Governance and Compliance Process
Process Owners: Manager, Business Relationship Management, and Manager, Solutions Development and Support
Note: An owner must be a PCES-level manager.
This document establishes standard processes for the Technology Solution Life Cycle (TSLC) Governance and Compliance phase within the Postal Service Technical Environment.
The purpose of the Governance and Compliance process is to validate that requirements and design documents meet United States Postal Service (USPS) compliance standards. From a compliance standpoint, nothing changes.
This process applies to all:
Postal Service employees and contracted personnel involved in TSLC activities.
Postal Service technology solutions that require a production change to software code, data, or batch schedule processing. These include, but are not limited to:
All technology solutions and their components (hardware/infrastructure, software, database management services, and/or network) as authorized in the approved Requirements.
All services (including network, server, and mainframe) to be deployed in the Postal Service Technical Environment.
All maintenance releases for services and technology solutions to be operable in the Postal Service Technical Environment; maintenance releases include hardware, software, network, and database management system (DBMS) upgrades.
Implementation and/or configuration of Commercial-Off-the-Shelf (COTS) software.
- Other types of technology solutions may be required to follow the TSLC depending on the nature and scope of the change.
The Governance and Compliance process, which validates that the required
documents are up to date and stored in the TSLC Artifact Library, consists of
the following sub-process.
The Business Relationship Management Program Manager (BRM PM) ensures that
all of the required artifacts listed below from all of the previous phases
have been completed correctly and uploaded to the appropriate location in the
TSLC Artifacts Library.
Baseline artifacts are mandatory and must be uploaded before implementation. Tollgate artifacts must be uploaded within 10 business days after the associated Tollgate meeting for projects following the Tollgate process.
|Artifact Name||Audit Requirements||Artifact Upload Location|
|Business Needs Statement (BNS)||Tollgate||Project / Initiate and Plan / BNS Tollgate|
|CCB Document||Baseline, Tollgate||Program / Change Control Board Document (Required)|
Project / Initiate and Plan / Change Control Board Document (Required only if different from Program CCB Document.)
|Master Release Inventory||Tollgate||Project / Initiate and Plan / BNS Tollgate|
|Documented BNS Tollgate Meeting Minutes||Tollgate||Project / Initiate and Plan / BNS Tollgate|
|Documented Stakeholder Approval to Proceed to Baseline Phase||Tollgate||Project / Initiate and Plan / BNS Tollgate|
|Requirements with Approval||Baseline, Tollgate||Project / Release / IT Change Request|
|Documented Baseline Tollgate Meeting Minutes||Tollgate||Project / Requirements / Baseline Tollgate|
|Documented Stakeholder Approval to Proceed to Finalize Release Phase||Tollgate||Project / Requirements / Baseline Tollgate|
|SOX Impact Assessment (SIA)||SOX||Project / Analysis and Design / SOX Impact Assessment Form|
|Documented Finalize Release Tollgate Meeting Minutes||Tollgate||Project / Analysis and Design / Finalize Release Tollgate|
|Documented Stakeholder Approval to Proceed to Implementation Phase||Tollgate||Project / Analysis and Design / Finalize Release Tollgate|
|Documented Implementation Tollgate Meeting Minutes||Tollgate||Project / Customer Acceptance Test / Implementation Tollgate|
Final CAT Results with Scripts, and Approval (includes Documented Stakeholder Approval to Proceed to Closeout Phase)
|Tollgate||Project / Customer Acceptance Test / Implementation Tollgate|
|IT Change Request
||Baseline||Project / Release / IT Change Request|
|Documented Tollgate Meeting Minutes||Tollgate||Project / Release / Closeout Tollgate|
|PPR||Tollgate||Project / Release / Closeout Tollgate|
|Release Metrics||Tollgate||Project / Release / Closeout Tollgate|
|Documented Stakeholder Approval to Close||Tollgate||Project / Release / Closeout Tollgate|
|C&A Artifacts as called out in AS-805A||CISO||N/A|
Baseline artifacts are mandatory and must be uploaded prior to release to
production unless the project is following the Tollgate process. If Tollgate,
documents from the Tollgate must be uploaded within 10 business days of the
All artifacts listed in the Process Description section
Verify that all artifacts, with emphasis on Baseline, Tollgate, and PCI / SOX (if applicable), are
uploaded to the TSLC Artifacts Library.
- TSLC Policy
- Develop and Maintain Secure PCI In-Scope Systems and Applications
- SIT – CAT Exemption and Post-Production Review Process
- Secure System Review Process
- System Retirement Process
- Handbook AS-805 Information Security [PDF] [HTML]
- Handbook AS-805A, Information Resource Certification and Accreditation Process [PDF] [HTML]
- Payment Card Industry Data Security Standard (PCI DSS)
Access supporting documentation from ITWEB (Internal):
Access Supporting Documentation from USPS.com (external):
- TSLC Processes
- For access to the following documents, contact the US Postal Service. See
Publication 5, Let's Do Business for further information
about local US Postal Service contacts.
- TSLC Templates
- Application Development Standards
Description of Change
|1.0||05.10.2013||Agile and Waterfall processes combined; updated for
Tollgates, PCI, and general compliance; ownership of TSLC processes
transferred from Manager, Solutions Development and Support, to Manager,
Business Relationship Management. |
Note: This document is Section 508 compliant.
Updated to clarify that the Requirements must be approved, not the Requirements Traceability Matrix document.
Removed baseline indicator from RTM for Sprint 0/Requirements phase.
Removed PCI Impact Assessment artifact requirement. PCI Impact Assessment is retired.
|1.3.1||06.15.2015||The annual review for functional accuracy and current PCI DSS requirements has been completed: No changes. CR 81805|
|1.3.2||06.26.2015||Non-substantive update: Update CR for annual review. Remove link and version of PCI DSS.|
|1.3.3||03.14.2016||Annual Review: No changes. The annual review for functional accuracy and current PCI requirements has been completed. CR 154951|
|1.3.4||10.31.2016||Annual Review: The annual review for functional accuracy and current PCI requirements has been completed. CR 223948|
|1.4||05.03.2017||Artifacts were updated as a result of the 2016 Lean Six Sigma
effort to improve the TSLC process (approved by Manager, Business Relationship
Management and Manager, Solutions Development and Support):
Process Owner: Added Manager, Solutions Development and Support.Removed references to Waterfall methodology. CR 269601