Purpose and Applicability; Definitions, Initiation, Planning, Execution, Monitoring and Controlling, Closeout, Agency for State Technology (AST) Oversight
AGENCY FOR STATE TECHNOLOGY
RULE NOS.:RULE TITLES:
74-1.001Purpose and Applicability; Definitions
74-1.003Initiation
74-1.004Planning
74-1.005Execution
74-1.006Monitoring and Controlling
74-1.007Closeout
74-1.009Agency for State Technology (AST) Oversight
NOTICE OF CHANGE
Notice is hereby given that the following changes have been made to the proposed rule in accordance with subparagraph 120.54(3)(d)1., F.S., published in Vol. 42 No. 74, April 15, 2016 issue of the Florida Administrative Register. The changes to 74-1.001, .003, .004, .005, .006, .007, .009, F.A.C., and incorporated forms are supported by the record of public hearings held on the rule, were made in response to timely-submitted written material submitted to the agency or address comments submitted by JAPC for consideration and written response.
74-1.001 Purpose and Applicability; Definitions.
(1) Purpose and Applicability
(a) No change.
(b) This rule Rule establishes project management standards when implementing information technology (IT) projects. State Agencies must comply with these standards when implementing all IT projects. Cabinet Agencies must comply with these standards when implementing IT projects that have a total cost of $25 million or more and that impact one or more other agencies (pursuant to Section 282.0051(15)(a), F.S.). For all other IT projects, Cabinet Agencies are required to either adopt these standards or adopt alternative standards based on best practices and industry standards. (See 282.00515, F.S.). These standards are documented in rule Rule 74-1.001, F.A.C., through 74-1.008, F.A.C.
1. Operations and Maintenance (O&M) activities that support an existing product or service to keep it in conformance with its originally intended specifications, functionality, and service levels are exempt from these standards. O& M activities include:
a. through d. No change.
The terms above originate from the International Organization for Standardization standard No.: ISO/IEC 14764:2006, which may be found at: https://www.iso.org/obp/ui#iso:std:iso-iec-ieee:24765:ed-1:v1:en. https://www.iso.org/obp/ui/#iso:std:iso-iec:14764:ed-2:v1:en. O&M activities include, but are not limited to, break-fix actions, routine software upgrades, and network component replacements.
2. through 4. No change.
(c) This rule Rule establishes oversight standards that the Agency for State Technology (AST) will use for oversight of IT projects. These standards apply to IT projects of State Agencies that have a total cost of $10 million or more and that are funded in the General Appropriations Act or any other law; and IT projects of Cabinet Agencies with a total cost of $25 million or more and that impact one or more other agencies. (Per Sections 282.0051(4) and 282.0051(15) (a) (b), F.S.). These standards are documented in rule Rule 74-1.009, F.A.C.
(2) No change.
Rulemaking Authority 282.0051(18), FS. Law Implemented 282.00515, FS. History-New 7-16-15. Amended .
74-1.003 Initiation.
(1) through (4) No change.
INITIATION PHASE - Requirements by Risk & Complexity Category
4
3
2
1
Pre-Charter Risk and Complexity (R&C) Assessment
Required
4
3
2
1
Business Case and Alternative Analysis
Required – Articulate a clear path to a return on investment (ROI) or business value in instances where a positive ROI is not present. Demonstrate a clear understanding of the processes, costs, strengths, and weaknesses of the Agency’s current business process. Document, identify, and analyze potential solutions. Provide a compelling argument for implementation and examine benefits and risks associated with the recommended course of action as well as not taking the action.
Required - Provide a brief justification for the project in the Project Charter by answering the questions: Why is the project necessary? What problem is being solved?
4
3
2
1
Cost Benefit Analysis
Required - Document the economic feasibility of the alternatives being considered including the planned project costs, as well as each of the tangible benefits, and then calculate key financial performance metrics such as ROI and payback period.
Required - Include a brief discussion of any cost savings or cost avoidance expected, if applicable, in the Project Charter.
4
3
2
1
Project Charter
Required - Document the project description and high level objectives; scope / out of scope; initial estimates for budget, duration, and work effort; assumptions and / constraints; and initial risks. Identify the project manager, stakeholders and anticipated project resources.
4
3
2
1
Centralized
Project Repository
Required - Establish a centralized project repository to house and archive all project documentation. This repository should be documented in project planning materials.
