Approved Date – 04/22/2016
Published Date – 04/22/2016
Revised Date – 05/25/2021

1.  Purpose

To provide the requirement for DC Agency to implement an Information System Change Control process to protect the confidentiality, integrity, and availability of information systems. 

2.  Authority

DC Official Code § 1-1401 et seq., provides the Office of the Chief Technology Officer (“OCTO”) with the authority to provide information technology (IT) services, write and enforce IT policies, and secure the network and IT systems for the District government. This document can be found at: https://code.dccouncil.us/dc/council/code/sections/1-1402.html. 

3.  Applicability

This policy applies to all District workforce members (including contractors, vendors, consultants, temporary staff, interns, and volunteers) performing official functions on behalf of the District, and/or any District agency or entity (e.g. subordinate and independent agencies, Council of the District of Columbia, D.C. Charter Schools, etc.) who receive enterprise services from OCTO. 
 
This Policy also applies to any providers and third-party entities with access to District information, networks, and applications. 

4.  Policy

Each District agency Chief Information Officer (CIO) must participate in the OCTO Information System Change Control process that includes at a minimum the following controls: 

1. Change Advisory Board 
   Each agency CIO shall consult with the OCTO Change Advisory Board (CAB) in which each agency plans and coordinates all system changes within the DC Government enterprise with the OCTO CAB. The CAB must evaluate all information system and security configuration changes before implementation. The OCTO CAB must approve, disapprove, or modify a system change. 
    
2. Change Manager  
   The OCTO Change Manager is the member of the CAB who ensures the change request is following the standardized operating procedure. The OCTO Change Manager can authorize the change. In addition, the OCTO Change Manager ensures timely decision-making for change requests. 
    
3. Change Owner/Initiator  
   Each agency ClO must designate a Change Owner or Initiator who must act as the liaison with the OCTO CAB, to track all agency system change requests, and report all CAB-approved system changes to the DC Chief Technology Officer through the CAB. The Change Owner/Initiator must be a District Government employee. 
    
4. CAB Membership 
   Representatives from each OCTO department and the change manager are the members of the Change Advisory Board. Each Agency CIO must ensure that the CAB meeting is joined by the 1T technical and information security personnel and management officials who understand the impacts of information system changes to provide relevant and knowledgeable advice to the OCTO Change Manager. 
    
5. Security Impact Analysis 
   Each agency must ensure that each proposed information system change, or security configuration is analyzed for potential impacts on the confidentiality, integrity, and availability of the information system and the data contained therein before change approval and implementation. 
    
6. Pre-Change Validation 
   Each Agency Change Owner/Initiator must ensure that each proposed information system or security configuration change is documented, tested, and validated before change approval and implementation.
    
7. System Access for Change Implementers 
   Each Agency must ensure that only authorized change implementers are granted "Minimum Necessary" access to information system components to implement the CAB-approved system changes or upgrades. 
    
8. Post Change Validation 
   Each Agency Change Initiator/Owner must ensure that each system change outcome (successful or unsuccessful) is documented and that each change was implemented per the CAB-approved system change. 
    
9. Auditing of System Changes 
   Each Agency in consultation with the Change Manager must conduct a monthly audit to detect and resolve unapproved system changes.  

5.  Exemption 

Exceptions to this policy shall be requested in writing to the Agency’s CIO and the request will be escalated to the OCTO Chief Information Security Officer (“CISO”) for approval.

6.  Definitions

The definition of the terms used in this document can be found in the Policy Definitions website.