XLC Artifacts & Templates

Your project’s complexity will determine which artifacts are needed for a project—as documented in the Project Process Agreement (PPA). It is unlikely that any single project will need all of the artifacts, reviews, and tests.

Page Contents

• Artifact overview
• Figure mapping artifacts to phases and reviews
• Artifact descriptions & templates  A – H  | I – P  | Q – Z

ARTIFACTS OVERVIEW

The life cycle of possible artifacts is mapped to the XLC phases and associated stage gate reviews in the figure below. For artifacts spanning phases, it is expected that updates to the artifact (usually increased detail reflecting work accomplished in the phase) will be available for review. Artifacts evolve in maturity through the XLC:

• Preliminary – the first instance of an artifact that contributes to a stage gate review.  Detailed expectations are provided in the various reviews’ templates.
• Interim – a “point in time” snapshot of an artifact that contributes to a stage gate review.  This updated snapshot should represent progress from the last time the artifact was reviewed.  Detailed expectations are provided in the various review’s templates.
• Baseline – a version of the artifact that is under initial configuration management control. It is possible but usually difficult to change a baselined artifact.  Such a change requires a change request which ensures implications to cost, schedule, and technical baselines are addressed. The expectation is that all sections of the artifact have been completed, reviewed and approved in order to declare a baseline for the artifact.
• Final - a baseline version of the artifact that is deemed complete and cannot be changed in later XLC phases.  It is deemed unchangeable for a particular release of a system.  The expectation is that all sections of the artifact have been completed, reviewed and approved.  A Final version of an artifact is used for hand off to Operations and Maintenance.
• Updated Yearly – Several security artifacts are updated on a yearly basis in the Operations and Maintenance phase.

back to top

XLC ARTIFACTS & TEMPLATES  back to top

Click on the artifact name to download the template for that artifact.

Artifacts A – H back to top

• Action Items: Records and manages assignments that generally result from meeting discussions.
• Annual Operational Analysis Report: Documents elements from the Capital Planning and Investment Control (CPIC) evaluation and results from monitoring the performance of the system/application during normal operations against original user requirements and any newly implemented requirements or changes.  The document assists in the analysis of alternatives for deciding on new functional enhancements and/or modifications to the system/application, or the need to dispose of or replace the system/application altogether.
• Authorization Package: Demonstrates and validates that appropriate security controls exist to safeguard the system. Please note that there is no template for this artifact.
• Business Case: Describes the basic aspects of the proposed IT project: why, what, when, and how.
• Business Product / Code: Documents the implemented system (hardware, software, and trained personnel) that addresses a business need. Please note that there is no template for this artifact.
• CMS CIO-Issued Authorization to Operate (ATO): Provides CIO approval of System Certification and System Accreditation authorizing the system to become operational. Please note that there is no template for this artifact.
• Computer Matching Agreement (CMA) / Interagency Agreement (IA): Documents agreements permitting computerized comparison of systems of records which contain personally identifiable information.
• Contingency Plan: Describes the strategy for ensuring system recovery in accordance with stated recovery time and recovery point objectives.
• Contingency Plan Tabletop Test: Documents planned tests of strategies, personnel, procedures, and resources that respond to a supported applications/system interruption.
• Database Design Document: Describes the design of a database and the software units used to access or manipulate the data.
• Data Conversion Plan: Describes the strategies involved in converting data from an existing system/application to another hardware and/or software environment.
• Data Use Agreement: Informs data users of confidentiality requirements and obtains their agreement to abide by these requirements. Note: this template is not available on the public-facing website and is accessible only by CMS employees. Click here for more information about Data Use Agreements.
• Decision Log: Documents the decisions made over the course of the project.
• Enterprise Architecture Analysis Artifacts: Consists of models, diagrams, tables, and narrative, which show the proposed solution’s integration into CMS operations from both a logical and technical perspective. Please note that there is no template for this artifact.
• Enterprise Systems Development (ESD) Section J: Section J is a service delivery guideline tailored for information technology (IT) contracts for the Enterprise Systems Development (ESD) Program. The document specifies contractual IT-tailored guidelines and requirements to contractors who have received awards from a predefined list.
• Enterprise Systems Development (ESD) SOW Template: The ESD SOW template is a guideline tailored for information technology (IT) contracts for the Enterprise Systems Development (ESD) Program. The document recommends guidelines and requirements to contractors who have received awards from a predefined list.
• High Level Technical Design: Documents conceptual functions and stakeholder interactions.