4
3
2
1
PMP® Certified Project Manager
Required - The Project Manager must be PMP® certified. The PMP® Certified Project Manager is authorized by the Agency to lead the entire project team in the completion of the full project scope throughout the project lifecycle. This project manager must be an Agency employee or contractor (individual) of the Agency.
Not Required
4
3
2
1
Risk Manager
Recommended -Appointment of a Risk Manager, other than the Project Manager.
Not Required
4
3
2
1
Independent Verification and Validation (IV&V)
Recommended - Employ Independent Verification and Validation (IV&V).
Not Required
4
3
2
1
Initiation Gate R&C Assessment
Required
(5) No change.
Rulemaking Authority 282.0051(18), FS. Law Implemented 282.0041, 282.0051, FS. History-New 7-16-15. Amended .
74-1.004 Planning.
(1) No change.
(2) The following matrix provided below lists planning activities and documents required for the project based on the project’s Risk and Complexity (R&C) Category.
(2)(a) and (b) No change.
PLANNING PHASE - Requirements by Risk & Complexity Category
4
3
2
1
Project Scope
Required - Clearly delineate the project scope, specifically what is in scope, what is out of scope, project objectives, and deliverables. This will determine scope baselines and variances. Discuss how the project scope and objectives trace back through the Project Charter to initial project documents such as the Schedule IV-B.
Document the approach for project execution (identify the Software Development Life Cycle model that will be used – such as Agile, waterfall, etc.) Identify assumptions and constraints.
Required - Summarize the project scope (in scope and out of scope).
4
3
2
1
Work Breakdown Structure (WBS)
Required – Document the The hierarchical and incremental decomposition of the project into phases, deliverables, and work packages. Identifies all the tasks required to deliver the total project scope of work to produce each deliverable. Tasks must be decomposed into subtasks until they can be estimated, observed, and evaluated.
Not Required
4
3
2
1
Project Organizational and Governance Structure
Required – Document a A representation of the project from an organizational perspective. Include an organization chart with stakeholder and governance structures identified. Include a detailed description of the project and the Agency’s governance process with roles, responsibilities, and approval authorities identified for project documents or artifacts, including any processes for final product acceptance. Include reporting and escalation parameters for variances in baseline schedule, cost, and scope.
Required - Identify the project stakeholders and the responsibilities for decision-making and escalation.
4
3
2
1
Resource Plan
Required - Document the resources required to complete the project and how these resources will be acquired.
For human resources – identify project roles, skills, number, and resource type required, and specify the method(s) for acquiring new personnel or incorporating and backfilling the current responsibilities of existing personnel.
For equipment or materials- identify types, quantities, and purpose, and specify the method(s) for acquiring equipment or materials.
Recommended: List the number and type of resources anticipated and what, if any, resources must be procured.
4
3
2
1
Schedule Management Plan
Required - Document the approach to create an integrated master schedule that encompasses the total scope of the project and identifies the projects critical path. Describe the process for establishing and changing the schedule baseline. Describe the responsibilities, timeframes, and methods to manage, update and report progress (including Earned Value Analysis) throughout the project.
Recommended - Document the approach to create an integrated master schedule that encompasses the total scope of the project and identifies the projects critical path.
4
3
2
1
Project Schedule
Required - Develop and maintain an integrated master project schedule that identifies the total project scope of work (including milestones and deliverables); is task, resource, and cost loaded; identifies the project critical path, is baselined and updated with project progress; and contains the information necessary to provide earned value analysis and support schedule and cost performance index (SPI and CPI) variance analysis and reporting.
Required - Develop, and maintain a schedule that identifies the total project scope of work, assigned resources, and task start and end dates.
4
3
2
1
Project Budget
Required - Develop and maintain a Project Budget, which must include specific fiscal year cost totals over the life of the project and the overall total cost of the project. Also include a description of the funding source(s) for the Project and a breakdown of the Project costs by major expense categories.
Required –Develop and maintain a Project Budget, which must include specific fiscal year cost totals over the life of the project and the overall total cost of the project.
4
3
2
1
Project Spending Plan
Required - Develop and maintain a Project Spending Plan, which, as a component of the Project Budget, must include monthly planned (baselined) and actual expenditures (by expenditure or expenditure category) for each fiscal year.
