Chapter 26 - End-of-Life (EOL) operating systems, software, and applications

8-26.1 INTRODUCTION.

1. Purpose. This chapter establishes the Indian Health Service (IHS) policy governing the responsibilities for End-of-Life (EOL) operating systems, software, and applications to ensure compliance with Federal law and mandates, Department of Health and Human Services (HHS) guidance, and strong managerial control required by IHS leadership to support the IHS mission. This chapter is designed to operate mutually with additional IHS policies in the Indian Health Manual (IHM) related to records and information management.
2. Background. Information Technology (IT) products reach the end of their life cycle (obsolescence) for various reasons, including market demand, technological innovation, inability to source critical components, substitution by functionally superior technology, deviation in vendor’s business direction, end of warranty, or system age-related instability. While this step is a normal part of the entire product life cycle because all products eventually reach an “end-of-life,” the IHS System Owners must consider EOL throughout the solution’s lifecycle from before acquisition through completion of phase out. Additionally, System Owners must proactively mitigate EOL milestone impacts on all IT assets across the IHS. Unsupported IT products pose unacceptable operational and security vulnerability risks to IHS IT assets used to deliver quality health care.
3. Scope. This chapter applies to all IHS organizational components, including but not limited to the IHS Headquarters, Area Offices, Service Units, Urban Indian Health Programs, and others who are conducting business on behalf of and for the IHS and use the IHS IT and Health IT resources. The policies contained in this chapter apply to all IHS IT and Health IT activities, including the equipment, procedures, and technologies employed in managing these activities. The policy includes telework, travel, and off-site locations, and all IHS office locations.
4. Authorities and Guidance.
   1. HHS Office of the Chief Information Officer Policy:

      HHS End-of-Life Operating Systems, Software and Applications Policy, May 19, 2016. (If the HHS policy cannot be accessed, please contact IHSEnterpriseArchitecture@ihs.gov for a copy of the policy.)

   2. Related Authorities:
      1. Clinger-Cohen Act of 1996 (formerly Information Technology 
         Management Reform Act), Public Law (P.L.) 104-106, Division E
      2. Federal Information Security Modernization Act of 2014, L. 113-283
      3. Carl Levin and Howard P. "Buck" McKeon National Defense Authorization Act for Fiscal Year 2015, P.L. 113-291, Title VIII, “Acquisition Policy, Acquisition Management, and Related Matters,” Subtitle D, “Federal Information Technology Acquisition Reform” as codified in relevant part at 40 United States Code (U.S.C.) § 11319
      4. Title 44, S.C., Chapter 35, “Coordination of Federal Information Policy”
      5. Federal Acquisition Regulation, Part 39, “Acquisition of Information Technology”
   3. National Institute of Standards and Technology (NIST) Guidance:
      1. NIST Special Publication (SP) 800-160 1 Rev. 1 - Engineering Trustworthy Secure Systems
   4. Office of Management and Budget (OMB) Circulars:  
      1. Office of Management and Budget (OMB) Circular A-130, “Managing Information as a Strategic Resource”
      2. OMB Memorandum M-15-14, “Management and Oversight of Federal Information Technology”

         To obtain OMB circulars that are not available on-line, please call the OMB information line at (202) 395-3080.

5. Acronyms.
   1. CIO Chief Information Officer
   2. EOL End-of-Life
   3. IHS Indian Health Service
   4. IT Information Technology
6. Definitions.
   1. IT Product. An IT product is hardware, software, firmware, and tools ready-made by commercial vendors and available for sale, lease, or license to the public and the Federal Government. An IT product includes, but is not limited to, workstations, laptops, servers, medical devices, switches, routers, firewalls, Intrusion Detection Systems, storage, tools, applications, operating systems, and back-office software that supports IHS systems.

8-26.2 POLICY.

It is the policy of the IHS that all IT products in use across the Agency shall be vendor supported. The level of vendor support required shall be such that identified operational problems and security vulnerabilities are rapidly mitigated by vendor provided support.

This policy applies to all IT products, whether used as a standalone product, acquired or used as a result of a services contract, or as a component of a more extensive IT system, such as a major automated information system acquisition program. All IT investments that use IT products shall fully comply with this policy and ensure continued support of IT products as part of their lifecycle management planning process.

8-26.3 PROCEDURES.

1. Waivers. Waiver requests must be submitted to the IHS Chief Information Officer (CIO) or their designee(s) for approval. All such requests must include a plan with a timeline for remediation by defining identifiable, measurable activities and achievable completion dates. The IHS Information Security Policy/Standard Waiver Request Form is available in the IHS ServiceNow portal at https://www.ihs.gov/itsupport/.
2. Remediation and Internal Controls. The waiver request must assign responsibility for remediation and development of internal controls to monitor and update the Plan of Action and Milestones as described in the IHM Part 10, Chapter 4 at https://www.ihs.gov/ihm/pc/part-10/p10c4/#10-4.4D to demonstrate weekly and monthly progress.

8-26.4 RESPONSIBILITIES.

1. Chief Information Officer.
   1. The IHS CIO retains the right to disable, disconnect, or otherwise revoke access to all IT products that violate this policy without notice. Revoked products must be remedied, reviewed, and approved by the IHS CIO or their designee(s) before reinstatement for continued use.
   2. Per guidance contained in the “HHS End-of-Life Operating Systems, Software, and Applications Policy, May 19, 2016,” the IHS CIO or their designee(s) is authorized to approve or disapprove Agency-wide waiver requests.
2. System Owner.
   1. The System Owner is responsible for monitoring the lifecycle of all IT products deployed within IT systems and assets owned or operated within their portfolio.
   2. The System Owner is also responsible for developing and executing migration plans to mitigate any operational and security impacts before IT products reach EOL.
   3. If an EOL timeframe does not yet exist, the System Owner must estimate and document an estimated timeframe based on previous experiences, similar products, or industry standards.
   4. When the vendor announces an EOL timeframe, the System Owner must update its documentation to reflect the latest information.
   5. If an IT product is no longer under vendor standard support and has entered an extended support phase, the System Owner who desires continued use of the IT product must make the necessary arrangements for support, including funding, so that the vendor’s extended support agreement adequately covers the continued safe, secure use of the Before entering such an agreement, the IHS CIO or their designee(s) must approve justification for extended support.
   6. If the IT product is no longer under any type of support from the vendor (standard or extended), meaning the IT product has reached the commercial EOL, and the System Owner requires continued use of the IT product, then the System Owner must request and receive a waiver for the IT product. See Section 8-26.3A. Waivers.