Enterprise Performance Life Cycle Glossary
Authority to Operate (ATO)
Business Needs Statement
Capital Planning and Investment Control (CPIC)
Certification & Accreditation (C&A)
Chief Information Officer (CIO)
Commercial Off-the-Shelf (COTS)
Computer Match Agreement (CMA)
Contingency/Disaster Recovery Plan
Contract Fund Status Report
Contractor Performance Report
Data Use Agreement (DUA)
Earned Value Management (EVM)
Enterprise Architecture (EA)
Enterprise Performance Life Cycle
Government Off-the-Shelf (GOTS)
Independent Verification & Validation (IV&V)
Independent Verification & Validation (IV&V) Reports
Information Technology (IT)
Information Technology Investment Review Board (ITIRB)
Integrated Baseline Documentation
Integrated Project Team (IPT)
Investment Manager (IM)
IT Governance Organization
Operation & Maintenance Manual
Performance Baseline Management (PBM)
Performance Measurement Baseline (PMB)
Periodic Investment Status Report
Plan of Action and Milestones (POA&M)
Privacy Impact Assessment (PIA)
Project Completion Report
Project Management Plan (PMP)
Project Manager (PM)
Project Process Agreement (PPA)
Project Schedule (Updated)
Requirements Document with components
Rough Order of Magnitude (ROM)
Security Risk Assessment (SRA)
Service Level Agreement(s)
System of Record (SOR)
System of Record Notice (SORN)
Systems Security Plan (SSP)
Term / Acronym: Description

Annual Operational Analysis (AOA): The Annual Operational Analysis (AOA) combines elements from the CPIC evaluation with results from monitoring the performance of the Business Product during normal operations against the original user requirements and any newly implemented requirements or changes. This document assists in the analysis of alternatives when deciding on new functional enhancements and/or modifications to the Business Product, or on the need to dispose of or replace the Business Product altogether.

Application: The use of information resources (information and information technology) to satisfy a specific set of user requirements (OMB A-130, App. III). In particular, an application is usually considered to be the software component of a system. An application runs on, and may or may not be part of, a general support system. The terms "application" and "information system" are sometimes used interchangeably, although the latter has a broader definition that includes general support systems.

Authority to Operate (ATO) with components: An Authority to Operate (ATO) is a formal declaration by a Designated Approving Authority (DAA) that authorizes operation of a Business Product and explicitly accepts the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of information security controls. Though not security-specific, formal documentation of Section 508 Certification or Exception is also required before a Business Product can be released into operation.

Baseline(s): Baselines are the standard against which actual work is measured. Baselines are used in the annual report to Congress required by Federal Acquisition Streamlining Act Title V on variances of 10 percent or more from cost and schedule goals and any deviation from performance (scope) goals. Baseline cost and schedule goals should be realistic projections of total cost, total time to complete the project, and interim cost and schedule goals. Performance (scope) goals should be realistic assessments of what the investment or project is intended to accomplish, expressed in quantitative terms if possible.

Business Case: The Business Case is a documented, structured proposal for business improvement that is prepared to facilitate a selection decision for a proposed investment or project by organizational decision makers. The Business Case describes the reasons and justification for the investment or project in terms of business process performance, needs and/or problems, and expected benefits. It identifies the high-level requirements that are to be satisfied, an analysis of proposed alternative solutions (with reasons for rejecting or carrying forward each option), assumptions, constraints, a risk-adjusted cost-benefit analysis, and a preliminary acquisition strategy.

Business Needs Statement: A Business Needs Statement identifies the business need for a proposed investment or project. It includes a brief description of the proposed project's purpose, goals, and scope. The Business Needs Statement provides sufficient information to justify a decision on whether or not the organization should move forward with the development of a full business case.

