maturity model for the phased implementation of a quality
TRANSCRIPT
Maturity Model for the Phased Implementation of a Quality Assurance Management System for Private Security Service Providers
A S I S I N T E R N A T I O N A L
STANDARDAMERICAN NATIONAL
1625 Prince StreetAlexandria, Virginia 22314-2818
USA+1.703.519.6200
Fax: +1.703.519.6299www.asisonline.org
ANSI/ASIS PSC.3-2013
42726_Cover-R1.indd 1-2 3/21/2013 9:54:07 AM
ASIS International (ASIS) is the preeminent
organization for security professionals, with more
than 38,000 members worldwide. Founded in 1955,
ASIS is dedicated to increasing the effectiveness and
productivity of security professionals by developing
educational programs and materials that address
broad security interests, such as the ASIS Annual
Seminar and Exhibits, as well as specific security
topics. ASIS also advocates the role and value of the
security management profession to business, the
media, governmental entities, and the general public.
By providing members and the security community
with access to a full range of programs and services,
and by publishing the industry’s number one
magazine, Security Management, ASIS leads the way
for advanced and improved security performance.
For more information, visit www.asisonline.org.
42726_Cover-R1.indd 3-4 3/21/2013 9:54:07 AM
ANSI/ASIS PSC.3-2013 an American National Standard
MATURITY MODEL FOR THE PHASED IMPLEMENTATION OF A QUALITY ASSURANCE MANAGEMENT SYSTEM FOR PRIVATE
SECURITY SERVICE PROVIDERS
Approved January 29, 2013
American National Standards Institute, Inc.
ASIS International
Abstract
This Standard will benefit private security service providers (PSCs) in improving their quality of services consistent with respect for human rights and legal and contractual obligations. It provides a basis for managing risk while reducing costs, demonstrating legal compliance, enhancing stakeholder relations, and meeting client expectations. The model outlines 6 phases ranging from no process in place for quality assurance management, to going beyond the requirements of the Standard. Criteria based on core elements of ANSI/ASIS PSC.1-2012, Management System for Quality of Private Security Company Operations - Requirements with Guidance can be used to demonstrate continual improvement and are compatible with rewards and recognition programs.
85869_ASFIS_Rev0_1-52.pdf 185869_ASFIS_Rev0_1-52.pd2.pdff 11 3/21/13 11:54 AM3/21/13 11:54 AM
ANSI/ASIS PSC.3-2013
ii
NOTICE AND DISCLAIMER The information in this publication was considered technically sound by the consensus of those who engaged in the development and approval of the document at the time of its creation. Consensus does not necessarily mean that there is unanimous agreement among the participants in the development of this document.
ASIS International standards and guideline publications, of which the document contained herein is one, are developed through a voluntary consensus standards development process. This process brings together volunteers and/or seeks out the views of persons who have an interest and knowledge in the topic covered by this publication. While ASIS administers the process and establishes rules to promote fairness in the development of consensus, it does not write the document and it does not independently test, evaluate, or verify the accuracy or completeness of any information or the soundness of any judgments contained in its standards and guideline publications.
ASIS is a volunteer, nonprofit professional society with no regulatory, licensing or enforcement power over its members or anyone else. ASIS does not accept or undertake a duty to any third party because it does not have the authority to enforce compliance with its standards or guidelines. It assumes no duty of care to the general public, because its works are not obligatory and because it does not monitor the use of them.
ASIS disclaims liability for any personal injury, property, or other damages of any nature whatsoever, whether special, indirect, consequential, or compensatory, directly or indirectly resulting from the publication, use of, application, or reliance on this document. ASIS disclaims and makes no guaranty or warranty, expressed or implied, as to the accuracy or completeness of any information published herein, and disclaims and makes no warranty that the information in this document will fulfill any person’s or entity’s particular purposes or needs. ASIS does not undertake to guarantee the performance of any individual manufacturer or seller’s products or services by virtue of this standard or guide.
In publishing and making this document available, ASIS is not undertaking to render professional or other services for or on behalf of any person or entity, nor is ASIS undertaking to perform any duty owed by any person or entity to someone else. Anyone using this document should rely on his or her own independent judgment or, as appropriate, seek the advice of a competent professional in determining the exercise of reasonable care in any given circumstances. Information and other standards on the topic covered by this publication may be available from other sources, which the user may wish to consult for additional views or information not covered by this publication.
ASIS has no power, nor does it undertake to police or enforce compliance with the contents of this document. ASIS has no control over which of its standards, if any, may be adopted by governmental regulatory agencies, or over any activity or conduct that purports to conform to its standards. ASIS does not list, certify, test, inspect, or approve any practices, products, materials, designs, or installations for compliance with its standards. It merely publishes standards to be used as guidelines that third parties may or may not choose to adopt, modify or reject. Any certification or other statement of compliance with any information in this document shall not be attributable to ASIS and is solely the responsibility of the certifier or maker of the statement.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written consent of the copyright owner.
Copyright © 2013 ASIS International
ISBN: 978-1-934904-45-9
85869_ASFIS_Rev0_1-52.pdf 285869_ASFIS_Rev0_1-52.pd2.pdf 2f 2 3/21/13 11:54 AM3/21/13 11:51/13 11:54 AM4 AM
ANSI/ASIS PSC.3-2013
iii
FOREWORD The information contained in this Foreword is not part of this American National Standard (ANS) and has not been processed in accordance with ANSI’s requirements for an ANS. As such, this Foreword may contain material that has not been subjected to public review or a consensus process. In addition, it does not contain requirements necessary for conformance to the Standard.
ANSI guidelines specify two categories of requirements: mandatory and recommendation. The mandatory requirements are designated by the word shall and recommendations by the word should. Where both a mandatory requirement and a recommendation are specified for the same criterion, the recommendation represents a goal currently identifiable as having distinct compatibility or performance advantages.
About ASIS ASIS International (ASIS) is the preeminent organization for security professionals, with more than 38,000 members worldwide. ASIS is dedicated to increasing the effectiveness and productivity of security professionals by developing educational programs and materials that address broad security interests, such as the ASIS Annual Seminar and Exhibits, as well as specific security topics. ASIS also advocates the role and value of the security management profession to business, the media, government entities, and the public. By providing members and the security community with access to a full range of programs and services, and by publishing the industry’s No. 1 magazine – Security Management – ASIS leads the way for advanced and improved security performance.
The work of preparing standards and guidelines is carried out through the ASIS International Standards and Guidelines Committees, and governed by the ASIS Commission on Standards and Guidelines. An ANSI accredited Standards Development Organization, ASIS actively participates in the International Organization for Standardization. The Mission of the ASIS Standards and Guidelines Commission is to advance the practice of security management through the development of standards and guidelines within a voluntary, nonproprietary, and consensus-based process, utilizing to the fullest extent possible the knowledge, experience, and expertise of ASIS membership, security professionals, and the global security industry.
Suggestions for improvement of this document are welcome. They should be sent to ASIS International, 1625 Prince Street, Alexandria, VA 22314-2818, USA.
Commission Members Charles A. Baley, Farmers Insurance Group, Inc.
Jason L. Brown, Thales Australia
Michael Bouchard, Sterling Global Operations, Inc.
John C. Cholewa III, CPP, Mentor Associates, LLC
Cynthia P. Conlon, CPP, Conlon Consulting Corporation
William J. Daly, Control Risks Security Consulting
Lisa DuBrock, Radian Compliance
Eugene F. Ferraro, CPP, PCI, CFE, Business Controls, Inc.
F. Mark Geraci, CPP, Purdue Pharma L.P., Chair
Bernard D. Greenawalt, CPP, Securitas Security Services USA, Inc.
Robert W. Jones, Socrates Ltd
Glen Kitteringham, CPP, Kitteringham Security Group, Inc.
Michael E. Knoke, CPP, Express Scripts, Inc., Vice Chair
85869_ASFIS_Rev0_1-52.pdf 385869_ASFIS_Rev0_1-52.pd2.pdf 3f 3 3/21/13 11:54 AM3/21/13 11:51/13 11:54 AM4 AM
ANSI/ASIS PSC.3-2013
iv
Bryan Leadbetter, CPP, Bausch & Lomb
Marc H. Siegel, Ph.D., Commissioner, ASIS Global Standards Initiative
Jose M. Sobrón, United Nations
Roger D. Warwick, CPP, Pyramid International
Allison Wylde, London Metropolitan University Business School
At the time it approved this document, the PSC.3 Standards Committee, which is responsible for the development of this Standard, had the following members:
Committee Members Committee Chairman: Marc H. Siegel, Ph.D., Commissioner, ASIS Global Standards Initiative Committee Secretariat: Susan Carioti, ASIS International
Frank P Amoyaw, LandMark Security Limited
William Badertscher, CPP, Georgetown University
Pradeep Bajaj, Professional Industrial Security Management Academy (PRISMA)
Jonathan Bellish, Oceans Beyond Piracy
Inge Black, CPP, CFE, CPO, CanAm Security Risk Group, LLC
Dennis Blass, CPP, PSP, CFE, CISSP, Children's of Alabama
Anne-Marie Buzatu, Geneva Centre for the Democratic Control of Armed Forces (DCAF)
John Casas, PSP, John Casas & Associates, L.L.C.
Rebecca DeWinter-Schmitt, American University
Bobby Dominguez, CPP, CISSP, PMP, CRISC, GSLC, PSCU Financial Services, Inc.
Jack Dowling, CPP, PSP, JD Security Consultants, LLC
André du Plessis, Geneva Centre for the Democratic Control of Armed Forces (DCAF)
Johan du Plooy, CPP, Temi Group
Michael Edgerton, CPP, Good Harbor Consulting, LLC
Thomas Engells, CPP, The University of Texas Medical Branch at Galveston
Glynne Evans, Olive Group Ltd
Windom Fitzgerald, CPP, Pendulum Companies
Stuart Groves, Independent Consultant
Jeffrey Gruber, CPP, CHS-IV, Department of the Army Civilian
Merlin Grue, PSP, Merlin Grue Investigative & Consulting Services
Thomas Haueter, Geneva Centre for the Democratic Control of Armed Forces (DCAF)
Lisa Hole, UK Ministry of Defence
Tom Holmes, Edinburgh International
William Imbrie, DynCorp International, LLC
Randy King, DOD Contractors.org, LLC
Christopher Kinsey, King's College London
Mark Knight, Montreux Solutions - Geneva
Mark LaLonde, Canpro Global
Steven Lente, CPP, Securitas Security Services
85869_ASFIS_Rev0_1-52.pdf 485869_ASFIS_Rev0_1-52.pd2.pdf 4f 4 3/21/13 11:54 AM3/21/13 11:51/13 11:54 AM4 AM
ANSI/ASIS PSC.3-2013
v
Tim Lindsey, CPP, Sidwell Protection Services
William Lutz Jr., NICET Level IV, Fire Alarms, Security On-Line Systems, Inc.
Anthony Macisco, CPP, The Densus Group
Christopher Mayer, U.S. Department of Defense
Allan McDougall, PCIP CMAS CISSP CPP, Evolutionary Security Management
Paul Mitchell, GlobalEdge International
Rodney Pettus, The Jones Group
Tracy Philbert, Plexus Consultancy
Werner Preining, CPP, CMAS, Interpool Security Ltd
William Prentice, Marine Security Initiatives, Inc.
Daniel Puente Pérez, Sociedad de Prevención de Asepeyo
Erik Quist, EOD Technology, Inc. (EODT)
Ian Ralby, I.R. Consilium
Eric Rojo, Magination Consulting International
Maya Siegel, SEMSI
Matt Silcox, CPP
Jeffrey Slotnick, CPP, PSP, Setracon, Inc.
Teresa Stanford, CPP, Security Engineers, Inc.
Barry Stanford, CPP, AEG
Timothy Sutton, CPP, CHSS, Securitas Security Services
Roger Sylvester, CPP, Ensign-Bickford Industries
Karim Vellani, CPP, Threat Analysis Group, LLC
Erika Voss, CBCP, CORM, MBCI, Amazon
Colin Walker, Mclean Walker Security Risk Management Inc.
Roger Warwick, CPP, UNI
Eric Davoine
Dale Wunderlich, CPP, A. Dale Wunderlich & Associates, Inc.
Working Group Members Working Group Co-chairmen: Marc H. Siegel, Ph.D., Commissioner, ASIS Global Standards Initiative Ian Ralby, Ph.D., Executive Director, I.R. Consilium
Frank P Amoyaw, LandMark Security Limited
William Badertscher, CPP, Georgetown University
Pradeep Bajaj, Professional Industrial Security Management Academy (PRISMA)
Dennis Blass, CPP, PSP, CFE, CISSP, Children's of Alabama
John Casas, PSP, John Casas & Associates, L.L.C.
André du Plessis, DCAF
Johan du Plooy, CPP, Temi Group
Glynne Evans, Olive Group Ltd
Jeffrey Gruber, CPP, CHS-IV, Department of the Army Civilian
85869_ASFIS_Rev0_1-52.pd2.pdf 5f 5 3/21/13 11:54 AM3/21/13 11:51/13 11:54 AM4 AM
ANSI/ASIS PSC.3-2013
vi
Lisa Hole, UK Ministry of Defence (representing UK Government)
Mark Knight, Montreux Solutions - Geneva
Steven Lente, CPP, Securitas Security Services
Tim Lindsey, CPP, Sidwell Protection Services
Anthony Macisco, CPP, The Densus Group
Christopher Mayer, Department of Defense
Allan McDougall, PCIP CMAS CISSP CPP, Evolutionary Security Management
Ian Ralby, I.R. Consilium
Maya Siegel, SEMSI
Jeffrey Slotnick, CPP, PSP, Setracon, Inc.
85869_ASFIS_Rev0_1-52.pdf 685869_ASFIS_Rev0_1-52.pd2.pdf 6f 6 3/21/13 11:54 AM3/21/13 11:51/13 11:54 AM4 AM
ANSI/ASIS PSC.3-2013
vii
TABLE OF CONTENTS
0. INTRODUCTION ............................................................................................................................................... IX
0.1 GENERAL .............................................................................................................................................................. IX 0.2 HUMAN RIGHTS PROTECTION .................................................................................................................................... X 0.3 MANAGEMENT SYSTEMS APPROACH ......................................................................................................................... XI
1. SCOPE OF STANDARD ....................................................................................................................................... 1
2. NORMATIVE REFERENCES ................................................................................................................................ 1
3. TERMS AND DEFINITIONS ................................................................................................................................. 2
4. MATURITY MODEL FOR THE PHASED IMPLEMENTATION OF ANSI/ASIS PSC.1-2012 ........................................ 4
4.1 MATURITY MODEL .................................................................................................................................................. 4 4.1.1 What is a Maturity Model? ........................................................................................................................ 4 4.1.2 Why Use a Maturity Model? ...................................................................................................................... 4 4.1.3 Using a Maturity Model with the Management Systems Approach. ......................................................... 5
4.2 PHASES OF THE MATURITY MODEL ............................................................................................................................. 6 4.2.1 Phase One – Pre-awareness ....................................................................................................................... 6 4.2.2 Phase Two – Project Approach ................................................................................................................... 7 4.2.3 Phase Three – Program Approach .............................................................................................................. 7 4.2.4 Phase Four – Systems Approach ................................................................................................................. 8 4.2.5 Phase Five – Management System ............................................................................................................. 8 4.2.6 Phase Six – Holistic Management .............................................................................................................. 9
4.3. MATURITY MODEL MATRIX (MANAGEMENT SYSTEMS APPROACH) ................................................................................. 9
A. USING THE MATURITY MODEL IN AN INTERNAL RECOGNITION PROGRAM ................................................... 34
B. GETTING STARTED USING THE ANSI/ASIS PSC.1-2012 .................................................................................... 35
C. REFERENCES ................................................................................................................................................... 38
TABLE OF FIGURES FIGURE B.1 : UPWARD SPIRAL IMPLEMENTATION OF THE STANDARD (BASED ON THE PDCA MODEL) ............................................... 37
TABLE OF TABLES TABLE 1: MATURITY MODEL FOR THE PHASED IMPLEMENTATION OF THE ANSI/ASIS PSC.1-2012 QUALITY ASSURANCE STANDARD ... 11
85869_ASFIS_Rev0_1-52.pdf 785869_ASFIS_Rev0_1-52.pd2.pdff 77 3/21/13 11:54 AM3/21/13 11:54 AM
ANSI/ASIS PSC.3-2013
viii
This page intentionally left blank.
85869_ASFIS_Rev0_1-52.pdf 885869_ASFIS_Rev0_1-52.pd2.pdf 8f 8 3/21/13 11:54 AM3/21/13 11:51/13 11:54 AM4 AM
ANSI/ASIS PSC.3-2013
ix
0. INTRODUCTION
0.1 General The Quality Assurance Maturity Model is a methodology designed to help Private Security Service Providers including Private Security Companies (collectively “PSCs”) implement a Quality Assurance Management System (QAMS) consistent with respect for human rights, legal obligations, and good quality assurance practices. This maturity model (referred to here as the Standard) for the phased implementation of the ANSI/ASIS PSC.1-2012, Management System for Quality of Private Security Company Operations – Requirements with Guidance quality assurance standard (referred to here as the “standard”), may be used by any type of PSC regardless of their size, scope, or complexity; particularly those operating in circumstances of weakened governance where the rule of law has been undermined due to human or naturally caused events. The Standard accommodates diverse jurisdictional, geographical, cultural, operational, and social environments.
Adopting a process for the phased implementation of a QAMS (“maturity model”) helps the organization determine how to manage change and cost-effectively address the uncertainty in achieving its objectives. The purpose of this Standard is to improve and demonstrate consistent and predictable quality of services provided by PSCs while maintaining the safety and security of their operations and clients within a framework that aims to ensure respect for human rights, national and international laws, and fundamental freedoms. Given the finite resources of organizations, it is imperative that they have tools to address the array of threats, hazards, and risks they may face. The maturity model described in this Standard helps organizations establish, implement, and maintain a QAMS (e.g., ANSI/ASIS PSC.1-2012) to better manage the risks of potentially undesirable and disruptive events through anticipation, assessment, prevention, protection, mitigation, response, and recovery.
Throughout this Standard, reference is made to managing risks. PSCs inherently operate in high risk environments. The organization needs not only to manage risks related to its operations and internal stakeholders, but also those related to external stakeholders upon whom the organization impacts and who can impact the organization. Therefore, the organization must also consider the risks related to its clients, as well as impacted communities. Sources of risk include, but are not exclusive to: legal, security, safety, human resources, cultural, environmental, financial, socio-political, and operational factors. In order to provide a quality of service while demonstrating respect for human life and rights and in order to fulfill contractual obligations, the organization should strive to proactively treat risks minimizing the likelihood and consequences of undesirable and disruptive events. Risk management objectives need to support the organization’s quality assurance management objectives.
This Standard identifies six phases of maturity to achieve continual improvement of quality assurance through a management framework. The maturity model helps organizations achieve the benefits of quality assurance management by “phasing in” a system tied to the organization’s business needs and economic realities, emphasizing a priority to protect life and
85869_ASFIS_Rev0_1-52.pdf 985869_ASFIS_Rev0_1-52.pd2.pdf 9f 9 3/21/13 11:54 AM3/21/13 11:51/13 11:54 AM4 AM
ANSI/ASIS PSC.3-2013
x
respect human rights, national and international laws, and fundamental freedoms. The maturity model enhances an organization’s capacity to manage quality assurance to better prevent when possible, mitigate, respond to, and recover from undesirable and disruptive events. The body of this document provides criteria to plan, do, check, and act, in order to drive continual improvement of the management system.
This model outlines six phases of implementation of ANSI/ASIS PSC.1-2012, ranging from a pre-awareness phase (no process in place for quality assurance management) to holistic management (going beyond the requirements of ANSI/ASIS PSC.1-2012), to promote quality assurance management with stakeholders. Using this maturity model, an organization can achieve and maintain an appropriate level of quality assurance management with respect for legal obligations and human rights as part of an organization’s culture.
The maturity model for the phased implementation of ANSI/ASIS PSC.1-2012 is a series of steps designed to help organizations evaluate where they currently are with regard to quality assurance management, create a business case for a QAMS, establish goals for achievement, benchmark where they are relative to those goals, and plot a business-sensible path to attain conformance with ANSI/ASIS PSC.1-2012. Standards are designed to promote managed and repeatable performance. Managed and repeatable performance will be achieved by moving to a level appropriate for the organization with the goal being to achieve full conformance with ANSI/ASIS PSC.1-2012 and going beyond conformance to the sixth step whenever possible.
This Standard is designed so that it can be integrated with quality, safety, environmental, information security, risk, resilience, and other management systems within an organization. A suitably designed maturity model for phased implementation can thus satisfy the requirements of other management systems standards. Organizations that have adopted a management system (e.g., according to ANSI/ASIS SPC.1-2009, ISO 9001:2000, ISO 14001:2004, ISO 28000:2005, and/or ISO/IEC 27001:2005) are encouraged to use this Standard in conjunction with their existing management systems.
0.2 Human Rights Protection While states and their entities must respect, uphold, and protect human rights, all segments of society (public, private, and not-for-profit) have a shared responsibility to act in a way that respects and does not negatively impact upon human rights and fundamental freedoms. States, clients, and PSCs have a shared responsibility to establish policies and controls to assure conformance with the legal obligations and recommended good practices of the Montreux Document and International Code of Conduct (ICoC). Organizations, regardless of their level of maturity, have an obligation to respect human rights in all of their operations and activities.
The PSC.1 standard emphasizes the sanctity of life of all stakeholders, therefore:
At the most basic “Pre-Awareness” level, organizations may not knowingly do anything that would adversely affect the human rights of persons working on their behalf, clients and other persons they are contracted to protect, or local communities and the general population in their theatre of operation. However, from the Project Approach (Phase 2)
85869_ASFIS_Rev0_1-52.pdf 1085869_ASFIS_Rev0_1-52.pd2.pdf 10f 10 3/21/13 11:54 AM3/21/13 11:51/13 11:54 AM4 AM
ANSI/ASIS PSC.3-2013
xi
onwards organizations assess the human rights risks associated with their operations and take appropriate actions;
Starting with the second phase of the six phase maturity model, organizations should establish and communicate a policy describing top management’s commitment to the respect for human rights and the importance of incorporating that respect into the organization’s operations and procedures;
As organizations mature, they will identify and assess human rights risks associated with their operations, and develop risk treatment strategies; beginning with individual projects and maturing to encompass organization-wide activities;
An awareness of the need to proactively manage risks that may result in undesirable and disruptive events and respect human rights increases with each phase of maturity. Organizations move from merely reacting to events as they occur to anticipating the potential for events and initiating pre-emptive measure to minimize their likelihood;
As organizations mature, they establish proactive mechanisms to address undesirable and disruptive events to manage incidents in order to mitigate their impacts, as well as establish methods for the reporting, investigation and remediation of incidents; and
Continual improvement drives a commitment to respect and promote human rights as inseparable from the provision of security services, by all personnel at all levels of the organization.
0.3 Management Systems Approach The management systems approach encourages organizations to analyze organizational and stakeholder requirements and define processes that contribute to minimizing the risks of potentially undesirable and disruptive events. A management system provides the framework for continual improvement to increase the likelihood of enhancing the quality of services while assuring the protection of human rights and fundamental freedoms. It provides confidence to both the organization and its clients that the organization is able to manage its safety, security, and legal obligations while clearly demonstrating the integration of the respect for human rights into its activities and operations.
Through the full implementation, ongoing maintenance, and continual improvement of the ANSI/ASIS PSC.1-2012 quality assurance management system, an organization is able to reach the ultimate goal of ensuring quality assurance consistent with respect for human rights, legal obligations, and good practices. The phased approach recognizes that the QAMS must be aligned with the organization’s needs, resources, capabilities, and constraints in order to support continual improvement.
An organization needs to identify and manage many activities in order to function effectively. Any activity using resources that are managed in order to enable the transformation of inputs into outputs can be considered to be a process. Often the output from one process directly forms the input to the next process. The management systems approach considers how local policies, culture, actions, or changes influence the state of the organization as a whole and its environment. The component parts of a system can best be understood in the context of relationships with each other, rather than in isolation. Therefore, a management system
85869_ASFIS_Rev0_1-52.pdf 1185869_ASFIS_Rev0_1-52.pd2.pdf 11f 11 3/21/13 11:54 AM3/21/13 11:51/13 11:54 AM4 AM
ANSI/ASIS PSC.3-2013
xii
examines the linkages and interactions between the elements that compose the entirety of the system. The management systems approach systematically defines activities necessary to obtain desired results and establishes clear responsibility and accountability for managing key activities.
The maturity model approach for a QAMS presented in this Standard encourages its users to emphasize the importance of:
a) Understanding an organization’s internal and external context, risk, as well as human rights and legal obligations;
b) Establishing a policy and objectives to manage risks; c) Implementing and operating controls to manage an organization’s risk and security
requirements while respecting human rights; d) Monitoring and reviewing the performance and effectiveness of the QAMS,
administratively and operationally; and e) Continual improvement based on objective measurement.
The Maturity Model outlines six phases of implementation briefly described below as:
1. Phase One: Pre-awareness – Ad hoc quality assurance activities, no process currently in place, and quality assurance management is absent with no advanced preparation. Top management does not recognize the benefits of quality assurance management.
2. Phase Two: Project Approach – Commonly known as “the awareness phase”, where management is willing to test the concept and establish a trial project to explore the benefits of quality assurance management consistent with respect for human rights, legal obligations and good practices.
3. Phase Three: Program Approach – An expansion of the project approach. The organizational view begins to shift from specific issues to addressing division- or organization-wide issues implementing the core elements of the base standard.
4. Phase Four: Systems Approach – This phase involves integrating the core elements of ANSI/ASIS PSC.1-2012. Proactive quality assurance management is viewed as part of an iterative continual improvement process using the Plan-Do-Check-Act (PDCA) model.
5. Phase Five: Management System – All the core elements of the base standard have been applied, evaluated and validated for bringing the organization into full conformance with ANSI/ASIS PSC.1-2012.
6. Phase Six: Holistic Management – Quality assurance management culture is well-developed and is considered an inseparable part of decision making.
The six phases of the model are focused on the phased implementation of a management system standard, all of which are applicable to any discipline or type of management system that seeks to treat risk. In the maturity model’s application to the QAMS, the phases move from reaction to events to addressing known issues mitigating consequences, to balanced and preemptive strategies for anticipation, assessment, prevention, protection, preparedness, mitigation, and response and recovery appropriate to minimizing the likelihood and consequences of undesirable and disruptive events.
85869_ASFIS_Rev0_1-52.pdf 1285869_ASFIS_Rev0_1-52.pd2.pdf 12f 12 3/21/13 11:54 AM3/21/13 11:51/13 11:54 AM4 AM
AMERICAN NATIONAL STANDARD ANSI/ASIS PSC.3-2013
Maturity Model for the Phased Implementation of a Quality Assurance Management System for Private Security Service Providers
1
1. SCOPE OF STANDARD This Standard provides guidance for the use of a maturity model for phased implementation of ANSI/ASIS PSC.1-2012 as a series of steps designed to help organizations:
Evaluate where they currently are with regard to quality assurance management consistent with respect for human rights, legal obligations, and good practices.
Set goals for where they want to go, and benchmark where they are relative to those goals.
Plot a business/mission appropriate path to get there.
The model outlines six phases ranging from an unplanned approach to managing events, to going beyond the requirements of the Standard, and creating a holistic environment for quality assurance management.
2. NORMATIVE REFERENCES The following standard contains provisions which, through reference in this text, constitute provisions of this American National Standard. At the time of publication, the editions indicated were valid. All standards are subject to revision, and parties to agreements based on this American National Standard are encouraged to investigate the possibility of applying the most recent editions of the standard indicated below.
a) ANSI/ASIS PSC.1-2012, Management System for Quality of Private Security Company Operations - Requirements with Guidance 1
b) The Montreux Document on Pertinent International Legal Obligations and Good Practices for States related to Operations of Private Military and Security Companies during Armed Conflict, U.N. doc. A/63/467-S/2008/636 (2008).)2; and
c) International Code of Conduct for Private Security Service Providers (ICoC) (11/2010)3.
1 This document is available at https://www.asisonline.org/guidelines/published.htm. p // g/g /p
2 For the most current version, go to: http://www.eda.admin.ch/psc. p // /p
3 This document is currently available at http://www.icoc-psp.org. p // p p g
85869_ASFIS_Rev0_1-52.pdf 1385869_ASFIS_Rev0_1-52.pdf 13 3/21/13 11:54 AM3/21/13 11:54 AM
ANSI/ASIS PSC.3-2013
2
3. TERMS AND DEFINITIONS NOTE: The reader is encouraged to read through the terms and definitions prior to reading the body of the document.
For the purposes of this Standard, the following terms and definitions apply:
Term Definition
3.1 community A group of associated organizations sharing common interests.
3.2 event An occurrence or change of a particular set of circumstances. [ISO Guide 73:2009] NOTE 1: Nature, likelihood, and consequence of an event cannot be fully knowable.
