Production Readiness Review Presentation Template Version 24.0


This document is a template guide for creating presentations for Production Readiness Reviews (PRR). It outlines the required content, including business background, testing activities, the infrastructure diagram, schedule overview, security and privacy considerations, and more. Advance planning is recommended so the template can be tailored to each project implementation. Remove placeholder text and customize each slide with project-specific information to ensure clarity and relevance. Follow ED Standards for CUI//ISVI when completing and sharing the presentation.


Uploaded on Oct 11, 2024



Presentation Transcript


  1. PRR Template Version 24.0 | When filled in, this document should be marked as CUI//ISVI
     PRODUCTION READINESS REVIEW TEMPLATE
     Production Readiness Review Presentation Template, Version 24.0, July 31, 2024
     Template Instructions:
     The following slides are provided as a guide to developing PRR presentations. Many activities of the PRR require advance planning; these activities are expected to be included in the project schedule at the inception of the project. Advance planning is strongly encouraged.
     It is expected that the slides will be adjusted to fit the needs of specific implementations and releases; information requested by this template should be included in the presentation in a way that is understandable within the context of the implementation/release.
     Information in [brackets] is to be filled out or provides guidance to be followed. All brackets and guidance text should be removed from the final presentation. Please remove this cover slide when using the template to create a PRR presentation.
     Detailed slide-by-slide guidance is included in the PRR Process Description Document. Please refer to that document when preparing for a PRR.
     Items in the PRR should not be marked N/A or Not Applicable unless specified in the guidance; instead, an explanation should be provided as to why an item does not apply.
     When completing this template, follow ED Standards for CUI//ISVI for marking, encrypting, and naming the file.

  2. [SYSTEM NAME (ACRONYM) AND VERSION NUMBER]
     Production Readiness Review
     FSA Release Request Number [Insert RR Number]
     [Date]
     Controlled by: US Department of Education, Office of Federal Student Aid, [Insert name of Information System Owner]

  3. AGENDA
     1. Business Background of System
     2. Scope of Release
     3. Infrastructure Diagram
     4. Schedule Overview
     5. LMM Tailoring and Technical Stage Gate Completion
     6. Review of Open Issues
     7. Review of Open Risks
     8. Meeting Closure and Sign-off
     PRR Appendix:
     9. Testing Activities and Results
     10. Enterprise Change Management
     11. Data Center Readiness
     12. End User Support and Communication
     13. Roll Back Plan
     14. Security & Privacy
     15. Security & Privacy Documentation
     16. Security Vulnerability Scans
     17. Operations and Maintenance
     18. System Documentation
     19. Release Documentation
     20. Lessons Learned

  4. BUSINESS BACKGROUND OF SYSTEM
     [Describe the business purpose of the system in general. Describe the major FSA functions performed by the system. Describe the legislative requirements that the system supports.
     Describe the technology used by the system at a high level, including development tools, software languages, the database system used, and the major components being leveraged. Example: ABC was developed in Drupal and uses the MySQL Enterprise database. ABC utilizes the General Services Administration USA Search engine.
     Describe the number and type of users supported by the system.
     The business background on this slide must match/align with the approved system narrative in GRCT.]

  5. SCOPE OF RELEASE
     [Describe the scope of the release being implemented. Describe the business benefits that will be realized by implementing this release. Describe the technology changes being implemented by this release. Examples: new functionality to meet a legislative requirement, improvements to the user experience, moving the system to a more current version of a product, expanding capacity, etc.]

  6. SCOPE OF RELEASE (CONTINUED)
     Business impact of delaying implementation of this release:
     [Describe the business impact of delaying implementation. Include the maximum implementation delay that could be tolerated and still meet FSA's business objectives. If there is a legislative or regulatory deadline associated with this implementation, include that information.]
     Interfacing/other FSA systems impacted by this release:
     [System name: describe impact]
     [System name: describe impact]
     [System name: describe impact]
     FSA employee impact of this release:
     The changes and technical details that affect FSA employees [have / have not] been provided to FSA Workforce Relations for review on [Not Required / mm/dd/yyyy].
     [Submit changes to FSA Workforce Relations a minimum of 60-90 days prior to implementation to avoid unnecessary delays. List the business unit impacted, the number of employees impacted, how employees will be impacted, what training is required to use the system, and what training is provided. Contact e-mail: FSAWorkforceRelationsDivision@ed.gov]

  7. INFRASTRUCTURE DIAGRAM
     [Insert a high-level infrastructure diagram for the system that clearly identifies the system boundary. For implementations that modify the system infrastructure (i.e., beyond application code changes), insert two diagrams: one showing the existing infrastructure and one showing the new infrastructure to be implemented.
     Systems in FSA's NGDC may use the diagram(s) maintained in the Application Specific Information (ASI) document. The legend on the infrastructure diagram must include the source of the diagram and the date the diagram was produced or is accurate to.
     The diagram should provide at least a basic overview of the physical architecture being deployed. This may include a virtualized environment for major cloud providers.
     Note: The System Security Plan should be updated to reflect the new date requirement on the infrastructure diagram.]

  8. SCHEDULE OVERVIEW
     Milestone | Planned (Baseline) Completion | Actual Completion
     Requirements | [date] | [date]
     Design | [date] | [date]
     Development | [date] | [date]
     System Testing | [date] | [date]
     Intersystem Testing (IST) | [date] | [date]
     508 Compliance Testing | [date] | [date]
     Performance Testing | [date] | [date]
     User Acceptance Testing (UAT) | [date] | [date]
     Code Freeze (start and end) | [date]-[date] | [date]-[date]
     Security Vulnerability Scanning (final completion date for all non-prod scan activities) | [date] | [date]
     Transition to Operations (TOPS) | [date] | [date]
     Production Readiness Review Presentation | [date] | [date]
     Production Cutover | [date] | [done]

  9. LMM TAILORING AND TECHNICAL STAGE GATE COMPLETION
     Stage Gate | Stage Gate Owner | Completed (Yes/No) | Date Completed | Notes and Comments
     LMM Tailoring Plan | Trey Wiesenburg | [Yes/No] | [Date] | [Provide the name of the LMM Tailoring Plan and status comments. This plan describes the approach for the LMM Stage Gates and LMM Documentation Artifacts.]
     Requirements Review | Karen Edwards | [Yes/No] | [Date] | [Describe the approach used to review the requirements for this release and to ensure that sound requirements management practices are in place for the system.]
     Technical Design Stage Gate | Pat Fedorowicz | [Yes/No] | [Date] | [If the stage gate was completed, indicate the sign-off document(s) that can be provided. If the stage gate was not conducted, explain the design stage gate criteria identified in the LMM Tailoring Plan for the system.]
     Test Readiness Review (TRR) - System Test | Karen Edwards | [Yes/No] | [Date] | [If the stage gate was completed, indicate the sign-off document(s) that can be provided. If the stage gate was not conducted, explain the test readiness stage gate criteria identified in the LMM Tailoring Plan for the system. For a Test Readiness Review, there should be a completed and signed TRR checklist following the format in FSA's Enterprise Test Management Standards.]
     Test Readiness Review (TRR) - User Acceptance Test | Karen Edwards | [Yes/No] | [Date] | [Same guidance as the System Test TRR row above: indicate the sign-off document(s), or explain the stage gate criteria from the LMM Tailoring Plan, and provide the completed and signed TRR checklist.]
     Production Readiness Review (PRR) | Darryl Duncan | Yes | [Date] | The final signed version of this PRR presentation documents the completion of the Production Readiness Review.
     System Retirement and Disposal | Mike Burke | No | | No system being retired. This stage gate was not completed because this release does not retire a system. [Generally PRRs will not retire a system; adjust this text if necessary.]

  10. REVIEW OF OPEN ISSUES
     Open issues related to this implementation/release
     Definition of Issue: A point or matter in question or in dispute, or a point or matter that is not settled and is under discussion or over which there are opposing views or disagreements. As of the PRR, issues are matters that have occurred and are currently impacting the implementation of the release.
     Issue Description | Issue Resolution Approach | Notes / Comments | Issue Owner
     [Describe the open issue; if none, indicate "No Open Issues" and leave the other columns blank.] | [Describe how the issue is being resolved (e.g., a work-around, accepting the impact of the issue).] | [Include any notes or comments that may inform management about this issue.] | [Name of Federal staff member and their role]
     [open issue] | | |
     [open issue] | | |

  11. REVIEW OF OPEN RISKS
     Open risks related to this implementation/release
     Definition of Risk: An uncertain event or condition that, if it occurs, has a positive or negative effect on one or more release objectives. Note: If an event has occurred or is a certainty, it becomes an issue rather than a risk.
     Risk Category | Risk Description | Probability | Impact | Mitigation Strategy | Risk Owner
     [Ex: Technical Obsolescence] | [Describe the open risk; if none, indicate "No Risks Identified" and leave the other columns blank.] | [High, Moderate, Low] | [High, Moderate, Low] | [Describe the strategy being used to mitigate the risk in conjunction with the implementation of the release.] | [Name of Federal staff member and their role]
     [Ex: Schedule] | | | | |
     [Ex: Security] | | | | |
     Probability scale:
     High | Risk has a 50% or greater chance of occurring; the risk is more likely to occur than not.
     Moderate | Risk has a greater than 10% and less than 50% chance of occurring.
     Low | Risk has a 10% or less chance of occurring.
     Impact scale:
     High | If realized, the risk results in an inability to meet the business mission/outcomes of the system.
     Moderate | If realized, the risk results in a degraded ability to meet the business mission/outcomes of the system.
     Low | If realized, the risk results in annoyance or inconvenience, but the business mission/outcomes of the system will continue to be met.

  12. SUPPORT CONTRACTOR SIGN-OFF
     [Support Contractor Company Name] confirms that the information included in this PRR for [System / Release Name and Version], which is scheduled for implementation on [implementation date], is correct and accurate to the best of our knowledge. We confirm that testing and validation activities appropriate to the release have been completed. Further, [Support Contractor Company Name] confirms that all risks that we are aware of have been disclosed to the government in this PRR.
     ____________________________ [Name], Program Executive
     ____________________________ [Name], Project Manager

  13. PRR APPROVAL (PAGE 1 OF 2)
     Federal Student Aid approves implementation of [System / Release Name and Version] on [implementation date] based on the information included in this Production Readiness Review.
     ______________________________ [Name], Release Project Manager
     ______________________________ [Name], System Technical Lead
     ____________________________ [Name], Test Lead
     ____________________________ [Name], Information System Security Officer
     ____________________________ [Name], System Owner
     ____________________________ [Name], Information Owner (Business Owner)
     ____________________________ Sanjay Gupta or designee, Next Generation Data Center
     ____________________________ Davon Tyler or designee, FSA Chief Information Security Officer
     [Note: For releases outside of the NGDC, the NGDC sign-off is still required to support coordination of system support and interfaces across the FSA organization.]

  14. PRR APPROVAL (PAGE 2 OF 2)
     Federal Student Aid approves implementation of [System / Release Name and Version] on [implementation date] based on the information included in this Production Readiness Review.
     ___________________________________ Trey Wiesenburg or designee, IT Standards Management and Oversight
     __________________________________ Pardu Ponnapalli or designee, Chief Engineer
     Based on the operational risk associated with implementation of this release, sign-off by FSA Senior Management may be required as indicated below. Factors considered in determining operational risk include system criticality, end-user type and volume, number and complexity of system interfaces, release size, technology used by the release, implementation team maturity, and timing of the release implementation within FSA's business cycle.
     Determination by IT Standards Management and Oversight (select one): Senior Management sign-off is required. / Senior Management sign-off is not required.
     ___________________________________ Margaret Glick, FSA CIO, or designee, FSA Technology Directorate
     ___________________________________ [Name], Business Area Senior Executive

  15. PRR APPENDIX
     9. Testing Activities and Results
     10. Enterprise Change Management
     11. Data Center Readiness
     12. End User Support and Communication
     13. Roll Back Plan
     14. Security & Privacy
     15. Security & Privacy Documentation
     16. Security Vulnerability Scans
     17. Operations and Maintenance
     18. System Documentation
     19. Release Documentation
     20. Lessons Learned
     Controlled by: US Department of Education, Office of Federal Student Aid, [Insert name of Information System Owner]

  16. TESTING ACTIVITIES
     Test Phase | Description | Status of Testing | Organization Executing Tests
     System Testing | System Testing evaluates the integrated system (application) as a whole. The testing team performs tests to ensure that each function of the system works as expected and that any errors are documented, analyzed, and resolved appropriately. | [Not Performed / In Progress / Complete [date]. For responses of Not Performed or In Progress, provide an explanation.] | [Company name of contractor / Federal Student Aid team]
     Intersystem Testing | Testing of the interfaces between systems. | [Not Performed / In Progress / Complete [date]. For responses of Not Performed or In Progress, provide an explanation.] | [Company name of contractor / Federal Student Aid team]
     Accessibility (508) Testing | Testing to ensure that employees and members of the public with disabilities have access to and use of information that is comparable to that available to individuals without disabilities. | [Not Performed / In Progress / Complete [date]. For responses of Not Performed or In Progress, provide an explanation.] | ED OCIO Assistive Technology Team [Only the ED OCIO Assistive Technology Team can determine that 508 testing is not needed for a release. If this determination is made, include an e-mail from that team confirming the decision.]
     Performance Testing | Tests the performance characteristics of the system, including user load and throughput for the user interface, transaction/batch processing, and database. | [Not Performed / In Progress / Complete [date]. For responses of Not Performed or In Progress, provide an explanation.] | FSA Enterprise Performance Test (EPT) Team
     User Acceptance Testing | Formal testing with respect to Application Owner needs, requirements, and processes, conducted to determine whether a system satisfies the acceptance criteria and to enable the user, customers, or other authorized entity to determine whether to accept the system. | [Not Performed / In Progress / Complete [date]. For responses of Not Performed or In Progress, provide an explanation.] | Federal Student Aid [FSA Office Name]

  17. TEST RESULTS SUMMARY
     [Sample values shown; replace with actual counts. Each defect column lists Urgent / High / Med / Low / Total.]
     Type of Testing | # Test Cases/Scripts | Defects Opened | Defects Closed | Defects Deferred | Defects Resulting in Enhancements
     System | 50 | 4 / 4 / 4 / 4 / 16 | 1 / 1 / 1 / 1 / 4 | 1 / 1 / 1 / 1 / 4 | 2 / 2 / 2 / 2 / 8
     Intersystem | 30 | 4 / 4 / 4 / 4 / 16 | 1 / 1 / 1 / 1 / 4 | 1 / 1 / 1 / 1 / 4 | 2 / 2 / 2 / 2 / 8
     Accessibility | 20 | 4 / 4 / 4 / 4 / 16 | 1 / 1 / 1 / 1 / 4 | 1 / 1 / 1 / 1 / 4 | 2 / 2 / 2 / 2 / 8
     Performance | 10 | 4 / 4 / 4 / 4 / 16 | 1 / 1 / 1 / 1 / 4 | 1 / 1 / 1 / 1 / 4 | 2 / 2 / 2 / 2 / 8
     User Acceptance | 100 | 4 / 4 / 4 / 4 / 16 | 1 / 1 / 1 / 1 / 4 | 1 / 1 / 1 / 1 / 4 | 2 / 2 / 2 / 2 / 8
     TOTALS | 210 | 20 / 20 / 20 / 20 / 80 | 5 / 5 / 5 / 5 / 20 | 5 / 5 / 5 / 5 / 20 | 10 / 10 / 10 / 10 / 40
     Defect Severity Levels:
     Urgent | Prevents the accomplishment of an operational or mission-essential capability.
     High | Adversely affects the accomplishment of an operational or mission-essential capability, and no work-around solution is known.
     Medium | Adversely affects the accomplishment of an operational or mission-essential capability, but a work-around solution is known and productivity is negatively impacted.
     Low | Results in user inconvenience or annoyance but does not affect a required operational or mission-essential capability.
     Note: FSA generally does not implement releases with open urgent or high severity defects.

  18. SYSTEM TEST RESULTS
     System Test Results
     Open/Deferred Defects:
     Urgent: [provide description of defect(s) and impact to business functionality]
     High: [provide description of defect(s) and impact to business functionality]
     Medium: [provide description of defect(s) and impact to business functionality]
     Low: [provide description of defect(s) and impact to business functionality]
     Closed/Resolved Defects:
     Urgent: [provide high-level description of urgent defects that were closed]
     High: [provide high-level description of high severity defects that were closed]
     Intersystem Test Results
     Open/Deferred Defects:
     Urgent: [provide description of defect(s) and impact to business functionality]
     High: [provide description of defect(s) and impact to business functionality]
     Medium: [provide description of defect(s) and impact to business functionality]
     Low: [provide description of defect(s) and impact to business functionality]
     Closed/Resolved Defects:
     Urgent: [provide high-level description of urgent defects that were closed]
     High: [provide high-level description of high severity defects that were closed]

  19. USER TEST RESULTS
     Accessibility (508) Results
     Open/Deferred Defects:
     Urgent: [provide description of defect(s) and impact to business functionality]
     High: [provide description of defect(s) and impact to business functionality]
     Medium: [provide description of defect(s) and impact to business functionality]
     Low: [provide description of defect(s) and impact to business functionality]
     Closed/Resolved Defects:
     Urgent: [provide high-level description of urgent defects that were closed]
     High: [provide high-level description of high severity defects that were closed]
     User Acceptance Test Results
     Open/Deferred Defects:
     Urgent: [provide description of defect(s) and impact to business functionality]
     High: [provide description of defect(s) and impact to business functionality]
     Medium: [provide description of defect(s) and impact to business functionality]
     Low: [provide description of defect(s) and impact to business functionality]
     Closed/Resolved Defects:
     Urgent: [provide high-level description of urgent defects that were closed]
     High: [provide high-level description of high severity defects that were closed]

  20. PERFORMANCE TEST RESULTS GUIDANCE
     [Please contact the Enterprise Performance Test (EPT) Team. When performance testing is conducted, EPT will provide slides to insert for performance test results. This slide and the following slide should be replaced with the slides provided by the EPT Team. The following slide is provided as a format for teams that conduct performance testing internally, rather than through EPT.]

  21. PERFORMANCE TEST RESULTS
     Type of Test | Description of Test Performed | Performance Targets | Performance Results
     Peak | | |
     Stress | | |
     Perf. Over Time | | |
     Failover | | |

  22. ENTERPRISE CHANGE MANAGEMENT (ECM)
     Organizational Need Requests (ONRs) related to this release:
     ONR# | Title
     [#####] | [Title]
     [Multiple ONRs may be associated with one release.]
     Release Request (RR) for this release:
     RR# | Title
     [#####] | [Title]
     [Typically a PRR covers only one release with only one associated RR.]
     NGDC Change Requests (NGDC CRs) related to this release:
     NGDC CR# | Title | Environment | State
     [#####] | [Title] | [e.g., Production] | [e.g., Scheduled]
     [Multiple NGDC CRs may be linked to a release; add a row per CR.]
     [Note: Change Requests that affect NGDC configured items (infrastructure, system software, middleware, business applications, and network) residing at the NGDC, but that do not require NGDC vendor support, must still be submitted into the NGDC Enterprise Configuration Management (ECM) tool and labeled by the submitter as a For Your Information (FYI) Change Request (CR). The FYI NGDC CR ticket is required for audits, for troubleshooting incidents, and for assessing impact to the NGDC contractual SLAs.]

  23. DATA CENTER READINESS
     This release will be implemented in FSA's Next Generation Data Center in Clarksville, VA. [Identify other data center if applicable.]
     Operational roles and responsibilities between the different teams (data center, middleware, application support) have been defined and communicated to [POC or team receiving communication].
     The release will be implemented [during / outside of] the normal maintenance window. [State the outage period if outside of the maintenance window.]
     An hour-by-hour plan has been completed and all resources understand the actions required to complete implementation. The hour-by-hour plan has been distributed to all parties involved, including the NGDC Manager.
     Disaster recovery objectives revalidated based on this release:
     Recovery Time Objective (RTO): [Mission Essential = 48 hours / Essential = 72 hours / Non-Essential = 72 hours]
     Recovery Point Objective (RPO): [Mission Essential = 24 hours / Essential = 24 hours / Non-Essential = 48 hours]

  24. DATA CENTER READINESS (CONTINUED)
     A Transition to Operations (TOPS) is required by the NGDC if a system, system component, or infrastructure is added and the NGDC provider's support and/or processes are changed.
     [This release completed a TOPS on [date]. // OR // A TOPS was not required for this release because FSA and the NGDC provider determined that it did not meet the TOPS criteria, as confirmed by e-mail dated [date] from [person]. // OR // If the application is hosted outside of the NGDC, explain the infrastructure/cloud provider's process for ensuring that they are ready to support FSA's business/application.]
     Configuration Management Database (CMDB) review and validation completed on [date]. [Usually done in conjunction with TOPS; if the release does not have a TOPS, this validation still needs to occur.]
     Application Specific Information (ASI) document or SSP, including the infrastructure diagram, was last updated on [date].

  25. END USER SUPPORT AND COMMUNICATION
     Outage window for end users will be [date/time] to [date/time].
     [Describe how end users will be notified of the release.]
     Application help desk [is / is not] aware of the release and [has / has not] updated their procedures. The help desk phone number is [phone number].
     Call center scripts and procedures have been updated to support calls from end users. The Customer Call Center phone number is [phone number].
     [Describe any additional end user support / communication activities.]

  26. ROLL-BACK PLAN
     The roll-back plan will be executed if [describe the conditions that would cause the release to be rolled back, for example if production validation testing fails].
     The roll-back plan consists of [describe how the release will be rolled back if needed].
     The roll-back plan [can / cannot] be completed within the maintenance window. [If an extension would be required, indicate how long.]
     The decision to execute the roll-back plan will be made by the technical team implementing the release based on the criteria described in this PRR, with approval from the System Owner and [NGDC Manager or another responsible location POC].

  27. SECURITY AND PRIVACY
     System Name | Type of System | System Owner | Information System Security Officer (ISSO)
     [Insert Official System Name] | [GSS / System / Sub-system] | Primary: [Name]; Alternate: [Name] | Primary: [Name]; Alternate: [Name]
     FIPS 199 Security Categorization: Confidentiality [High / Moderate / Low] | Integrity [High / Moderate / Low] | Availability [High / Moderate / Low]
     System ATO Date | Ongoing Security Authorization (OSA) Program | FedRAMP | High Value Asset
     [MM/DD/YYYY] | [Yes/No] | [Yes/No] | [Yes/No]
     System Contains PII | SORN
     [Yes/No] | [Yes/No] [If Yes: Federal Register Publication Date: MM/DD/YYYY]

  28. SECURITY AND PRIVACY (CONTINUED)
     The System Owner and ISSO evaluated the changes implemented in this release and determined that there [is no / is a positive / is a negative] impact to the security posture and assessed controls of the system. [Explain why the impact is positive/negative, or leave blank if there is no change.]
     The System Owner and ISSO verified that this release [does / does not] involve the collection of any new data elements or data collection from new data subjects, that all data collection and sharing are done only in accordance with what is listed in [PIAs / SORN / other written agreements], and that this release [does / does not] involve the sharing of data with new business partners. [State the new data/partners if applicable.]
     The System Owner verifies that the PIA for this system has been reviewed/updated in the past two years and sent to the OM Privacy Safeguards Division.
     The ISSO reviewed the website(s) for the system and validated that a human- and machine-readable privacy policy [is / is not] in place. [If not in place, explain.]
     In accordance with OMB M-15-13 and NIST SP 800-52, the System Owner and ISSO confirm that all websites and services provided by this system [are available only through a secure connection (HTTPS using TLS 1.2 or higher, with HSTS) // OR // have an approved RAF].
     The System Owner and ISSO verified that all system personnel are aware of the incident response procedures contained in IAS-04: OCIO/IAS Policy Framework Instruction - Respond, and that those procedures are incorporated within system documentation.
     In accordance with OMB M-21-31, the System Owner and ISSO confirm that this system provides basic (EL1) logging capabilities, with logs retained in acceptable formats for the specified timeframes, as required by August 27, 2022. [If the date is past August 27, 2022 and EL1 is not yet met, add: [System name] has been granted an extension, and POA&M #[ID] has been entered into GRCT against the logging controls.]
     The System Owner and ISSO reviewed the documents on the following PRR slide, Security & Privacy Documentation, and verify that all appropriate updates occurred.
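As an added worked example (not part of the PRR template or any FSA tooling), the following Python script performs the HTTPS/HSTS verification that the OMB M-15-13 / NIST SP 800-52 bullet asks the System Owner and ISSO to attest to: it confirms that the negotiated protocol is TLS 1.2 or higher and that a Strict-Transport-Security header with an adequate max-age is returned. The one-year max-age floor, the function names, and the sample header values are assumptions of this example; `check_site` performs a live connection, while the parsing and evaluation helpers run offline against constructed inputs.

```python
"""Check a web endpoint against the HTTPS posture asserted on the Security and
Privacy slide: TLS 1.2 or higher is negotiated and an HSTS header is present
with a sufficient max-age.

Added example; not part of the PRR template. MIN_MAX_AGE (one year) is an
assumption borrowed from the HSTS preload-list requirement, since OMB M-15-13
does not fix a number; adjust it to the applicable FSA standard.
"""
import http.client
import ssl
from dataclasses import dataclass
from typing import Optional

MIN_MAX_AGE = 31536000  # assumption: one year, the HSTS preload-list floor
ACCEPTABLE_TLS = {"TLSv1.2", "TLSv1.3"}  # names reported by ssl.SSLSocket.version()

# Constructed sample values for offline use; not taken from any real system.
SAMPLE_GOOD = ("TLSv1.3", "max-age=31536000; includeSubDomains; preload")
SAMPLE_WEAK = ("TLSv1.2", "max-age=300")


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool


def parse_hsts(header: Optional[str]) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797 directive syntax).

    Returns None when the header is absent. Directive names are matched
    case-insensitively; a missing or malformed max-age is reported as None.
    """
    if header is None:
        return None
    max_age, include_subdomains, preload = None, False, False
    for directive in header.split(";"):
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            max_age = int(value) if value.isdigit() else None
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, include_subdomains, preload)


def hsts_is_acceptable(header: Optional[str], min_max_age: int = MIN_MAX_AGE) -> bool:
    """True only when HSTS is present with a parseable max-age >= the floor."""
    policy = parse_hsts(header)
    return policy is not None and policy.max_age is not None and policy.max_age >= min_max_age


def tls_version_ok(version: Optional[str]) -> bool:
    """True for TLS 1.2 and TLS 1.3; SSLv3, TLS 1.0/1.1 and unknown values fail."""
    return version in ACCEPTABLE_TLS


def evaluate(tls_version: Optional[str], hsts_header: Optional[str],
             min_max_age: int = MIN_MAX_AGE) -> dict:
    """Combine both checks into the yes/no answer the slide asks for."""
    tls_ok = tls_version_ok(tls_version)
    hsts_ok = hsts_is_acceptable(hsts_header, min_max_age)
    return {"tls_ok": tls_ok, "hsts_ok": hsts_ok, "compliant": tls_ok and hsts_ok}


def check_site(host: str, port: int = 443, timeout: float = 10.0) -> dict:
    """Live check: negotiate TLS, record the protocol version, then fetch the
    response headers for HSTS. The version is read right after connect(),
    because getresponse() may drop the socket if the server closes it."""
    ctx = ssl.create_default_context()            # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # state the floor explicitly
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.connect()
        version = conn.sock.version()             # e.g. "TLSv1.3"
        conn.request("HEAD", "/")
        hsts = conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()
    result = evaluate(version, hsts)
    result.update(host=host, tls_version=version, hsts=hsts)
    return result


if __name__ == "__main__":
    import sys
    for label, (ver, hdr) in (("good", SAMPLE_GOOD), ("weak", SAMPLE_WEAK)):
        print(label, evaluate(ver, hdr))
    if len(sys.argv) > 1:   # optional live check: python hsts_check.py <hostname>
        print(check_site(sys.argv[1]))
```

Run it against each public hostname inside the system boundary before the PRR and record the results alongside the scan dates; a site covered by an approved RAF should be listed as such rather than forced to pass. Because `ssl.create_default_context()` validates the certificate chain and hostname, a certificate problem surfaces as an exception rather than as a false "compliant" result, which is the behaviour you want from an attestation check.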

  29. SECURITY & PRIVACY DOCUMENTATION
     Document status choices: Created Document / Updated Existing Document / Part of Another Document / Document Reviewed and No Update Needed / No Document Exists (explain in comments).
     # | Document | Document Status | Version Number of Final Accepted Document | Date of Final Accepted Document | Comments (if included in another document, indicate the name of that document)
     1 | Information System Security Officer (ISSO) Appointment Letter | [document status] | [version #] | [date] | [comments]
     2 | Privacy Threshold Analysis (PTA) | [document status] | [version #] | [date] | [comments]
     3 | Privacy Impact Assessment (PIA) | [document status] | [version #] | [date] | [comments]
     4 | Business Impact Analysis (BIA) | [document status] | [version #] | [date] | [comments]
     5 | Information Technology (IT) Contingency Plan (includes Test Plan) | [document status] | [version #] | [date] | [comments]
     6 | Categorization Worksheet (optional form, but data fields required in GRCT) | [document status] | [version #] | [date] | [comments]
     7 | System Authorization Boundary | [document status] | [version #] | [date] | [comments]
     8 | System Security Plan | [document status] | [version #] | [date] | [comments]
     9 | Authority To Operate Letter and Briefing | [document status] | [version #] | [date] | [comments]
     10 | Incident Response Plan | [document status] | [version #] | [date] | [comments]
     11 | Security Impact Analysis (SIA) | [document status] | [version #] | [date] | [comments]
     [All GRCT documentation should be indicated in the Comments column, along with its current status (Created / Updated / etc.). For example, the DSW, boundary information, and boundary should be indicated as residing in the GRCT repository.]

30. SECURITY VULNERABILITY SCANS
Scans occurring before PRR

| Scan | Scan Tool(s) | Scan Completed Date |
|---|---|---|
| Application Scan of Non-Production Environments (Dev, Test, Stage, etc.) | | |
| Database Scan of Non-Production Environments (Dev, Test, Stage, etc.) | | |
| OS/Infrastructure Scan of Non-Production Environments (Dev, Test, Stage, etc.) | | |

Scans occurring after PRR

| Scan | Scan Tool(s) | Scan Scheduled Date |
|---|---|---|
| Application Scan of Production | | |
| Database Scan of Production | | |
| Operating System / Infrastructure Scan of Production | | |

31. SECURITY VULNERABILITY SUMMARY

| Finding category | Critical | High | Moderate | Low |
|---|---|---|---|---|
| New scan findings resulting from this release/project (New CAP or New AR) | 4 | 0 | 0 | 0 |
| Existing POA&Ms (Existing CAP or Existing AR) | 10 | 0 | 0 | 0 |
| Total | 14 | 0 | 0 | 0 |

Note: Validated false-positive findings are not included in the counts above; they are recorded by the POA&M Team and stored on a shared drive for future reference. Additional finding details are included in the following slides.
[Guidance: It is a best practice to hold a detailed meeting with the CISO and ITRM support staff prior to the PRR. This ensures that the security team is aware of any security issues and that the PRR goes smoothly; the PRR is unlikely to be approved if there are substantive security findings that the ITRM group was unaware of before the PRR. The New scan findings line should contain the number of findings reported on the injection template. Indicate (by annotation) how many New or Existing POA&Ms require an AR. The Existing POA&Ms line should contain the number of findings in the vulnerability management tool (GRCT).]

32. DETAILS OF SECURITY VULNERABILITY FINDINGS
Scan Type codes: I = Infrastructure/OS, A = Application, D = Database. Mitigation Strategy: Corrective Action Plan (CAP) or Accepted Risk (AR).

| GRCT ID | New or Existing Finding | Risk Level | Description of Finding | Affected System | Scan Type (I/A/D) | Mitigation Strategy (CAP/AR) |
|---|---|---|---|---|---|---|
| | | | [describe finding] | | | |
| | | | [describe finding] | | | |
| | | | [describe finding] | | | |
| | | | [describe finding] | | | |
| | | | [describe finding] | | | |
| | | | [describe finding] | | | |
| | | | [describe finding] | | | |

33. OPERATIONS AND MAINTENANCE
Operations and Maintenance support for [System Name] is provided by [Contractor Name, FSA TO Application Support Team, etc.]
The contract covering O&M support for this system is [contract name and number].
[System Name] requires [number] full-time equivalents (FTEs) to support the system. [Note: This bullet is required for FSA In-House Development, but should be omitted for already-contracted O&M activities]
The System Owner validates that the Configuration Management Plan for the system has been followed for this release and that appropriate configuration management practices are in place for the system.
The System Owner has reviewed the backup schedule that is on file with the infrastructure provider (data center) and validated that appropriate backups are scheduled to occur.
The System Owner validates that Capacity Planning activities have occurred or are scheduled for the system.

34. SYSTEM DOCUMENTATION
[The most recent version and update date should be identified in the table below, but changes are needed only when conditions change, not necessarily with each release]
Document Status choices: Created Document / Updated Existing Document / Part of Another Document / Document Reviewed and no update needed / No document exists (explain in comments)

| # | Document | Document Status | Version Number of Final Accepted Document | Date of Final Accepted Document | Comments (if included in another document, indicate the name of that document) |
|---|---|---|---|---|---|
| 1 | System of Records Notice (SORN) | [fill in document status from choices above] | [version #] | [date] | [comments] |
| 2 | Memorandum of Understanding (MOU) | [document status] | [version #] | [date] | [comments] |
| 3 | Computer Matching Agreement (CMA) | [document status] | [version #] | [date] | [comments] |
| 4 | Interconnection Security Agreement (ISA) | [document status] | [version #] | [date] | [comments] |
| 5 | Record Retention Schedule for System Data | [document status] | [version #] | [date] | [comments] |
| 6 | Requirements Management Plan | [document status] | [version #] | [date] | [comments] |
| 7 | Configuration Management Plan | [document status] | [version #] | [date] | [comments] |
| 8 | Detailed Design Document | [document status] | [version #] | [date] | [comments] |
| 9 | Operations and Maintenance Plan | [document status] | [version #] | [date] | [comments] |
| 10 | Training Plan | [document status] | [version #] | [date] | [comments] |
| 11 | OMB Information Collection Clearance (approval) | [document status] | [version #] | [date] | [comments] |

35. RELEASE DOCUMENTATION
[Documentation that should be new/changed/updated with each release]
Document Status choices: Created Document / Updated Existing Document / Part of Another Document / Document Reviewed and no update needed / No document exists (explain in comments)

| # | Document | Document Status | Version Number of Final Accepted Document | Date of Final Accepted Document | Comments (if included in another document, indicate the name of that document) |
|---|---|---|---|---|---|
| 1 | Detailed Requirements Document | [fill in document status from choices above] | [version #] | [date] | [comments] |
| 2 | Requirements Traceability Matrix | [document status] | [version #] | [date] | [comments] |
| 3 | Data Migration Plan | [document status] | [version #] | [date] | [comments] |
| 4 | Solution Source Code and Deployable Packages | [document status] | [version #] | [date] | [comments] |
| 5 | Solution User Manual | [document status] | [version #] | [date] | [comments] |
| 6 | Release Version Description Document | [document status] | [version #] | [date] | [comments] |
| 7 | Master Test Plan | [document status] | [version #] | [date] | [comments] |
| 8 | Test Suites | [document status] | [version #] | [date] | [comments] |
| 9 | User Acceptance Test Summary Report | [document status] | [version #] | [date] | [comments] |
| 10 | System Test Summary Report | [document status] | [version #] | [date] | [comments] |
| 11 | Defect Management Report | [document status] | [version #] | [date] | [comments] |
| 12 | Implementation Plan | [document status] | [version #] | [date] | [comments] |

36. LESSONS LEARNED
[Describe how lessons learned were captured for this release.]
A lessons learned meeting [is/is not] planned for [date / if not planned, explain the approach for eliciting lessons].
Lessons Learned for this release will be entered in FSA's Lessons Learned Database on or before [date].
The [name and role of the submitter: project manager, system owner, system technical lead, etc.] will be responsible for collecting the lessons learned and entering the lessons in the database.
[Note: This slide should inform readers of the process for identifying and capturing lessons learned. It should not include the specific lessons.]