Business Owner: The executive in charge of the organization, who serves as the primary customer and advocate for an IT project. The Business Owner is responsible for identifying the business needs and performance measures to be satisfied by an IT project; providing funding for the IT project; establishing and approving changes to cost, schedule and performance goals; and validating that the IT project initially meets business requirements and continues to meet business requirements.

Business Product: The Business Product is the primary result of the development effort that satisfies the established requirements. In software development efforts, it includes the original source code, the machine-compiled executable computer instructions, and the data repository(ies). It also includes an identification and description of all configuration items that comprise a specific build or release of the Business Product.

Capital Planning and Investment Control (CPIC): The CPIC process is an integrated, structured methodology for managing IT investments, which ensures that IT investments align with HHS' mission and support business needs while minimizing risks and maximizing returns throughout the investment's life cycle. CPIC uses a systematic selection, control, and continual evaluation process to ensure that an investment supports HHS' mission and business needs.

Certification & Accreditation (C&A): C&A is composed of those activities and processes required to maintain the security of information systems, periodically review the information security controls, and maintain the certification and authorization of the information system to operate. This process includes the activities involved in information security planning and in the security testing, certification and authorization processes. The C&A phase of the information security process is where the system staff (outlined in the information security documentation) perform the day-to-day functions required to maintain an appropriate level of information security to protect the system. This phase is ongoing while the system is in operation.

Chief Information Officer (CIO): The Office of the Chief Information Officer advises the Secretary and the Assistant Secretary for Resources and Technology (ASRT) on matters pertaining to the use of information and related technologies to accomplish Departmental goals and program objectives. The mission of the Office is to establish and provide: assistance and guidance on the use of technology-supported business process reengineering; investment analysis; performance measurement; strategic development and application of information systems and infrastructure; policies to provide improved management of information resources and technology; and better, more efficient service to our clients and employees.

CIO Council: The HHS CIO Council, a cross-OPDIV review committee comprised of the OPDIV CIOs and chaired by the HHS CIO, is responsible for reviewing the technical and managerial soundness of IT investments and providing technical recommendations to the ITIRB.

Commercial Off-the-Shelf (COTS): COTS refers to a product available in the commercial marketplace. COTS products are sold to the general public in the course of normal commercial business operations at prices based on established catalog or market prices (Federal Acquisition Regulations). COTS products are delivered with pre-established functionality, although some degree of customization is possible.

Computer Match Agreement (CMA): A Computer Match Agreement (CMA) is a written accord that establishes the conditions, safeguards, and procedures under which a Federal organization agrees to disclose data where there is a computerized comparison of two or more automated Systems of Records (SORs). In conjunction with a CMA, an Inter/Intra-agency Agreement (IA) is also prepared when the SOR(s) involved in the comparison are the responsibility of another Federal agency.

Contingency/Disaster Recovery Plan: The Contingency/Disaster Recovery Plan describes the strategy and organized course of action that is to be taken if things don't go as planned or if there is a loss of use of the established business product (e.g., system) due to a disaster such as a flood, fire, computer virus, or major failure. The plan describes the strategy for ensuring recovery of the business product in accordance with stated recovery time and recovery point objectives.

Continued ATO: Resulting from a periodic review of an operating Business Product, a Continued ATO is a formal declaration by a DAA that a Business Product is approved to continue to operate at an acceptable level of risk in the designated production environment.

Contract Fund Status Report (CFSR), or acceptable equivalent, if full EVM standards compliance is not required: A status report that provides investment and project managers with the information necessary to:
- Update and forecast contract fund requirements.
- Plan and decide on funding changes.
- Develop fund requirements and budget estimates to support approved investments or projects.
- Determine funds in excess of contract needs and available for de-obligation.
- Develop rough estimates of termination costs.
- Determine if sufficient funds are available by fiscal year to execute the contract.
Typically, the investment or project manager requires only the minimum data necessary for effective management control. The contracting officer and contractor negotiate reporting provisions in the contract, including level of detail and reporting frequency. In addition, the CFSR is not applied to Firm-Fixed Price contracts unless unusual circumstances dictate specific funding visibility.