NOTE 2: An event can be one or more occurrences, and can have several causes.
NOTE 3: Likelihood associated with the event can be determined.
NOTE 4: An event can consist of a non-occurrence of one or more circumstances.
NOTE 5: An event with a consequence is sometimes referred to as “incident”.
3.3 gap analysis A technique for determining the steps to be taken in moving from a current state to a desired future-state.
NOTE: Can be used to establish a baseline.
3.4 quality assurance management (QAM)
Systematic and coordinated activities and practices through which an Organization manages its operational risks and the associated potential threats and impacts therein; consistent with respect for human rights, legal obligations, and good practices.
3.5 quality assurance management program
Ongoing management and governance process supported by top management, resourced to ensure that the necessary steps are taken to identify the root causes of potential undesirable and disruptive events to minimize their likelihood and consequences; maintain viable adaptive, proactive, and reactive strategies and plans; and promulgate safety and security of their operations and clients within a framework that aims to ensure respect for human rights, national and international laws, and fundamental freedoms. Thorough planning, exercising, testing, training, maintenance, and assurance.
3.6 quality assurance management system
Quality assurance management system - A set of interrelated or interacting elements that organizations use to direct and control how policies are implemented and objectives are achieved for quality assurance management.
85869_ASFIS_Rev0_1-52.pdf 1485869_ASFIS_Rev0_1-52.pd2.pdf 14f 14 3/21/13 11:54 AM3/21/13 11:51/13 11:54 AM4 AM
ANSI/ASIS PSC.3-2013
3
Term Definition
3.7 risk Effect of uncertainty on objectives. [ISO Guide 73:2009] NOTE 1: An effect is a deviation from the expected – positive and/or negative.
NOTE 2: Objectives can have different aspects such as financial, health, safety, and environmental goals and can apply at different levels – such as strategic, organization-wide, project, product, and process.
NOTE 3: Risk is often characterized by reference to potential events, consequences, or a combination of these and how they can affect the achievement of objectives.
NOTE 4: Risk is often expressed in terms of a combination of the consequences of an event or a change in circumstances, and the associated likelihood of occurrence.
3.8 risk treatment Process to modify risk (ISO Guide 73:2009) NOTE 1: Risk treatment can involve:
Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
Taking or increasing risk in order to pursue an opportunity; Removing the risk source; Changing the likelihood; Changing the consequences; Sharing the risk with another party or parties (including
contracts and risk financing); and Retaining the risk by informed choice.
NOTE 2: Risk treatments that deal with negative consequences are sometimes referred to as “risk mitigation”, “risk elimination”, “risk prevention” and “risk reduction”.
NOTE 3: Risk treatment can create new risks or modify existing risks.
3.9 sustainability The ability to maintain and preserve the activities and functions of an organization.
3.10 top management Person or group of people who directs and controls an organization at the highest level. [ISO 9000:2005]
85869_ASFIS_Rev0_1-52.pdf 1585869_ASFIS_Rev0_1-52.pd2.pdf 15f 15 3/21/13 11:54 AM3/21/13 11:51/13 11:54 AM4 AM
ANSI/ASIS PSC.3-2013
4
4. MATURITY MODEL FOR THE PHASED IMPLEMENTATION OF
ANSI/ASIS PSC.1-2012
4.1 Maturity Model
4.1.1 What is a Maturity Model? A maturity model is a series of structured steps designed to enable the organization to:
Establish goals consistent with the organization’s vision for continual improvement; Benchmark the organization relative to those goals; and Plot a business/mission appropriate path to achieve the goals.
Using a maturity model allows an organization to phase in a quality assurance management system standard in order to achieve a balance between an organization’s needs, time, and financial constraints. It provides a framework to continually improve the capacity to manage risk and maintain respect for human rights.
A maturity model may provide:
A baseline and gap analysis; Benefit from prior experiences, best practices, and lessons learned; A common language and a shared vision; A framework for prioritizing actions; The opportunity to manage implementation costs more effectively; A way to establish achievable and sustainable goals within resource constraints; and A means to define what continual improvement means for your organization.
4.1.2 Why Use a Maturity Model? A maturity model for the phased implementation of the ANSI/ASIS PSC.1-2012 quality assurance standard provides several advantages:
By selecting initial projects to demonstrate the benefits of the ANSI/ASIS PSC.1-2012 management system, it is possible to build and maintain the support and commitment of stakeholders, staff, and management;
Building the system in a phased approach and achieving benchmarks of maturity provides the organization a link between costs and value added; and
It provides a basis for managing risk and assuring quality of services while reducing costs, demonstrating legal and regulatory compliance, enhancing respect for human rights, meeting client requirements, and addressing other stakeholder expectations.
Organizations may have different reasons for pursuing the implementation of ANSI/ASIS PSC.1-2012, from addressing identified problems, to capitalizing on opportunities for improvement, to gaining business/mission advantage, to complying with contractual and legal requirements. All organizations benefit from enhanced quality assurance. The maturity model for phased implementation places the focus on the continual improvement
85869_ASFIS_Rev0_1-52.pdf 1685869_ASFIS_Rev0_1-52.pd2.pdf 16f 16 3/21/13 11:54 AM3/21/13 11:51/13 11:54 AM4 AM
ANSI/ASIS PSC.3-2013
5
of the process approach for quality assurance management. The purpose is to better manage the organization’s risks to promote the safety and security of their operations and clients within a framework that aims to ensure respect for human rights, national and international laws, and fundamental freedoms. The maturity model provides achievable steps tailored to the economic and temporal realities in which the organization must operate. The organization can expand and improve its QAMS consistent with the context in which it operates, the objectives of the organization, and the availability of resources.
The maturity model does not presume an organization will seek third-party certification. Rather, the approach outlined in this Standard assumes that the driving force for pursuing the implementation of the ANSI/ASIS PSC.1-2012 quality assurance standard is to establish a management system for the continual improvement of quality assurance performance. It is a tool to help organizations become better educated and aware of the benefits of quality assurance management and managing the risks of undesirable and disruptive events. The tools in this Standard help organizations phase-in a management system timed to their business/mission needs, economic and socio-political realities, and relevant legal and contractual obligations. The methodology defined in this Standard can be used by any organization, regardless of whether they will eventually make a business decision to seek first, second, or third-party validation of their conformance with the requirements of the ANSI/ASIS PSC.1-2012 quality assurance standard.
4.1.3 Using a Maturity Model with the Management Systems Approach. All organizations face the challenge of managing their risks within the bounds of organizational objectives and available resources. Through the full implementation, ongoing maintenance, and continual improvement of ANSI/ASIS PSC.1-2012, an organization is able to reach the goal of optimizing quality assurance. The phased approach recognizes that risk and quality management needs to be achieved considering the business/mission, management, and operational needs – as well as the constraints – of the organization. Organizations, regardless of their level of maturity, have an obligation to respect human rights.
The maturity model in this Standard is designed to phase in the implementation of the QAMS. Phases are designed to benchmark the establishment of the QAMS consistent with a phased approach that would be used for other management systems standards (e.g., ISO 9001).
For a management system to be effective, it must be implemented by every person within the organization. For this to occur, some organizations may require a significant paradigm shift in culture, where managing risks is no longer seen as just the responsibility of management. Everyone within the organization should take ownership of their part of the risk management process, making risk and quality assurance management and respect for human rights an integral part of the culture of the organization. Implementation of a management system is both by and for the organization and should be fully integrated into
85869_ASFIS_Rev0_1-52.pdf 1785869_ASFIS_Rev0_1-52.pd2.pdff 1177 3/21/13 11:54 AM3/21/13 11:54 AM4 AM
ANSI/ASIS PSC.3-2013
6
all aspects of the organization to motivate full participation. A maturity model for the phased implementation of ANSI/ASIS PSC.1-2012 helps develop momentum supporting quality assurance management, which is needed to encourage persons to manage their risks by clearly seeing the benefits of participation. By carefully setting objectives and targets to maximize chances of early success, it is possible to stimulate top management support and acquire the needed resources to implement the management system. Publicizing and recognizing success breeds the necessary levels of enthusiasm and credibility throughout the organization to move from phase to phase towards the goal of a fully integrated QAMS. Conversely, the phased approach allows the organization to measure where it is at; and as needed, focuses its efforts for improvement on areas of identified weakness.
4.2 Phases of the Maturity Model The maturity model for the phased implementation of ANSI/ASIS PSC.1-2012 is a series of steps designed to help organizations evaluate where they currently are with regard to quality assurance and risk management, to set goals for where they want to go, to benchmark where they are relative to those goals, and to plot a business-sensible path to get there. Standards are designed to promote managed and repeatable performance. This will be achieved by attaining the maturity level of each phase. Each of these phases is composed of some aspect of the actions documented in ANSI/ASIS PSC.1-2012.
4.2.1 Phase One – Pre-awareness4 This is the pre-awareness phase where the organization is not conducting pre-planning, but rather reacting to situations as they arise in an ad hoc fashion. No quality assurance and risk management process or policy is in place; rather, individuals within the organization are reacting to quality assurance, risk management, and human rights issues as they occur. The key barrier in this phase is a lack of – or misunderstanding of – the information, knowledge, and vision about quality assurance management. In order to move from Phase One to Phase Two, the organization needs to recognize the need and the value of quality assurance management. A disruptive event may trigger a realization within the organization that pre-planning might have saved the organization and its stakeholders from physical, financial, and reputational harm. External factors – such as stakeholder concerns, contractual requirements, or government encouragement – may cause the organization to consider exploring a more proactive approach. Once the organization becomes aware of the potential benefits of quality assurance management, it is ready to move on to Phase Two.
4 Lack of an established or formal program does not relieve the PSC from the requirements to adhere to internationally accepted measures and approaches to protect human rights, nor for their accountability should an incident occur.
85869_ASFIS_Rev0_1-52.pdf 1885869_ASFIS_Rev0_1-52.pd2.pdf 18f 18 3/21/13 11:54 AM3/21/13 11:51/13 11:54 AM4 AM
ANSI/ASIS PSC.3-2013
7
4.2.2 Phase Two – Project Approach The project approach is the awareness phase. Management is willing to test the concept and establish a trial project to explore the benefits of quality assurance management. A limited scope project is established to address specific issues using the core elements of ANSI/ASIS PSC.1-2012 as a guide for how to improve performance.
Management should clearly define the objectives and expectations of the project. Management then authorizes and provides resources to a “Project Leader” to conduct a project (see ANSI/ASIS PSC.1-2012, section 6.5). To assure the best outcome of the project, issues addressed must be carefully selected to maximize the likelihood of quick success. The project focus is on demonstrating the need and value of quality assurance management. The underlying assessment of the project is a gap analysis: examining what is needed to achieve the goals of the project in order to recognize, demonstrate, and promote success to generate momentum for a broader quality assurance management program.
Recognizing this project is vital to the success of this phase. Therefore, as with any project, it requires clear definitions of objectives, authorities, roles, responsibilities, budgets, and timeframes, as well as a method to measure and monitor outcomes. To conduct the project successfully, the Project Leader needs to have top management support, including adequate resources. In addition, access to adequate training and expertise are necessary to support the Project Leader and members of the project team.
This Standard provides a structure for approaching and resolving the issues that need to be addressed. Implementation entails applying as many of the core elements of the base standard as possible to improve quality assurance and risk management performance relative to the identified elements. Attention is focused on addressing the “low hanging fruit5” issues, rather than emphasizing the management system framework structure.
4.2.3 Phase Three – Program Approach The program approach is an expansion of the project approach. The view shifts from specific issues to addressing division- or organization-wide issues, implementing the core elements of ANSI/ASIS PSC.1-2012. Focus is placed on the activities outlined in the individual core elements rather than their interrelationships and integration of the elements. Risk and quality assurance management applications are selected for their chances of demonstrating success and awareness. In this phase, top management recognizes the importance of the elements and the need for pre-planning. The application of ANSI/ASIS PSC.1-2012 is still in a pilot-testing mode. Parts of the organization are applying the elements of ANSI/ASIS PSC.1-2012 and testing action plans to make a business case for implementing the management system standard in full.
5 A course of action that can be undertaken quickly and easily as part of a wider range of changes or solutions to a problem.
85869_ASFIS_Rev0_1-52.pd2.pdf 19f 19 3/21/13 11:54 AM3/21/13 11:51/13 11:54 AM4 AM
ANSI/ASIS PSC.3-2013
8
This phase provides the opportunity to increase awareness to a larger portion of the organization. The “Program Manager” is appointed and endorsed by top management, and expands the project to address broader issues related to the organization’s reliability, sustainability, and respect for human rights. The organization identifies and defines authorities, roles, responsibilities, and appropriate resources within the organization (see ANSI/ASIS PSC.1-2012, section 6.5). Emphasis is on developing a series of action plans to deal with events that may impact the organization and its stakeholders. The action plans selected may be in reaction to actual or potential events. When developing the action plans, the organization creates proactive plans to better respond to identified issues. The organization should consider measures to reduce the likelihood of undesirable and disruptive events and their consequences. Typically, more weight is given to pre-emptive planning to address the symptoms and consequences of a disruption.
4.2.4 Phase Four – Systems Approach Phase Four is the systems approach which involves putting the pieces together. Core elements of the base standard are expanded upon with special attention paid to their interrelationships and integration. The core elements are viewed in terms of identifying and addressing root causes of undesirable and disruptive events and creating economically viable solutions which address the root causes. Quality assurance management is viewed as part of an iterative continual improvement process using the PDCA model. Integration and feedback loops of the systems approach encourage learning from experience.
In this phase, top management recognizes, understands, and is committed to the strategic importance of quality assurance management. Top management is actively engaged in the elements of the management system and ANSI/ASIS PSC.1-2012. The organization establishes, implements, and maintains an ongoing formal risk and impact assessment process (see ANSI/ASIS PSC.1-2012, section 7.2), to ensure that operations and activities have been identified, risk criteria are set, and risks are prioritized with an emphasis on proactive and pre-emptive risk treatment measures. The focus is on identifying opportunities for improvement in risk and quality assurance performance. Various parts of the organization are testing the standard’s core elements to refine the implementation of ANSI/ASIS PSC.1-2012. Audit findings are used to identify opportunities for improvement in order to reinforce the competitive and strategic advantage of the organization. By the end of this phase, a culture of risk management and quality assurance consistent with respect for human rights is clearly taking hold within the organization.
4.2.5 Phase Five – Management System By this phase, the management system is now fully implemented consistently throughout the defined scope of the organization. The organization can now demonstrate conformance to ANSI/ASIS PSC.1-2012 (either by first, second, or third party validation). A multi-year perspective recognizing the utility of the management system standard has been visibly endorsed by top management and quality assurance management consistent with respect
85869_ASFIS_Rev0_1-52.pdf 2085869_ASFIS_Rev0_1-52.pd2.pdf 2f 200 3/21/13 11:54 AM3/21/13 11:54 AM4 AM
ANSI/ASIS PSC.3-2013
9
for human rights is fully integrated into the organization’s functions and activities. A quality assurance management culture is promoted within the organization, encouraging persons throughout it to take ownership of risk. This includes pre-emptively acting upon their role in identifying, assessing, and managing risk to promote risk management and quality assurance.
The management of risk uses a pre-emptive approach to address the minimization of both the likelihood and consequences of undesirable and disruptive events. Risk management, risk assessment, and quality assurance management are considered key components of the overall decision-making process in the organization. Training and awareness are routine parts of the human resource management of all persons providing services to the organization.
By now, all the core elements of the standard have been applied and tested. The organization establishes, implements, and maintains documented procedures for internal audits and management reviews (see ANSI/ASIS PSC.1-2012, sections 10-11) to drive opportunities for improvement and increased competitiveness. The management systems approach is extended to new applications, divisions, and parts of the enterprise, as well as subcontractors and supply chain partners. There is a continual drive to make the system processes more efficient and effective, to support continued interest and engagement in the quality assurance and risk management processes.
4.2.6 Phase Six – Holistic Management In phase six, the organization goes beyond conformance to ANSI/ASIS PSC.1-2012 to fully integrate quality assurance into its enterprise-wide business management strategy. The risk and quality assurance management culture is well-developed and is considered an inseparable part of decision-making and day-to-day operations, including its relationships with both its internal and external stakeholders. Quality assurance management and systems principles are expanded to all areas of business and activities.
The organization mentors other stakeholders within an internal, external, and risk management context, as well as enterprise-wide quality assurance management within subcontractor and client interactions, thus recognizing that quality assurance is an integral part of service and client relationships.
4.3. Maturity Model Matrix (Management Systems Approach) The following matrix outlines the perspectives and activities that should be considered for the different phases of implementation of ANSI/ASIS PSC.1-2012. The matrix provides guidance on how an organization can structure a fit-for-purpose program to align with their organization’s business needs and realities. Organizations can use this matrix as a basis for a recognition program to evaluate their level of performance.
When using the matrix it is important to be aware that starting with Phase Two there is a cumulative implementation of the phases. By moving across the matrix for increasing maturity
85869_ASFIS_Rev0_1-52.pdf 2185869_ASFIS_Rev0_1-52.pd2.pdf 2f 211 3/21/13 11:54 AM3/21/13 11:54 AM4 AM
ANSI/ASIS PSC.3-2013
10
for any element, the organization can measure where it is at and determine how to best achieve the next level. Most well-managed organizations have parts of the elements at varying stages of maturity. The matrix can be used to focus resources and efforts to bring all elements up to the same level of maturity to enhance movement to increased phases of maturity.
85869_ASFIS_Rev0_1-52.pdf 2285869_ASFIS_Rev0_1-52.pd2.pdf 2f 222 3/21/13 11:54 AM3/21/13 11:54 AM4 AM
AN
SI/A
SIS
PS
C.3
-201
3
11
Tabl
e 1:
Mat
urity
Mod
el fo
r the
Pha
sed
Impl
emen
tatio
n of
the
AN
SI/A
SIS
PSC
.1-2
012
Mat
urity
Mod
el fo
r the
Pha
sed
Impl
emen
tatio
n of
the
ANSI
/ASI
S PS
C.1
-201
2
AN
SI/A
SIS
PSC
.1
Stan
dard
C
laus
e
Cor
e El
emen
t Is
sues
Add
ress
ed
by C
ore
Elem
ent
(est
ablis
h,
impl
emen
t, an
d m
aint
ain)
Pre-
awar
enes
s (P
hase
One
)
Proj
ect
App
roac
h (P
hase
Tw
o)
Prog
ram
A
ppro
ach
(Pha
se T
hree
)
Syst
ems
App
roac
h (P
hase
Fou
r)
Man
agem
ent
Syst
em
(Pha
se F
ive)
Hol
istic
M
anag
emen
t (P
hase
Six
)
- Gen
eric
C
once
pts
- Key
ele
men
tal
them
e.
- Des
crip
tion
of e
lem
ent.
- N
o fo
rmal
qua
lity
assu
ranc
e m
anag
emen
t. - R
isk
and
qual
ity
assu
ranc
e m
anag
emen
t ac
tions
are
re
actio
nary
in
natu
re.
- Not
yet
re
cogn
izin
g th
e im
porta
nce
and
valu
e of
QA
MS
el
emen
ts.
- Res
pons
e an
d re
cove
ry to
un
desi
rabl
e an
d di
srup
tive
even
ts
depe
nden
t on
the
ad h
oc re
actio
ns
and
resp
onse
s of
si
ngul
ar in
divi
dual
s ba
sed
on th
eir
diffe
rent
ex
perie
nces
and
/or
the
colle
ctiv
e,
how
ever
un
coor
dina
ted,
re
spon
ses
of th
e di
vers
e in
divi
dual
s.
- Ini
tiate
s a
proj
ect
to a
ddre
ss s
peci
fic
issu
e(s)
by
parti
ally
im
plem
entin
g co
re
elem
ents
. - A
ctio
ns g
ener
ally
re
actio
nary
in
natu
re, f
ocus
ing
on
pre-
iden
tifie
d is
sue(
s).
- Rec
ogni
zes
the
impo
rtanc
e of
el
emen
ts a
nd th
e ne
ed fo
r som
e pr
e-pl
anni
ng.
- Foc
us is
on
solv
ing
an id
entif
ied
prob
lem
(s) t
o de
mon
stra
te th
e bu
sine
ss v
alue
of
usin
g th
e S
tand
ard.
- Est
ablis
hes
a di
visi
on
or o
rgan
izat
ion-
wid
e pr
ogra
m to
add
ress
qu
ality
ass
uran
ce
issu
es b
y pa
rtial
ly
impl
emen
ting
core
el
emen
ts.
- Rec
ogni
zes
the
impo
rtanc
e of
ele
men
ts
and
the
need
for p
re-
plan
ning
; how
ever
, fo
cus
is o
n in
divi
dual
el
emen
ts a
nd n
ot th
eir
inte
rrel
atio
nshi
p an
d in
tegr
atio
n (c
heck
list
appr
oach
). - M
ay b
e in
reac
tion
to
an in
cide
nt o
r nea
r m
iss
or b
e dr
iven
by
exte
rnal
con
cern
s.
- QA
M a
pplic
atio
ns
sele
cted
for t
heir
chan
ces
of
dem
onst
ratin
g su
cces
s.
- Pro
gram
driv
en b
y “P
rogr
am M
anag
er”
who
app
lies
a pr
ogra
m
man
agem
ent
appr
oach
.
- QA
M is
vie
wed
as
a m
atte
r of s
trate
gic
valu
e to
the
orga
niza
tion.
- F
ocus
es o
n in
tegr
atio
n an
d in
terr
elat
ions
hips
be
twee
n co
re
elem
ents
. - F
ocus
es o
n m
issi
on-
base
d m
anag
emen
t of
risk
s to
min
imiz
e bo
th li
kelih
ood
and
cons
eque
nces
of
unde
sira
ble
and
disr
uptiv
e ev
ents
. - Q
AM
is v
iew
ed a
s pa
rt of
a c
ontin
ual
impr
ovem
ent p
roce
ss
usin
g P
DC
A m
odel
. - Q
AM
con
sist
ent w
ith
resp
ect f
or h
uman
rig
hts,
lega
l ob
ligat
ions
, and
goo
d pr
actic
es is
see
n as
im
porta
nt a
t all
leve
ls
and
indi
vidu
als
in
orga
niza
tion.
- I
nteg
ratio
n an
d fe
edba
ck lo
ops
of
syst
ems
appr
oach
. - Q
AM
cul
ture
is
deve
lopi
ng a
nd p
art
of d
ecis
ion
mak
ing.
- The
org
aniz
atio
n is
co
nfor
man
t with
the
requ
irem
ents
of t
he
stan
dard
. - T
he o
rgan
izat
ion
esta
blis
hes,
doc
umen
ts,
impl
emen
ts, m
aint
ains
, and
co
ntin
ually
impr
oves
a
QA
MS
in a
ccor
danc
e w
ith
the
requ
irem
ents
of t
he
QA
MS
Sta
ndar
d.
- Exa
min
es th
e lin
kage
s an
d in
tera
ctio
ns b
etw
een
the
QA
MS
ele
men
ts th
at
com
pose
the
entir
ety
of th
e sy
stem
for t
he d
efin
ed
scop
e.
- Man
ages
risk
usi
ng
bala
nced
stra
tegi
es to
ad
aptiv
ely,
pre
empt
ivel
y,
and
reac
tivel
y ad
dres
s m
inim
izat
ion
of b
oth
likel
ihoo
d an
d co
nseq
uenc
es o
f un
desi
rabl
e an
d di
srup
tive
even
ts.
- QA
M is
dem
onst
rabl
y pa
rt of
the
rout
ine
man
agem
ent
of c
ontra
cts,
pro
ject
s, a
nd
busi
ness
pro
cess
es.
- The
org
aniz
atio
n es
tabl
ishe
s an
d m
aint
ains
al
l doc
umen
tatio
n an
d re
cord
s re
quire
d by
the
QA
MS
sta
ndar
d.
- The
org
aniz
atio
n go
es b
eyon
d co
nfor
man
ce to
the
stan
dard
to fu
lly
inte
grat
e qu
ality
as
sura
nce
man
agem
ent i
nto
its
over
all r
isk
man
agem
ent
stra
tegy
. - T
he o
rgan
izat
ion
emph
asiz
es
ente
rpris
e-w
ide,
su
bcon
tract
or, a
nd
supp
ly c
hain
re
latio
nshi
ps in
all
aspe
cts
of it
s Q
AM
S.
- The
org
aniz
atio
n m
ento
rs o
ther
st
akeh
olde
rs (i
n its
su
pply
cha
in,
subc
ontra
ctor
s, a
nd
com
mun
ity).
- Th
e or
gani
zatio
n vi
ews
its q
ualit
y as
sura
nce
as a
n in
tegr
al p
art o
f re
latio
nshi
ps w
ith
loca
l com
mun
ities
and
cl
ient
s.
- QA
MS
cul
ture
is
wel
l-dev
elop
ed a
nd
cons
ider
ed a
n in
tegr
al
part
of o
vera
ll m
anag
emen
t and
de
cisi
on m
akin
g.
- QA
MS
prin
cipl
es a
re
expa
nded
to a
ll ar
eas
of th
e or
gani
zatio
n an
d its
act
iviti
es.
5.2
Con
text
of t
he
Org
aniz
atio
n - U
nder
stan
ds
the
orga
niza
tion
- Ext
erna
l and
inte
rnal
co
ntex
t is
defin
ed a
nd
- No
inte
rnal
or
exte
rnal
con
text
for
- Con
text
of t
he
orga
niza
tion
is
- Int
erna
l and
ext
erna
l co
ntex
t ide
ntifi
ed,
- Int
erna
l and
ext
erna
l co
ntex
t, in
clud
ing
- The
org
aniz
atio
n id
entif
ies,
eva
luat
es, a
nd
- The
org
aniz
atio
n id
entif
ies
and
85869_ASFIS_Rev0_1-52.pdf 232.pdf 23 3/21/13 11:54 AM3/21/13 11:54 AM
AN
SI/A
SIS
PS
C.3
-201
3
12
Mat
urity
Mod
el fo
r the
Pha
sed
Impl
emen
tatio
n of
the
ANSI
/ASI
S PS
C.1
-201
2
AN
SI/A
SIS
PSC
.1
Stan
dard
C
laus
e
Cor
e El
emen
t Is
sues
Add
ress
ed
by C
ore
Elem
ent
(est
ablis
h,
impl
emen
t, an
d m
aint
ain)
Pre-
awar
enes
s (P
hase
One
)
Proj
ect
App
roac
h (P
hase
Tw
o)
Prog
ram
A
ppro
ach
(Pha
se T
hree
)
Syst
ems
App
roac
h (P
hase
Fou
r)
Man
agem
ent
Syst
em
(Pha
se F
ive)
Hol
istic
M
anag
emen
t (P
hase
Six
)
and
its in
tern
al
and
exte
rnal
co
ntex
t.
docu
men
ted.
- S
uppl
y ch
ain
and
subc
ontra
ctor
risk
iden
tifie
d an
d do
cum
ente
d.
the
QA
MS
is
esta
blis
hed.
- N
o ev
alua
tion
of
inte
rnal
and
ex
tern
al fa
ctor
s w
hich
can
in
fluen
ce th
e w
ay
an o
rgan
izat
ion
man
ages
risk
. - N
o su
pply
cha
in
or s
ubco
ntra
ctor
an
alys
is.
defin
ed fo
r the
lim
ited
scop
e of
the
proj
ect a
nd is
sue
bein
g ad
dres
sed.
- P
redo
min
ate
focu
s is
on
inte
rnal
con
text
w
ith li
mite
d ev
alua
tion
of d
irect
in
fluen
ce o
f the
su
pply
cha
in o
r su
bcon
tract
ors.
incl
udin
g su
pply
cha
in
or s
ubco
ntra
ctor
an
alys
is a
s it
rela
tes
to
the
scop
e of
the
prog
ram
, but
not
thei
r in
terr
elat
ions
hip.
supp
ly c
hain
and
su
bcon
tract
or n
odal
an
alys
is is
con
duct
ed
and
eval
uate
d in
re
latio
n to
how
eac
h af
fect
s th
e ob
ject
ives
an
d fu
nctio
ns o
f the
or
gani
zatio
n an
d se
rves
as
inpu
t to
the
risk
asse
ssm
ent.
- Org
aniz
atio
n ev
alua
tes
inte
rnal
and
ex
tern
al fa
ctor
s w
hich
ca
n in
fluen
ce th
e w
ay
the
orga
niza
tion
man
ages
risk
.
docu
men
ts it
s in
tern
al a
nd
exte
rnal
con
text
. - C
onte
xt p
rovi
des
inpu
t for
es
tabl
ishi
ng q
ualit
y as
sura
nce
and
risk
man
agem
ent c
riter
ia.
- Nod
al a
naly
sis
is
cond
ucte
d an
d do
cum
ente
d fo
r the
sup
ply
chai
n an
d su
bcon
tract
ors.
docu
men
ts it
s up
stre
am a
nd
dow
nstre
am s
uppl
y ch
ain,
em
phas
izin
g th
e ro
le o
f su
bcon
tract
ors,
to
prev
ent u
ndes
irabl
e or
dis
rupt
ive
even
ts.