Artifacts I – P back to top

• Implementation Plan: Describes how the automated system/application or IT situation will be installed, deployed and transitioned into an operational system or situation.
• Information Security Risk Assessment (ISRA): Contains a list of threats and vulnerabilities, an evaluation of current security controls, their resulting risk levels, and any recommended safeguards to reduce risk exposure.
• Interface Control Document: Describes the relationship between a source system and a target system. Required for review, normally not updated after originally baselined in Design Phase.
• IT Intake Request Form: Collects basic new project information from a Business Owner.
• Issues List: Keeps a record of all issues that occur during the life of a project.
• Lessons Learned Log: Identifies and records lessons learned and future recommendations.
• Logical Data Model: Represents CMS data within the scope of a system development project and shows the specific entities, attributes, and relationships involved in a business function’s view of information. Please note that there is no template for this artifact.
• Operations & Maintenance Manual: Guides those who maintain, support and/or use the system in a day-to-day operations environment.
• Plan of Action Milestones (POA&M): Reports the status of known security weaknesses with associated Plan of Action and Milestones.
• Physical Database / Model: Represents CMS data within the scope of a system development project and shows the specific tables, columns, and constraints involved in a physical implementation’s view of information. Please note that there is no template for this artifact.
• Post Implementation Report: Documents results from monitoring the performance of a system/application during normal operations against the original user requirements and any newly implemented requirements or changes.
• Privacy Impact Assessment: Ensures no collection, storage, access, use or dissemination of identifiable respondent information that is not both needed and permitted.
• Project Charter: Authorizes the existence of a project and provides the authority to proceed and apply organizational resources.
• Project Closeout Report: Assesses the project, ensures completion, and derives lessons learned and best practices to be applied to future projects.
• Project Management Plan: Provides detailed plans and schedule, processes, and procedures for managing and controlling the life cycle activities.
• Project Process Agreement (PPA): Authorizes and documents the justifications for using, not using, or combining specific reviews and the selection of specific work products.
• Project Schedule: Shows the Integrated Master Schedule which includes all activities required to complete a project and their interdependencies.

Artifacts Q – Z back to top

• Quality Management Plan: The Quality Management Plan (QMP) is developed during the Planning Phase in conjunction with the Project Management Plan by the Project Manager. The Quality Management Plan documents the necessary information required to effectively manage quality during the life cycle of the project. It defines the project's quality policies, procedures, areas of application and associated criteria, and roles and responsibilities.If it is determined that a separate Quality Management Plan is not required, this information should be conveyed in the Project Management Plan.
• Release Plan: Describes what portions of the system functionality will be implemented in which release and why.
• Requirements Document: Identifies the business and technical capabilities and constraints of the IT project. Also see Requirements Writer's Guide.
• Risk Register: Captures the results of a qualitative and quantitative risk analysis and the results of planning for response.
• Section 508 Assessment: Provides information regarding compliance with required accessibility standards.
• Security Assessment: Describes the completed assessment phases following established assessment procedure and reporting procedures.
• Security Monitoring Reports: Describes the completed security assessments and documents results following established assessment procedure and reporting procedures.
• System Design Document: Documents both high-level system design and low-level detailed design specifications.
• System Disposition Plan: Documents how the various components of an automated system (software, data, hardware, communications, and documentation) are to be handled at the completion of operations to ensure proper disposition of all the system components and to avoid disruption of the individuals and/or other systems impacted by the disposition.
• System of Records Notice (SORN): Informs the public of collection of information about its citizens from which data are retrieved by a unique identifier.
• System Security Plan (SSP): Documents the system’s security level and describes managerial, technical and operational security controls.
• Test Case Specification: Describes the purpose of a specific test, identifies the required inputs and expected results, provides step-by-step procedures for executing the test, and outlines the pass/fail criteria for determining acceptance.
• Test Plan: Describes the overall scope, technical and management approach, resources, and schedule for all intended test activities associated with validation testing.
• Test Summary Report: Summarizes test activities and results including any variances from expected behavior.
• Training Artifacts: Satisfies the training plan with required products which may include web-based instruction, instructor guides, student guides, exercise materials, and training records. Please note that there is no template for this artifact.
• Training Plan: Describes the overall goals, learning objectives, and activities that are to be performed to develop, conduct, control, and evaluate instruction.
• User Manual: Explains how a novice business user is to use the automated system or application from a business function perspective.
• Version Description Document: Identifies, tracks and controls versions of automated systems and/or applications to be released to the operational environment.