sure that security operating procedures are kept updated accordingly.

Review and update system documentation including the operations from the previous phases. In particular, the Operations Manual, Business Case Analysis, and Contingency/Disaster Recovery Plan (including results of tests during this phase) need to be updated as required and finalized during the O&M Phase. Reporting of security incidents related to the system is also conducted during this phase.

Periodically, a Continued Authority to Operate must also be prepared to assure that risks are assessed and the approving authority explicitly identifies risks to HHS operations, assets and individuals.

System changes may also create new privacy risks. For such changes, OMB requires that Privacy Impact Assessments (PIAs) are performed and updated as necessary to reflect new or changed information collection authorities, business processes, or other factors affecting the collection and handling of information in identifiable form

Inevitably, changes in requirements and technology will necessitate the replacement of IT systems. To facilitate that transition, a Disposition Plan is prepared to describe how the retirement of the system will be conducted and how records management will be addressed for both the system documentation and the Business Product.

Exit Criteria
Objective: To verify that the Business Product is managed and supported in a robust production environment and to determine whether the Business Product is still cost-effective to operate or if it should be retired.

Phase Specific Exit Criteria:

Generic Exit Criteria:

Project Reviews
Three periodic project reviews and one special review are conducted in the Operations and Maintenance Phase.

The first review is the annual System Re-Certification. System Re-Certification is the comprehensive re-evaluation of the management, operational, and technical security controls implemented for an information system that is performed during the Operations & Maintenance Phase to ensure that the system is continuing to operate at an acceptable risk level. Over the life of the system, many changes occur that may reduce the effectiveness of internal security controls. Security controls typically become outdated and less effective as threats and vulnerabilities evolve. The objective of the System Re-Certification is to ensure that system certification is an on-going process, and that information security is managed throughout the life of the system.

The second review is the periodic System Re-Accreditation. System Re-Accreditation is the official management decision to authorize continued operation of an information system after acceptable System Re-Certification and any necessary adjustments have been completed.

The third review is the annual Operational Analysis. The Operational Analysis is performed to evaluate system performance, user satisfaction with the system, adaptability to changing business needs, and new technologies that might improve the system. This review is diagnostic in nature and can lead to development or maintenance activities. Any major system modifications needed after the system has been implemented follow the EPLC framework life cycle process from planning through implementation. The Operational Analysis ultimately determines whether the IT Investment should continue, or be modified or terminated.

A Disposition Plan should be developed and reviewed by the project team should the Operational Analysis conclude that the investment should be terminated. The Disposition Plan should include a detailed plan with checklist, dependencies, and timing of activities for both contract closeout and administrative closeout.

Stage Gate Review
The Operations & Maintenance Stage Gate Review evaluates whether the project should proceed to the Disposition Phase.