Governance and Compliance Process
Process Owner: Manager, Business Relationship Management
Note: An owner must be a PCES-level manager.
This document establishes standard processes for the Technology Solution Life Cycle (TSLC) Governance and Compliance phase within the Postal Service Technical Environment. It addresses both the Agile and the Waterfall methodologies.
The purpose of the Governance and Compliance process is to validate that requirements and design documents meet United States Postal Service (USPS) compliance standards. From a compliance standpoint, nothing changes.
This process applies to all:
- Postal Service employees and contracted personnel involved in TSLC activities.
- Postal Service technology solutions that require a production change to software code, data, or batch schedule processing. These include, but are not limited to:
  - All technology solutions and their components (hardware/infrastructure, software, database management services, and/or network) as authorized in the approved Requirements.
  - All services (including network, server, and mainframe) to be deployed in the Postal Service Technical Environment.
  - All maintenance releases for services and technology solutions to be operable in the Postal Service Technical Environment; maintenance releases include hardware, software, network, and database management system (DBMS) upgrades.
  - Implementation and/or configuration of Commercial-Off-the-Shelf (COTS) software.
- Other types of technology solutions may be required to follow the TSLC depending on the nature and scope of the change.
The Governance and Compliance process, which validates that the required documents are up to date and stored in the TSLC Artifact Library, consists of the following sub-process.

The Business Relationship Management Program Manager (BRM PM) ensures that all of the applicable artifacts listed below from all of the previous phases have been completed correctly and uploaded to the appropriate location in the TSLC Artifacts Library.
Baseline artifacts are mandatory and must be uploaded. Tollgate artifacts must be uploaded within 10 business days after the associated Tollgate meeting for projects following the Tollgate process.
| Agile Phase | Waterfall Phase | Artifact Name | Audit Requirements |
|---|---|---|---|
| Initiate & Plan | Initiate & Plan | Business Needs Statement (BNS) | Tollgate |
| Initiate & Plan | Initiate & Plan | Rough Order of Magnitude Estimate (ROM) | N/A |
| Initiate & Plan | Initiate & Plan | CCB Document for the release | |
| Initiate & Plan | Initiate & Plan | Master Release Inventory | Tollgate |
| Initiate & Plan | Initiate & Plan | Documented Approval and Funding to Proceed | N/A |
| Initiate & Plan | Initiate & Plan | Documented Tollgate Meeting Minutes | Tollgate |
| Initiate & Plan | Initiate & Plan | Approved Technology Solution Implementation Costs | N/A |
| Initiate & Plan | Initiate & Plan | Documented Stakeholder Approval to Proceed | Tollgate |
| Sprint 0 | Requirements | Requirements approval with Requirements Traceability Matrix (RTM) | Tollgate |
| Sprint 0 | Requirements | EA Checkpoint 1 | N/A |
| Sprint 0 | Requirements | SOX Impact Assessment (SIA) | SOX |
| Sprint 0 | Requirements | Documented Tollgate Meeting Minutes | Tollgate |
| Sprint 0 | Requirements | Updated Master Release Inventory | Tollgate |
| Sprints 1-n | Analysis & Design | Updated RTM | Baseline, Tollgate |
| Sprints 1-n | Analysis & Design | Updated SIA, if necessary | SOX |
| Sprints 1-n | Analysis & Design | EA Checkpoint 2 Approval | N/A |
| Sprints 1-n | Analysis & Design | Approved Technology Solution Design documents | N/A |
| Sprints 1-n | Analysis & Design | Approved Technology Solution Funding and Schedule | N/A |
| Sprints 1-n | Analysis & Design | Documented Tollgate Meeting Minutes | Tollgate |
| Sprints 1-n | Analysis & Design | Documented Stakeholder Approval to Proceed | Tollgate |
| Sprints 1-n | Analysis & Design | Updated Master Release Inventory | Tollgate |
| Sprints 1-n | Analysis & Design | Updated Project Plan | Tollgate |
| Sprints 1-n | Build | Build Plan | N/A |
| Sprints 1-n | Build | Build Test Results | N/A |
| SIT | SIT | Final SIT Strategy | N/A |
| SIT | SIT | Documented SIT Approval | Baseline |
| SIT | SIT | Updated SIA, if necessary | SOX |
| CAT | CAT | CAT Approval (includes documented Stakeholder Approval to Proceed for Tollgate) | Baseline, Tollgate |
| CAT | CAT | Documented Tollgate Meeting Minutes | Tollgate |
| CAT | CAT | Updated RTM | |
| All Phases | All Phases | C&A Artifacts as called out in AS-805A | N/A |
Baseline artifacts are mandatory and must be uploaded.
All artifacts listed in the Process Description section
Verify that artifacts are uploaded to the TSLC Library: verify that all artifacts, with emphasis on Baseline, Tollgate, and PCI/SOX (if applicable), are uploaded to the TSLC Artifacts Library.
- TSLC Policy
- Develop and Maintain Secure PCI In-Scope Systems and Applications
- SIT – CAT Exemption and Post Production Review Process
- Secure System Review Process
- System Retirement Process
- Handbook AS-805 Information Security [PDF] [HTML]
- Handbook AS-805A, Information Resource Certification and Accreditation Process [PDF] [HTML]
- Payment Card Industry Data Security Standard (PCI DSS)
Access supporting documentation from ITWEB (Internal):
- TSLC Processes [Agile] [Waterfall]
- TSLC Templates [Agile] [Waterfall]
- Application Development Standards
Access Supporting Documentation from USPS.com (external):
- TSLC Processes
- For access to the following documents, contact the US Postal Service. See Publication 5, Let's Do Business, for further information about local US Postal Service contacts.
- TSLC Templates
- Application Development Standards
| Version | Date | Description of Change |
|---|---|---|
| 1.0 | 05.10.2013 | Agile and Waterfall processes combined; updated for Tollgates, PCI, and general compliance; ownership of TSLC processes transferred from Manager, Solutions Development and Support, to Manager, Business Relationship Management. |
| | | Updated to clarify that the Requirements must be approved, not the Requirements Traceability Matrix document. |
| | | Removed baseline indicator from RTM for Sprint 0/Requirements phase. |
| | | Removed PCI Impact Assessment artifact requirement. PCI Impact Assessment is retired. |
| 1.3.1 | 06.15.2015 | The annual review for functional accuracy and current PCI DSS requirements has been completed: no changes. CR 81805 |
| 1.3.2 | 06.26.2015 | Non-substantive update: update CR for annual review. Remove link and version of PCI DSS. |
| 1.3.3 | 03.14.2016 | Annual Review: no changes. The annual review for functional accuracy and current PCI requirements has been completed. CR 154951 |
| 1.3.4 | 10.31.2016 | Annual Review: the annual review for functional accuracy and current PCI requirements has been completed. CR 223948 |

Note: This document is Section 508 compliant.