- Org
aniz
atio
n un
ders
tand
s its
role
w
ithin
the
cont
ext o
f th
e en
viro
nmen
t in
whi
ch it
func
tions
. -
Ana
lysi
s pr
ovid
es a
ba
sis
for p
reem
ptiv
e ac
tions
to a
void
un
desi
rabl
e ev
ents
by
shar
ing
risk
conc
erns
w
ith th
e su
pply
cha
in
and
loca
l co
mm
uniti
es.
5.3
Nee
ds a
nd
Req
uire
men
ts
- Clie
nts
requ
irem
ents
are
id
entif
ied.
- Und
erst
andi
ng th
e cl
ient
’s
need
s to
ach
ieve
con
tract
ob
ject
ives
and
min
imiz
e ris
k.
- Ope
ratio
nal
cont
ract
ual
oblig
atio
ns o
f cl
ient
s ar
e m
et;
clie
nt a
nd lo
cal
com
mun
ities
’ ob
ject
ives
, con
text
, an
d ris
ks a
re n
ot
anal
yzed
and
un
ders
tood
.
- Im
pact
on
clie
nt
and
loca
l co
mm
uniti
es fr
om
prev
ious
inci
dent
s ar
e un
ders
tood
but
ev
alua
tion
limite
d to
is
sues
add
ress
ed in
sc
ope.
- Clie
nt a
nd lo
cal
com
mun
ity
requ
irem
ents
are
id
entif
ied
and
eval
uate
d w
ithin
the
scop
e of
the
issu
es
addr
esse
d.
-Clie
nt, l
ocal
co
mm
unity
, and
oth
er
stak
ehol
der
requ
irem
ents
are
id
entif
ied,
eva
luat
ed,
and
met
to a
chie
ve
the
obje
ctiv
es o
f its
co
ntra
cts
and
min
imiz
e th
e ris
ks.
- Sta
tuto
ry,
regu
lato
ry, a
nd
hum
an ri
ghts
re
quire
men
ts a
re
iden
tifie
d.
- Ide
ntifi
ed
requ
irem
ents
are
us
ed a
s in
puts
to th
e ris
k as
sess
men
t and
tre
atm
ent p
roce
sses
.
- Clie
nt, l
ocal
com
mun
ity,
and
othe
r sta
keho
lder
re
quire
men
ts a
re id
entif
ied,
ev
alua
ted,
and
do
cum
ente
d an
d lin
ked
to
the
risk
asse
ssm
ent a
nd
treat
men
t pro
cess
es to
ac
hiev
e th
e ob
ject
ives
of
its c
ontra
cts
and
min
imiz
e th
e ris
ks.
- Clie
nt b
ecom
es
awar
e of
the
hum
an
and
com
mun
ity
impa
cts
of it
s re
quire
men
ts o
f the
or
gani
zatio
n.
- Fee
dbac
k is
pr
ovid
ed to
the
clie
nt
to b
ette
r ena
ble
risk
man
agem
ent o
f un
desi
rabl
e an
d di
srup
tive
even
ts.
- Clie
nt c
ontra
cts
are
mod
ified
con
side
ring
risk
asse
ssm
ent.
5.4
Def
inin
g R
isk
Crit
eria
- T
he
orga
niza
tion
defin
es c
riter
ia to
be
use
d to
ev
alua
te th
e
- The
risk
crit
eria
pro
vide
a
refe
renc
e ag
ains
t whi
ch
the
sign
ifica
nce
of ri
sk is
ev
alua
ted.
- Ris
k cr
iteria
are
no
t def
ined
. - R
isk
crite
ria fo
r sp
ecifi
c is
sues
ad
dres
sed
are
defin
ed b
y th
e pr
ojec
t man
ager
.
- R
isk
crite
ria fo
r sp
ecifi
c is
sues
ad
dres
sed
are
defin
ed
by th
e pr
ogra
m
man
ager
in
- R
isk
crite
ria re
flect
th
e or
gani
zatio
n’s
risk
attit
udes
con
side
ring
the
view
s of
st
akeh
olde
rs.
- Ris
k cr
iteria
ana
lyze
d,
eval
uate
d, a
nd
docu
men
ted.
- R
isk
crite
ria a
re
cons
iste
nt w
ith th
e
- Ris
k cr
iteria
are
co
nsis
tent
with
the
orga
niza
tion’
s cl
ient
’s
risk
man
agem
ent
polic
y.
85869_ASFIS_Rev0_1-52.pdf 2485869_ASFIS_Rev0_1-52.pd2.pdf 2f 244 3/21/13 11:54 AM3/21/13 11:54 AM4 AM
AN
SI/A
SIS
PS
C.3
-201
3
13
Mat
urity
Mod
el fo
r the
Pha
sed
Impl
emen
tatio
n of
the
ANSI
/ASI
S PS
C.1
-201
2
AN
SI/A
SIS
PSC
.1
Stan
dard
C
laus
e
Cor
e El
emen
t Is
sues
Add
ress
ed
by C
ore
Elem
ent
(est
ablis
h,
impl
emen
t, an
d m
aint
ain)
Pre-
awar
enes
s (P
hase
One
)
Proj
ect
App
roac
h (P
hase
Tw
o)
Prog
ram
A
ppro
ach
(Pha
se T
hree
)
Syst
ems
App
roac
h (P
hase
Fou
r)
Man
agem
ent
Syst
em
(Pha
se F
ive)
Hol
istic
M
anag
emen
t (P
hase
Six
)
sign
ifica
nce
of
risk.
co
nsul
tatio
n w
ith to
p m
anag
emen
t. - R
isk
crite
ria
cons
ider
ed w
ithin
the
cont
ext o
f leg
al a
nd
othe
r req
uire
men
ts.
- R
isk
crite
ria
deve
lope
d in
co
nsul
tatio
n w
ith to
p m
anag
emen
t and
in
tegr
ated
into
the
risk
asse
ssm
ent p
roce
ss.
- Ris
k cr
iteria
m
onito
red
and
revi
ewed
for
appr
opria
tene
ss.
orga
niza
tion’
s ris
k m
anag
emen
t pol
icy
and
docu
men
ted
as p
art o
f the
sy
stem
eva
luat
ion
and
revi
ew p
roce
ss.
- Ris
k cr
iteria
are
sy
nchr
oniz
ed w
ith
subc
ontra
ctor
s an
d su
pply
ch
ain
partn
ers.
- Ris
k cr
iteria
are
sy
nchr
oniz
ed w
ith
subc
ontra
ctor
s an
d su
pply
cha
in p
artn
ers.
5.5
Sco
pe o
f the
M
anag
emen
t S
yste
m
- Def
ines
the
scop
e of
the
QA
MS
.
- Bas
ed o
n th
e in
tern
al,
exte
rnal
, and
qua
lity
assu
ranc
e m
anag
emen
t co
ntex
t of t
he o
rgan
izat
ion,
th
e sc
ope
and
boun
darie
s fo
r dev
elop
men
t and
im
plem
enta
tion
of Q
AM
S
are
defin
ed.
- No
proc
ess
to
iden
tify
inte
rnal
and
ex
tern
al c
onte
xt fo
r qu
ality
ass
uran
ce.
- No
defin
ition
of
scop
e.
- Pro
ject
s of
lim
ited
scop
e fo
cusi
ng o
n on
e or
a li
mite
d nu
mbe
r of i
ssue
s vi
ewed
as
havi
ng
sign
ifica
nt in
tere
st.
- Int
erna
l, ex
tern
al,
and
qual
ity
assu
ranc
e co
ntex
t lim
ited
to p
roje
ct
scop
e de
finiti
on.
- Sco
pe d
efin
ed
base
d on
min
imiz
ing
unde
sira
ble
and
disr
uptiv
e ev
ents
, an
d en
surin
g re
spec
t for
hum
an
right
s w
ithin
a
spec
ific
proj
ect o
r as
pect
of t
he
orga
niza
tion.
- Pro
gram
s ar
e es
tabl
ishe
d to
add
ress
co
re e
lem
ents
bas
ed
on th
e or
gani
zatio
n’s
obje
ctiv
es, a
ctiv
ities
, in
tern
al a
nd e
xter
nal
oblig
atio
ns (i
nclu
ding
th
ose
rela
ted
to
stak
ehol
ders
and
lega
l re
spon
sibi
litie
s).
- Sco
pe d
efin
ed b
ased
on
min
imiz
ing
unde
sira
ble
and
disr
uptiv
e ev
ents
, and
en
surin
g re
spec
t for
hu
man
righ
ts fo
cusi
ng
on th
e is
sues
ad
dres
sed
in th
e pr
ogra
m.
- Org
aniz
atio
n de
fines
an
d do
cum
ents
the
inte
rnal
, ext
erna
l, an
d ris
k m
anag
emen
t co
ntex
t. - T
he o
rgan
izat
ion’
s ob
ject
ives
, act
iviti
es,
inte
rnal
and
ext
erna
l ob
ligat
ions
(inc
ludi
ng
thos
e re
late
d to
st
akeh
olde
rs),
and
lega
l res
pons
ibili
ties
are
defin
ed w
ithin
the
scop
e.
- Bou
ndar
ies
of s
cope
ar
e de
fined
and
do
cum
ente
d ba
sed
on th
e or
gani
zatio
n’s
activ
ities
and
ob
ligat
ions
, inc
ludi
ng
activ
ities
of
subc
ontra
ctor
s.
- Sco
pe is
eva
luat
ed
and
refin
ed b
ased
on
the
risk
asse
ssm
ent.
- Org
aniz
atio
n de
fines
and
do
cum
ents
the
inte
rnal
, ex
tern
al, a
nd q
ualit
y as
sura
nce
cont
ext.
- Sub
cont
ract
or a
nd
outs
ourc
ed p
roce
sses
that
fa
ll w
ithin
the
scop
e ar
e co
ntro
lled.
- B
ound
arie
s of
sco
pe
defin
ed a
nd d
ocum
ente
d,
cons
ider
ing
the
orga
niza
tion’
s m
issi
on,
goal
s, in
tern
al a
nd e
xter
nal
oblig
atio
ns, r
isk
asse
ssm
ent,
and
lega
l re
spon
sibi
litie
s.
- S
cope
of t
he Q
AM
S
defin
ed in
term
s of
and
ap
prop
riate
to th
e si
ze,
natu
re, a
nd c
ompl
exity
of
the
orga
niza
tion
from
a
pers
pect
ive
of c
ontin
ual
impr
ovem
ent.
- Bou
ndar
ies
of s
cope
de
fined
and
doc
umen
ted.
- Org
aniz
atio
n de
fines
an
d do
cum
ents
the
inte
rnal
, ext
erna
l, an
d ris
k m
anag
emen
t co
ntex
t, as
wel
l as
ente
rpris
e-w
ide
risk
man
agem
ent
inte
ract
ions
and
su
bcon
tract
or a
nd
supp
ly c
hain
co
mm
itmen
ts, a
nd
rela
tions
hips
. -
Any
out
sour
ced
proc
esse
s ar
e co
ntro
lled.
D
efin
ing
the
qual
ity
assu
ranc
e w
ith a
n in
tern
al, e
xter
nal,
and
risk
man
agem
ent
cont
ext r
elat
ed to
the
com
mun
ity.
6.2
Man
agem
ent
Com
mitm
ent
- Man
agem
ent
man
date
and
co
mm
itmen
t.
-Top
man
agem
ent
com
mitm
ent t
o m
eetin
g th
e re
quire
men
ts o
f QA
MS
. - T
op m
anag
emen
t pr
ovis
ions
app
ropr
iate
re
sour
ces
and
defin
es
auth
oriti
es fo
r QA
MS
.
- Man
agem
ent
ambi
vale
nt o
r un
rece
ptiv
e.
- Con
cern
ed w
ith
ackn
owle
dgin
g ris
k, q
ualit
y, a
nd
unce
rtain
ty.
- No
guid
ance
from
- Man
agem
ent
auth
oriz
atio
n an
d re
sour
ces
prov
ided
to
“Pro
ject
Lea
der”
to
con
duct
pro
ject
. - R
esou
rces
re
stric
ted
to a
ddre
ss
limite
d sc
ope.
- Top
man
agem
ent
spon
sors
hip.
- E
ndor
sem
ent o
f es
tabl
ishe
d pr
ogra
ms
for Q
AM
. - O
ne o
r mor
e in
divi
dual
s ap
poin
ted
as P
rogr
am M
anag
er.
- Top
man
agem
ent
parti
cipa
tion.
- A
ctiv
e en
dors
emen
t of
QA
MS
by
top
man
agem
ent.
- Est
ablis
hes
a Q
AM
S
polic
y.
- One
or m
ore
- Top
man
agem
ent l
eads
by
exa
mpl
e, d
ocum
entin
g ev
iden
ce o
f its
sup
port
of
the
QA
MS
man
date
and
co
mm
itmen
t to
the
esta
blis
hmen
t, im
plem
enta
tion,
ope
ratio
n,
mon
itorin
g, re
view
,
- Top
man
agem
ent
emph
asiz
es it
s co
mm
itmen
t to
QA
MS
in
org
aniz
atio
n –
clie
nt a
nd o
ther
ex
tern
al s
take
hold
er
rela
tions
hips
. -
Top
man
agem
ent
85869_ASFIS_Rev0_1-52.pdf 2585869_ASFIS_Rev0_1-52.pdf 252.pdf 25 3/21/13 11:54 AM3/21/13 11:54 AM
AN
SI/A
SIS
PS
C.3
-201
3
14
Mat
urity
Mod
el fo
r the
Pha
sed
Impl
emen
tatio
n of
the
ANSI
/ASI
S PS
C.1
-201
2
AN
SI/A
SIS
PSC
.1
Stan
dard
C
laus
e
Cor
e El
emen
t Is
sues
Add
ress
ed
by C
ore
Elem
ent
(est
ablis
h,
impl
emen
t, an
d m
aint
ain)
Pre-
awar
enes
s (P
hase
One
)
Proj
ect
App
roac
h (P
hase
Tw
o)
Prog
ram
A
ppro
ach
(Pha
se T
hree
)
Syst
ems
App
roac
h (P
hase
Fou
r)
Man
agem
ent
Syst
em
(Pha
se F
ive)
Hol
istic
M
anag
emen
t (P
hase
Six
)
the
top
of
orga
niza
tion.
- O
stric
h ef
fect
.
- Res
ourc
e al
loca
tion
linke
d to
pe
rcei
ved
bene
fit.
- Pro
ject
aim
s to
en
cour
age
mor
e m
anag
emen
t su
ppor
t and
buy
-in.
- Man
agem
ent s
ets
prio
ritiz
atio
n an
d tim
efra
mes
to a
ddre
ss
risks
of u
ndes
irabl
e or
di
srup
tive
even
ts fo
r is
sues
iden
tifie
d.
- Res
ourc
es a
lloca
ted
to s
uppo
rt pr
ogra
m.
indi
vidu
als
appo
inte
d to
be
resp
onsi
ble
for
QA
MS
. - D
ecid
es c
riter
ia fo
r ac
cept
ing
risk,
and
ac
cept
able
leve
ls o
f ris
k fo
r pre
vent
ing
unde
sira
ble
and
disr
uptiv
e ev
ents
. - S
ets
prio
ritiz
atio
n an
d tim
efra
mes
for
man
agin
g th
e ris
ks o
f un
desi
rabl
e an
d di
srup
tive
even
ts.
- Res
ourc
es a
lloca
ted
to s
uppo
rt Q
AM
S.
mai
nten
ance
, and
im
prov
emen
t of t
he Q
AM
S.
- Def
ines
and
doc
umen
ts
crite
ria to
be
used
to
eval
uate
the
sign
ifica
nce
of
risk
and
qual
ity a
ssur
ance
fo
r the
pre
vent
ion
unde
sira
ble
and
disr
uptiv
e ev
ents
and
mai
ntai
ning
re
spec
t for
hum
an ri
ghts
. - S
uffic
ient
reso
urce
s al
loca
ted
and
com
pete
ncie
s as
sure
d.
proa
ctiv
ely
prom
otes
Q
AM
S w
ithin
the
indu
stry
. - S
harin
g be
st
prac
tices
with
ext
erna
l st
akeh
olde
rs
(sub
cont
ract
ors
and
othe
r PS
Cs)
. - D
efin
es a
nd
docu
men
ts c
riter
ia to
be
use
d to
eva
luat
e th
e si
gnifi
canc
e of
ris
k, d
eter
min
atio
n of
ap
prop
riate
risk
tre
atm
ents
to p
reve
nt
unde
sira
ble
and
disr
uptiv
e ev
ents
, and
se
tting
of t
imef
ram
es
for m
anag
ing
the
risks
of
und
esira
ble
disr
uptiv
e ev
ents
of
orga
niza
tion
and
rele
vant
sta
keho
lder
s.
6.3
Sta
tem
ent o
f C
onfo
rman
ce
- Set
ting
a S
tate
men
t of
Con
form
ance
.
- Con
form
ance
to th
e pr
inci
ples
of a
pplic
able
in
tern
atio
nal h
uman
itaria
n la
w, l
ocal
law
s, h
uman
rig
hts,
and
cus
tom
ary
law
s in
clud
ing
Mon
treux
D
ocum
ent a
nd
Inte
rnat
iona
l Cod
e of
C
ondu
ct fo
r Priv
ate
Sec
urity
Ser
vice
Pro
vide
rs
is d
ocum
ente
d.
- No
Sta
tem
ent o
f C
onfo
rman
ce.
- Sta
tem
ent l
imite
d to
spe
cific
issu
es.
- Sta
tem
ent i
s co
mm
unic
ated
and
co
nfirm
ed b
y ap
prop
riate
peo
ple
wor
king
on
the
Pro
ject
.
- Sta
tem
ent i
s co
mm
unic
ated
and
co
nfirm
ed b
y ap
prop
riate
peo
ple
wor
king
on
the
Pro
gram
issu
es.
- Sta
tem
ent i
s es
tabl
ishe
d an
d co
mm
unic
ated
to
pers
ons
wor
king
on
beha
lf of
the
orga
niza
tion.
- S
tate
men
t is
visi
bly
endo
rsed
by
top
man
agem
ent.
- Sta
tem
ent i
s vi
sibl
y en
dors
ed b
y to
p m
anag
emen
t. - S
tate
men
t is
com
mun
icat
ed a
nd
conf
irmed
by
all
appr
opria
te p
eopl
e w
orki
ng
for o
r on
beha
lf of
the
orga
niza
tion.
- S
tate
men
t is
avai
labl
e to
st
akeh
olde
rs.
- Con
form
ance
is
docu
men
ted,
impl
emen
ted,
an
d m
aint
aine
d.
- Sta
tem
ent i
nteg
rate
d in
to a
ll m
anag
emen
t st
ruct
ures
, lev
els,
and
in
divi
dual
re
spon
sibi
litie
s.
- Sta
tem
ent i
s co
mm
unic
ated
to
pote
ntia
l clie
nts
as a
co
nditi
on fo
r ac
cept
ing
cont
ract
s.
- Con
form
ance
do
cum
ente
d,
impl
emen
ted,
and
m
aint
aine
d th
roug
hout
the
orga
niza
tion’
s su
pply
ch
ain,
esp
ecia
lly w
ith
resp
ect t
o su
bcon
tract
ors.
6.4
Pol
icy
- S
ettin
g a
polic
y fra
mew
ork.
- T
op m
anag
emen
t pol
icy
to p
rovi
de a
fram
ewor
k fo
r - N
o de
fined
QA
M
polic
y.
- Pol
icy
limite
d to
ad
dres
sing
iden
tifie
d - D
rafte
d by
“Pro
gram
M
anag
er” a
nd s
igne
d - P
olic
y es
tabl
ishe
s fra
mew
ork
for q
ualit
y - P
olic
y es
tabl
ishe
s fra
mew
ork
for q
ualit
y - P
olic
y in
tegr
ated
into
al
l man
agem
ent
85869_ASFIS_Rev0_1-52.pdf 262.pdf 26 3/21/13 11:54 AM3/21/13 11:54 AM
AN
SI/A
SIS
PS
C.3
-201
3
15
Mat
urity
Mod
el fo
r the
Pha
sed
Impl
emen
tatio
n of
the
ANSI
/ASI
S PS
C.1
-201
2
AN
SI/A
SIS
PSC
.1
Stan
dard
C
laus
e
Cor
e El
emen
t Is
sues
Add
ress
ed
by C
ore
Elem
ent
(est
ablis
h,
impl
emen
t, an
d m
aint
ain)
Pre-
awar
enes
s (P
hase
One
)
Proj
ect
App
roac
h (P
hase
Tw
o)
Prog
ram
A
ppro
ach
(Pha
se T
hree
)
Syst
ems
App
roac
h (P
hase
Fou
r)
Man
agem
ent
Syst
em
(Pha
se F
ive)
Hol
istic
M
anag
emen
t (P
hase
Six
)
setti
ng o
bjec
tives
and
pr
ovid
e th
e di
rect
ion
and
prin
cipl
es fo
r act
ion.
- Lac
k of
top
leve
l go
vern
ance
. is
sue(
s).
- Driv
en b
y “P
roje
ct
Lead
er”,
may
or m
ay
not h
ave
top
man
agem
ent
invo
lvem
ent b
eyon
d ap
prov
al o
f pro
ject
.
by to
p m
anag
emen
t. - C
lear
com
mitm
ent t
o co
mpl
y w
ith a
pplic
able
le
gal,
hum
an ri
ghts
, an
d ot
her
requ
irem
ents
. - P
olic
y ad
dres
ses
qual
ity a
ssur
ance
m
anag
emen
t in
divi
sion
s de
fined
in
scop
e.
- Com
mun
icat
ed to
re
leva
nt d
ivis
ions
.
assu
ranc
e m
anag
emen
t by
setti
ng o
bjec
tives
and
pr
ovid
ing
dire
ctio
n.
- Cle
ar c
omm
itmen
t to
com
ply
with
ap
plic
able
lega
l, hu
man
righ
ts, a
nd
othe
r req
uire
men
ts.
- Sup
porte
d by
top
man
agem
ent.
- Com
mun
icat
ed
thro
ugho
ut
orga
niza
tion.
assu
ranc
e m
anag
emen
t by
setti
ng o
bjec
tives
and
pr
ovid
ing
dire
ctio
n.
- Cle
ar c
omm
itmen
t to
com
ply
with
app
licab
le
lega
l, hu
man
righ
ts, a
nd
othe
r req
uire
men
ts.
- Sup
porte
d an
d pr
omot
ed
by to
p m
anag
emen
t. - C
omm
unic
ated
th
roug
hout
org
aniz
atio
n an
d to
sta
keho
lder
s,
mak
ing
them
aw
are
of
cont
ent a
nd m
eani
ng.
stru
ctur
es, l
evel
s, a
nd
indi
vidu
al
resp
onsi
bilit
ies.
- C
lear
com
mitm
ent t
o ho
listic
QA
M.
- Com
mun
icat
ed
thro
ugho
ut
orga
niza
tion,
en
terp
rise,
and
to
exte
rnal
sta
keho
lder
s (s
uppl
y ch
ain
and
com
mun
ity).
6.5
Org
aniz
atio
nal
Rol
es,
Res
pons
ibili
ties,
an
d A
utho
ritie
s
- QA
MS
role
s an
d re
spon
sibi
litie
s ar
e as
sign
ed a
nd
com
mun
icat
ed
with
in th
e or
gani
zatio
n.
- Rol
es, r
espo
nsib
ilitie
s,
and
auth
oriti
es fo
r ass
urin
g im
plem
enta
tion
of th
e Q
AM
S a
re e
stab
lishe
d,
com
mun
icat
ed, a
nd
mai
ntai
ned
with
in th
e or
gani
zatio
n.
- No
spec
ified
role
s an
d re
spon
sibi
litie
s re
late
d to
QA
MS
es
tabl
ishe
d w
ithin
an
org
aniz
atio
n.
- No
form
al ro
les
and
resp
onsi
bilit
ies
assi
gned
. - R
oles
are
ass
igne
d w
ithin
the
proj
ect b
ut
not t
hrou
ghou
t the
or
gani
zatio
n.
- One
or m
ore
indi
vidu
als
are
appo
inte
d to
co
mm
unic
ate
the
role
s an
d ne
eds
for Q
AM
S
thro
ugho
ut th
e pr
ogra
m.
- Res
ourc
es a
re
allo
cate
d fo
r the
pr
ogra
m.
- Rol
es,
resp
onsi
bilit
ies,
and
au
thor
ities
for Q
AM
S
are
assi
gned
and
co
mm
unic
ated
th
roug
hout
the
orga
niza
tion.
- O
ne o
r mor
e in
divi
dual
s ar
e ap
poin
ted
to e
nsur
e re
leva
nt Q
AM
S ro
les
are
com
mun
icat
ed
with
in th
e sy
stem
. - N
eeds
and
ex
pect
atio
ns o
f in
tern
al a
nd e
xter
nal
stak
ehol
ders
are
id
entif
ied.
- A
war
enes
s of
Q
AM
S ro
les
are
prom
oted
thro
ugh
the
orga
niza
tion.
- One
or m
ore
indi
vidu
als
are
appo
inte
d to
ens
ure
rele
vant
QA
MS
role
s ar
e co
mm
unic
ated
with
in th
e or
gani
zatio
n, a
nd e
nsur
e th
at a
dequ
ate
reso
urce
s ar
e m
ade
avai
labl
e fo
r Q
AM
S.
- Rol
es w
ithin
the
QA
MS
ar
e es
tabl
ishe
d,
impl
emen
ted,
and
m
aint
aine
d in
acc
orda
nce
with
requ
irem
ents
for t
he
stan
dard
s.
- Com
mun
icat
ion
with
top
man
agem
ent f
or re
view
as
a ba
sis
for c
ontin
ual
impr
ovem
ent.
- Nee
ds a
nd e
xpec
tatio
n of
in
tern
al a
nd e
xter
nal
stak
ehol
ders
are
iden
tifie
d an
d ap
prop
riate
act
ion
is
take
n to
man
age
thes
e ne
eds
and
expe
ctat
ions
.
-Rol
es w
ithin
QA
MS
ar
e kn
own
and
com
mun
icat
ed
thro
ugho
ut th
e or
gani
zatio
n an
d to
re
leva
nt s
take
hold
ers.
- S
harin
g be
st
prac
tices
and
role
s w
ith e
xter
nal
stak
ehol
ders
(sup
ply
chai
n an
d co
mm
unity
). - C
omm
unic
atio
n w
ith
clie
nt fo
r con
tinua
l im
prov
emen
t.
7.1
Lega
l and
O
ther
R
equi
rem
ents
- Ide
ntifi
es a
nd
asse
sses
lega
l, re
gula
tory
, and
ot
her
requ
irem
ents
to
whi
ch th
e or
gani
zatio
n
- Id
entif
icat
ion
of le
gal a
nd
othe
r re
quire
men
ts
(inte
rnat
iona
l, na
tiona
l, an
d lo
cal).
-
Eva
luat
ion
of in
tern
al a
nd
exte
rnal
re
quire
men
ts
perti
nent
to
th
e
- No
proc
ess
for
iden
tifyi
ng a
nd
unde
rsta
ndin
g of
le
gal a
nd o
ther
re
quire
men
ts
asso
ciat
ed w
ith
QA
M.
- Inf
orm
al p
roce
ss
initi
ated
to id
entif
y le
gal a
nd o
ther
re
quire
men
ts re
late
d to
iden
tify
issu
es
bein
g ad
dres
sed.
- Leg
al a
nd
hum
anita
rian
requ
irem
ents
ap
plic
able
to th
e ac
tiviti
es, f
unct
ions
, an
d se
rvic
es in
the
scop
e of
the
prog
ram
- Est
ablis
hes
and
mai
ntai
ns p
roce
dure
s to
iden
tify
lega
l and
ot
her r
equi
rem
ents
in
clud
ing
rele
vant
in
tern
atio
nal
hum
anita
rian
law
,
- Est
ablis
hes
and
mai
ntai
ns d
ocum
ente
d pr
oced
ures
to id
entif
y le
gal
and
othe
r req
uire
men
ts
incl
udin
g re
leva
nt
inte
rnat
iona
l hum
anita
rian,
hu
man
righ
ts, a
nd
- Est
ablis
hes
and
mai
ntai
ns p
roce
dure
s to
iden
tify
lega
l and
ot
her r
equi
rem
ents
, in
clud
ing
rele
vant
in
tern
atio
nal
hum
anita
rian
law
,
85869_ASFIS_Rev0_1-52.pdf 2785869_ASFIS_Rev0_1-52.pd2.pdf 2f 277 3/21/13 11:54 AM3/21/13 11:54 AM4 AM
AN
SI/A
SIS
PS
C.3
-201
3
16
Mat
urity
Mod
el fo
r the
Pha
sed
Impl
emen
tatio
n of
the
ANSI
/ASI
S PS
C.1
-201
2
AN
SI/A
SIS
PSC
.1
Stan
dard
C
laus
e
Cor
e El
emen
t Is
sues
Add
ress
ed
by C
ore
Elem
ent
(est
ablis
h,
impl
emen
t, an
d m
aint
ain)
Pre-
awar
enes
s (P
hase
One
)
Proj
ect
App
roac
h (P
hase
Tw
o)
Prog
ram
A
ppro
ach
(Pha
se T
hree
)
Syst
ems
App
roac
h (P
hase
Fou
r)
Man
agem
ent
Syst
em
(Pha
se F
ive)
Hol
istic
M
anag
emen
t (P
hase
Six
)
subs
crib
es.
or
gani
zatio
n.