Required - Document current fiscal year planned expenditures and actual expenditures by month and Fiscal Year total to date. Include other expenditure detail as required for the Project Status Report.
Recommended - Document current fiscal year planned expenditures and actual expenditures by month and Fiscal Year total to date.
4
3
2
1
Communications Management Plan
Required - Identify the project information requirements of stakeholders and detail what, when, and how information will be collected and reported.
This will include the responsibility, frequency, format, and distribution method for meeting summaries, project status reports, project governance meetings, and stakeholder communications, including reporting variances in schedule, cost, or scope and emerging risks or issues. Document the location of the project repository.
Include documentation for Decision Tracking and Action Item Tracking (see rule Rule 74-1.006, F.A.C. - Monitoring and Controlling).
Required - Identify the project information requirements of stakeholders and detail what, when, and how information will be collected and reported.
4
3
2
1
Change Management Plan
Required - Document the change control process and documentation involved in identifying, analyzing impacts, escalating, approving, and managing project change requests related to the project’s schedule, cost, or scope baselines, or a change to project deliverables (see Rule 74-1.006, F.A.C. - Monitoring and Controlling).
4
3
2
1
Quality Management Plan
Required - Document the processes and procedures for ensuring quality planning, quality assurance, and quality control are all conducted.
Required - Document any method(s) for ensuring customer acceptance of the product or service.
4
3
2
1
Deliverable Acceptance Plan
Required - Document each deliverable, the acceptance criteria for each deliverable, and the deliverable acceptance process (including roles and responsibilities).
Required - List the deliverables and the person(s) responsible for approving deliverables.
4
3
2
1
Risk Management Plan
Required - Document the process for the descriptive identification (listing), evaluation (probability and impact), prioritization, and response to risks (specified mitigation strategies for each risk), as well as the nature of any time sensitivity to risks that may impact the project. Identify the roles and responsibilities of individuals assigned to risks. Identify and document the process to be used for tracking, periodic review, and update of Risks (see Rule 74-1.006, F.A.C. - Monitoring and Controlling).
Required - Describe the method for monitoring and controlling risk.
4
3
2
1
Issue Management Plan
Required - Document the process for (and the documentation of) the identification, evaluation, prioritization, management, and resolution (with due date) to issues impacting the project. Identify and document the process to be used for tracking, periodic review, and update of Issues (see rule Rule 74-1.006, F.A.C. - Monitoring and Controlling). Identify the roles and responsibilities of project staff.
Required - Describe the method for monitoring and addressing issues.
4
3
2
1
Procurement Management Plan
Required - If procurement is required by the project, document any products or services needed, identify the specific products and services to be purchased, along with the appropriate purchasing methods, rules, and statutes affecting these activities.
Required - List any procurements required for the project.
4
3
2
1
Organizational Change Management Plan
Required - Assess and Document document the impact of delivering the project’s products to the user organization and individual users; the readiness of the user organization and individual users to accept those changes; and identify, describe, and plan the action necessary to facilitate those changes.
Required - Document the impact of delivering the projects products to the user organization and the individual users.
Recommended –
Document the impact of delivering the projects products to the user organization and the individual users.
4
3
2
1
Florida Cybersecurity Standards
Required – Compliance with rule chapter Rule Chapter 74-2, F.A.C.
4
3
2
1
Requirements Traceability Matrix (RTM)
Required - Prepare a document (usually a table) that links high-level design and requirements with detailed requirements, detailed design, test plans, and test cases.
The RTM ensures that all requirements are identified and correctly linked (from high-level to detailed and technical levels) throughout the project.
Required - Document Requirements.
Planning Gate R&C Assessment
Required
(3) No change.
Rulemaking Authority 282.0051(18), FS. Law Implemented 282.0041, 282.0051, FS. History-New 7-16-15. Amended .
74-1.005 Execution.
(1) through (2) No change.
EXECUTION PHASE - Requirements by Risk & Complexity Category
4
3
2
1
Operations and Maintenance (O&M) Plan
Required - Develop an O&M Plan prior to the scheduled completion of the project’s Execution phase. Document Obtain concurrence from those responsible for the operation and maintenance (e.g., financial, information technology, and operational managers, etc.) on their readiness to support the system from a budgetary, staffing, technology, and operational perspective after go-live.
