Program Requirements for the Successful Implementation of the Information Technology Infrastructure Library within the Intelligence Community


Key to most IT organization’s ongoing success is the leadership team’s ability to anticipate, plan for, and adapt to change. With ever changing business/mission requirements, customer/user expectations, new technologies, governmental regulations, economic and budgetary constraints, reorganizations, increasing competition, new business models (e.g. managed services and outsourcing), etc., never before have IT organizations had to deal with so much concurrent change so quickly. Fortunately, while change cannot be prevented and is difficult to control, it can, and must be managed. The degree to which an IT organization can effectively manage change determines the degree to which they are successful. The question then becomes, “how do we best manage change”?

Part of the answer lies in the adoption of standards and repeatable processes. Within most successful IT organizations, there exist well defined standards and integrated processes that help to anticipate, evaluate, estimate, impact, plan for, and implement change in a consistent manner. In world class organizations, these standards and processes were repeatable and over time come to be recognized as “commercial best practices”. The Information Technology Infrastructure Library® (ITIL) and the closely related ISO/IEC 20000 standards embody these commercial best practices and are rapidly being adopted as the IT profession’s standard for supporting and delivering IT services.

The Intelligence Community (IC) is undergoing tremendous change and is considering alternative ways in which the agencies support the mission. New operating models are being considered. Under consideration by defense and many civilian agencies is an operating model that requires the build out of an IT Infrastructure or Service Management framework (based on ITIL) that various service providers can then “plug” into. While the IT services may change based on mission requirements, the processes and procedures used to define, design, transition, operate and improve the services remains fairly constant. There are numerous benefits associated with this approach including:

  • Elimination of redundant processes and process managers/owners
  • Improvement in operational efficiencies thereby reducing the overall cost structure
  • Visibility across the entire enterprise as a whole vs. individual parts
  • Sharper focus on the actual services that are provided to the end user rather than on the various technologies used to support the service
  • Centralized control of data necessary to support the mission
  • Minimized dependency on any particular vendor or integrator
  • Objective and meaningful performance metrics that accurately reflect reality
  • Real time reporting on the current status of the infrastructure

A critical success factor in transforming the organization from a traditional model to a more mature shared services model for IT delivery and support is the OCIO’s ability to clearly define the requirements for the new model (internal and vendor). Without a thoughtful vision that starts with the end in mind, the probability of success is significantly reduced. This white paper outlines the most significant requirements for the OCIO and supporting vendors if the IC is to achieve the desired end state. All requirements can be organized by People, Process, and Technology.



Organizational transformation to commercial best practices revolves around the people. They can either support change, or resist it to the fullest extent that management will allow. Included below are a few of the key people requirements to help ensure that transformation is understood, accepted and supported.

  1. Executive Education & Sponsorship – One of the first requirements is for the OCIO to formally adopt ITIL and ISO/IEC 20000 as the IC de facto standard for IT Service Management and the preferred support and delivery framework to help the agencies achieve a shared services vision. Senior leaders must publicly and privately “buy into” and support proposed changes and they must understand their specific roles in facilitating organizational and cultural change.
  2. Staff Education – Select individuals within the IC and the supporting organizations will need to be formally trained with regard to ITIL.
  3. Contractor Education – Externally, the IC must insist on vendors and integrators that have knowledgeable and experienced leaders and support personnel that have successfully implemented and managed in accordance with ITIL based best practices at the enterprise level. Most important is that the IC/agencies obtain(s) quantifiable data indicating the performance improvements the vendors or integrators were able to achieve in successfully implementing ITIL, and that this data can be customer validated.
  4. Communication – Open and frequent communication to all OCIO staff is critical to the success of the transformation initiative. The communication requirements include distribution and access to the IC’s Service Management master plan; frequent and informal briefings regarding the transformation initiative, and what they can expect on an individual and organizational level; and periodic and formal executive level briefings regarding the transformation initiative and the progress that the team is making towards a well defined end state.
  5. Organization – New areas of accountability and responsibility need to be defined for individuals through their job descriptions, as well as organizations assuming various functional responsibilities. Value, beliefs, and organizational cultures need to be changed from unconstructive departmental competition to Customer-focused cooperation. The organizational structure may need to change in order to accommodate a new operational model.