-Iden
tific
atio
n of
re
leva
nt
inte
rnat
iona
l hu
man
itaria
n la
w,
hum
an
right
s,
and
cust
omar
y la
ws
and
agre
emen
ts.
- Com
mun
icat
ion
of
rele
vant
info
rmat
ion
on
lega
l and
oth
er
requ
irem
ents
to
stak
ehol
ders
.
are
iden
tifie
d.
hum
an ri
ghts
, and
cu
stom
ary
law
s an
d ag
reem
ents
. - D
eter
min
es h
ow th
e le
gal a
nd o
ther
re
quire
men
ts a
pply
to
the
orga
niza
tion.
- C
omm
unic
ates
re
quire
men
ts to
ap
prop
riate
par
ties.
- L
egal
and
oth
er
requ
irem
ents
co
nsid
ered
in ri
sk
man
agem
ent
proc
ess.
cust
omar
y la
ws
and
agre
emen
ts.
- Det
erm
ines
how
the
lega
l an
d ot
her r
equi
rem
ents
ap
ply
to th
e or
gani
zatio
n’s
risks
and
obl
igat
ions
. - E
nsur
es th
at a
pplic
able
le
gal,
regu
lato
ry, a
nd o
ther
re
quire
men
ts a
re
cons
ider
ed in
dev
elop
ing,
im
plem
entin
g, a
nd
mai
ntai
ning
its
QA
MS
. - D
ocum
ents
info
rmat
ion
and
keep
s it
up-to
-dat
e.
hum
an ri
ghts
, and
cu
stom
ary
law
s an
d ag
reem
ents
, rel
evan
t to
the
orga
niza
tion
and
appr
opria
te
stak
ehol
ders
(in
clud
ing
supp
ly
chai
n pa
rtner
s,
subc
ontra
ctor
s, a
nd
com
mun
ity).
- Det
erm
ines
how
the
lega
l and
oth
er
requ
irem
ents
app
ly to
th
e or
gani
zatio
n an
d st
akeh
olde
r ris
ks a
nd
oblig
atio
ns.
7.2
Ris
k A
sses
smen
t -R
isk
Ass
essm
ent
(Iden
tific
atio
n,
Ana
lysi
s,
Eva
luat
ion)
.
- Ris
k id
entif
icat
ion,
an
alys
is, a
nd e
valu
atio
n in
clud
ing
the
orga
niza
tion’
s ris
ks re
late
d to
inte
rnal
and
ex
tern
al s
take
hold
ers
and
in re
latio
n to
ens
urin
g ad
here
nce
to p
rinci
ples
of
hum
an ri
ghts
. - E
valu
ates
the
effe
ct o
f un
certa
inty
on
the
orga
niza
tion
and
its
obje
ctiv
es (a
naly
ze
likel
ihoo
d an
d co
nseq
uenc
es o
f un
desi
rabl
e an
d di
srup
tive
even
ts).
- D
eter
min
es w
hich
risk
s ha
ve a
sig
nific
ant i
mpa
ct
on a
ctiv
ities
, fun
ctio
ns,
serv
ices
, clie
nts,
sup
ply
chai
n, s
ubco
ntra
ctor
s,
stak
ehol
der r
elat
ions
hips
, lo
cal p
opul
atio
ns, a
nd th
e en
viro
nmen
t. -S
yste
mat
ical
ly e
valu
ates
an
d pr
iorit
izes
risk
con
trols
an
d tre
atm
ents
and
thei
r re
late
d co
sts.
- No
proc
ess.
- I
ndic
atio
ns o
f ris
ks, p
robl
ems,
ne
ar m
isse
s, a
nd
war
ning
sig
ns
iden
tifie
d re
troac
tivel
y.
- No
form
al p
roce
ss.
- Rea
ctiv
e in
nat
ure
with
issu
e(s)
ta
rget
ed a
s pr
oble
mat
ic o
r re
quiri
ng im
med
iate
at
tent
ion.
- A
gap
ana
lysi
s to
ad
dres
s pr
ojec
t is
sues
, rat
her t
han
a ris
k as
sess
men
t ex
amin
ing
wha
t is
need
ed
orga
niza
tiona
lly.
- Dev
elop
s an
d im
plem
ents
a
proc
edur
e to
iden
tify,
an
alyz
e, a
nd e
valu
ate
esse
ntia
l ass
ets,
risk
s,
and
impa
cts.
- P
riorit
ies
base
d on
ou
tcom
es o
f ris
k as
sess
men
t.
- Est
ablis
hes,
im
plem
ents
, and
m
aint
ains
an
ongo
ing
form
al ri
sk a
nd im
pact
as
sess
men
t pro
cess
. - P
riorit
ized
risk
s an
d im
pact
s ar
e ta
ken
into
ac
coun
t in
esta
blis
hing
, im
plem
entin
g, a
nd
oper
atin
g th
e Q
AM
S.
- Ris
k as
sess
men
t re
cogn
ized
as
prov
idin
g th
e fo
unda
tion
for
elem
ents
of t
he
QA
MS
and
for
orga
niza
tiona
l de
cisi
on-m
akin
g.
- Est
ablis
hes,
impl
emen
ts,
and
mai
ntai
ns a
n on
goin
g fo
rmal
and
doc
umen
ted
risk
asse
ssm
ent p
roce
ss.
- Prio
ritiz
es a
nd d
ocum
ents
ris
ks.
- Per
iodi
cally
revi
ews
whe
ther
QA
M s
cope
, po
licy,
and
risk
as
sess
men
t are
stil
l ap
prop
riate
giv
en th
e or
gani
zatio
ns’ i
nter
nal a
nd
exte
rnal
con
text
. - R
e-ev
alua
tes
risk
and
pote
ntia
l con
sequ
ence
s w
ithin
the
cont
ext o
f in
tern
al a
nd e
xter
nal
chan
ge o
r mad
e to
the
orga
niza
tion’
s op
erat
ing
envi
ronm
ent,
proc
edur
es,
func
tions
, ser
vice
s, c
lient
s,
partn
ersh
ips,
and
sup
ply
chai
ns.
-Org
aniz
atio
n ha
s re
quire
men
ts re
gard
ing
risk
asse
ssm
ent f
or s
uppl
ier
and
subc
ontra
ctor
con
trols
.
- Est
ablis
hes,
im
plem
ents
, and
m
aint
ains
an
ongo
ing
form
al a
nd
docu
men
ted
risk
asse
ssm
ent p
roce
ss
whi
ch in
clud
es
exte
rnal
sta
keho
lder
s (s
uppl
y ch
ain
and
com
mun
ity).
- Est
ablis
hes,
im
plem
ents
, and
m
aint
ains
a fo
rmal
an
d do
cum
ente
d co
mm
unic
atio
n an
d co
nsul
tatio
n pr
oces
s w
ith e
xter
nal
stak
ehol
ders
(sup
ply
chai
n, c
lient
s, a
nd
com
mun
ity) i
n th
e ris
k as
sess
men
t pro
cess
. - E
stab
lishe
s,
impl
emen
ts, a
nd
mai
ntai
ns a
form
al
and
docu
men
ted
proc
ess
for m
onito
ring
and
revi
ewin
g th
e ris
k as
sess
men
t pro
cess
. - I
nteg
rate
s ris
k as
sess
men
t
85869_ASFIS_Rev0_1-52.pdf 2885869_ASFIS_Rev0_1-52.pd2.pdf 2f 288 3/21/13 11:54 AM3/21/13 11:54 AM4 AM
AN
SI/A
SIS
PS
C.3
-201
3
17
Mat
urity
Mod
el fo
r the
Pha
sed
Impl
emen
tatio
n of
the
ANSI
/ASI
S PS
C.1
-201
2
AN
SI/A
SIS
PSC
.1
Stan
dard
C
laus
e
Cor
e El
emen
t Is
sues
Add
ress
ed
by C
ore
Elem
ent
(est
ablis
h,
impl
emen
t, an
d m
aint
ain)
Pre-
awar
enes
s (P
hase
One
)
Proj
ect
App
roac
h (P
hase
Tw
o)
Prog
ram
A
ppro
ach
(Pha
se T
hree
)
Syst
ems
App
roac
h (P
hase
Fou
r)
Man
agem
ent
Syst
em
(Pha
se F
ive)
Hol
istic
M
anag
emen
t (P
hase
Six
)
proc
esse
s w
ith
exte
rnal
sta
keho
lder
s (c
lient
s, s
uppl
y ch
ain,
su
bcon
tract
ors,
and
co
mm
unity
).
7.2.
1 In
tern
al a
nd
Ext
erna
l Ris
k C
omm
unic
atio
n an
d C
onsu
ltatio
n
- Ris
k co
mm
unic
atio
n an
d co
nsul
tatio
n w
ith in
tern
al a
nd
exte
rnal
st
akeh
olde
rs.
- E
nsur
e ch
anne
ls
of
com
mun
icat
ion
and
cons
ulta
tions
ar
e es
tabl
ishe
d w
ith
inte
rnal
an
d ex
tern
al r
egar
ding
ris
k as
sess
men
t pro
cess
es.
- P
roce
ss
cons
iste
nt
with
op
erat
iona
l sec
urity
.
- No
com
mun
icat
ion
and
cons
ulta
tions
pr
oces
s w
ith
inte
rnal
and
ex
tern
al
stak
ehol
ders
in th
e ris
k as
sess
men
t pr
oces
s.
- Inf
orm
al p
roce
ss
initi
ated
for
com
mun
icat
ing
and
cons
ultin
g w
ith
stak
ehol
ders
rela
ted
to is
sue(
s) id
entif
ied
for c
ontro
l.
- Ris
ks a
re u
nder
stoo
d an
d co
mm
unic
ated
to
som
e in
tern
al a
nd
exte
rnal
sta
keho
lder
s in
the
scop
e of
the
prog
ram
iden
tifie
d.
- Est
ablis
hes,
im
plem
ents
, and
m
aint
ains
a
com
mun
icat
ion
and
cons
ulta
tion
proc
ess
cons
iste
nt w
ith
oper
atio
nal s
ecur
ity
with
inte
rnal
and
ex
tern
al s
take
hold
ers
in th
e ris
k as
sess
men
t pro
cess
. -O
pera
tiona
l ob
ject
ives
and
in
tere
sts
of th
e cl
ient
s ar
e un
ders
tood
. -C
omm
unic
atio
n an
d co
nsul
tatio
n pr
oces
s is
inte
grat
ed w
ith ri
sk
asse
ssm
ent p
roce
ss.
- Est
ablis
hes,
impl
emen
ts,
and
mai
ntai
ns a
form
al a
nd
docu
men
ted
com
mun
icat
ion
and
cons
ulta
tion
proc
ess
cons
iste
nt w
ith o
pera
tiona
l se
curit
y w
ith in
tern
al a
nd
exte
rnal
sta
keho
lder
s in
th
e ris
k as
sess
men
t pr
oces
s.
-Ope
ratio
nal o
bjec
tives
and
in
tere
sts
of th
e cl
ient
s (in
clud
ing
the
pers
ons,
or
gani
zatio
ns,
com
mun
ities
, and
/or
activ
ities
bei
ng p
rote
cted
) ar
e un
ders
tood
. -D
epen
denc
ies
and
linka
ges
with
su
bcon
tract
ors
and
with
in
the
supp
ly c
hain
are
un
ders
tood
. -Q
AM
S ri
sk a
sses
smen
t pr
oces
s in
terfa
ces
with
ot
her m
anag
emen
t di
scip
lines
.
- Est
ablis
hes,
im
plem
ents
, and
m
aint
ains
a fo
rmal
an
d do
cum
ente
d co
mm
unic
atio
n an
d co
nsul
tatio
n pr
oces
s co
nsis
tent
with
op
erat
iona
l sec
urity
w
ith in
tern
al a
nd
exte
rnal
sta
keho
lder
s (in
clud
ing
depe
nden
cies
and
lin
kage
s w
ith c
lient
s,
subc
ontra
ctor
s, a
nd
with
in th
e su
pply
ch
ain)
in th
e ris
k as
sess
men
t pro
cess
. -R
isk
with
in b
oth
inte
rnal
and
ext
erna
l co
ntex
ts a
re
unde
rsto
od, a
nd
qual
ity a
ssur
ance
risk
as
sess
men
t pro
cess
in
terfa
ces
with
oth
er
man
agem
ent
disc
iplin
es.
7.3
Obj
ectiv
es
and
Pla
ns to
A
chie
ve T
hem
- Sel
ect a
nd
prio
ritiz
e ris
k tre
atm
ent
optio
ns.
- Prio
ritiz
atio
n of
the
issu
es
iden
tifie
d as
a re
sult
of th
e ris
k as
sess
men
t.
- Obj
ectiv
es a
nd ta
rget
s (in
clud
ing
time
fram
es)
base
d on
the
prio
ritiz
atio
n of
issu
es w
ithin
the
cont
ext
of a
n or
gani
zatio
n’s
QA
MS
po
licy
and
mis
sion
. - S
trate
gic
plan
s fo
r pr
even
tion,
pro
tect
ion,
pr
epar
edne
ss, m
itiga
tion,
re
spon
se, c
ontin
uity
, and
- No
proc
ess
to
defin
e ob
ject
ives
an
d ta
rget
s.
- No
risk
prio
ritiz
atio
n.
- Def
ines
targ
ets
and
obje
ctiv
es fo
r de
mon
stra
ting
proj
ect s
ucce
ss.
- Dev
elop
s ta
rget
s,
obje
ctiv
es, a
nd
stra
tegi
c ac
tion
plan
s to
ach
ieve
im
med
iate
qua
lity
assu
ranc
e pe
rform
ance
im
prov
emen
t rel
ated
to
iden
tifie
d is
sue(
s)
and
to d
emon
stra
te
- Qua
lity
assu
ranc
e pe
rform
ance
obj
ectiv
es
for p
rogr
am
man
agem
ent a
re s
et
base
d on
the
risk
asse
ssm
ent.
- Stra
tegi
c ac
tion
plan
s de
sign
ate
actio
ns,
resp
onsi
bilit
ies,
ac
coun
tabi
lity,
re
sour
ces,
and
tim
efra
mes
for
achi
evin
g ob
ject
ives
an
d ta
rget
s co
nsis
tent
- Obj
ectiv
es a
re
cons
iste
nt w
ith th
e Q
AM
pol
icy
and
risk
asse
ssm
ent
cons
iste
nt w
ith
resp
ectin
g in
tern
atio
nal a
nd lo
cal
law
s an
d hu
man
rig
hts.
- D
ocum
ents
ob
ject
ives
and
targ
ets
to m
anag
e ris
ks in
or
der t
o av
oid,
pr
even
t, pr
otec
t,
- Doc
umen
ted
obje
ctiv
es
and
targ
ets
are
esta
blis
hed
to m
anag
e qu
ality
as
sura
nce
by a
void
ing,
ac
cept
ing,
rem
ovin
g th
e so
urce
, cha
ngin
g th
e lik
elih
ood,
cha
ngin
g th
e co
nseq
uenc
es, a
nd
shar
ing
and/
or re
tain
ing
the
risk,
whi
le re
spec
ting
inte
rnat
iona
l and
loca
l law
s an
d hu
man
righ
ts.
- Obj
ectiv
es p
rovi
de a
ba
sis
for s
elec
ting
one
or
- Doc
umen
ted
obje
ctiv
es a
nd ta
rget
s es
tabl
ish
inte
rnal
and
ex
tern
al e
xpec
tatio
ns
for t
he o
rgan
izat
ion
and
its s
take
hold
ers
(sub
cont
ract
ors,
su
pply
cha
in, a
nd
com
mun
ity) t
hat r
elat
e to
mis
sion
ac
com
plis
hmen
t, se
rvic
e de
liver
y, a
nd
func
tiona
l ope
ratio
ns.
-Com
mun
icat
ion
with
85869_ASFIS_Rev0_1-52.pdf 2985869_ASFIS_Rev0_1-52.pdf 292.pdf 29 3/21/13 11:54 AM3/21/13 11:54 AM
AN
SI/A
SIS
PS
C.3
-201
3
18
Mat
urity
Mod
el fo
r the
Pha
sed
Impl
emen
tatio
n of
the
ANSI
/ASI
S PS
C.1
-201
2
AN
SI/A
SIS
PSC
.1
Stan
dard
C
laus
e
Cor
e El
emen
t Is
sues
Add
ress
ed
by C
ore
Elem
ent
(est
ablis
h,
impl
emen
t, an
d m
aint
ain)
Pre-
awar
enes
s (P
hase
One
)
Proj
ect
App
roac
h (P
hase
Tw
o)
Prog
ram
A
ppro
ach
(Pha
se T
hree
)
Syst
ems
App
roac
h (P
hase
Fou
r)
Man
agem
ent
Syst
em
(Pha
se F
ive)
Hol
istic
M
anag
emen
t (P
hase
Six
)
reco
very
from
und
esira
ble
and
disr
uptiv
e ev
ents
. - I
dent
ifica
tion
of re
sour
ces
need
ed.
- Ide
ntifi
catio
n of
role
s,
resp
onsi
bilit
ies,
aut
horit
ies,
an
d th
eir i
nter
rela
tions
hips
w
ithin
the
orga
niza
tion
need
ed fo
r QA
M.
- Pla
nnin
g th
e op
erat
iona
l pr
oces
ses
for a
ctio
ns
effe
ctin
g ho
w th
e ob
ject
ives
and
targ
ets
are
achi
eved
.
busi
ness
and
/or
hum
anita
rian
valu
e.
- Act
ion
plan
s fo
r id
entif
ied
issu
es
incl
ude
requ
ired
reso
urce
s,
resp
onsi
bilit
ies,
and
tim
esca
les.
with
resp
ectin
g in
tern
atio
nal a
nd lo
cal
law
s an
d hu
man
righ
ts.
dete
r, m
itiga
te,
resp
ond
to, a
nd
reco
ver f
rom
un
desi
rabl
e an
d di
srup
tive
even
ts.
- Tar
gets
are
m
easu
rabl
e an
d de
rived
from
the
obje
ctiv
es.
- Est
ablis
hes,
im
plem
ents
, and
m
aint
ains
act
ion
plan
s fo
r pre
vent
ion,
pr
otec
tion,
de
terr
ence
, m
itiga
tion,
resp
onse
, re
cove
ry, a
nd
cont
inui
ty.
- Stra
tegi
c pl
ans
desi
gnat
e ac
tions
, re
spon
sibi
litie
s,
acco
unta
bilit
y,
reso
urce
s, a
nd
timef
ram
es fo
r ac
hiev
ing
obje
ctiv
es
and
targ
ets.
mor
e op
tions
for m
anag
ing
risk
incl
udin
g as
set v
alue
, op
portu
nitie
s fo
r red
ucin
g lik
elih
ood
and/
or
cons
eque
nces
, co
st/b
enef
it, a
nd to
lera
ble
leve
ls o
f res
idua
l ris
k.
- Tar
gets
are
doc
umen
ted,
m
easu
rabl
e, a
chie
vabl
e,
rele
vant
, and
tim
e-ba
sed.
- D
ocum
ents
and
mai
ntai
ns
stra
tegi
c ac
tion
plan
s fo
r ris
k tre
atm
ent i
n or
der t
o ac
hiev
e its
obj
ectiv
es a
nd
targ
ets.
- D
ocum
ente
d ris
k tre
atm
ent o
ptio
ns.
-Com
mitm
ent t
o co
ntin
ual
impr
ovem
ent,
incl
udin
g pe
riodi
cal r
evie
w.
all a
ppro
pria
te
pers
ons
wor
king
on
beha
lf of
the
orga
niza
tion
incl
udin
g su
bcon
tract
ors
and
supp
ly c
hain
par
tner
s w
ith th
e in
tent
that
th
ese
pers
ons
are
mad
e aw
are
of th
eir
indi
vidu
al o
blig
atio
ns,
and
enco
urag
es
subc
ontra
ctor
s ot
her
mem
bers
of t
he
supp
ly c
hain
to d
o so
as
wel
l.
- Sha
ring
best
pr
actic
es w
ith e
xter
nal
stak
ehol
ders
(s
ubco
ntra
ctor
s an
d su
pply
cha
in
partn
ers)
.
7.4
Act
ion
to
Add
ress
Issu
es
and
Con
cern
s
- Ass
uran
ce
prog
ram
s fo
r ac
hiev
ing
its
obje
ctiv
es a
nd
risk
treat
men
t go
als.
- Est
ablis
hing
, im
plem
entin
g, a
nd
mai
ntai
ning
a fo
rmal
and
do
cum
ente
d ris
k tre
atm
ent
proc
ess.
- A
sses
sing
ben
efits
and
co
sts
of d
iffer
ent o
ptio
ns
for r
isk
treat
men
t.
- No
docu
men
ted
risk
treat
men
t pr
oces
s.
- Act
ions
co
nduc
ted
in a
n ad
-hoc
fash
ion
in
reac
tion
to
inci
dent
s.
- Bas
ed o
n id
entif
ied
issu
es, r
isk
treat
men
t pro
cess
es
are
back
-eng
inee
red
to m
inim
ize
cons
eque
nces
and
th
eir l
ikel
ihoo
d.
- Ide
ntifi
es v
ario
us
way
s to
trea
t ris
k ad
dres
sing
issu
es
iden
tifie
d in
the
prog
ram
sco
pe.
- Ris
k as
sess
men
t pr
oces
s el
ucid
ates
tre
atm
ent p
roce
sses
to
redu
ce li
kelih
ood
and
cons
eque
nces
of
iden
tifie
d is
sues
.
- Est
ablis
hes
a fo
rmal
ris
k tre
atm
ent p
roce
ss
base
d on
the
outp
ut
from
the
risk
asse
ssm
ent t
o re
mov
e ris
k at
the
sour
ce, t
he li
kelih
ood,
an
d/or
har
mfu
l co
nseq
uenc
es,
shar
ing
risk,
ac
cept
ing
risk,
and
/or
avoi
ding
act
iviti
es th
at
give
rise
of r
isk.
- M
anag
emen
t is
invo
lved
with
the
asse
ssm
ent a
nd
sele
ctio
n of
the
risk
treat
men
t opt
ions
.
- Est
ablis
hes,
impl
emen
ts,
and
mai
ntai
ns a
form
al
docu
men
ted
risk
treat
men
t pr
oces
s tre
atm
ent p
roce
ss
to re
mov
e ris
k at
the
sour
ce, t
he li
kelih
ood
and/
or h
arm
ful
cons
eque
nces
, sha
ring
risk,
acc
eptin
g ris
k, a
nd/o
r av
oidi
ng a
ctiv
ities
that
giv
e ris
e of
risk
. - R
isk
treat
men
ts a
re
asse
ssed
by
top
man
agem
ent a
nd
eval
uate
d to
det
erm
ine
if th
e m
easu
res
have
in
trodu
ced
new
risk
. - R
isk
treat
men
ts a
re
perio
dica
lly re
view
ed to
ev
alua
te e
ffect
iven
ess
and
oppo
rtuni
ties
for
- Coo
rdin
ates
risk
tre
atm
ent p
roce
ss
with
inte
rnal
and
ex
tern
al s
take
hold
ers
incl
udin
g co
ntra
ctor
s an
d su
bcon
tract
ors.
- S
hare
s be
st
prac
tices
trea
tmen
t pl
ans
with
ext
erna
l st
akeh
olde
rs (c
lient
s,
subc
ontra
ctor
s, a
nd
loca
l com
mun
ity,
whe
re a
ppro
pria
te) t
o re
duce
ove
rall
risk.
85869_ASFIS_Rev0_1-52.pdf 3085869_ASFIS_Rev0_1-52.pd2.pdf 3f 300 3/21/13 11:54 AM3/21/13 11:54 AM4 AM
AN
SI/A
SIS
PS
C.3
-201
3
19
Mat
urity
Mod
el fo
r the
Pha
sed
Impl
emen
tatio
n of
the
ANSI
/ASI
S PS
C.1
-201
2
AN
SI/A
SIS
PSC
.1
Stan
dard
C
laus
e
Cor
e El
emen
t Is
sues
Add
ress
ed
by C
ore
Elem
ent
(est
ablis
h,
impl
emen
t, an
d m
aint
ain)
Pre-
awar
enes
s (P
hase
One
)
Proj
ect
App
roac
h (P
hase
Tw
o)
Prog
ram
A
ppro
ach
(Pha
se T
hree
)
Syst
ems
App
roac
h (P
hase
Fou
r)
Man
agem
ent
Syst
em
(Pha
se F
ive)
Hol
istic
M
anag
emen
t (P
hase
Six
)
impr
ovem
ent.
8.1
Org
aniz
atio
nal
Stru
ctur
e
- Def
inin
g th
e m
anag
emen
t st
ruct
ure.
- Ide
ntify
ing
role
s,
resp
onsi
bilit
ies,
aut
horit
ies,
an
d ac
coun
tabi
lity
for a
n or
gani
zatio
n’s
oper
atio
ns
and
serv
ices
.
- Lac
k of
cle
ar
orga
niza
tiona
l st
ruct
ure.
- Som
e do
cum
enta
tion
of
orga
niza
tiona
l st
ruct
ure,
focu
sing
on
issu
es id
entif
ied.
- Doc
umen
tatio
n of
or
gani
zatio
nal
stru
ctur
e.
- Ide
ntifi
es a
nd
esta
blis
hes
its
orga
niza
tiona
l st
ruct
ure
with
in
show
ing
dutie
s,
resp
onsi
bilit
ies,
and
au
thor
ities
of
man
agem
ent.
- Cle
ar d
efin
ition
of
lega
l ent
ity.
- Org
aniz
atio
nal s
truct
ure
and
lega
l sta
tus
clea
rly
iden
tifie
d an
d do
cum
ente
d.
- Rol
es, r
espo
nsib
ilitie
s,
auth
oriti
es, a
nd
acco
unta
bilit
ies
for i
ts
oper
atio
ns a
nd s
ervi
ces
are
iden
tifie
d an
d do
cum
ente
d.
- Org
aniz
atio
nal
stru
ctur
e (in
clud
ing
that
of o
rgan
izat
ions
w
orki
ng o
n be
half
of
the
orga
niza
tion)
, as
wel
l as
role
s,
resp
onsi
bilit
ies,
au
thor
ities
, and
ac
coun
tabi
litie
s pu
blic
ally
tran
spar
ent.
8.2
Insu
ranc
e - S
uffic
ient
in
sura
nce.
- D
emon
stra
ting
the
orga
niza
tion
has
suffi
cien
t in
sura
nce.
- Ins
uran
ce
cove
rage
on
an a
d ho
c ba
sis.
- Ins
uran
ce
cove
rage
for i
ssue
s ad
dres
sed
in
proj
ect.
- Ins
uran
ce c
over
age
need
ed w
ithin
the
scop
e of
the
proj
ect.
- Org
aniz
atio
n de
mon
stra
tes
that
it
has
suffi
cien
t in
sura
nce
to c
over
ris
ks a
nd a
ssoc
iate
d lia
bilit
ies
aris
ing
from
its
ope
ratio
ns a
nd
activ
ities
con
sist
ent
with
its
risk
asse
ssm
ent.
- Org
aniz
atio
n de
mon
stra
tes
that
it h
as
suffi
cien
t ins
uran
ce to
co
ver r
isks
and
ass
ocia
ted
liabi
litie
s ar
isin
g fro
m it
s op
erat
ions
and
act
iviti
es
cons
iste
nt w
ith it
s ris
k as
sess
men
t.
- Org
aniz
atio
n de
mon
stra
tes
that
it
has
insu
ranc
e to
co
ver r
isks
and
as
soci
ated
liab
ilitie
s ar
isin
g fro
m it
s op
erat
ions
and
ac
tiviti
es c
onsi
sten
t w
ith it
s ris
k as
sess
men
t.
8.3
Out
sour
cing
an
d S
ubco
ntra
ctin
g.
- Def
inin
g th
e pr
oces
s fo
r ou
tsou
rcin
g or
su
bcon
tract
ing.
- Def
ined
pro
cess
es fo
r su
bcon
tract
ing
and
outs
ourc
ing.
- O
rgan
izat
iona
l kno
wle
dge
of s
uppl
y ch
ain
and
resp
onsi
bilit
y fo
r all
activ
ities
out
sour
ced
to
anot
her e
ntity
.
- No
resp
onsi
bilit
y or
ove
rsig
ht o
f ou
tsou
rced
or
subc
ontra
cted
op
erat
ions
.