Recommended
4
3
2
1
Project Management Plans
Required - As necessary, update Project Management Plan documents.
Rulemaking Authority 282.0051(18), FS. Law Implemented 282.0041, 282.0051, FS. History-New 7-16-15. Amended .
74-1.006 Monitoring and Controlling.
(1) Project Monitoring and Controlling spans all phases of the project and involves the regular review of project status in order to identify variances from baselined project schedule, cost, and scope. In addition, all project management plan components developed pursuant to rule 74-1.004 Planning must be monitored, controlled and maintained.
(2) No change.
(3) The following matrix details specific Monitoring and Controlling documentation and activities required for the project based on the project’s R&C Category.
MONITORING AND CONTROLLING - Requirements by Risk & Complexity Category
4
3
2
1
Monitor and Control Project Change
Required - Follow the change control process(es) documented in the Change Management Plan.
Complete an Event-Driven Risk & Complexity (R&C) Assessment for significant change requests (see rule 74-1.002, F.A.C. - Risk and Complexity Assessment). This assessment will confirm or adjust the project’s cumulative risk and complexity levels and R&C Category, and assist the Agency in determining whether changes to any project management plan documents and baselines are needed.
Maintain a change tracking log that includes change description, project impact (scope, schedule, and cost), owner, and status. This log is used to track, enter, review, analyze, approve, update, and report on project changes.
4
3
2
1
Monitor and Control Project Schedule
Required - Update the schedule at least weekly to reflect actual progress toward completion of scheduled tasks, milestones, and deliverables.
Required - Update the schedule at least biweekly to reflect actual progress toward completion of scheduled tasks, milestones, and deliverables.
Required - Use SPI to assess schedule variance. If SPI analysis indicates a trend towards a variance equal to or greater than 10% (SPI score ≤ 0.90 or ≥ 1.10), communicate the variance explanation to the project’s key stakeholder(s).
Required - Evaluate the baselined schedule against current progress.
1. Identify overdue tasks and compute the percentage of late tasks related to total tasks to date (Number of Overdue Tasks / Number of Total Tasks).
2. If this analysis indicates a trend towards a variance, equal to or greater than 10%, communicate the variance explanation to the project’s key stakeholders.
4
3
2
1
Monitor and Control Project Cost
Required - Monitor project costs monthly to identify both positive and negative variances between planned and actual expenditures.
1. Compare baselined planned expenditures to actual expenditures captured in the spending plan or the budget.
2. Identify the difference in baselined planned and actual expenditures and compute the percentage of cost variance for the period (Cost Variance / Total Planned Cost).
3. If there is a variance (positive or negative) equal to or greater than 10%, communicate the variance explanation to the project’s key stakeholder(s).
Required - Use CPI to assess cost variance.
If the CPI analysis indicates a trend towards a variance equal to or greater than 10% (CPI score ≤ 0.90 or ≥ 1.10), communicate the variance explanation to the project stakeholders.
Not Required
4
3
2
1
Monitor and Control Project Scope
Required - Monitor project scope, and manage changes to the original and agreed-upon scope as documented in the approved project planning documents.
Required - Monitor project scope and document changes.
4
3
2
1
Monitor and Control Project Quality
Required - Monitor and Control quality as documented in the Quality Management Plan.
4
3
2
1
Monitor and Control Project Risks
Required - Monitor and control risks as documented in the approved Risk Management Plan.
Perform risk reassessments to identify new risks, reassess current risks, escalate risks to issues, and close outdated risks.
Maintain a risk tracking log that includes risk description, owner, response / mitigation strategy, as well as risk probability, impact, priority, status and open / close dates. (or criticality), and tolerance. This log is used to track, enter, review, analyze, update, monitor, and report on risks.
Required – Monitor, document, and address risks.
4
3
2
1
Monitor and Control Project Issues
Required - Monitor and control issues as documented in the approved Issue Management Plan.
Review issues to identify new issues, reassess current issues, and close resolved issues.
Maintain an issue tracking log, which includes Issue description, owner, status, and dates opened, due and closed priority. This log is used to track, enter, review, analyze, update, monitor, and report on issues.
Required - Monitor, document, and resolve issues.
4
3
2
1
Decision Tracking
Required - Maintain a decision tracking log that includes decision description, approval authority, date of entry, due date, actual date of decision, project impact (scope, schedule, and cost), and status.