There are numerous process related requirements associated with the successful implementation of ITIL and ISO standards in accordance with version 3. One of the most critical requirements for the IC is to determine what role they want to play in the ongoing management and delivery of IT services in support of the mission. It is assumed that the IC will own all of the key ITIL processes with designated process owners. With this in mind, there are both general as well as process specific requirements that will need to be met. Outlined below are a few of the major requirements associated with what is described as the ITIL Core. Figure 1 illustrates the five (5) core features of ITIL and their associated processes.

Figure 1 – ITIL v3 Overview


The achievement of strategic goals or objectives requires the use of strategic assets. Service Strategy demonstrates how to transform service management into a strategic asset. Listed below are the key processes and high-level requirements involved in Service Strategy.

  1. Service Portfolio Management – Develop a Portfolio of IT services to be provided to the user community (description, value proposition, business case, priorities, risks, offerings and packages, costs and pricing) including a service catalog containing information regarding all services (products, policies, ordering, support, escalations, pricing and chargeback )
  2. Financial Management – Requires determination of the actual cost of service; the price to charge for all services; reporting ongoing costs and cost recovery; and integration with financial applications
  3. Demand Management – Define how demand for services will be managed to regulate utilization of resources.
  4. Return on Investment (ROI) – Demonstrate value of new and existing services or service improvements by providing ROI information


Service Design is focused on the steps associated with actually designing IT services. This includes the governing of IT practices, processes and policies, to realize the strategy and facilitate the introduction of services into the live environment. A properly designed service helps to ensure quality service delivery, customer satisfaction and cost-effective service provision throughout the lifecycle of a given service. The processes and high-level requirements associated with Service Design are as follows:

  1. Service Catalog Management – Produce and maintain accurate information on all operational services and those being prepared to be offered
  2. Service Level Management- Document IT service targets with customers; monitor and produce reports on the service provider’s ability to deliver the agreed level of service; specific plans and processes to improve service levels; and provide progress reports
  3. Capacity Management- Provide IT capacity plans and processes that demonstrate IT capacity is appropriately matched to current and future needs of the mission, and that additional capacity is readily available as required
  4. Availability Management – Provide network, hardware and software availability plans and processes that demonstrate agreed upon levels of service availability match or exceed current and future needs of the mission.
  5. IT Service Continuity Management – Provide IT service continuity plans and processes that demonstrate the required IT technical and service facilities (including computer systems, networks, applications, data repositories, telecommunications, environment, technical support and service desk) can be resumed within required, and agreed upon, mission timelines
  6. Information Security management – Provide security management plans and processes to ensure information security is effectively managed in all service and service management activities that align IT to security with service and Service Management activities
  7. Supplier Management – Provide plans and processes that demonstrate service providers ability to seamlessly manage suppliers and the services they provide, and do it in an efficient manner that maximizes the value of the service for the money invested



Service Transition involves the development of capabilities for transitioning new and changed services into operations while ensuring the requirements of Service Strategy, encoded in Service Design, are effectively realized in Service Operations. Service Transition helps to control the risk of failure and disruption while introducing new or changed services into production. Outlined below are the key processes and requirements associated with Service Transition.

  1. Change Management – Use a standardized method or process for the efficient and prompt handling of all requested changes; implement a Change Advisory Board that will  review and approve proposed changes and that unauthorized changes are not allowed
  2. Service Asset & Configuration Management – Be able to ID, control, record, report, audit and verify service assets and configuration items, including versions, baselines, constituent components, their attributes, and relationships
  3. Release and Deployment Management – develop release and deployment plans with the customer; Ensure that each release package includes related assets and service components that are compatible with each other; and ensure that the integrity of a release package is maintained throughout the transition activities and recorded accurately in the CMS
  4. Service Validation and Testing – Develop and implement a structured validation and test process that provide objective evidence that new or changed services will support the defined requirements and agreed service levels
  5. Evaluation – Provide a consistent and standardized process to determine the performance of a service change as it relates to existing and proposed services and the IT infrastructure
  6. Knowledge Management – Provide real time access to information that identifies who is currently using what services, service delivery constraints, the current state of consumption, and customer difficulties in realizing service benefits



Service Operation is focused on achieving effectiveness and efficiency in the delivery and support of services to ensure value for the customer and the service provider. Strategic objectives are ultimately realized through Service Operations. Included below are the key processes/functions and high-level requirements associated with Service Operation.