- Ass
ess
the
need
s an
d ac
coun
tabi
lity
for o
utso
urce
d or
su
bcon
tract
ed
oper
atio
ns re
late
d to
id
entif
ied
issu
es.
- Dev
elop
s pr
oces
s in
w
hich
it d
escr
ibes
the
cond
ition
s un
der w
hich
it
outs
ourc
es a
ctiv
ities
, fu
nctio
ns, o
r op
erat
ions
.
- Est
ablis
hed
proc
ess
in w
hich
it d
escr
ibes
th
e co
nditi
ons
unde
r w
hich
it o
utso
urce
s ac
tiviti
es, f
unct
ions
, or
oper
atio
ns.
- Est
ablis
hes,
mai
ntai
ns,
and
docu
men
ts a
pro
cess
in
whi
ch it
des
crib
es th
e co
nditi
ons
unde
r whi
ch it
ou
tsou
rces
act
iviti
es,
func
tions
, or o
pera
tions
. - O
rgan
izat
ion
has
a le
gally
en
forc
eabl
e ag
reem
ent
cove
ring
outs
ourc
ing
arra
ngem
ents
ens
urin
g a
com
mitm
ent b
y su
bcon
tract
ors
to a
bide
by
oblig
atio
ns in
the
stan
dard
, co
nfid
entia
lity
and
conf
lict
of in
tere
st a
gree
men
ts,
clea
r def
initi
on o
f pro
visi
on
of s
ervi
ces,
and
co
nfor
man
ce to
the
Sta
ndar
d.
- Est
ablis
hes
and
mai
ntai
ns a
pro
cess
in
whi
ch it
des
crib
es
the
cond
ition
s un
der
whi
ch it
out
sour
ces
activ
ities
, fun
ctio
ns, o
r op
erat
ions
and
su
bcon
tract
ors
and
exte
rnal
sta
keho
lder
s ad
here
to th
e po
licy.
- P
rom
ote
a Q
AM
po
licy
thro
ugho
ut
subc
ontra
ctor
s an
d su
pply
cha
in a
nd in
re
latio
nshi
ps w
ith
clie
nts.
8.4.
1 G
ener
al
Doc
umen
tatio
n - I
dent
ifyin
g an
d ad
dres
sing
do
cum
enta
tion.
- Pro
cess
es a
nd
proc
edur
es fo
r m
anag
emen
t of d
ocum
ents
- Inf
orm
al, i
f any
. - D
evel
ops
docu
men
ted
proc
edur
es to
- Dev
elop
s a
docu
men
t m
anag
emen
t pro
gram
. - D
ocum
enta
tion
- Est
ablis
hes
qual
ity
assu
ranc
e m
anag
emen
t
- Doc
umen
tatio
n sy
stem
is
cons
iste
nt w
ith d
ocum
ent
cont
rol r
equi
rem
ents
.
- Eva
luat
es d
ocum
ent
and
info
rmat
ion
need
s of
ext
erna
l
85869_ASFIS_Rev0_1-52.pdf 3185869_ASFIS_Rev0_1-52.pd2.pdf 3f 311 3/21/13 11:54 AM3/21/13 11:54 AM4 AM
AN
SI/A
SIS
PS
C.3
-201
3
20
Mat
urity
Mod
el fo
r the
Pha
sed
Impl
emen
tatio
n of
the
ANSI
/ASI
S PS
C.1
-201
2
AN
SI/A
SIS
PSC
.1
Stan
dard
C
laus
e
Cor
e El
emen
t Is
sues
Add
ress
ed
by C
ore
Elem
ent
(est
ablis
h,
impl
emen
t, an
d m
aint
ain)
Pre-
awar
enes
s (P
hase
One
)
Proj
ect
App
roac
h (P
hase
Tw
o)
Prog
ram
A
ppro
ach
(Pha
se T
hree
)
Syst
ems
App
roac
h (P
hase
Fou
r)
Man
agem
ent
Syst
em
(Pha
se F
ive)
Hol
istic
M
anag
emen
t (P
hase
Six
)
whi
ch a
re e
ssen
tial t
o th
e Q
AM
S.
- Pro
cedu
res,
pro
cess
es,
wor
k pl
ans,
to s
uppo
rt th
e Q
AM
S a
nd it
s el
emen
ts, t
o su
ppor
t nor
mal
ope
ratin
g co
nditi
ons
and
disr
uptiv
e ev
ents
.
supp
ort a
ctio
n pl
ans.
- M
aint
ains
do
cum
enta
tion
to
supp
ort p
roje
ct
scop
e.
-Doc
umen
tatio
n su
ppor
ts e
lem
ents
ad
dres
sed
in
proj
ect.
supp
orts
ele
men
ts
addr
esse
d in
pro
gram
ac
tion
plan
s.
docu
men
tatio
n sy
stem
. - D
eter
min
es s
ecur
ity,
sens
itivi
ty, a
nd
info
rmat
ion
inte
grity
ne
eds
and
take
s ap
prop
riate
ste
ps to
pr
otec
t inf
orm
atio
n an
d do
cum
enta
tion.
- Pre
pare
s a
form
al m
anua
l do
cum
entin
g th
e st
ruct
ure
of th
e Q
AM
S.
stak
ehol
ders
(clie
nts,
su
bcon
tract
ors,
su
pply
cha
in, a
nd
com
mun
ity) f
or
shar
ing
of
docu
men
tatio
n be
st
prac
tices
.
8.4.
2 D
ocum
enta
tion:
R
ecor
ds
- Dev
elop
ing
and
impl
emen
ting
reco
rds
cont
rol.
- Rec
ords
to d
emon
stra
te
conf
orm
ity to
the
requ
irem
ents
of t
he Q
AM
S
and
the
resu
lts a
chie
ved.
- Onl
y as
requ
ired
by n
orm
al b
usin
ess
prac
tices
.
- Col
lect
s an
d re
tain
s ev
iden
ce
addr
essi
ng p
roje
ct
impl
emen
tatio
n an
d re
sults
.
- Col
lect
s an
d re
tain
s ev
iden
ce a
ddre
ssin
g pr
ogra
m
impl
emen
tatio
n an
d re
sults
.
- Col
lect
s an
d re
tain
s ev
iden
ce a
ddre
ssin
g Q
AM
S
impl
emen
tatio
n an
d re
sults
.
- Est
ablis
hes,
impl
emen
ts,
and
mai
ntai
ns d
ocum
ente
d pr
oced
ures
to c
olle
ct a
nd
reta
in e
vide
nce
addr
essi
ng
QA
MS
impl
emen
tatio
n an
d re
sults
.
- Est
ablis
h sh
ared
re
cord
con
trols
with
in
tern
al a
nd e
xter
nal
stak
ehol
ders
.
8.4.
3 C
ontro
l of
Doc
umen
ted
Info
rmat
ion
- Dev
elop
ing
and
impl
emen
ting
docu
men
tatio
n co
ntro
l.
- Pro
cess
es a
nd
proc
edur
es fo
r con
trol o
f do
cum
ents
and
reco
rds
(incl
udin
g ba
ck-u
p).
- Pro
tect
ion
of th
e in
tegr
ity
of e
ssen
tial i
nfor
mat
ion.
- No
docu
men
t co
ntro
l sys
tem
ot
her t
han
that
us
ed in
gen
eral
or
gani
zatio
nal
oper
atio
ns.
- Doc
umen
t con
trol
with
som
e pr
oced
ures
de
velo
ped
to h
elp
dem
onst
rate
su
cces
s an
d bu
sine
ss b
enef
it.
- Lim
ited
back
-up
of
criti
cal i
nfor
mat
ion.
- Est
ablis
hes
proc
esse
s an
d pr
oced
ures
for c
ontro
l of
doc
umen
ts a
nd
reco
rds
in th
e sc
ope
of
the
prog
ram
.
- Est
ablis
hes
proc
esse
s an
d pr
oced
ures
for c
ontro
l of
doc
umen
ts a
nd
reco
rds
in th
e sc
ope
of th
e m
anag
emen
t sy
stem
, inc
ludi
ng
acce
ss, b
ack-
up
conf
iden
tialit
y,
stor
age,
rete
ntio
n,
arch
ivin
g, a
nd
dest
ruct
ion.
- For
mal
ly d
ocum
ents
pr
oces
ses
and
proc
edur
es
for c
ontro
l of d
ocum
ents
an
d re
cord
s, in
clud
ing
info
rmat
ion
secu
rity
and
prot
ectio
n an
d do
cum
ent
inte
grity
.
- Im
plem
entin
g be
st
prac
tice
docu
men
t co
ntro
l with
ext
erna
l st
akeh
olde
rs.
9.1.
1 G
ener
al
Ope
ratio
nal
Con
trol
- Dev
elop
ing
and
impl
emen
ting
oper
atio
nal
cont
rol.
- Ope
ratio
nal c
ontro
l m
easu
res
and
proc
edur
es
need
ed to
impl
emen
t the
Q
AM
dur
ing
norm
al
oper
atin
g co
nditi
ons
and
unde
sira
ble
or d
isru
ptiv
e ev
ents
. - R
isk
avoi
danc
e,
miti
gatio
n, re
duct
ion,
sh
arin
g, a
nd tr
eatm
ent
proc
edur
es to
min
imiz
e th
e lik
elih
ood
and
cons
eque
nces
of a
n un
desi
rabl
e or
dis
rupt
ive
- Pro
cedu
res
and
proc
esse
s ar
e un
defin
ed.
- Som
e in
divi
dual
s m
ay a
ddre
ss
perc
eive
d di
srup
tive
even
ts
on a
n ad
hoc
bas
is.
- Em
phas
is o
n ac
com
plis
hing
the
mis
sion
not
fo
cuse
d on
clie
nt’s
re
puta
tion,
loca
l or
appl
icab
le
- Ope
ratio
nal
cont
rols
and
pr
oced
ures
es
tabl
ishe
d to
ac
hiev
e ob
ject
ives
an
d ta
rget
s ad
dres
sed
with
in th
e pr
ojec
t sco
pe.
- Ris
k or
impa
ct
anal
ysis
is u
sed
to
dete
rmin
e pr
oper
op
erat
iona
l con
trols
w
ithin
the
scop
e of
the
prog
ram
. - C
ompl
ianc
e w
ith
rele
vant
and
ap
prop
riate
lega
l, in
tern
atio
nal,
and
cust
omar
y la
ws.
Ope
ratio
nal c
ontro
ls
for r
isk
redu
ctio
n an
d en
surin
g w
ell-b
eing
an
d rig
hts
of b
oth
pers
ons
wor
king
on
its b
ehal
f and
loca
l co
mm
uniti
es a
re
base
d on
the
risk
asse
ssm
ent,
obje
ctiv
es, t
arge
ts,
and
prog
ram
s.
- Con
side
rs w
ays
of
min
imiz
ing
risk
in d
ay-
to-d
ay o
pera
tions
,
- Est
ablis
hes,
impl
emen
ts,
mai
ntai
ns, a
nd d
ocum
ents
ad
aptiv
e an
d pr
e-em
ptiv
e pr
oced
ures
for t
hose
op
erat
ions
that
are
as
soci
ated
with
the
iden
tifie
d si
gnifi
cant
risk
s,
cons
iste
nt w
ith it
s qu
ality
as
sura
nce
man
agem
ent
polic
y, ri
sk a
sses
smen
t, su
pply
cha
in re
quire
men
ts,
obje
ctiv
es, a
nd ta
rget
s.
- Con
trol p
roce
dure
s ar
e w
ritte
n an
d/or
revi
ewed
by
- Dem
and
sign
als
are
inco
rpor
ated
in
capa
city
pla
nnin
g.
- Prio
rity
is g
iven
to
adap
tive
appr
oach
es.
- Pro
cess
es a
re in
pl
ace
to v
alid
ate
subc
ontra
ctor
re
spon
ses.
- I
mpl
emen
ts b
est
prac
tices
ope
ratio
nal
cont
rol t
hrou
ghou
t the
su
pply
cha
in a
nd w
ith
85869_ASFIS_Rev0_1-52.pdf 3285869_ASFIS_Rev0_1-52.pd2.pdf 3f 322 3/21/13 11:54 AM3/21/13 11:54 AM4 AM
AN
SI/A
SIS
PS
C.3
-201
3
21
Mat
urity
Mod
el fo
r the
Pha
sed
Impl
emen
tatio
n of
the
ANSI
/ASI
S PS
C.1
-201
2
AN
SI/A
SIS
PSC
.1
Stan
dard
C
laus
e
Cor
e El
emen
t Is
sues
Add
ress
ed
by C
ore
Elem
ent
(est
ablis
h,
impl
emen
t, an
d m
aint
ain)
Pre-
awar
enes
s (P
hase
One
)
Proj
ect
App
roac
h (P
hase
Tw
o)
Prog
ram
A
ppro
ach
(Pha
se T
hree
)
Syst
ems
App
roac
h (P
hase
Fou
r)
Man
agem
ent
Syst
em
(Pha
se F
ive)
Hol
istic
M
anag
emen
t (P
hase
Six
)
even
t. in
tern
atio
nal l
aws,
no
r int
erna
tiona
l hu
man
itaria
n,
hum
an ri
ghts
, or
cust
omar
y la
ws.
incl
udin
g en
gine
erin
g co
ntro
ls,
adm
inis
trativ
e co
ntro
ls, t
echn
ical
sp
ecifi
catio
ns, a
nd
cont
ract
ual
agre
emen
ts.
- Prio
rity
is g
iven
to
pree
mpt
ive
appr
oach
es.
pers
ons
invo
lved
in
oper
atio
ns a
nd
com
mun
icat
ed e
ffect
ivel
y to
oth
ers,
incl
udin
g ex
tern
al s
take
hold
ers
– in
clud
ing
subc
ontra
ctor
s an
d ou
tsou
rced
jobs
. - E
nsur
e th
e w
ell-b
eing
and
rig
hts
of b
oth
pers
ons
wor
king
on
its b
ehal
f and
lo
cal c
omm
uniti
es.
exte
rnal
sta
keho
lder
s (in
clud
ing
subc
ontra
ctor
s an
d ou
tsou
rced
act
iviti
es).
9.1.
2 E
stab
lishi
ng
Nor
ms
of B
ehav
ior
and
Cod
es o
f E
thic
al C
ondu
ct
- Def
inin
g an
d im
plem
entin
g a
code
of e
thic
al
beha
vior
.
- Est
ablis
hing
and
co
mm
unic
atin
g a
Cod
e of
E
thic
al B
ehav
ior t
o pe
rson
s w
orki
ng o
n be
half
of th
e or
gani
zatio
n.
- No
Cod
e of
E
thic
al B
ehav
ior.
- C
ode
of E
thic
al
Beh
avio
r is
deve
lope
d w
ithin
the
scop
e of
the
proj
ect.
- Cod
e of
Eth
ical
B
ehav
ior i
s es
tabl
ishe
d in
the
orga
niza
tion
for
issu
es a
ddre
ssed
in
prog
ram
s.
- Est
ablis
hes
Cod
e of
E
thic
s w
ith s
uppo
rt fro
m to
p m
anag
emen
t. - C
omm
unic
ates
cod
e to
per
sons
wor
king
on
beha
lf of
the
orga
niza
tion.
- C
lear
ly
com
mun
icat
es
resp
ect f
or th
e hu
man
rig
hts
and
dign
ity o
f hu
man
bei
ngs.
- Cod
e of
Eth
ical
Beh
avio
r fo
r nor
ms
of b
ehav
ior f
or a
ll pe
rson
s w
orki
ng o
n be
half
of th
e or
gani
zatio
n (in
clud
ing
empl
oyee
s,
subc
ontra
ctor
s, a
nd
outs
ourc
e pa
rtner
s) is
es
tabl
ishe
d, im
plem
ente
d,
docu
men
ted,
and
m
aint
aine
d.
- Cod
e of
Eth
ical
Beh
avio
r co
mm
unic
ated
as
cond
ition
fo
r acc
eptin
g co
ntra
cts.
- Cod
e of
Eth
ics
is
com
mun
icat
ed w
ith a
ll st
akeh
olde
rs b
oth
exte
rnal
and
inte
rnal
. - S
trong
or
gani
zatio
nal c
ultu
re
rega
rdin
g re
spec
t for
th
e hu
man
righ
ts a
nd
dign
ity o
f hum
an
bein
gs.
- Enc
oura
ges
subc
ontra
ctor
s an
d cl
ient
s to
ado
pt C
odes
of
Eth
ical
Beh
avio
r.
9.2
Res
ourc
es,
Rol
es,
Res
pons
ibili
ty,
and
Aut
horit
y
- Ava
ilabi
lity
and
acco
unta
bilit
y of
re
sour
ces
esse
ntia
l for
the
impl
emen
tatio
n of
the
QA
MS
and
to
faci
litat
e ef
fect
ive
QA
M.
- Pro
cedu
res,
role
s, a
nd
resp
onsi
bilit
ies
to c
over
all
norm
al o
pera
ting
cond
ition
s an
d un
desi
rabl
e or
dis
rupt
ive
even
ts.
- Tec
hniq
ues
for
man
agem
ent o
f fun
ctio
nal,
tact
ical
, and
stra
tegi
c te
ams.
- P
rovi
sion
s fo
r ade
quat
e fin
ance
and
adm
inis
trativ
e re
sour
ces
to s
uppo
rt no
rmal
ope
ratin
g co
nditi
ons
and
unde
sira
ble
or d
isru
ptiv
e ev
ents
. - D
eter
min
atio
n of
loca
l, re
gion
al, a
nd p
ublic
au
thor
ities
’ rol
es,
rela
tions
hips
, and
in
tera
ctio
ns.
- Not
def
ined
. - N
o de
dica
ted
pers
onne
l for
Q
AM
S.
- Nee
ded
reso
urce
s no
t id
entif
ied.
- Ass
igns
role
s an
d re
spon
sibi
litie
s to
sp
ecifi
c pe
rson
s to
ad
dres
s is
sue(
s) in
th
e lim
ited
scop
e.
- Allo
cate
s ad
equa
te
reso
urce
s in
ac
cord
ance
with
ac
tion
plan
. - A
“Pro
ject
Lea
der”
is
des
igna
ted
to
over
see
the
proj
ect.
- Par
ticip
atio
n ba
sed
on p
roje
ct s
cope
.
- Ide
ntifi
es a
nd d
efin
es
auth
oriti
es, r
oles
, re
spon
sibi
litie
s, a
nd
appr
opria
te re
sour
ces
with
in th
e or
gani
zatio
n.
- Ide
ntifi
es in
tern
al a
nd
exte
rnal
dep
artm
ents
, di
visi
ons,
bus
ines
s un
its, a
nd p
artn
ers
that
w
ill p
lay
a ro
le in
ad
dres
sing
an
unde
sira
ble
disr
uptiv
e ev
ent.
- Ide
ntifi
es a
QA
M
prog
ram
team
and
le
ader
. - A
lloca
tes
adeq
uate
re
sour
ces
in
acco
rdan
ce w
ith th
e ac
tion
plan
.
- Top
man
agem
ent
appo
ints
a s
peci
fic
man
agem
ent
repr
esen
tativ
e re
spon
sibl
e fo
r the
Q
AM
S.
- For
mal
QA
M
resp
onsi
bilit
ies
and
rela
tions
hips
are
de
fined
and
adh
ered
to
. - T
eam
s w
ith d
efin
ed
role
s an
d ad
equa
te
reso
urce
s ar
e es
tabl
ishe
d to
sup
port
QA
M a
ctio
n pl
ans.
- E
stab
lishe
s ar
rang
emen
ts fo
r st
akeh
olde
r as
sist
ance
,
- Rol
es, r
espo
nsib
ilitie
s,
and
auth
oriti
es a
re d
efin
ed,
docu
men
ted,
and
co
mm
unic
ated
in o
rder
to
faci
litat
e ef
fect
ive
QA
M,
cons
iste
nt w
ith th
e ac
hiev
emen
t of i
ts Q
AM
po
licy,
obj
ectiv
es, t
arge
ts,
and
prog
ram
s.
- Doc
umen
ted
qual
ity
team
(s) w
ith d
efin
ed ro
les,
ap
prop
riate
aut
horit
y, a
nd
adeq
uate
reso
urce
s.
- Est
ablis
hes
and
docu
men
ts lo
gist
ical
ca
pabi
litie
s an
d pr
oced
ures
id
entif
y an
d ev
alua
te th
e ne
eds
of th
e cl
ient
with
re
spec
t to
QA
MS
. - F
orm
al a
nd d
ocum
ente
d
- Rol
es,
resp
onsi
bilit
ies,
and
au
thor
ities
are
de
fined
, doc
umen
ted,
an
d co
mm
unic
ated
in
orde
r to
faci
litat
e ef
fect
ive
QA
M w
ithin
th
e or
gani
zatio
n,
ente
rpris
e-w
ide
and
with
in th
e co
mm
unity
co
nsis
tent
with
ac
hiev
ing
orga
niza
tion’
s an
d ex
tern
al s
take
hold
ers’
(s
uppl
y ch
ain
and
com
mun
ity)
obje
ctiv
es, t
arge
ts,
and
prog
ram
s.
85869_ASFIS_Rev0_1-52.pdf 3385869_ASFIS_Rev0_1-52.pdf 332.pdf 33 3/21/13 11:54 AM3/21/13 11:54 AM
AN
SI/A
SIS
PS
C.3
-201
3
22
Mat
urity
Mod
el fo
r the
Pha
sed
Impl
emen
tatio
n of
the
ANSI
/ASI
S PS
C.1
-201
2
AN
SI/A
SIS
PSC
.1
Stan
dard
C
laus
e
Cor
e El
emen
t Is
sues
Add
ress
ed
by C
ore
Elem
ent
(est
ablis
h,
impl
emen
t, an
d m
aint
ain)
Pre-
awar
enes
s (P
hase
One
)
Proj
ect
App
roac
h (P
hase
Tw
o)
Prog
ram
A
ppro
ach
(Pha
se T
hree
)
Syst
ems
App
roac
h (P
hase
Fou
r)
Man
agem
ent
Syst
em
(Pha
se F
ive)
Hol
istic
M
anag
emen
t (P
hase
Six
)
co
mm
unic
atio
n,
stra
tegi
c al
lianc
es,
and
mut
ual a
id.
- Ide
ntifi
es fi
nanc
ial
and
adm
inis
trativ
e pr
oced
ures
nee
ded
to
supp
ort t
he Q
AM
pr
ogra
ms.
- R
oles
, rel
atio
nshi
ps,
and
inte
ract
ions
with
ex
tern
al re
sour
ces
(mem
bers
of t
he
supp
ly c
hain
, su
bcon
tract
ors,
loca
l, re
gion
al, a
nd p
ublic
au
thor
ities
–in
clud
ing
first
resp
onde
rs) a
re
defin
ed.
- Ade
quat
e re
sour
ces
allo
cate
d in
ac
cord
ance
with
ac
tion
plan
.
proc
edur
es fo
r sta
keho
lder
as
sist
ance
and
co
mm
unic
atio
ns.
9.2.
1 P
erso
nnel
- P
erso
nnel
re
quire
men
ts a
nd
para
met
ers
defin
ed.
- Req
uire
men
ts fo
r pe
rson
nel c
ompe
tenc
e,
rem
uner
atio
n, a
nd h
uman
re
sour
ce d
ocum
enta
tion
esta
blis
hed.
- No
docu
men
tatio
n m
aint
aine
d fo
r all
pers
onne
l. - P
erso
nnel
hire
d an
d co
mpe
nsat
ed
in a
n ad
hoc
bas
is.
- Ade
quat
e pe
rson
nel t
o fu
lfill
the
requ
irem
ents
of
the
scop
e.
- Doc
umen
tatio
n on
pe
rson
nel w
ithin
the
proj
ect s
cope
.
- Ini
tiate
s pr
oced
ures
fo
r ens
urin
g su
ffici
ent
pers
onne
l with
ap
prop
riate
co
mpe
tenc
e.
- Ini
tiate
s pr
oced
ures
fo
r mai
ntai
ning
co
nfid
entia
lity
of
pers
onne
l’s p
rivat
e in
form
atio
n.
- Est
ablis
hes
proc
edur
es fo
r en
surin
g su
ffici
ent
pers
onne
l with
ap
prop
riate
co
mpe
tenc
e.
- Est
ablis
hes
proc
edur
es fo
r m
aint
aini
ng
conf
iden
tialit
y of
pe
rson
nel’s
priv
ate
info
rmat
ion.
- E
stab
lishe
s do
cum
enta
tion
of a
ll pe
rson
nel c
onta
ct
info
rmat
ion.
- Mai
ntai
ns a
nd d
ocum
ents
pr
oced
ures
for e
nsur
ing
suffi
cien
t per
sonn
el w
ith
appr
opria
te c
ompe
tenc
e.
- Mai
ntai
ns a
nd d
ocum
ents
pr
oced
ures
for m
aint
aini
ng
conf
iden
tialit
y of
pe
rson
nel’s
priv
ate
info
rmat
ion.
- M
aint
ains
doc
umen
tatio
n of
all
pers
onne
l and
pr
ovid
es re
leva
nt
docu
men
ts in
lang
uage
th
at is
read
ily
com
preh
ensi
ble
for a
ll pa
rties
.
- Sha
res
best
pr
actic
es w
ith re
leva
nt
stak
ehol
ders
.
9.2.
1.1
Uni
form
s an
d M
arki
ngs
- Uni
form
s an
d m
arki
ngs
for
iden
tific
atio
n of
pe
rson
nel a
nd
equi
pmen
t.
- Pro
cedu
res
for t
he u
se o
f un
iform
s an
d m
arki
ngs
for
iden
tific
atio
n.
- No
visi
ble
or
cons
iste
nt u
nifo
rms
or m
arki
ngs
for
pers
onne
l.
- Uni
form
s an
d m
arki
ngs
need
ed
with
in th
e pr
ojec
t sc
ope
are
iden
tifie
d.
- Est
ablis
h re
quire
men
ts fo
r un
iform
s an
d m
arki
ngs
whi
ch a
re c
lear
ly
dist
ingu
isha
ble
from
th
ose
used
by
mili
tary
an
d po
lice
forc
es fo
r
- Est
ablis
h re
quire
men
ts a
nd
proc
edur
es fo
r un
iform
s an
d m
arki
ngs
whi
ch a
re
clea
rly d
istin
guis
habl
e fro
m th
ose
used
by
- Est
ablis
h, d
ocum
ent,
and
mai
ntai
n re
quire
men
ts a
nd
proc
edur
es fo
r uni
form
s an
d m
arki
ngs
with
in th
e or
gani
zatio
n th
at a
re
clea
rly d
istin
guis
habl
e fro
m
thos
e us
ed b
y m
ilita
ry a
nd
- Com
mun
icat
es b
est
prac
tice
proc
edur
es
rega
rdin
g un
iform
s an
d m
arki
ngs
with
ex
tern
al s
take
hold
ers
and
mem
bers
of t
he
surr
ound
ing
85869_ASFIS_Rev0_1-52.pdf 3485869_ASFIS_Rev0_1-52.pd2.pdf 3f 344 3/21/13 11:54 AM3/21/13 11:54 AM4 AM
AN
SI/A
SIS
PS
C.3
-201
3
23
Mat
urity
Mod
el fo
r the
Pha
sed
Impl
emen
tatio
n of
the
ANSI
/ASI
S PS
C.1
-201
2
AN
SI/A
SIS
PSC
.1
Stan
dard
C
laus
e
Cor
e El
emen
t Is
sues
Add
ress
ed
by C
ore
Elem
ent
(est
ablis
h,
impl
emen
t, an
d m
aint
ain)
Pre-
awar
enes
s (P
hase
One
)
Proj
ect
App
roac
h (P
hase
Tw
o)
Prog
ram
A
ppro
ach
(Pha
se T
hree
)
Syst
ems
App
roac
h (P
hase
Fou
r)
Man
agem
ent
Syst
em
(Pha
se F
ive)
Hol
istic
M
anag
emen
t (P
hase
Six
)
activ
ities
def
ined
in th
e pr
ogra
m s
cope
. m
ilita
ry a
nd p
olic
e fo
rces
. po
lice
forc
es.
com
mun
ity.
9.2.
2 S
elec
tion,
B
ackg
roun
d S
cree
ning
, and
V
ettin
g of
P
erso
nnel
- Est
ablis
hing
pr
oced
ures
for
sele
ctio
n,
scre
enin
g, a
nd
vetti
ng o
f pe
rson
nel.
- Req
uire
men
ts to
ens
ure
that
all
pers
ons
wor
king
on
an o
rgan
izat
ion’
s be
half
are
fit a
nd p
rope
r for
the
task
s th
ey w
ill c
ondu
ct.
- No
proc
edur
es fo
r ba
ckgr
ound
sc
reen
ing
and
vetti
ng o
f per
sons
w
orki
ng o
n be
half
of th
e or
gani
zatio
n.
- Pro
cedu
res
are
iden
tifie
d fo
r ba
ckgr
ound
sc
reen
ing
and
vetti
ng o
f peo
ple
with
in th
e sc
ope
of
the
proj
ect.
