2140.3 CIO Systems Development Life Cycle (SDLC) Policy

  • Date: 09/29/2006
  • Status: Validated
  • Outdated on: 09/29/2016

       Washington, DC 20405

CIO 2140.3
September 29, 2006

SUBJECT: Systems Development Life Cycle (SDLC) Policy

1.  Purpose.  This Order sets forth policy for use of disciplined SDLC processes, practices, and procedures for planning and managing IT systems being developed or operated by and for GSA. This policy has been developed to assure SDLC discipline is used by Service and Staff Offices (SSO) and including Regional Offices that is consistent with the stated SDLC guiding principles and policy.

SDLC is a continuum of information technology planning, acquisition, and resource management activities. This SDLC policy document does not require or forbid a specific SDLC methodology. Services and staff offices may use any SDLC methodological approach that upholds the SDLC principles and policies in this Order and that assures periodic structured formal decisions are made. The periodic SDLC decisions are called Milestones and they are to be made by business owners, project management, and governance bodies about whether to proceed to the next phase of system development, not proceed to the next development phases but to take further actions, or to stop the system’s development effort.

2.  Cancellation.  Order CIO P 2140.2, Systems Development Life Cycle Handbook, is cancelled.

3.  Background. In accordance with the Clinger-Cohen Act of 1996, the GSA Chief Information Officer (CIO) provides IT policy, planning, programming, and budgeting guidelines for IT investments. The CIO governs GSA IT practices in cooperation with SSOs who are responsible for implementing SDLC policy and practice in compliance with this SDLC policy.

4.  Objectives.  This SDLC policy applies to all GSA IT project managers, system owners, and other GSA staff responsible for defining, delivering, and supporting information technology-based systems. The objectives of this SDLC policy are to:

       a.  Apply a disciplined SDLC policy across the enterprise;

       b.  Allow SDLC methodological customization to accommodate different system types, costs, risk levels, mission-criticalities, and complexities; and

       c.  Align the SDLC processes with GSA’s IT Capital Planning and Investment Control and Enterprise Architecture processes.

5.  Applicability.  SDLC policy applies to development, management and disposal of IT systems of any size, complexity, or significance that are part of the Agency’s IT portfolio as defined in Order 2135.2, GSA IT Capital Planning and Investment Control.  The SDLC policy allows for alternative implementations of SDLC processes and controls that are appropriately scoped to ensure effective management control and authority over IT projects.  

6.  Organizational Governance Responsibilities. The GSA CIO establishes IT governance mechanisms to assure system development, modernization and enhancement remain consistent with Agency objectives and are consistent with the enterprise architecture.

       a.  The GSA CIO assumes the following responsibilities to assure IT is well governed in GSA:

               (1)  Develops and issues SDLC policy and guidance to serve as the foundation for agency-wide practices, processes, and governance;

               (2)  May participate in SSO milestone reviews or similar SDLC monitoring and control activities; and

               (3)  Monitors system lifecycle activities and progress through IT capital planning and investment control processes.

               (4)  SSO and Regional IT officials assume the following responsibilities to assure IT is well governed in GSA:

               (5)  Establish and maintain local SDLC processes, practices, standards, and governance consistent with this SDLC Order and including business, IT, and other stakeholder participation;

               (6)  Consistently apply the SSO and Regional SDLC processes and governance activities to IT project development and system maintenance;

               (7)  Periodically report on SDLC activities, including advance notice of formal milestone reviews or other similar control activities for major systems, to the GSA Office of the CIO (OCIO); and

               (8)  Provide GSA OCIO with SSO adopted SDLC guidance and give timely notice of approved revisions to SSO SDLC guidance.

7.  SDLC Guiding Principles.  The SDLC guiding principles are tenets that provide a foundation for shared understanding and application of systems development lifecycle requirements.  All SDLC implementations will comply with these guiding principles:

       a.  Agency systems are corporate assets that must be effectively managed from inception to disposal.

       b.  Disciplined SDLC practices, processes, and governance are essential to effective management control of IT system projects.

       c.  Application of disciplined SDLC practices, processes, and governance will enable successful system development projects, increasing the quality, minimizing the cost, and maximizing the level of business functionality of GSA IT systems.

       d.  While SDLC rigor can and should vary as a function of project size, complexity, risk, cost, and other factors, the basic elements of SDLC remain applicable for all IT system development projects.

8.  Policy.

       a.  The SDLC policy applies to any GSA IT system, regardless of size, complexity or significance, in all of its life cycle phases.  As defined in CIO Order 2135.2, GSA IT Capital Planning and Investment Control, a major IT investment is one which requires special management attention because of its importance to an agency mission; its high development, operating, or maintenance costs; or its significant role in the administration of agency programs, finances, property, or other resources. All other IT investments are designated non-major.  Both major and non-major IT systems are covered by this SDLC policy.  Life cycle milestone decisions for major IT systems are to be reported throughout the investment control processes.  All system development, modernization and enhancement efforts should follow a SDLC disciplined methodological approach.  Failure to follow this SDLC policy or associated SSO processes and procedures may result in unacceptable deviations from planned cost, schedule, and performance expectations, and could ultimately result in project termination.  

       b.  To implement this SDLC policy SSO and Regional Offices must:

               (1)  Implement a structured methodology for developing, implementing and operating new or revised IT systems, from initial concept planning through system disposal.

               (2)  Provide a structured and formalized process that establishes discrete system development phases, including definition of appropriate tasks and activities within each phase.

               (3)  Establish formal approval milestones when the business owner and project management assess progress and make decisions on continuing the IT investment.

               (4)  Establish entrance and exit criteria for assessing and approving investments through all the system development lifecycle phases.

               (5)  Establish the necessary SSO governance bodies and mechanisms for managing and controlling the progress of and changes to IT systems throughout their lifecycles.

               (6)  Establish and maintain system development lifecycle documentation for each budgeted IT system.

               (7)  Establish appropriate quality control and assurance mechanisms throughout the system lifecycle.

               (8)  Incorporate necessary coordination requirements within the SSO, across SSOs, and with GSA OCIO and governance bodies such as the IT Council, IT Architecture Planning Committee, or the GSA Business Systems Council.

               (9)  Align SDLC processes with the IT Capital Planning and Investment Control Process, and comply with its reporting requirements.

               (10)  Align SDLC processes with the One GSA EA, ensuring appropriate linkages among business and IT strategy, business processes, and the IT that supports them (see CIO 2110.1, The “One GSA” Enterprise Architecture Policy, July 23, 2004).

               (11)  Support an IT Portfolio Management approach that ensures increased efficiency in technology investment management.

9.  References.  The GSA Solutions Life Cycle Handbook available on the OCIO PMO site.  The Handbook should be used as a reference and checklist for planning and executing system development, modernization or enhancement.  It contains guidance and templates for standard SDLC documentation for the SDLC lifecycle.  Additional guidance and policy documents are available as Reference Resources on GSA InSite.  Topics of potential interest would include but are not limited to the following:

Managing Electronic Information Technology for People with Disabilities
Capital Planning and Investment Control
Enterprise Architecture
Information Technology Security
Records Management
Privacy Act

Related OMB policy, guidance, memoranda, and reference information can be found at

Related National Institute of Standards and Technology (NIST) reference materials can be found at

Michael W. Carleton
Chief Information Officer