  1. Event Management – Develop and implement a process that monitors all events that occur through the IT infrastructure to allow for normal operation, and to detect and escalate exceptions/conditions
  2. Incident management – Develop and implement a process that is focused on restoring specified services in the shortest amount of time in order to minimize mission related impacts
  3. Problem Management – Develop and implement a process that will identify the root cause of incidents, and proactively detect and prevent future problems/incidences. Those include known Error sub-process to allow quicker diagnosis and resolution if further incidences do occur
  4. Access Management – Develop and implement a process of granting authorized users the right to use a service, while restricting access to non authorized users. Must be able to accurately identify authorized users and then manage their ability to access services as required during different stages of their human resource or contractual lifecycle.
  5. Service Desk – Establish a central point of contact for all users when there is a disruption in service, or a request for a specific and predefined service or change
  6. Technical Management – Provide detailed technical skills and resources needed to support the ongoing operation of the IT infrastructure, as well as provide for the design, testing, releases and improvement of IT services
  7. Application Management – Develop and implement a process to manage applications throughout their lifecycle to ensure the effective design, testing and ongoing improvement of applications that form part of the IT services
  8. Operations Management – Develop processes and procedures for the daily operational activities needed to manage the IT infrastructure in accordance with pre-established performance standards



Continual Improvement is involved in creating and maintaining value for customers through better design, introduction and operation of services, linking improvement efforts and outcomes with Service Strategy, Design, Transition and Operation. Continual Improvement is best represented by a seven step process of defining what should be measured, what can be measured, how measurement data will be gathered, and how to process, analyze and present suggestions for improvement. The last step of the seven step process is actually implementation of the recommendations. The key requirement for Continual Improvement is to implement a defined improvement plan that demonstrates specific activities and initiatives to improve the overall quality of service and service offerings


While there are many things which an organization considering implementing ITIL could do, there is also an order and precedence required for the implementation to be successful. Listed below is a list of general recommendations that should be considered before embarking on an initiative that will transform the traditional IT organization and culture.

1. Conduct an initial baseline assessment that will evaluate the relative maturity of all existing processes against ITIL best practices as reflected in the ISO20000 standards. Assessment deliverables include for example:

  • Identification of gaps between current operation and ISO standards
  • Recommended steps, in priority order, to close the gaps
  • Preliminary overall Service Management (or improvement) Plan
  • Baseline measures of performance to be used later for comparison purposes

2. Based on the assessment results, further define the specific program requirements to effectively manage all programs in accordance with ITIL/ISO standards.

3. Develop process improvement plans (PIP) for each of the key ITIL process in order to meet and/or exceed stated program requirements. For example, the PIP must define the process purpose, goals, resource requirements, timeline for implementation/improvements, performance measures, reporting, roles and responsibilities, owner, etc. Processes must be repeatable, cross –departmental and overlaid across silos and a system- based organizational structures. Each plan must:

  • Be well integrated with clearly defined process inputs and outputs to/from each of the processes
  • Hold process owners accountable for cross-departmental processes and have visible authority in order to manage across multiple silos. The current (hierarchical) and new management models may exist side by side until the change has become institutionalized.
  • Become part of an overall Service Management Plan that is readily available and is used as a basis to determine progress toward the realization of a shared vision

4. Begin to establish an IT governance structure with specific rules of engagement that must be defined and enforced to achieve the proven benefits of an ITIL conforming implementation.

About the Author

Gregory C. Smith is the President and Founder of G2SF, Inc., a premier service management consultancy to the intelligence and defense communities. Gregory has been supporting and managing the successful implementation of ITIL and ISO 20000 processes and standards to the Federal Government for almost a decade.