- Est
ablis
h pr
oced
ures
fo
r bac
kgro
und
scre
enin
g (in
clud
ing
scre
enin
g fo
r act
ions
in
the
past
or p
rese
nt
whi
ch w
ould
con
tradi
ct
the
orga
niza
tion’
s C
ode
of E
thic
al
Con
duct
, Sta
tem
ent o
f C
onfo
rman
ce, a
nd
adhe
renc
e to
the
PS
C.1
Sta
ndar
d.
- Est
ablis
hed
proc
edur
es a
re b
ased
on
def
ined
co
mpe
tenc
ies
incl
udin
g kn
owle
dge,
sk
ills,
abi
litie
s, a
nd
attri
bute
s.
- Est
ablis
h pr
oced
ures
to
appr
opria
tely
and
st
rictly
sec
ure
the
conf
iden
tialit
y of
in
form
atio
n, b
oth
inte
rnal
ly a
nd
exte
rnal
ly.
- Est
ablis
hed
and
docu
men
ted
proc
edur
es
are
base
d on
def
ined
co
mpe
tenc
ies
incl
udin
g kn
owle
dge,
ski
lls, a
bilit
ies,
an
d at
tribu
tes.
- E
stab
lish
impl
emen
t, m
aint
ain,
and
doc
umen
t pr
oced
ures
to a
ppro
pria
tely
an
d st
rictly
sec
ure
the
conf
iden
tialit
y of
in
form
atio
n, b
oth
inte
rnal
ly
and
exte
rnal
ly.
- Com
mun
icat
es b
est
prac
tice
proc
edur
es
rega
rdin
g se
lect
ion,
ba
ckgr
ound
sc
reen
ing,
and
vet
ting
of p
erso
nnel
with
ex
tern
al s
take
hold
ers,
in
clud
ing
subc
ontra
ctor
s.
9.2.
3 S
elec
tion,
B
ackg
roun
d S
cree
ning
, and
V
ettin
g of
S
ubco
ntra
ctor
s
- Def
inin
g pr
oced
ures
for
subc
ontra
ctin
g ac
tiviti
es.
- Req
uire
men
ts fo
r se
lect
ing
subc
ontra
ctor
s to
en
sure
all
activ
ities
by
an
orga
niza
tion
(sub
cont
ract
ed o
r ot
herw
ise)
adh
ere
to th
e A
NS
I/AS
IS.P
SC
.1
stan
dard
.
- No
proc
edur
e fo
r se
lect
ion
or v
ettin
g of
sub
cont
ract
ors.
- Ide
ntifi
es
appr
opria
te
agre
emen
ts n
eede
d fo
r sub
cont
ract
ors
with
in th
e sc
ope
of
the
proj
ect.
- Ini
tiate
s pr
oced
ures
fo
r cre
atin
g ap
prop
riate
w
ritte
n co
ntra
ctua
l ag
reem
ents
with
su
bcon
tract
ors.
- O
rgan
izat
ion
ackn
owle
dges
that
it is
lia
ble,
as
appr
opria
te
and
with
in a
pplic
able
la
w, f
or th
e co
nduc
t of
subc
ontra
ctor
s.
- Est
ablis
hes
proc
edur
es fo
r se
lect
ion,
scr
eeni
ng,
and
vetti
ng o
f su
bcon
tract
ors.
- E
stab
lishe
s pr
oced
ures
for
ensu
ring
appr
opria
te
writ
ten
cont
ract
ual
agre
emen
ts w
ith
subc
ontra
ctor
s,
advi
sing
the
clie
nt o
f th
e ag
reem
ent,
and
mai
ntai
ning
do
cum
enta
tion
on a
ll su
bcon
tract
ors.
- Mai
ntai
ns, i
mpl
emen
ts,
and
docu
men
ts p
roce
dure
s fo
r sel
ectio
n, s
cree
ning
, an
d ve
tting
of
subc
ontra
ctor
s-
Impl
emen
ts, M
aint
ains
, an
d do
cum
ents
pro
cedu
res
for e
nsur
ing
appr
opria
te
writ
ten
cont
ract
ual
agre
emen
ts w
ith
subc
ontra
ctor
s, a
dvis
ing
the
clie
nt o
f the
agr
eem
ent,
and
mai
ntai
ning
do
cum
enta
tion
on a
ll su
bcon
tract
ors.
- Com
mun
icat
es b
est
prac
tice
proc
edur
es
rega
rdin
g se
lect
ion,
ba
ckgr
ound
sc
reen
ing,
and
vet
ting
of s
ubco
ntra
ctor
s’
pers
onne
l and
en
surin
g co
mpe
tenc
y of
sub
cont
ract
ors
with
ex
tern
al s
take
hold
ers
and
clie
nts.
9.2.
4 Fi
nanc
ial
and
Adm
inis
trativ
e P
roce
dure
s
- Def
inin
g fin
anci
al a
nd
adm
inis
trativ
e pr
oced
ures
.
- Pro
cedu
res
to s
uppo
rt qu
ality
ass
uran
ce
man
agem
ent p
rogr
am
befo
re, d
urin
g, a
nd a
fter a
di
srup
tive
or u
ndes
irabl
e ev
ent.
- No
finan
cial
or
adm
inis
trativ
e pr
oced
ures
.
- Ide
ntifi
es th
e ne
ed
for p
roce
dure
s an
d es
tabl
ishe
s pr
oced
ures
with
in
the
proj
ect s
cope
.
- Det
erm
ines
pr
oced
ures
nec
essa
ry
so th
at fi
scal
dec
isio
ns
can
be e
xped
ited.
- C
onsu
lts w
ith th
e cl
ient
.
- Est
ablis
hes
proc
edur
es to
sup
port
qual
ity a
ssur
ance
m
anag
emen
t pro
gram
be
fore
, dur
ing,
and
af
ter a
dis
rupt
ive
or
unde
sira
ble
even
t, en
surin
g fis
cal
deci
sion
s ca
n be
ex
pedi
ted.
- E
stab
lishe
d in
- Im
plem
ents
, doc
umen
ts,
and
mai
ntai
ns p
roce
dure
s to
sup
port
qual
ity
assu
ranc
e m
anag
emen
t pr
ogra
m b
efor
e, d
urin
g,
and
afte
r a d
isru
ptiv
e or
un
desi
rabl
e ev
ent,
ensu
ring
fisca
l dec
isio
ns
can
be e
xped
ited.
- E
stab
lishe
d in
co
nsul
tatio
n an
d
- Com
mun
icat
es b
est
prac
tice
proc
edur
es
rega
rdin
g fin
anci
al
and
adm
inis
trativ
e pr
oced
ures
with
ap
prop
riate
ext
erna
l st
akeh
olde
rs in
clud
ing
clie
nts.
85869_ASFIS_Rev0_1-52.pdf 3585869_ASFIS_Rev0_1-52.pdf 352.pdf 35 3/21/13 11:54 AM3/21/13 11:54 AM
AN
SI/A
SIS
PS
C.3
-201
3
24
Mat
urity
Mod
el fo
r the
Pha
sed
Impl
emen
tatio
n of
the
ANSI
/ASI
S PS
C.1
-201
2
AN
SI/A
SIS
PSC
.1
Stan
dard
C
laus
e
Cor
e El
emen
t Is
sues
Add
ress
ed
by C
ore
Elem
ent
(est
ablis
h,
impl
emen
t, an
d m
aint
ain)
Pre-
awar
enes
s (P
hase
One
)
Proj
ect
App
roac
h (P
hase
Tw
o)
Prog
ram
A
ppro
ach
(Pha
se T
hree
)
Syst
ems
App
roac
h (P
hase
Fou
r)
Man
agem
ent
Syst
em
(Pha
se F
ive)
Hol
istic
M
anag
emen
t (P
hase
Six
)
cons
ulta
tion
and
coor
dina
tion
with
the
clie
nt.
coor
dina
tion
with
the
clie
nt.
9.2.
5 P
rocu
rem
ent
and
Man
agem
ent
of W
eapo
ns,
Haz
ardo
us
Mat
eria
ls, a
nd
Mun
ition
s
- Man
agem
ent o
f w
eapo
ns,
haza
rdou
s m
ater
ials
, and
m
uniti
ons
with
in
the
orga
niza
tion.
- Ens
urin
g th
e lif
e-cy
cle
man
agem
ent a
nd u
se o
f w
eapo
ns, m
uniti
ons,
and
ha
zard
ous
mat
eria
ls w
ithin
th
e or
gani
zatio
n is
in
acco
rdan
ce w
ith
appr
opria
te la
ws,
re
gula
tions
, and
mis
sion
ob
ject
ives
.
- No
Pro
cedu
res
for p
rocu
rem
ent
and
man
agem
ent
of w
eapo
ns,
haza
rdou
s m
ater
ials
, ex
plos
ives
, or
mun
ition
s.
- Ide
ntifi
es
proc
edur
es
nece
ssar
y fo
r the
m
anag
emen
t of
wea
pons
, haz
ardo
us
mat
eria
ls,
expl
osiv
es, a
nd
mun
ition
s w
ithin
the
proj
ect s
cope
.
- Det
erm
ines
ap
prop
riate
use
of
wea
pons
, haz
ardo
us
mat
eria
ls, e
xplo
sive
s,
and
mun
ition
s in
ac
cord
ance
with
ac
cept
ed w
eapo
nry
used
by
law
en
forc
emen
t age
ncie
s an
d co
nsis
tent
with
ap
prop
riate
in
tern
atio
nal a
nd
natio
nal l
aw.
- Dev
elop
s pr
oced
ures
fo
r det
erm
inin
g w
eapo
nry
need
ed
with
in a
pro
ject
sco
pe
cons
iste
nt w
ith m
issi
on
obje
ctiv
es.
- Est
ablis
hes
and
initi
ates
pro
cedu
res
for p
rocu
rem
ent a
nd
man
agem
ent o
f w
eapo
ns, h
azar
dous
m
ater
ials
, exp
losi
ves,
an
d m
uniti
ons
cons
iste
nt w
ith ri
sks
and
mis
sion
ob
ject
ives
. - P
roce
dure
s co
nsid
er
loca
l and
inte
rnat
iona
l le
gal a
nd re
gula
tory
re
quire
men
ts a
nd a
re
in a
ccor
danc
e w
ith
acce
pted
wea
ponr
y us
ed b
y la
w
enfo
rcem
ent
agen
cies
. - I
nitia
tes
proc
edur
es
for i
dent
ifica
tion
and
acco
unta
bilit
y fo
r all
amm
uniti
on a
nd
wea
ponr
y.
- Est
ablis
hes
prot
ocol
s th
at
wea
pons
are
to b
e us
ed in
sel
f-def
ense
an
d in
the
defe
nse
of
othe
rs o
nly
and
appr
opria
te to
the
task
.
- Est
ablis
hes,
doc
umen
ts,
and
mai
ntai
ns p
roce
dure
s fo
r the
life
-cyc
le
man
agem
ent a
nd u
se o
f w
eapo
ns, m
uniti
ons,
and
ha
zard
ous
mat
eria
ls.
- Pro
cedu
res
for
iden
tific
atio
n an
d ac
coun
ting
of a
ll w
eapo
nry
are
docu
men
ted
and
mai
ntai
ned.
- C
onsi
ders
all
loca
l and
in
tern
atio
nal l
egal
and
re
gula
tory
requ
irem
ents
. - A
ccou
nts
for m
issi
on
obje
ctiv
es a
nd ri
sks
iden
tifie
d w
hen
proc
urin
g an
d m
anag
ing
wea
pons
. - O
rgan
izat
ion-
wid
e cu
lture
of
onl
y us
ing
wea
pons
for
self-
defe
nse
and
the
defe
nse
of o
ther
s w
hile
ap
prop
riate
to th
e ta
sk a
nd
oper
atio
ns.
- Com
mun
icat
es b
est
prac
tice
proc
edur
es
rega
rdin
g pr
ocur
emen
t and
m
anag
emen
t of
wea
ponr
y pr
oced
ures
w
ith e
xter
nal
stak
ehol
ders
, in
clud
ing
subc
ontra
ctor
s an
d cl
ient
s.
- Org
aniz
atio
n-w
ide
cultu
re o
f onl
y us
ing
wea
pons
for s
elf-
defe
nse
and
the
defe
nse
of o
ther
s w
hile
app
ropr
iate
to
the
task
and
op
erat
ions
. - P
roce
dure
s fo
r as
sess
ing
whe
ther
w
eapo
ns w
ere
nece
ssar
y af
ter e
ach
time
wea
pons
are
fir
ed.
9.3
Com
pete
nce,
Tr
aini
ng, a
nd
Aw
aren
ess
- Def
inin
g an
d ad
dres
sing
co
mpe
tenc
e.
- Ski
lls a
nd c
ompe
tenc
y re
quire
men
ts to
sup
port
norm
al o
pera
ting
cond
ition
s an
d di
srup
tive
even
ts.
- Tra
inin
g an
d ed
ucat
ion
prog
ram
for t
he
orga
niza
tion’
s pe
rson
nel,
cont
ract
ors,
and
oth
er
rele
vant
sta
keho
lder
s.
- Lac
k of
QA
M
cultu
ral a
war
enes
s.
-Com
pete
ncie
s an
d sk
ills
not i
dent
ified
. - N
o tra
inin
g pr
ogra
m.
- Litt
le o
r no
in-
hous
e ex
perti
se o
r ex
perie
nce.
- W
orkf
orce
- Com
pete
nce,
sk
ills,
and
trai
ning
ne
eds
iden
tifie
d to
ac
hiev
e pr
ojec
t ob
ject
ives
and
ta
rget
s.
- Con
duct
s tra
inin
g w
ith s
ome
mea
sure
of
com
pete
nce
to
achi
eve
obje
ctiv
es
- Det
erm
ines
co
mpe
tenc
e re
quire
men
ts th
at a
re
nece
ssar
y fo
r act
iviti
es
defin
ed in
the
prog
ram
sc
ope.
- D
evel
ops
and
impl
emen
ts tr
aini
ng,
com
pete
nce,
and
aw
aren
ess
proc
edur
es.
- Ide
ntifi
es
com
pete
ncie
s an
d tra
inin
g ne
eds
asso
ciat
ed w
ith
achi
evin
g th
e Q
AM
S
obje
ctiv
es, t
arge
ts,
and
prog
ram
s.
- Dev
elop
s an
d im
plem
ents
pr
oced
ures
to
- Ens
ures
that
any
per
sons
pe
rform
ing
task
s w
ho h
ave
the
pote
ntia
l to
prev
ent,
caus
e, re
spon
d to
, m
itiga
te, o
r be
affe
cted
by
sign
ifica
nt h
azar
ds, t
hrea
ts,
and
risks
are
com
pete
nt
(on
the
basi
s of
app
ropr
iate
ed
ucat
ion,
trai
ning
, or
expe
rienc
e).
- Bui
lds,
pro
mot
es,
and
embe
ds a
qua
lity
assu
ranc
e m
anag
emen
t cul
ture
w
ithin
the
orga
niza
tion,
su
bcon
tract
ors,
su
pply
cha
in, c
lient
s,
and
com
mun
ity.
- Sha
ring
best
85869_ASFIS_Rev0_1-52.pdf 3685869_ASFIS_Rev0_1-52.pdf 362.pdf 36 3/21/13 11:54 AM3/21/13 11:54 AM
AN
SI/A
SIS
PS
C.3
-201
3
25
Mat
urity
Mod
el fo
r the
Pha
sed
Impl
emen
tatio
n of
the
ANSI
/ASI
S PS
C.1
-201
2
AN
SI/A
SIS
PSC
.1
Stan
dard
C
laus
e
Cor
e El
emen
t Is
sues
Add
ress
ed
by C
ore
Elem
ent
(est
ablis
h,
impl
emen
t, an
d m
aint
ain)
Pre-
awar
enes
s (P
hase
One
)
Proj
ect
App
roac
h (P
hase
Tw
o)
Prog
ram
A
ppro
ach
(Pha
se T
hree
)
Syst
ems
App
roac
h (P
hase
Fou
r)
Man
agem
ent
Syst
em
(Pha
se F
ive)
Hol
istic
M
anag
emen
t (P
hase
Six
)
- Org
aniz
atio
nal a
war
enes
s an
d cu
lture
to s
uppo
rt Q
AM
. - O
rgan
izat
iona
l int
erfa
ce
prot
ocol
, ide
ntifi
catio
n, a
nd
train
ing
requ
irem
ents
, in
clud
ing
wea
pons
trai
ning
. - T
ools
to e
nhan
ce
situ
atio
nal a
war
enes
s.
- Edu
catio
n to
ens
ure
prop
er c
ultu
ral a
war
enes
s an
d kn
owle
dge
of h
uman
rig
hts
and
inte
rnat
iona
l law
.
unaw
are
of q
ualit
y as
sura
nce
and
risk
man
agem
ent
need
s an
d la
cks
train
ing
to
adeq
uate
ly ta
ke
owne
rshi
p an
d co
ntro
l ris
ks.
- No
adeq
uate
tra
inin
g ab
out
cultu
re.
- No
proc
edur
es fo
r w
eapo
ns a
nd u
se
of fo
rce
train
ing.
and
targ
ets.
- T
rain
ing
and
awar
enes
s fo
cus
on
addr
essi
ng th
e id
entif
ied
issu
e(s)
in
the
scop
e.
addr
ess
com
pete
nce
and
train
ing
need
s.
-Dev
elop
s an
d im
plem
ents
pr
oced
ures
for
train
ing
and
eval
uatin
g pe
rson
nel
auth
oriz
ed to
car
ry
any
wea
pons
in th
e pe
rform
ance
of t
heir
dutie
s.
- Ass
esse
s co
mpe
tenc
e ag
ains
t re
quire
men
ts.
- Doc
umen
ts a
nd re
tain
s as
soci
ated
trai
ning
and
co
mpe
tenc
e re
cord
s.
- Doc
umen
ted
leve
l of
com
pete
nce
with
the
spec
ific
wea
pons
au
thor
ized
for a
ll pe
rson
nel
auth
oriz
ed to
car
ry a
w
eapo
n in
the
perfo
rman
ce
of th
eir d
utie
s.
- Ens
ures
the
qual
ity
assu
ranc
e m
anag
emen
t cu
lture
bec
omes
par
t of t
he
orga
niza
tion’
s co
re v
alue
s an
d or
gani
zatio
n go
vern
ance
. - M
akes
sta
keho
lder
s aw
are
of th
e qu
ality
as
sura
nce
man
agem
ent
polic
y an
d th
eir r
ole
in a
ny
plan
s.
prac
tices
with
ext
erna
l st
akeh
olde
rs (e
.g.,
supp
ly c
hain
and
su
bcon
tract
ors)
.
9.4.
1 O
pera
tiona
l C
omm
unic
atio
ns
- Ide
ntify
and
ad
dres
s in
tern
al
and
exte
rnal
op
erat
iona
l co
mm
unic
atio
n re
quire
men
ts.
- Pro
cedu
res,
ar
rang
emen
ts, a
nd to
ols
for c
omm
unic
atio
n to
su
ppor
t nor
mal
ope
ratin
g co
nditi
ons
and
disr
uptiv
e ev
ents
. - R
elia
ble
and
test
ed
com
mun
icat
ions
and
a
war
ning
cap
abili
ty in
the
even
t of a
n un
desi
rabl
e or
di
srup
tive
even
t.
- No
proc
edur
es.
- Com
mun
icat
ions
no
t coo
rdin
ated
in
tern
ally
or
exte
rnal
ly.
- Rea
ctiv
e in
na
ture
. - D
riven
by
dem
ands
for
info
rmat
ion.
- Com
mun
icat
ion
proc
edur
es a
ddre
ss
proj
ect o
bjec
tives
, ta
rget
, and
sco
pe.
- Dev
elop
s co
mm
unic
atio
n pr
oced
ures
for
inte
rnal
and
ext
erna
l st
akeh
olde
rs
(incl
udin
g au
thor
ities
an
d m
edia
) co
nsis
tent
with
the
proj
ect s
cope
.
- Ide
ntifi
es w
hat w
ill b
e co
mm
unic
ated
and
to
who
m.
- Det
erm
ines
co
mm
unic
atio
ns a
nd
war
ning
nee
ds.
- Est
ablis
hes,
im
plem
ents
, and
m
aint
ains
pro
cedu
res
for i
nter
nal a
nd
exte
rnal
co
mm
unic
atio
ns a
nd
war
ning
s.
- Est
ablis
hes
notif
icat
ion
syst
ems
and
role
s in
whi
ch to
us
e th
em.
- Ide
ntifi
es w
hat w
ill
be c
omm
unic
ated
and
to
who
m re
gard
ing
the
QA
M p
olic
y, ri
sks,
ob
ject
ives
, tar
gets
, an
d pr
ogra
ms.
- E
stab
lishe
s in
tern
al,
exte
rnal
, and
Net
-C
entri
c co
mm
unic
atio
n pr
oced
ures
. - I
dent
ifies
targ
et
audi
ence
s fo
r co
mm
unic
atio
ns a
nd
war
ning
s to
ens
ure
effe
ctiv
e tw
o-w
ay
dial
ogue
. - D
eter
min
es
info
rmat
ion
shar
ing
and
secu
rity
need
s.
- Ens
ures
ong
oing
co
mm
unic
atio
ns
capa
city
in th
e ev
ent
of a
n un
desi
rabl
e or
- Est
ablis
hes,
impl
emen
ts,
docu
men
ts, a
nd m
aint
ains
co
mm
unic
atio
ns
proc
edur
es.
- P
repl
anni
ng o
f co
mm
unic
atio
ns fo
r ta
rget
ed a
udie
nces
. - D
evel
ops
and
docu
men
ts
key
mes
sage
s an
d se
t co
mm
unic
atio
n ta
rget
s,
obje
ctiv
es, a
nd
perfo
rman
ce in
dica
tors
. - A
ssig
ns a
nd d
ocum
ents
re
spon
sibi
litie
s an
d es
tabl
ish
timel
ines
for
com
mun
icat
ions
. - E
stab
lishe
s, d
ocum
ents
, an
d m
aint
ains
pro
cedu
res
for i
nter
nal,
exte
rnal
, and
N
et-C
entri
c co
mm
unic
atio
ns.
- Com
mun
icat
ion
on Q
AM
is
sues
occ
urs
thro
ugho
ut
the
orga
niza
tion
and
with
- Dev
elop
men
t of N
et-
Cen
tric
capa
city
for a
ll co
mm
unic
atio
ns w
ith
exte
rnal
sta
keho
lder
s (s
uppl
y ch
ain,
su
bcon
tract
ors,
cl
ient
s, a
nd
com
mun
ity).
- Det
erm
ines
relia
bilit
y of
ext
erna
l co
mm
unic
atio
ns
infra
stru
ctur
e, a
nd to
au
gmen
t the
sys
tem
in
tern
ally
and
ex
tern
ally
in th
e ev
ent
of a
n un
desi
rabl
e or
di
srup
tion.
85869_ASFIS_Rev0_1-52.pdf 3785869_ASFIS_Rev0_1-52.pd2.pdf 3f 377 3/21/13 11:54 AM3/21/13 11:51/13 11:54 AM4 AM
AN
SI/A
SIS
PS
C.3
-201
3
26
Mat
urity
Mod
el fo
r the
Pha
sed
Impl
emen
tatio
n of
the
ANSI
/ASI
S PS
C.1
-201
2
AN
SI/A
SIS
PSC
.1
Stan
dard
C
laus
e
Cor
e El
emen
t Is
sues
Add
ress
ed
by C
ore
Elem
ent
(est
ablis
h,
impl
emen
t, an
d m
aint
ain)
Pre-
awar
enes
s (P
hase
One
)
Proj
ect
App
roac
h (P
hase
Tw
o)
Prog
ram
A
ppro
ach
(Pha
se T
hree
)
Syst
ems
App
roac
h (P
hase
Fou
r)
Man
agem
ent
Syst
em
(Pha
se F
ive)
Hol
istic
M
anag
emen
t (P
hase
Six
)
disr
uptiv
e ev
ent.
ap
prop
riate
sta
keho
lder
s.
- Doc
umen
ts
com
mun
icat
ion
with
em
erge
ncy
and
first
re
spon
ders
. - S
ets
and
docu
men
ts
com
mun
icat
ions
pro
toco
ls
for n
orm
al a
nd fo
r di
srup
tive
even
ts.
- Reg
ular
ly e
xerc
ises
co
mm
unic
atio
ns s
yste
m
and
docu
men
ts re
sults
.
9.4.
2 R
isk
Com
mun
icat
ion
-Iden
tify
and
addr
ess
inte
rnal
an
d ex
tern
al ri
sk
com
mun
icat
ion
requ
irem
ents
.
- Dev
elop
s ris
k co
mm
unic
atio
ns b
ased
on
safe
guar
ding
life
as
the
first
prio
rity.
- E
xerc
ises
for p
lans
to
com
mun
icat
e in
form
atio
n an
d w
arni
ngs
with
st
akeh
olde
rs (i
nclu
ding
the
med
ia) t
o su
ppor
t nor
mal
op
erat
ing
cond
ition
s an
d di
srup
tive
even
ts.
- No
proc
edur
es.
- Not
coo
rdin
ated
in
tern
ally
or
exte
rnal
ly.
- Rea
ctiv
e in
na
ture
. - D
riven
by
dem
ands
for
info
rmat
ion.
- Dev
elop
s co
mm
unic
atio
n pr
oced
ures
for
com
mun
icat
ing
risk
to e
xter
nal
stak
ehol
ders
(in
clud
ing
auth
oriti
es
and
med
ia)
cons
iste
nt w
ith th
e pr
ojec
t sco
pe.
- Ide
ntifi
es w
hat r
isks
w
ill b
e co
mm
unic
ated
an
d to
who
m.
- Ide
ntifi
es w
hat w
ill
be c
omm
unic
ated
and
to
who
m re
gard
ing
the
QA
M p
olic
y, ri
sks,
ob
ject
ives
, tar
gets
, an
d pr
ogra
ms
rega
rdin
g th
e ris
ks o
f th
ese
prog
ram
s an
d sy
stem
s.
- Dec
isio
n to
co
mm
unic
ate
risk
is
base
d on
sa
fegu
ardi
ng li
fe a
s th
e fir
st p
riorit
y.
- Dev
elop
s an
d do
cum
ents
ke
y m
essa
ges
rega
rdin
g le
vels
of r
isk
with
in th
e or
gani
zatio
n to
ext
erna
l st
akeh
olde
rs.
- Dec
isio
n to
com
mun
icat
e ris
k is
bas
ed o
n sa
fegu
ardi
ng li
fe a
s th
e fir
st p
riorit
y.
- Dec
isio
n on
whe
ther
to
com
mun
icat
e ris
k is
do
cum
ente
d.
- Det
erm
ines
the
impa
ct o
f co
mm
unic
atin
g ris
k an
d he
lps
exte
rnal
st
akeh
olde
rs re
duce
ris
k in
the
futu
re.
9.4.
3 C
omm
unic
atin
g C
ompl
aint
and
G
rieva
nce
Pro
cedu
res
- Ide
ntify
ing
and
addr
essi
ng
grie
vanc
es a
nd
com
plai
nts
with
in
an o
rgan
izat
ion.
- Pro
cedu
res
for
addr
essi
ng g
rieva
nces
and
co
mpl
aint
s.
- No
proc
edur
es fo
r ad
dres
sing
co
mpl
aint
s or
gr
ieva
nces
.
- Dev
elop
s co
mpl
aint
s an
d gr
ieva
nce
proc
edur
es b
ased
on
pas
t inc
iden
ts.
- Ide
ntifi
es p
ossi
ble
obst
acle
s w
hen
subm
ittin
g co
mpl
aint
s, a
nd tr
ies
to re
mov
e th
ese
obst
acle
s (s
uch
as
lang
uage
bar
riers
, fe
ar o
f rep
risal
, and
ed
ucat
ion)
.
- Dev
elop
s pr
oced
ures
to
min
imiz
e ob
stac
les
for s
ubm
ittin
g co
mpl
aint
s, a
nd tr
ied
to
rem
ove
thes
e ob
stac
les
(suc
h as
la
ngua
ge b
arrie
rs, f
ear
of re
pris
al, a
nd
educ
atio
n).
- Com
mun
icat
es
proc
edur
es to
ap
prop
riate
st
akeh
olde
rs.
- Im
plem
ents
act
ions
to
min
imiz
e ob
stac
les
whe
n su
bmitt
ing
com
plai
nts.
- I
mpl
emen
ts
proc
edur
es fo
r ad
dres
sing
co
mpl
aint
s an
d gr
ieva
nces
. - U
ses
risk
asse
ssm
ent t
o pr
oact
ivel
y id
entif
y re
quire
men
ts fo
r co
mpl
aint
s an
d gr
ieva
nce
proc
edur
es.
- Est
ablis
hes,
do
cum
ents
, and
- Est
ablis
hes,
mai
ntai
ns,
and
docu
men
ts a
ctio
ns to
m
inim
ize
obst
acle
s w
hen
subm
ittin
g co
mpl
aint
s.