This log is used to track, enter, review, analyze, update, monitor, and report on decisions.
Recommended
4
3
2
1
Action Item Tracking
Required - Maintain an action item log that includes Action Item description, owner, dates assigned and due, priority, and status. This log is used to track, enter, review, analyze, update, monitor, and report on action items.
Recommended
4
3
2
1
Florida Cybersecurity Standards
Required – Monitor and control project compliance with rule chapter Rule Chapter 74-2, F.A.C.
4
3
2
1
Requirements Traceability Matrix
(RTM)
Required - Review and amend the RTM to capture progressive detail of requirements linkage throughout the project.
This matrix is used to document and link requirements from their origin to the deliverables that satisfy them.
Required - Update requirements documentation as necessary.
4
3
2
1
Lessons Learned
Required - Capture lessons learned from project team and stakeholders throughout the project.
(4) The Agency will report project status based on the project’s R&C Category at least monthly. Form AST-F-0505B, Project Status Report (07/16), is hereby incorporated by reference in this rule Rule. Form AST-F-0505B can be found on the AST website at: http://www.ast.myflorida.com/. Status reports will include:
PROJECT STATUS REPORT – Requirements by Risk & Complexity Category
4
3
2
1
Section 1 – Project Status Overview
A. Overview of Project Progress.
B. Overall Status
C. Schedule Performance Index (SPI)
Cost Performance Index (CPI)
Not Required
4
3
2
1
Section 2 – Project Progress
A. Project Milestones, Deliverables & Major Tasks
Not Required
B. Scope Changes
Summarize in Section 1B Only
4
3
2
1
Section 3 – Project Issues and Risks
A. Project Issues
Summarize in Section 1B Only
B. Project Risks
Summarize in Section 1B Only
4
3
2
1
Section 4 – Project Spending Plan
A. Identify Baselined Planned Expenditures vs. Actual Expenditures
Not Required
B. Major Project Expenditures
Not Required
Attach current project spend plan
Not Required
Rulemaking Authority 282.0051(18), FS. Law Implemented 282.0041, 282.0051, FS. History-New 7-16-15. Amended .
74-1.007 Closeout.
(1) through (2) No change.
(3) Specific document templates are not prescribed – any project documentation that contains the information specified in the requirements below is acceptable.
CLOSEOUT PHASE – Requirements by Risk & Complexity Category
4
3
2
1
Project Closeout Report (PCR)
Required - Document the project’s accomplishments against the project budget, scope, schedule, and performance baselines. Include a discussion of the lessons learned compiled by the project team and stakeholders. The PCR must be completed as defined in the project schedule.
Required - Document the project’s accomplishments against the project budget, scope, and schedule. Include a discussion of the lessons learned.
4
3
2
1
Post Implementation Review (PIR) Report
Required – Document Evaluate and document whether the products or services delivered by the project meet the Agency’s business objectives, and provide the expected results and benefits as documented in the Initiation and Planning phases. Validate the cost benefit analysis and projected return on investment analysis. This analysis should be performed six months to one year after the product or service has been implemented, or as otherwise defined in the Project Charter.
Not Required
(4) The Agency must archive all Agency agency and third-party project documentation or artifacts.
(5) No change.
Rulemaking Authority 282.0051(18), FS. Law Implemented 282.0041, 282.0051, FS. History-New 7-16-15. Amended .
74-1.009 Agency for State Technology (AST) Oversight.
(1) through (6) No change.
(7) A The Agency must use a PMP® Certified Project Manager is required for any project meeting the criteria for AST oversight. The PMP® Certified Project Manager must oversee the entire project scope. shall, on behalf of the agency, lead the entire project team in the completion of the full project scope throughout the project lifecycle. This project manager must be an Agency employee or a contractor (an individual) of the Agency. If the Agency designates a PMP® Certified third party or vendor Project Manager, the Agency must also designate an Agency employee in a Project Manager role that is ultimately responsible for ensuring compliance with the rule and the successuful execution of the entire project effort. The designated Agency project manager will serve as the primary point of contact for AST.
(8) No change.
Rulemaking Authority 282.0051(18), FS. Law Implemented 282.0041, 282.0051, FS. History-New 7-16-15. Amended .