Table of Contents | Chapter 4 | Chapter 6
5.0 OBJECTIVE
5.1 TASKS AND ACTIVITIES
5.1.1
Refine Acquisition Strategy in System Boundary Document
5.1.2
Analyze Project Schedule
5.1.3
Create Internal Processes
5.1.4
Staff Project Office
5.1.5
Establish Agreements with Stakeholders
5.1.6
Develop the Project Management Plan
5.1.7
Develop the Systems Engineering Management Plan
5.1.8
Review Feasibility of System Alternatives
5.1.9
Study and Analyze Security Implications
5.1.10
Plan the Solicitation, Selection and Award
5.1.11
Develop the CONOPS
5.1.12
Revise Previous Documentation
5.2 ROLES AND RESPONSIBILITIES
5.3 DELIVERABLES
5.3.1
Acquisition Plan
5.3.2
Configuration Management Plan
5.3.3
Quality Assurance Plan
5.3.4
Concept of Operations
5.3.5
System Security Plan
5.3.6
Project Management Plan
5.3.7
Validation & Verification Plan
5.3.8
Systems Engineering Management Plan
5.4 ISSUES FOR CONSIDERATION
5.4.1
Audit Trails
5.4.2
Access Based on “Need to Know”
Many of the plans essential to the success of the entire project are created in this phase; the created plans are then reviewed and updated throughout the remaining SDLC phases. In the Planning Phase, the concept is further developed to describe how the business will operate once the approved system is implemented and to assess how the system will impact employee and customer privacy. To ensure the products and/or services provide the required capability on-time and within budget, project resources, activities, schedules, tools, and reviews are defined. Additionally, security certification and accreditation activities begin with identification of system security requirements and the completion of a high-level vulnerability assessment.
The following tasks are performed as part of the Planning Phase. The results of these activities are captured in various project plans and solicitation documents.
Refine the role of system development contractors during the subsequent phases. For example, one strategy option would include active participation of system contractors in the Requirements Analysis Phase. In this case, the Planning Phase must include complete planning, solicitation preparation, and source selection of the participating contractors (awarding the actual contract may be the first activity of the next phase). If contractors will be used to complete the required documents, up-front acquisition planning is essential.
Analyze and refine the project schedule, taking into account risks and resource availability. Develop a detailed schedule for the Requirements Analysis Phase and subsequent phases.
Create, gather, adapt, and/or adopt the internal management, engineering, business management, and contract management internal processes that will be used by the project office for all subsequent life-cycle phases. This could result in the establishment of teams or working groups for specific tasks, (e.g., quality assurance, configuration management, change control). Plan, articulate, and gain approval for the resulting processes.
Further staff the project office with needed skills across the broad range of technical and business disciplines. Select Technical Review Board members and document roles and responsibilities. If needed, solicit and award support contracts to provide needed non-personal services that are not available through agency resources.
Establish relationships and agreements with internal and external organizations that will be involved with the project. These organizations may include agency and DOJ oversight offices, agency personnel offices, agency finance offices, internal and external audit organizations, and agency resource providers (people, space, office equipment, communications, etc).
Plan, articulate and gain approval of the strategy to execute the management aspects of the project (Project Management Plan). Develop a detailed project work breakdown structure.
Plan, articulate, and gain approval of the strategy to execute the technical management aspects of the project (SEMP). Develop a detailed system work breakdown structure.
Review and validate the feasibility of the system alternatives developed during the previous phase (CBA, Feasibility Study). Confirm the continued validity of the need (SBD).
Study and analyze the security implications of the technical alternatives and ensure the alternatives address all aspects or constraints imposed by security requirements (System Security Plan).
During this phase or subsequent phases, as required by the Federal Acquisition Regulation (FAR), plan the solicitation, selection and award of contracted efforts based on the selected strategies in the SBD. Obtain approvals to contract from appropriate authorities (Acquisition Plan). As appropriate, execute the solicitation and selection of support and system contractors for the subsequent phases.
Based on the system alternatives and with inputs from the end-user community, develop the concepts of how the system will be used, operated, and maintained. This is the Concept of Operations.
Review previous phase documents and update if necessary.
This document shows how all government human resources, contractor support services, hardware, software and telecommunications capabilities are acquired during the life of the project. The plan is developed to help insure that needed resources can be obtained and are available when needed. An outline is provided in Appendix C-6 detailing the types of information that should be included in the Acquisition Plan
The CM Plan describes the process that will be used to identify, manage, control, and audit the project’s configuration. The plan should also define the configuration management structure, roles, and responsibilities to be used in executing these processes. Appendix C-7 provides a template for the Configuration Management Plan.
The QA Plan documents that the delivered products satisfy contractual agreements, meet or exceed quality standards, and comply with the approved SDLC processes. Appendix C-8 provides a template for the Quality Assurance Plan.
The CONOPS is a high level requirements document that provides a mechanism for users to describe their expectations from the system. Information that should be included in the CONOPS document is shown in Appendix C-9.
A formal plan detailing the types of computer security is required for the new system based on the type of information being processed and the degree of sensitivity. Usually, those systems that contain personal information will be more closely safeguarded than most. See also NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems, November 1998 at http://csrc.nist.gov/publications/nistpubs/index.html. An outline is provided in appendix C-10 detailing the information that is included in the System Security Plan.
This plan should be prepared for all projects, regardless of size or scope. It documents the project scope, tasks, schedule, allocated resources, and interrelationships with other projects.
The plan provides details on the functional units involved, required job tasks, cost and schedule performance measurement, milestone and review scheduling. Revisions to the Project Management Plan occur at the end of each phase and as information becomes available. The Project Management Plan should address the management oversight activities of the project. See Appendix C-11 for Project Management Plan Outline.
The Validation and Verification Plan describes the testing strategies that will be used throughout the life-cycle phases. This plan should include descriptions of contractor, government, and appropriate independent assessments required by the project. Appendix C-12 provides a template for the Validation and Verification Plan.
The SEMP describes the system engineering process to be applied to the project; assigns specific organizational responsibilities for the technical effort, and references technical processes to be applied to the effort. Information that should be included in the SEMP are shown in Appendix C-13.
Audit trails, capable of detecting security violations, performance problems and flaws in applications should be specified. Include the ability to track activity from the time of logon, by user ID and location of the equipment, until logoff. Identify any events that are to be maintained regarding the operating system, application and user activity.
Prior to an individual being granted access to the system, the program manager’s office should determine each individual’s “Need to Know” and should permit access to only those areas necessary to allow the individual to adequately perform her/her job.
Upon completion of all Planning Phase tasks and receipt of resources for the next phase, the Project Manager, together with the project team should prepare and present a project status review for the decision maker and project stakeholders. The review should address: (1) Planning Phase activities status, (2) planning status for all subsequent life-cycle phases (with significant detail on the next phase, to include the status of pending contract actions), (3) resource availability status, and (4) acquisition risk assessments of subsequent life cycle phases given the planned acquisition strategy.