- Im
plem
ents
pro
cedu
res
for a
ddre
ssin
g co
mpl
aint
s an
d gr
ieva
nces
. - E
stab
lishe
s, d
ocum
ents
, an
d m
aint
ains
co
mm
unic
atio
ns
proc
edur
es fo
r add
ress
ing
grie
vanc
es a
nd c
ompl
aint
s w
ith p
rope
r reg
ard
for
conf
iden
tialit
y an
d pr
ivac
y.
- Com
mun
icat
es b
est
prac
tice
proc
edur
es
rega
rdin
g ad
dres
sing
gr
ieva
nces
and
co
mpl
aint
s w
hile
re
duci
ng o
bsta
cles
for
filin
g su
ch w
ith
exte
rnal
sta
keho
lder
s an
d m
embe
rs o
f the
co
mm
unity
.
85869_ASFIS_Rev0_1-52.pdf 3885869_ASFIS_Rev0_1-52.pd2.pdf 3f 388 3/21/13 11:54 AM3/21/13 11:54 AM4 AM
AN
SI/A
SIS
PS
C.3
-201
3
27
Mat
urity
Mod
el fo
r the
Pha
sed
Impl
emen
tatio
n of
the
ANSI
/ASI
S PS
C.1
-201
2
AN
SI/A
SIS
PSC
.1
Stan
dard
C
laus
e
Cor
e El
emen
t Is
sues
Add
ress
ed
by C
ore
Elem
ent
(est
ablis
h,
impl
emen
t, an
d m
aint
ain)
Pre-
awar
enes
s (P
hase
One
)
Proj
ect
App
roac
h (P
hase
Tw
o)
Prog
ram
A
ppro
ach
(Pha
se T
hree
)
Syst
ems
App
roac
h (P
hase
Fou
r)
Man
agem
ent
Syst
em
(Pha
se F
ive)
Hol
istic
M
anag
emen
t (P
hase
Six
)
mai
ntai
ns p
roce
dure
s fo
r add
ress
ing
grie
vanc
es a
nd
com
plai
nts
with
pr
oper
rega
rd fo
r co
nfid
entia
lity
and
priv
acy.
9.4.
4 W
hist
lebl
ower
po
licy
- Est
ablis
hing
a
whi
stle
blow
er
proc
edur
e.
- Est
ablis
hing
and
co
mm
unic
atin
g pr
oced
ures
fo
r ind
ivid
ual’s
repo
rt of
a
nonc
onfo
rman
ce in
goo
d fa
ith w
ithou
t rep
ercu
ssio
ns.
- No
whi
stle
blow
er
polic
y in
effe
ct.
- Org
aniz
atio
n co
mm
unic
ates
that
an
onym
ous
whi
stle
blow
ers
will
no
t fac
e an
y ad
vers
e ac
tion
with
in th
e sc
ope
of
the
proj
ect.
- Org
aniz
atio
n co
mm
unic
ates
that
an
onym
ous
whi
stle
blow
ers
will
not
fa
ce a
ny a
dver
se
actio
n w
ithin
the
scop
e of
the
prog
ram
.
- Org
aniz
atio
n co
mm
unic
ates
that
an
onym
ous
whi
stle
blow
ers
mak
ing
a re
port
in
good
faith
inte
rnal
ly
will
not
face
any
ad
vers
e ac
tion.
- Org
aniz
atio
n es
tabl
ishe
s,
com
mun
icat
es, a
nd
docu
men
ts p
roce
dure
s fo
r an
onym
ous
whi
stle
blow
ers
mak
ing
a re
port
in g
ood
faith
inte
rnal
ly o
r ext
erna
lly
to a
ppro
pria
te a
utho
ritie
s w
ill n
ot fa
ce a
ny a
dver
se
actio
n.
- Cul
ture
of
impr
ovem
ent i
s as
su
ch th
at e
mpl
oyee
s fe
el c
omfo
rtabl
e to
re
port
any
poss
ible
no
ncon
form
ance
to
top
man
agem
ent
with
out r
eper
cuss
ions
if
actin
g in
goo
d fa
ith.
9.5.
1 R
espe
ct fo
r H
uman
Rig
hts
- Ens
urin
g re
spec
t for
hu
man
righ
ts a
nd
hum
an d
igni
ty.
- Pro
cedu
res
to tr
eat a
ll pe
rson
s w
ith d
igni
ty a
nd
resp
ect f
or th
eir h
uman
rig
hts.
- No
polic
y co
ncer
ning
hum
an
right
s.
- Pol
icy
stat
emen
t ad
dres
sing
hum
an
right
s is
sues
with
in
the
scop
e of
the
proj
ect.
- Ide
ntifi
es h
uman
rig
hts
risks
and
ta
kes
actio
n to
m
anag
e th
at ri
sk
with
in th
e sc
ope
of
that
pro
ject
.
- Ide
ntifi
es p
rogr
am-
wid
e hu
man
righ
ts ri
sk
and
impl
emen
ts ri
sk
treat
men
t pro
cedu
res
that
sup
port
the
reco
mm
ende
d go
od
prac
tices
of t
he
Mon
treux
Doc
umen
t an
d ar
e co
nsis
tent
with
th
e pr
inci
ples
of t
he
ICoC
as
wel
l as
any
cont
ract
ual,
lega
l, an
d re
gula
tory
re
quire
men
ts.
- Ide
ntifi
es a
nd
asse
sses
hum
an
right
s ris
k to
est
ablis
h an
d co
mm
unic
ate
proc
edur
es to
resp
ect
hum
an ri
ghts
and
co
nduc
t all
its
activ
ities
con
sist
ent
with
the
prin
cipl
es o
f th
e M
ontre
ux
Doc
umen
t and
the
ICoC
, as
wel
l as
any
cont
ract
ual,
lega
l, an
d re
gula
tory
re
quire
men
ts.
- Im
plem
ents
, doc
umen
ts,
and
mai
ntai
ns p
roce
dure
s to
resp
ect h
uman
righ
ts
and
cond
uct c
onsi
sten
t w
ith th
e pr
inci
ples
of t
he
Mon
treux
Doc
umen
t and
th
e IC
oC, a
s w
ell a
s an
y co
ntra
ctua
l, le
gal,
and
regu
lato
ry re
quire
men
t ap
plic
able
. - P
roce
dure
s ar
e co
mm
unic
ated
to a
ll pe
rson
s w
orki
ng o
n th
e or
gani
zatio
n’s
beha
lf.
- Pro
cedu
res
to re
port
and
addr
ess
any
nonc
onfo
rman
ce.
- Org
aniz
atio
nal w
ide
cultu
re o
f res
pect
ing
hum
an ri
ghts
and
hu
man
dig
nity
. - S
hare
s be
st
prac
tices
with
sup
ply
chai
n, s
ubco
ntra
ctor
s,
clie
nts,
and
the
com
mun
ity.
9.5.
2 R
ules
for
Use
of F
orce
and
U
se o
f For
ce
Trai
ning
- Est
ablis
hes
the
rule
s fo
r the
use
of
forc
e an
d re
quire
men
ts fo
r us
e of
forc
e tra
inin
g.
- Pro
cess
es a
nd
proc
edur
es fo
r use
of f
orce
co
nsis
tent
with
con
tract
ual
oblig
atio
ns a
nd le
gal
requ
irem
ents
. - E
stab
lishm
ent o
f a u
se o
f fo
rce
cont
inuu
m.
-Tra
inin
g to
sup
port
QA
MS
an
d m
inim
ize
the
use
of
forc
e ex
cept
whe
n ne
cess
ary.
- No
rule
s or
pr
oced
ures
re
gard
ing
use
of
forc
e.
- Ide
ntifi
es w
hat
need
s to
be
incl
uded
in
the
rule
s fo
r usi
ng
forc
e w
ithin
the
proj
ect s
cope
. - I
dent
ifies
co
mpe
tenc
ies
and
train
ing
need
s as
soci
ated
with
the
use
of fo
rce
and
wea
pon-
spec
ific
- Dev
elop
s ru
les
for
usin
g fo
rce
with
in th
e pr
ogra
m s
cope
. - T
rain
s pe
rson
nel t
o ut
ilize
reas
onab
le
step
s to
avo
id th
e us
e of
forc
e.
- Ide
ntifi
es
com
pete
ncie
s an
d tra
inin
g ne
eds
asso
ciat
es w
ith th
e us
e
- Im
plem
ents
rule
s fo
r us
e of
forc
e an
d pr
oced
ures
for
train
ing
pers
onne
l on
use
of fo
rce.
- E
nsur
es ru
les
for t
he
use
of fo
rce
are
com
plia
ble
with
the
clie
nt a
nd a
co
mpe
tent
lega
l au
thor
ity.
- Est
ablis
hes,
doc
umen
ts,
and
mai
ntai
ns ru
les
for u
se
of fo
rce
and
proc
edur
es fo
r tra
inin
g pe
rson
nel o
n us
e of
forc
e.
- All
pers
onne
l are
trai
ned
in re
gard
s to
use
of f
orce
to
ensu
re th
at u
se o
f for
ce is
pr
opor
tiona
te to
the
thre
at
and
appr
opria
te to
the
situ
atio
n.
- Cul
ture
of u
sing
m
inim
um a
mou
nt o
f fo
rce
nece
ssar
y is
th
roug
hout
the
orga
niza
tion
and
supp
orte
d by
top
man
agem
ent.
- Sha
res
best
pr
actic
es w
ith
stak
ehol
ders
and
su
bcon
tract
ors.
85869_ASFIS_Rev0_1-52.pdf 3985869_ASFIS_Rev0_1-52.pdf 392.pdf 39 3/21/13 11:54 AM3/21/13 11:54 AM
AN
SI/A
SIS
PS
C.3
-201
3
28
Mat
urity
Mod
el fo
r the
Pha
sed
Impl
emen
tatio
n of
the
ANSI
/ASI
S PS
C.1
-201
2
AN
SI/A
SIS
PSC
.1
Stan
dard
C
laus
e
Cor
e El
emen
t Is
sues
Add
ress
ed
by C
ore
Elem
ent
(est
ablis
h,
impl
emen
t, an
d m
aint
ain)
Pre-
awar
enes
s (P
hase
One
)
Proj
ect
App
roac
h (P
hase
Tw
o)
Prog
ram
A
ppro
ach
(Pha
se T
hree
)
Syst
ems
App
roac
h (P
hase
Fou
r)
Man
agem
ent
Syst
em
(Pha
se F
ive)
Hol
istic
M
anag
emen
t (P
hase
Six
)
train
ing
with
in th
e pr
ojec
t sco
pe.
- Tra
ins
pers
onne
l to
utili
ze re
ason
able
st
eps
to a
void
the
use
of fo
rce
with
in
the
proj
ect s
cope
.
of fo
rce
and
wea
pon-
spec
ific
train
ing
with
in
the
prog
ram
sco
pe.
- Use
s fo
rce
cont
inuu
m to
reso
lve
thre
ats
with
min
imum
ne
cess
ary
forc
e.
- Aw
aren
ess
train
ing
on th
e pa
ram
eter
s of
se
lf-de
fens
e.
- Use
of l
etha
l and
non
-le
thal
forc
e is
just
ified
onl
y un
der c
ondi
tions
of
nece
ssity
whe
n th
ere
is a
re
ason
able
bel
ief t
hat a
pe
rson
or p
erso
ns p
rese
nts
an im
min
ent t
hrea
t of d
eath
or
ser
ious
bod
ily h
arm
to
the
indi
vidu
al o
r oth
ers
in
the
vici
nity
.
9.5.
3 O
ccup
atio
nal
Hea
lth a
nd S
afet
y - P
roce
dure
s to
pr
omot
e a
safe
an
d he
alth
y w
ork
envi
ronm
ent.
- Pro
cedu
res
and
proc
esse
s to
pro
mot
e a
safe
and
hea
lthy
wor
king
en
viro
nmen
t, in
clud
ing
prec
autio
ns to
pro
tect
pe
ople
dur
ing
high
risk
or
life-
thre
aten
ing
oper
atio
ns.
- No
or m
inim
al
proc
edur
es fo
r oc
cupa
tiona
l hea
lth
and
safe
ty.
- Ide
ntifi
es
occu
patio
nal h
ealth
an
d sa
fety
risk
s w
ithin
the
scop
e of
th
e pr
ojec
t and
ta
kes
step
s to
m
inim
ize
the
risks
co
nsis
tent
with
lega
l re
quire
men
ts.
- Dev
elop
s pr
ecau
tions
to
pro
tect
peo
ple
wor
king
on
beha
lf of
th
e or
gani
zatio
n in
hig
h ris
k op
erat
ions
. - P
rovi
des
prot
ectiv
e eq
uipm
ent,
appr
opria
te
wea
pons
and
am
mun
ition
with
in th
e sc
ope
of th
e pr
ogra
m.
- Ide
ntifi
es th
e ne
ed fo
r m
edic
al a
nd
psyc
holo
gica
l hea
th
awar
enes
s tra
inin
g,
care
, and
sup
port.
- Est
ablis
hes,
im
plem
ents
, and
m
aint
ains
pre
-em
ptiv
e pr
oced
ures
bas
ed o
n ris
k as
sess
men
t to
prom
ote
a sa
fe a
nd
heal
thy
wor
k en
viro
nmen
t. - E
stab
lishe
s gu
idel
ines
to id
entif
y an
d ad
dres
s w
orkp
lace
vio
lenc
e,
mis
cond
uct,
alco
hol
and
drug
abu
se,
sexu
al h
aras
smen
t, an
d ot
her i
mpr
oper
be
havi
or.
- Im
plem
ent
prec
autio
ns to
pro
tect
pe
ople
wor
king
on
beha
lf of
the
orga
niza
tion
in h
igh
risk
or li
fe-th
reat
enin
g op
erat
ions
. - P
rovi
des
host
ile
envi
ronm
ent t
rain
ing.
- Est
ablis
hes,
impl
emen
ts,
docu
men
ts, a
nd m
aint
ains
pr
oced
ures
to p
rom
ote
a sa
fe a
nd h
ealth
y w
ork
envi
ronm
ent.
- Pro
vide
s pr
oper
pr
otec
tive
equi
pmen
t and
ap
prop
riate
wea
pons
and
am
mun
ition
whe
n ap
prop
riate
. - H
as m
edic
al h
ealth
and
ps
ycho
logi
cal h
ealth
aw
aren
ess
train
ing,
car
e,
and
supp
ort.
- Con
tinuo
usly
ass
essi
ng
occu
patio
nal h
ealth
and
sa
fety
risk
s to
peo
ple
wor
king
on
its b
ehal
f and
th
e ris
ks to
ext
erna
l pa
rties
, and
take
s st
eps
to
redu
ce th
ose
risks
. - P
roce
dure
s an
d pr
ecau
tions
are
con
sist
ent
with
lega
l, re
gula
tory
, and
co
ntra
ctua
l obl
igat
ions
.
- Sha
res
best
pr
actic
es w
ith e
xter
nal
stak
ehol
ders
to
min
imiz
e oc
cupa
tiona
l he
alth
and
saf
ety
risk.
9.5.
4 P
erfo
rman
ce
of S
ecur
ity
Func
tions
- Pro
cedu
res
to
supp
ort t
he
perfo
rman
ce o
f se
curit
y fu
nctio
ns.
- Ope
ratio
nal p
roce
dure
s to
su
ppor
t the
del
iver
y of
se
curit
y se
rvic
es.
- No
or m
inim
al
proc
edur
es fo
r se
curit
y.
- Pro
cedu
res
defin
ed w
ithin
the
scop
e of
the
proj
ect.
- Pro
cedu
res
defin
ed
with
in th
e sc
ope
of th
e pr
ogra
m.
- Pro
cedu
res
base
d on
risk
ass
essm
ent
and
mis
sion
ob
ject
ives
.
- Est
ablis
hes,
impl
emen
ts,
and
mai
ntai
ns d
ocum
ente
d pr
oced
ures
bas
ed o
n ris
k as
sess
men
t and
mis
sion
ob
ject
ives
.
- Sha
res
best
pr
actic
es w
ith e
xter
nal
stak
ehol
ders
.
9.5.
5 In
cide
nt
Man
agem
ent
- P
roce
dure
s to
pr
even
t and
-
Pro
cedu
res
to p
roac
tivel
y pr
even
t, m
itiga
te, a
nd
- No
or m
inim
al
proc
edur
es fo
r - P
roce
dure
s de
fined
with
in th
e - P
roce
dure
s de
fined
w
ithin
the
scop
e of
the
- Pro
cedu
res
for
inci
dent
man
agem
ent
- Est
ablis
hes,
impl
emen
ts,
and
mai
ntai
ns p
roce
dure
s - S
hare
s be
st
prac
tices
with
ext
erna
l
85869_ASFIS_Rev0_1-52.pdf 4085869_ASFIS_Rev0_1-52.pd2.pdf 4f 400 3/21/13 11:54 AM3/21/13 11:54 AM4 AM
AN
SI/A
SIS
PS
C.3
-201
3
29
Mat
urity
Mod
el fo
r the
Pha
sed
Impl
emen
tatio
n of
the
ANSI
/ASI
S PS
C.1
-201
2
AN
SI/A
SIS
PSC
.1
Stan
dard
C
laus
e
Cor
e El
emen
t Is
sues
Add
ress
ed
by C
ore
Elem
ent
(est
ablis
h,
impl
emen
t, an
d m
aint
ain)
Pre-
awar
enes
s (P
hase
One
)
Proj
ect
App
roac
h (P
hase
Tw
o)
Prog
ram
A
ppro
ach
(Pha
se T
hree
)
Syst
ems
App
roac
h (P
hase
Fou
r)
Man
agem
ent
Syst
em
(Pha
se F
ive)
Hol
istic
M
anag
emen
t (P
hase
Six
)
man
age
inci
dent
s.
resp
ond
to in
cide
nts.
- R
isk
avoi
danc
e,
miti
gatio
n, re
duct
ion,
sh
arin
g, a
nd tr
eatm
ent
proc
edur
es to
min
imiz
e th
e lik
elih
ood
and
cons
eque
nces
of a
di
srup
tive
even
t. - P
reve
ntio
n an
d pr
otec
tion
tech
niqu
es to
min
imiz
e ris
k.
- Tec
hniq
ues
for a
re
spon
se s
truct
ure.
- A
ctio
n pl
ans
for i
ncre
ased
th
reat
leve
ls.
- Rec
over
y st
rate
gies
and
pl
ans
base
d on
risk
and
im
pact
ass
essm
ent a
nd
cond
ition
s of
the
disr
uptiv
e ev
ent.
inci
dent
m
anag
emen
t. - D
epen
denc
e on
th
e re
activ
e be
havi
or o
f in
divi
dual
s in
the
orga
niza
tion
(and
ho
pe fo
r the
bes
t).
scop
e of
the
proj
ect.
- Def
ines
pr
oced
ures
to
achi
eve
obje
ctiv
es
and
targ
ets
of
issu
e(s)
add
ress
ed
with
in th
e sc
ope
of
the
proj
ect.
- Dev
elop
s pr
oced
ures
to
supp
ort a
ctio
n pl
ans
incl
udin
g m
easu
res
to re
duce
like
lihoo
d an
d/or
co
nseq
uenc
es.
- Dev
elop
s pr
oced
ures
bas
ed
on id
entif
ied
issu
e(s)
. - M
ay b
e pr
edom
inat
ely
reac
tive
in n
atur
e gi
ven
that
no
form
al
risk
asse
ssm
ent w
as
cond
ucte
d.
prog
ram
. - D
evel
ops
and
impl
emen
ts p
roce
dure
s th
at p
reve
nt (i
f po
ssib
le),
resp
ond
to,
and
reco
ver f
rom
po
tent
ial d
isru
ptiv
e ev
ents
with
in th
e pr
ogra
m s
cope
. - C
onsi
ders
mea
sure
s th
at e
mph
asiz
e m
inim
izin
g co
nseq
uenc
es.
base
d on
risk
as
sess
men
t and
m
issi
on o
bjec
tives
. - D
evel
ops
and
impl
emen
ts
proc
edur
es li
nked
to
the
risk
asse
ssm
ent,
obje
ctiv
es, t
arge
ts,
and
prog
ram
s, w
ith
deta
iled
wor
k pl
ans
how
the
orga
niza
tion
will
pre
vent
, pre
pare
fo
r, re
spon
d to
, and
re
cove
r fro
m
disr
uptiv
e ev
ents
. - P
erio
dica
lly re
view
s an
d, w
here
ne
cess
ary,
revi
ses
its
inci
dent
pre
vent
ion,
pr
epar
edne
ss,
resp
onse
, and
re
cove
ry p
roce
dure
s.
for i
ncid
ent m
anag
emen
t ba
sed
on ri
sk a
sses
smen
t an
d m
issi
on o
bjec
tives
. - E
stab
lishe
s, im
plem
ents
, m
aint
ains
, and
doc
umen
ts
proc
edur
es to
avo
id,
prev
ent,
prot
ect f
rom
, m
itiga
te, r
espo
nd to
and
re
cove
r fro
m a
dis
rupt
ive
even
t and
con
tinue
its
activ
ities
bas
ed o
n qu
ality
as
sura
nce
obje
ctiv
es
deve
lope
d th
roug
h th
e ris
k as
sess
men
t pro
cess
. - E
nsur
es th
at a
ny p
erso
ns
perfo
rmin
g in
cide
nt
prev
entio
n an
d m
anag
emen
t mea
sure
s on
its
beh
alf a
re c
ompe
tent
. - E
stab
lishe
s, d
ocum
ents
, an
d im
plem
ents
pr
oced
ures
for a
m
anag
emen
t stru
ctur
e to
pr
even
t, pr
epar
e fo
r, m
itiga
te, a
nd re
spon
d to
a
disr
uptiv
e ev
ent.
- Est
ablis
hes
deta
iled
proc
edur
es fo
r how
the
orga
niza
tion
will
reco
ver o
r m
aint
ain
its a
ctiv
ities
to a
pr
edet
erm
ined
leve
l, ba
sed
on m
anag
emen
t-app
rove
d re
cove
ry o
bjec
tives
.
stak
ehol
ders
. - I
ncid
ent p
reve
ntio
n,
prep
ared
ness
, re
spon
se, a
nd
reco
very
is in
tegr
ated
w
ith e
xter
nal
stak
ehol
ders
.
9.5.
6 In
cide
nt
Mon
itorin
g,
Rep
ortin
g, a
nd
Inve
stig
atio
ns
- Rep
ortin
g,
inve
stig
atio
n, a
nd
rem
edia
tion
of
inci
dent
s an
d th
eir
cons
eque
nces
.
- Pro
cedu
res
for i
ncid
ent
mon
itorin
g, in
vest
igat
ions
, di
scip
linar
y ar
rang
emen
t, an
d re
med
iatio
n.
- No
or m
inim
al
proc
edur
es.
- Pro
cedu
res
defin
ed w
ithin
the
scop
e of
the
proj
ect.
- Pro
cedu
res
repo
rting
an
d in
vest
igat
ions
de
fined
with
in th
e sc
ope
of th
e pr
ogra
m.
- Def
ine
proc
edur
es
for m
onito
ring,
re
porti
ng,
inve
stig
atin
g,
rem
edia
tion,
and
di
scip
linar
y ac
tion
for
inci
dent
s.
- Est
ablis
hes,
impl
emen
ts,
and
mai
ntai
ns d
ocum
ente
d pr
oced
ures
incl
udin
g co
rrec
tive
and
prev
entiv
e ac
tions
.
- Sha
res
best
pr
actic
es w
ith e
xter
nal
stak
ehol
ders
. - C
omm
unic
ates
pr
oced
ures
to
rele
vant
sta
keho
lder
s.
9.5.
7 In
tern
al a
nd
Ext
erna
l C
ompl
aint
and
G
rieva
nce
Pro
cedu
res
- Ide
ntify
ing
and
addr
essi
ng
grie
vanc
es a
nd
com
plai
nts
from
in
tern
al a
nd
- Pro
cedu
res
for
addr
essi
ng g
rieva
nces
and
co
mpl
aint
s.
- No
proc
edur
es fo
r ad
dres
sing
co
mpl
aint
s or
gr
ieva
nces
.
- Dev
elop
s co
mpl
aint
s an
d gr
ieva
nce
proc
edur
es b
ased
on
pas
t inc
iden
ts.
- Dev
elop
s pr
oced
ures
to
for i
nves
tigat
ions
an
d re
med
iatio
n.
- Com
mun
icat
es
proc
edur
es to
- Im
plem
ents
act
ions
to
rece
ive
and
addr
ess
com
plai
nts
and
grie
vanc
es.
- Est
ablis
hes
- Est
ablis
hes,
mai
ntai
ns,
and
docu
men
ts a
ctio
ns to
re
ceiv
e an
d ad
dres
s co
mpl
aint
s an
d gr
ieva
nces
. - E
stab
lishe
s m
echa
nism
- Com
mun
icat
es b
est
prac
tice
proc
edur
es
rega
rdin
g ad
dres
sing
gr
ieva
nces
and
co
mpl
aint
s w
ith
85869_ASFIS_Rev0_1-52.pdf 4185869_ASFIS_Rev0_1-52.pd2.pdf 4f 411 3/21/13 11:54 AM3/21/13 11:54 AM4 AM
AN
SI/A
SIS
PS
C.3
-201
3
30
Mat
urity
Mod
el fo
r the
Pha
sed
Impl
emen
tatio
n of
the
ANSI
/ASI
S PS
C.1
-201
2
AN
SI/A
SIS
PSC
.1
Stan
dard
C
laus
e
Cor
e El
emen
t Is
sues
Add
ress
ed
by C
ore
Elem
ent
(est
ablis
h,
impl
emen
t, an
d m
aint
ain)
Pre-
awar
enes
s (P
hase
One
)
Proj
ect
App
roac
h (P
hase
Tw
o)
Prog
ram
A
ppro
ach
(Pha
se T
hree
)
Syst
ems
App
roac
h (P
hase
Fou
r)
Man
agem
ent
Syst
em
(Pha
se F
ive)
Hol
istic
M
anag
emen
t (P
hase
Six
)
exte
rnal
st
akeh
olde
rs.
- Est
ablis
hes
proc
edur
es fo
r in
vest
igat
ions
.
appr
opria
te
stak
ehol
ders
. - E
stab
lishe
s co
mm
unic
atio
ns
prot
ocol
s w
ith
appr
opria
te a
utho
ritie
s.
mec
hani
sm to
iden
tify
root
cau
ses.
- P
roce
dure
s es
tabl
ishe
d fo
r co
rrec
tive,
pre
vent
ive,
an
d di
scip
linar
y ac
tions
. - C
omm
unic
ates
with
ap
prop
riate
au
thor
ities
and
st
akeh
olde
rs.
to id
entif
y ro
ot c
ause
s.
- Pro
cedu
res
esta
blis
hed
for c
orre
ctiv
e, p
reve
ntiv
e,
and
disc
iplin
ary
actio
ns.
- Com
mun
icat
es w
ith
appr
opria
te a
utho
ritie
s an
d st
akeh
olde
rs.
exte
rnal
sta
keho
lder
s an
d m
embe
rs o
f the
co
mm
unity
.
10.1
Mon
itorin
g an
d M
easu
rem
ent
- Per
form
ance
ev
alua
tion.
- M
etric
s an
d m
echa
nism
s by
whi
ch th
e or
gani
zatio
n as
sess
es it
s ab
ility
to
achi
eve
its o
bjec
tives
and
ta
rget
s on
an
ongo
ing
basi
s.
- No
form
al
mon
itorin
g.
- No
form
al
mea
sure
men
t.
- Pro
gres
s ag
ains
t sp
ecifi
c in
dica
tors
is
asse
ssed
pe
riodi
cally
with
pe
rson
s in
volv
ed in
re
leva
nt a
ctiv
ities
de
fined
with
in
proj
ect s
cope
. - P
roje
ct in
dica
tors
an
d m
etric
s ar
e es
tabl
ishe
d an
d m
onito
red
to
dem
onst
rate
pr
ogre
ss a
nd
perfo
rman
ce
impr
ovem
ent.
- Ide
ntifi
es a
nd
impl
emen
ts k
ey
char
acte
ristic
s th
at
need
mon
itorin
g an
d m
easu
ring
with
in th
e pr
ogra
m s
cope
.
- Est
ablis
hes,
im
plem
ents
, and
m
aint
ains
pe
rform
ance
met
rics
and
proc
edur
es to
m
onito
r and
mea
sure
, on
a re
gula
r bas
is,
thos
e ch
arac
teris
tics
of it
s op
erat
ions
that
ha
ve m
ater
ial i
mpa
ct
on it
s qu
ality
as
sura
nce
perfo
rman
ce.
- Doc
umen
ts p
roce
dure
s th
at m
onito
r per
form
ance
, ap
plic
able
ope
ratio
nal
cont
rols
, and
con
form
ity
with
the
QA
MS
obj
ectiv
es
and
targ
ets.
- D
ocum
ents
pro
cedu
res
to
mea
sure
the
perfo
rman
ce
of th
e sy
stem
s w
hich
pr
otec
t ass
ets
(hum
an a
nd
phys
ical
), co
mm
unic
atio
ns,
and
info
rmat
ion
syst
ems.
- Sta
keho
lder
s an
d co
mm
unity
incl
uded
in
mon
itorin
g an
d m
easu
rem
ent
proc
esse
s.
10.2
Eva
luat
ion
of
Com
plia
nce
- Com
plia
nce
eval
uatio
n.
- Leg
al a
nd re
gula
tory
co
mpl
ianc
e pe
rform
ance
ev
alua
tion
on a
n on
goin
g ba
sis.
- No
form
al
proc
edur
es
esta
blis
hed
beyo
nd
thos
e al
read
y in
pl
ace
as p
art o
f no
rmal
ope
ratio
ns.
- Com
plia
nce
eval
uate
d an
d de
mon
stra
ted
rela
ted
to th
e pr
ojec
t sc
ope.
- Com
plia
nce
eval
uate
d an
d de
mon
stra
ted
rela
ted
to p
rogr
am s
cope
.
- Est
ablis
hes,
im
plem
ents
, and
m
aint
ains
pr
oced
ure(
s) fo
r pe
riodi
cally
eva
luat
ing
and
dem
onst
ratin
g co
mpl
ianc
e w
ith
appl
icab
le le
gal,
hum
an ri
ghts
, and
ot
her r
equi
rem
ents
.
- Doc
umen
ts p
roce
dure
s an
d re
cord
s an
d re
ports
th
e re
sults
of t
he
eval
uatio
n w
ith c
orre
ctiv
e m
easu
res
and
reco
mm
enda
tions
for
impr
ovem
ent.
- Sta
keho
lder
s an
d co
mm
unity
incl
uded
in
com
plia
nce
eval
uatio
n.
10.3
Exe
rcis
es
and
Test
ing
- Ass
essi
ng a
nd
valid
atin
g Q
AM
S
elem
ents
.
- Pro
cess
to m
easu
re a
nd
eval
uate
app
ropr
iate
ness
an
d ef
ficac
y of
the
QA
MS
: its
pro
gram
s, p
roce
sses
, an
d pr
oced
ures
(inc
ludi
ng
stak
ehol
der r
elat
ions
hips
an
d su
bcon
tract
or
- Lim
ited
or n
o ex
erci
sing
or
test
ing.
- Exe
rcis
ing
and
test
ing
are
plan
ned
and
cond
ucte
d as
re
quire
d by
pro
ject
sc
ope.
- R
esul
ts o
f ex
erci
ses
and
test
s
- Exe
rcis
ing
and
test
ing
are
plan
ned
and
cond
ucte
d as
requ
ired
by p
rogr
am s
cope
. - R
esul
ts o
f exe
rcis
es
and
test
s de
mon
stra
te
prog
ram
qua
lity
- Tes
ts a
nd e
xerc
ises
de
sign
ed to
val
idat
e ap
prop
riate
ness
and
ef
fect
iven
ess
of
actio
n pl
ans
and
proc
edur
es, a
s w
ell
as in
terr
elat
ions
hip
of
- Com
preh
ensi
ve
docu
men
tatio
n of
exe
rcis
es
and
test
s.
- Pro
duce
s a
form
aliz
ed
post
-exe
rcis
e re
port
that
co
ntai
ns a
ccou
ntab
le
outc
omes
,
- Sta
keho
lder
s an
d co
mm
unity
incl
uded
in
exer
cise
and
test
s.
85869_ASFIS_Rev0_1-52.pd2.pdf 4f 422 3/21/13 11:54 AM3/21/13 11:54 AM4 AM
AN
SI/A
SIS
PS
C.3
-201
3
31
Mat
urity
Mod
el fo
r the
Pha
sed
Impl
emen
tatio
n of
the
ANSI
/ASI
S PS
C.1
-201
2
AN
SI/A
SIS
PSC
.1
Stan
dard
C
laus
e
Cor
e El
emen
t Is
sues
Add
ress
ed
by C
ore
Elem
ent
(est
ablis
h,
impl
emen
t, an
d m
aint
ain)
Pre-
awar
enes
s (P
hase
One
)
Proj
ect
App
roac
h (P
hase
Tw
o)
Prog
ram
A
ppro
ach
(Pha
se T
hree
)
Syst
ems
App
roac
h (P
hase
Fou
r)
Man
agem
ent
Syst
em
(Pha
se F
ive)
Hol
istic
M
anag
emen
t (P
hase
Six
)
inte
rdep
ende
ncie
s) to
driv
e it.
- A
n ex
erci
se p
rogr
am.
- Con
tinua
l im
prov
emen
t pl
an re
view
ed w
ith a
nd
agre
ed to
by
top
man
agem
ent t
o en
sure
ap
prop
riate
act
ion
is ta
ken.
dem
onst
rate
pro
ject
qu
ality
ass
uran
ce
perfo
rman
ce
impr
ovem
ents
and
bu
sine
ss b
enef
its.
assu
ranc
e pe
rform
ance
im
prov
emen
ts a
nd
busi
ness
ben
efits
.
elem
ents
in Q
AM
S –
in
clud
ing
appr
opria
te
exte
rnal
par
ties
(e.g
., fir
st re
spon
ders
) and
st
akeh
olde
rs.
- Tes
ts a
nd e
xerc
ises
co
nduc
ted
in a
m
anne
r tha
t lim
its
disr
uptio
n to
op
erat
ion
and
expo
ses
peop
le,
asse
ts, a
nd
info
rmat
ion
to m
inim
al
risk.
reco
mm
enda
tions
, and
ar
rang
emen
ts to
impl
emen
t im
prov
emen
ts in
a ti
mel
y fa
shio
n.
10.4
N
onco
nfor
mity
C
orre
ctiv
e A
ctio
n,
and
Pre
vent
ive
Act
ion
- Mon
itor a
nd
addr
ess
nonc
onfo
rmiti
es.
- Pro
cess
to id
entif
y no
ncon
form
ities
and
thei
r ro
ot c
ause
. - M
echa
nism
s fo
r el
imin
atin
g th
e ca
uses
of
dete
cted
non
conf
orm
ities
bo
th in
the
QA
MS
and
the
oper
atio
nal p
roce
sses
. - M
echa
nism
s fo
r in
stig
atin
g ac
tion
to
elim
inat
e po
tent
ial c
ause
s of
non
conf
orm
ities
in b
oth
the
QA
MS
and
the
oper
atio
nal p
roce
sses
.
- Min
imum
requ
ired
by la
w.
- Dev
iatio
ns fr
om
actio
n pl
ans,
pr
ogra
ms,
ob
ject
ives
, and
ta
rget
s w
ithin
the
proj
ect s
cope
are
ev
alua
ted
for
oppo
rtuni
ties
for
impr
ovem
ent.
- Ade
quat
e co
rrec
tive
and
prev
enta
tive
actio
ns
take
n (if
nec
essa
ry)
to e
nsur
e th
e pr
ojec
t pr
ogre
sses
ac
cord
ing
to p
lan.
Dev
iatio
ns fr
om a
ctio
n pl
ans,
pro
gram
s,
obje
ctiv
es, a
nd ta
rget
s w
ithin
the
prog
ram
sc
ope
are
eval
uate
d fo
r opp
ortu
nitie
s fo
r im
prov
emen
t. - E
stab
lishe
s a
corr
ectiv
e an
d pr
even
tativ
e ac
tion
proc
ess.
- Est
ablis
hes
proc
edur
es to
de
term
ine
nonc
onfo
rmiti
es in
the
QA
MS
, ris
k as
sess
men
t, ob
ject
ives
, tar
gets
, pr
ogra
ms,
act
ion
plan
s, a
nd th
eir
impl
emen
tatio
n.
- Eva
luat
es a
ctua
l an
d po
tent
ial n
on-
conf
orm
ance
s to
el
imin
ate
the
caus
es
and
prev
ent t
heir
occu
rren
ce o
r re
curr
ence
.
- Est
ablis
hes,
impl
emen
ts,
and
mai
ntai
ns d
ocum
ente
d pr
oced
ures
for d
ealin
g w
ith
actu
al a
nd p
oten
tial
nonc
onfo
rmiti
es a
nd fo
r ta
king
cor
rect
ive
actio
n an
d pr
even
tive
actio
n.
- Rev
iew
s ef
fect
iven
ess
of
corr
ectiv
e ac
tions
and
take
pr
even
tativ
e ac
tions
.
- Sta
keho
lder
s an
d co
mm
unity
incl
uded
in
nonc
onfo
rmity
, co
rrec
tive,
and
pr
even
tive
actio
ns.
10.5
Inte
rnal
Aud
it - C
ondu
ct
man
agem
ent
syst
em a
udits
.
- Int
erna
l aud
its o
f sys
tem
an
d pr
ogra
ms.
- A
udit
repo
rts re
view
ed b
y to
p m
anag
emen
t.
- Not
con
duct
ed fo
r qu
ality
ass
uran
ce
man
agem
ent.
- Per
form
ance
of
proj
ect a
udite
d in
form
ally
. - P
roje
ct L
eade
r ov
erse
es
deve
lopm
ent o
f au
dit p
roce
dure
s.
- Con
duct
s au
dit o
f pr
ogra
m w
ithin
def
ined
sc
ope,
incl
udin
g al
l el
emen
ts o
f the
pr
ogra
m.
- Det
erm
ines
wha
t ne
eds
to b
e au
dite
d.
- Pla
ns a
nd
impl
emen
ts a
n au
dit
prog
ram
. - A
sses
ses
whe
ther
th
e Q
AM
S m
eets
re
leva
nt le
gal,
regu
lato
ry, h
uman
rig
hts,
and
con
tract
ual
oblig
atio
ns.
- Rep
orts
aud
it fin
ding
s to
- Est
ablis
hes,
impl
emen
ts,
and
mai
ntai
ns d
ocum
ente
d pr
oced
ures
for i
nter
nal
audi
ts.
- Res
pons
ibili
ty o
f aud
it pr
ogra
m a
ssig
ned
to a
n in
divi
dual
that
has
kn
owle
dge
and
unde
rsta
ndin
g of
aud
it pr
inci
ples
. - D
eter
min
es w
heth
er th
e co
ntro
l obj
ectiv
es, r
isk
cont
rols
, pro
cess
es, a
nd
- Aud
it in
clud
es
stak
ehol
der a
nd
com
mun
ity
inte
ract
ions
, as
wel
l as
sub
cont
ract
ors
and
the
supp
ly c
hain
.
85869_ASFIS_Rev0_1-52.pdf 4385869_ASFIS_Rev0_1-52.pdf 432.pdf 43 3/21/13 11:54 AM3/21/13 11:54 AM
AN
SI/A
SIS
PS
C.3
-201
3
32
Mat
urity
Mod
el fo
r the
Pha
sed
Impl
emen
tatio
n of
the
ANSI
/ASI
S PS
C.1
-201
2
AN
SI/A
SIS
PSC
.1
Stan
dard
C
laus
e
Cor
e El
emen
t Is
sues
Add
ress
ed
by C
ore
Elem
ent
(est
ablis
h,
impl
emen
t, an
d m
aint
ain)
Pre-
awar
enes
s (P
hase
One
)
Proj
ect
App
roac
h (P
hase
Tw
o)
Prog
ram
A
ppro
ach
(Pha
se T
hree
)
Syst
ems
App
roac
h (P
hase
Fou
r)
Man
agem
ent
Syst
em
(Pha
se F
ive)
Hol
istic
M
anag
emen
t (P
hase
Six
)
man
agem
ent a
nd
acts
upo
n th
em.
proc
edur
es o
f QA
MS
are
co
nduc
ted
prop
erly
and
are
ac
hiev
ing
the
desi
red
resu
lts.
- Ide
ntifi
es o
ppor
tuni
ties
for
impr
ovem
ent.
- Ens
ures
that
act
ions
are
ta
ken
with
out u
ndue
del
ay
to e
limin
ate
dete
cted
no
ncon
form
ities
and
thei
r ca
uses
.
10.6
Man
agem
ent
Rev
iew
- T
op
man
agem
ent
revi
ew.
- Man
agem
ent r
evie
w o
f th
e Q
AM
S’s
per
form
ance
, ad
equa
cy, a
nd
effe
ctiv
enes
s to
iden
tify
oppo
rtuni
ties
for
impr
ovem
ent.
- Prio
ritie
s, p
olic
y,
obje
ctiv
es, a
nd ta
rget
s to
su
ppor
t con
tinua
l im
prov
emen
t.
- No
man
agem
ent
revi
ew o
f qua
lity
assu
ranc
e m
anag
emen
t.
- Pro
ject
Lea
der
supe
rvis
or (a
nd
othe
r app
ropr
iate
m
embe
rs o
f the
m
anag
emen
t tea
m)
revi
ews
the
perfo
rman
ce o
f pr
ojec
t and
repo
rts
to p
roje
ct s
pons
or.
- Col
lect
s an
d re
tain
s ev
iden
ce
addr
essi
ng p
roje
ct
impl
emen
tatio
n an
d re
sults
.
- Pro
gram
Lea
der (
and
othe
r app
ropr
iate
m
embe
rs o
f the
m
anag
emen
t tea
m)
revi
ews
the
prog
ram
pe
rform
ance
and
re
ports
to p
rogr
am
spon
sor.
- Use
s re
view
to
dem
onst
rate
bus
ines
s ca
se fo
r QA
MS
and
pr
ovid
e a
basi
s to
see
k fu
rther
effi
cien
cies
by
linki
ng c
ore
elem
ents
in
a s
yste
ms
appr
oach
. -P
roje
ct le
ader
(and
ot
her a
ppro
pria
te
mem
bers
of t
he
man
agem
ent t
eam
) m
odifi
es p
roce
dure
s th
at e
ffect
risk
s as
ne
cess
ary
to re
spon
d to
eve
nts
(inte
rnal
or
exte
rnal
) tha
t may
af
fect
QA
MS
. - C
olle
cts
and
reta
ins
evid
ence
add
ress
ing
prog
ram
im
plem
enta
tion
and
resu
lts.
- Rev
iew
s in
tegr
atio
n of
QA
MS
ele
men
ts.
- Rev
iew
s th
e su
itabi
lity,
ade
quac
y,
and
effe
ctiv
enes
s of
th
e Q
AM
S.
- Top
man
agem
ent
revi
ews
the
polic
ies,
ob
ject
ives
, eva
luat
ion
of p
rogr
am
impl
emen
tatio
n, a
udit
resu
lts, a
nd c
hang
es
resu
lting
from
pr
even
tive
and
corr
ectiv
e ac
tions
. - T
op m
anag
emen
t re
view
incl
udes
an
upda
te o
f the
risk
as
sess
men
t and
po
ssib
le
impr
ovem
ents
to th
e ef
fect
iven
ess
of th
e Q
AM
S.
- Col
lect
s an
d re
tain
s ev
iden
ce a
ddre
ssin
g Q
AM
S
impl
emen
tatio
n an
d re
sults
.
- Top
man
agem
ent
parti
cipa
tes
in d
ocum
ente
d re
view
s of
the
QA
MS
at
plan
ned
inte
rval
s to
ens
ure
its c
ontin
uing
sui
tabi
lity,
ad
equa
cy, a
nd
effe
ctiv
enes
s.
- Ass
esse
s op
portu
nitie
s fo
r im
prov
emen
t and
the
need
for c
hang
es to
Q
AM
S, i
nclu
ding
the
QA
MS
pol
icy
and
obje
ctiv
es, t
arge
ts, a
nd ri
sk
crite
ria.
-Top
Man
agem
ent r
evie
w
incl
udes
dec
isio
ns a
nd
actio
ns re
late
d to
pos
sibl
e ch
ange
s to
pol
icy
obje
ctiv
es, t
arge
ts, a
nd
othe
r ele
men
ts o
f the
Q
AM
S, w
ith th
e ai
m o
f pr
omot
ing
cont
inuo
us
impr
ovem
ent.
- Add
ress
es re
sour
ce
need
s fo
r im
prov
emen
ts.
- Add
ress
es im
prov
emen
t of
how
the
effe
ctiv
enes
s of
co
ntro
ls is
mea
sure
d.
- Int
egra
tes
revi
ew
with
ove
rall
risk
man
agem
ent a
nd
fisca
l rev
iew
pr
oces
ses.
- R
evie
w in
clud
es
eval
uatio
n of
su
itabi
lity,
ade
quac
y,
and
effe
ctiv
enes
s w
ith
rega
rd to
st
akeh
olde
rs, c
lient
s,
subc
ontra
ctor
s,
com
mun
ity, a
nd
supp
ly c
hain
. - T
op m
anag
emen
t pr
omot
es q
ualit
y as
sura
nce
with
ex
tern
al s
take
hold
ers
(sup
ply
chai
n an
d co
mm
unity
).
85869_ASFIS_Rev0_1-52.pdf 4485869_ASFIS_Rev0_1-52.pd2.pdf 4f 444 3/21/13 11:54 AM3/21/13 11:54 AM4 AM
AN
SI/A
SIS
PS
C.3
-201
3
33
Mat
urity
Mod
el fo
r the
Pha
sed
Impl
emen
tatio
n of
the
ANSI
/ASI
S PS
C.1
-201
2
AN
SI/A
SIS
PSC
.1
Stan
dard
C
laus
e
Cor
e El
emen
t Is
sues
Add
ress
ed
by C
ore
Elem
ent
(est
ablis
h,
impl
emen
t, an
d m
aint
ain)
Pre-
awar
enes
s (P
hase
One
)
Proj
ect
App
roac
h (P
hase
Tw
o)
Prog
ram
A
ppro
ach
(Pha
se T
hree
)
Syst
ems
App
roac
h (P
hase
Fou
r)
Man
agem
ent
Syst
em
(Pha
se F
ive)
Hol
istic
M
anag
emen
t (P
hase
Six
)
11.1
Cha
nge
Man
agem
ent
- QA
M c
hang
e m
anag
emen
t. - C
hang
e m
anag
emen
t pr
ovis
ions
for i
mpr
ovem
ent
of Q
AM
S p
rogr
ams,
sy
stem
s, a
nd/o
r op
erat
iona
l pro
cess
es.
- No
QA
MS
to
mai
ntai
n or
link
to
chan
ge
man
agem
ent
proc
ess.
- Pro
ject
out
com
es
that
impr
ove
qual
ity
assu
ranc
e pe
rform
ance
be
com
e st
anda
rd
oper
atin
g pr
oced
ures
.
- Pro
gram
and
act
ion
plan
s ou
tcom
es th
at
impr
ove
qual
ity
assu
ranc
e pe
rform
ance
bec
ome
stan
dard
ope
ratin
g pr
oced
ures
.
- Any
inte
rnal
or
exte
rnal
cha
nges
(in
clud
ing
outp
uts
from
exe
rcis
es,
audi
ts, a
nd re
view
s)
that
impa
ct th
e or
gani
zatio
n ar
e re
view
ed in
rela
tion
to
the
QA
MS
.
- Est
ablis
h do
cum
ente
d ch
ange
man
agem
ent
proc
edur
es fo
r QA
MS
tied
to
oth
er c
hang
e m
anag
emen
t pro
gram
s.
- Int
egra
te c
hang
e m
anag
emen
t for
Q
AM
S w
ith e
xter
nal
stak
ehol
ders
(sup
ply
chai
n cl
ient
s,
subc
ontra
ctor
s, a
nd
com
mun
ity).
11.2
Opp
ortu
nitie
s fo
r Im
prov
emen
t - E
valu
ate
and
impl
emen
t op
portu
nitie
s fo
r im
prov
emen
t.
- Con
tinua
l im
prov
emen
t pr
oces
s fo
r the
QA
MS
, ris
k m
anag
emen
t, an
d qu
ality
as
sura
nce
perfo
rman
ce.
- No
QA
MS
to li
nk
to c
ontin
ual
impr
ovem
ent
proc
ess.
- Opp
ortu
nitie
s fo
r im
prov
emen
t id
entif
ied
for u
se in
ot
her p
roje
cts.
- Im
plem
ent
proc
edur
es fo
r co
ntin
uous
im
prov
emen
t of
prog
ram
.
- Con
tinua
lly
impr
oves
the
effe
ctiv
enes
s of
Q
AM
S th
roug
h th
e us
e of
the
qual
ity
assu
ranc
e m
anag
emen
t pol
icy,
ob
ject
ives
, aud
it re
sults
, ana
lysi
s of
m
onito
red
even
ts,
corr
ectiv
e an
d pr
even
tive
actio
ns,
and
man
agem
ent
revi
ew.
- Con
tinua
l im
prov
emen
t is
a pa
rt of
the
orga
niza
tion’
s cu
lture
, dem
onst
rate
d at
all
leve
ls.
- Int
egra
te c
ontin
ual
impr
ovem
ent o
f Q
AM
S w
ith e
xter
nal
stak
ehol
ders
(sup
ply
chai
n, c
lient
s,
subc
ontra
ctor
s, a
nd
com
mun
ity).
85869_ASFIS_Rev0_1-52.pdf 452.pdf 45 3/21/13 11:54 AM3/21/13 11:54 AM
ANSI/ASIS PSC.3-2013
34
Annex A
(informative)
A. USING THE MATURITY MODEL IN AN INTERNAL
RECOGNITION PROGRAM The maturity model can serve as the basis for a recognition program within the organization. Attainment of a maturity level serves as the performance indicator for the recognition program. By using a recognition program, the organization can incentivize its stakeholders to continually improve resilience and preparedness performance. The maturity model establishes realistic achievable goals for the organization to maintain the level of performance within resource constraints. Organizations, regardless of their level of maturity, have an obligation to respect human rights.
Using a simple recognition structure, the stages can be translated into the following achievement levels:
Phase One: Pre-awareness Phase Two: Bronze Phrase Three: Silver Phase Four: Gold Phase Five: Platinum6 Phase Six: Diamond
6 At this level, an organization is ready for certification and should consider going to a certification body for validation.
85869_ASFIS_Rev0_1-52.pdf 4685869_ASFIS_Rev0_1-52.pdf 462.pdf 46 3/21/13 11:54 AM3/21/13 11:54 AM
ANSI/ASIS PSC.3-2013
35
Annex B (informative)
B. GETTING STARTED USING THE ANSI/ASIS PSC.1-2012 Beginning with Stage 2, the organization executes a spiral implementation of the standard (see Figure B.1), initially identifying the organizations’ strategic context, and then moving through a broadening implementation cycle, applying similar steps first at the project level, then program, and then finally to the organization overall.
Step 1: Identify the goals you wish to achieve.
Start with your organization’s overall strategic goals: What are the objectives you are supposed to achieve?
Identify a project that will allow demonstration of your organization’s ability to achieve these overall goals within the context of a single project.
Overall organizational goals may change over time as the strategic context changes or as the result of experience at the project or program level.
Step 2: Identify stakeholders’ expectations. Others involved in the quality assurance process may include clients, subcontractors, employees, local populations, shareholders, and government agencies.
Start with stakeholders at the strategic level, those that influence your organization’s overall mission, success, and continued existence.
Identify stakeholders at the project level. Some stakeholders will be the same as those at the strategic level. Others will have less impact at the project level, while new stakeholders will appear.
Step 3: Review ANSI/ASIS PSC.1-2012 within the context of your organization’s: strategic goals, its stakeholders’ goals, and the identified project to begin initial implementation of the standard.
Step 4: Tailor ANSI/ASIS PSC.1-2012 to meet the needs of your clients and your management system (where one exists). Depending on the context of your organization and its operations, not every requirement of the standard may apply with equal weight to your organization or the initiating project. Review the standard to determine which requirements best address identified risks and process improvements.
Step 5: Perform a gap analysis between your current QAMS (or existing management policy) and ANSI/ASIS PSC.1-2012. Evaluate the existing QAMS for each element against ANSI/ASIS PSC.1-2012 using either an internal assessment or one performed by an external organization. Although you should look across the organization, conduct a detailed analysis of the initiating project. Rate each element according to the Maturity Model Matrix as follows:
The existing system is adequate; The existing system needs improvement; or
85869_ASFIS_Rev0_1-52.pdf 4785869_ASFIS_Rev0_1-52.pd2.pdf 4f 477 3/21/13 11:54 AM3/21/13 11:54 AM4 AM
ANSI/ASIS PSC.3-2013
36
The existing system is inadequate or does not exist.
If no QAMS exists or the existing elements of QAM are inadequate, then a QAMS implementation strategy must be developed to address each element. Identify actions needed to close the gaps. Assign resources to perform the needed actions. Assign responsibilities and establish a completion schedule. A document control system should be designed if none exists. Document the QAMS design and review the design with top management and the element owners.
Step 6: Obtain guidance on special topics within the QAMS. Topic-specific standards include:
ISO 19011:2011, Guidelines for auditing management systems. ISO 10006:2003, Quality management systems - Guidelines for quality management in projects. ISO 10015:1999, Quality management - Guidelines for training. ISO/TR 10013:2001, Guidelines for quality management system documentation. ISO 10007:2003, Quality management systems - Guidelines for configuration management. ISO 10014:2006, Quality management - Guidelines for realizing financial and economic benefits.
Step 7: Write the draft QAMS manual for the initiating project.
Step 8: Create procedure and work instruction documents for the initiating project.
Assign personnel to identify and design processes and write needed work instructions and procedures.
Train writers on the requirements of ANSI/ASIS PSC.1-2012, the content of the QAMS manual, and its design.
Write the final draft of the QAMS manual. Conduct an internal audit to determine if all of the requirements of ANSI/ASIS PSC.1-
2012 are met by the QAMS manual, procedure documents, and work instructions.
Step 9: Deploy the QAMS.
Deploy the QAMS procedures to all appropriate persons working on behalf of the organization.
Train persons working on behalf of the organization to use each procedure that is applicable to their work.
Train all persons working on behalf of the organization in the use and maintenance of the QAMS manual. Emphasize the requirements for preventative action, document control, and records retention.
Step 10: Use Internal Audits.
Conduct internal audits. Take corrective action whenever necessary where non-compliance is found with the
requirements of the standard, procedures, work instructions, or the QAMS manual. Continue to re-audit areas with continuing non-compliances. Revise any procedure or work instruction which proves to be ineffective or incorrect.
85869_ASFIS_Rev0_1-52.pdf 4885869_ASFIS_Rev0_1-52.pd2.pdf 4f 488 3/21/13 11:54 AM3/21/13 11:54 AM4 AM
ANSI/ASIS PSC.3-2013
37
Step 11: Analyze results and improve the QAMS.
Does performance under the QAMS support the project and strategic goals of the organization?
Does it address local and strategic stakeholder expectations? Are there gaps between performance and standards requirements? If yes, review the
project QAMS and make revisions to processes, documentation, and training. If the project level QAMS system is adequate, the organization can move on to repeat the cycle at the program level.
Figure B.1 : Upward spiral implementation of the standard (based on the PDCA Model)
85869_ASFIS_Rev0_1-52.pdf 4985869_ASFIS_Rev0_1-52.pdf 492.pdf 49 3/21/13 11:54 AM3/21/13 11:54 AM
ANSI/ASIS PSC.3-2013
38
Annex C (informative)
C. REFERENCES ANSI/ASIS PSC.1-2012, Management System for Quality of Private Security Company Operations – Requirements with Guidance for Use.7
ISO 31000:2009, Risk management – Principles and guidelines.8
ISO Guide 73:2009, Risk management – Vocabulary.8
7 This document is available online from ASIS International. < https://www.asisonline.org/guidelines/published.htm >. p // g/g /p
8 This document is available online from the International Organization for Standardization (ISO). < http://www.iso.ch/iso/en/prods-services/ISOstore/store.html > p // / / /p / /
85869_ASFIS_Rev0_1-52.pdf 5085869_ASFIS_Rev0_1-52.pdf 5f 500 3/21/13 11:54 AM3/21/13 11:54 AM
ASIS International (ASIS) is the preeminent
organization for security professionals, with more
than 38,000 members worldwide. Founded in 1955,
ASIS is dedicated to increasing the effectiveness and
productivity of security professionals by developing
educational programs and materials that address
broad security interests, such as the ASIS Annual
Seminar and Exhibits, as well as specific security
topics. ASIS also advocates the role and value of the
security management profession to business, the
media, governmental entities, and the general public.
By providing members and the security community
with access to a full range of programs and services,
and by publishing the industry’s number one
magazine, Security Management, ASIS leads the way
for advanced and improved security performance.
For more information, visit www.asisonline.org.
42726_Cover-R1.indd 3-4 3/21/2013 9:54:07 AM
Maturity Model for the Phased Implementation of a Quality Assurance Management System for Private Security Service Providers
A S I S I N T E R N A T I O N A L
STANDARDAMERICAN NATIONAL
1625 Prince StreetAlexandria, Virginia 22314-2818
USA+1.703.519.6200
Fax: +1.703.519.6299www.asisonline.org
ANSI/ASIS PSC.3-2013
42726_Cover-R1.indd 1-2 3/21/2013 9:54:07 AM