Contracting Officer: The Contracting Officer has the authority to enter into, administer, and/or terminate contracts and make related determinations and findings. The term includes certain authorized representatives of the contracting officer acting within the limits of their authority as delegated by the contracting officer. The contracting officer and/or his representative are accountable for preparing solicitation documents with technical support from the Project Manager and for acting on behalf of the Head of the Contracting Activity.

Contractor Performance Report (CPR), or acceptable equivalent, if full EVM standards compliance is not required: The Contract Performance Report (CPR), a periodic Earned Value report, presents the cost, schedule, and performance data for the current period and cumulatively. Typically, the CPR presents costs organized by WBS element at a level pre-determined by the HHS IT Project team, and includes explanations for cost and schedule variances that have exceeded thresholds and descriptions of contractor plans to resolve the causes of variances.

Control Phase (CPIC): This phase of the CPIC process ensures that IT initiatives are developed and implemented in a disciplined, well-managed, and consistent fashion; that project objectives are being met; that the costs and benefits were accurately estimated; and that spending is in line with the planned budget. This promotes the delivery of quality products and results in initiatives that are completed within scope, on time, and within budget.

Critical Partners: The Critical Partners are functional managers in CPIC, Enterprise Architecture, Security, Acquisition Management, Finance, Budget, Human Resources, Section 508 and Performance who participate in IT project reviews and governance decisions to ensure compliance with policies in their respective areas and to make timely tradeoff decisions where conflicts arise during the planning and execution of a project.

Data Use Agreement (DUA): A Data Use Agreement (DUA) is a legally binding agreement between a Federal agency and an external entity (e.g., contractor, private industry, academic institution, other Federal government agency, or state agency), entered into when the external entity requests the use of personally identifiable data that is covered by the Privacy Act of 1974. The agreement delineates the confidentiality requirements of the Privacy Act, information security safeguards, and the Federal agency's data use policies and procedures. The DUA serves as both a means of informing data end users of these requirements and a means of obtaining their agreement to abide by them. Additionally, the DUA serves as a control mechanism through which the Federal agency can track the location of its data and the reason for the release of the data. A DUA requires that a System of Records (SOR) be in effect which allows for the disclosure of the data being used.

Design Document with components (Architectural & detailed elements): The Design Document describes the technical solution that satisfies the requirements for the Business Product (e.g., system). Either directly or by reference to other documents, the Design Document provides a high-level overview of the entire solution architecture and data design, including external interfaces, as well as lower-level detailed design specifications for the internal components of the Business Product that are to be developed.

Disposition Plan: The Disposition Plan addresses how the various components of an operating Business Product (e.g., system) are to be handled at the completion of operations, to ensure proper disposition of all the Business Product components and to avoid disruption of the individuals and/or any other Business Products impacted by the disposition. It includes the planning for the deliberate and systematic decommissioning of the asset with appropriate consideration of records management.

Earned Value Management (EVM): Earned Value Management integrates the scope of work with schedule and cost elements for optimum planning and control. The qualities and operating characteristics of earned value management systems are described in American National Standards Institute (ANSI)/Electronic Industries Alliance (EIA) Standard-748-1998, Earned Value Management Systems.

Enterprise Architecture (EA): Enterprise Architecture is a strategic information asset base which defines business mission needs, the information content necessary to operate the business, the information technologies necessary to support business operations, and the transitional processes necessary for implementing new technologies in response to changing business mission needs. Enterprise architecture includes a baseline architecture, a target architecture and a sequencing plan.

Enterprise Performance Life Cycle (EPLC): The EPLC is a framework to enhance IT Governance through rigorous application of sound investment and project management principles and industry best practices. The EPLC provides the context for the HHS IT Governance process and describes the interdependencies between its project management, investment management, and capital planning components. The EPLC is comprised of 10 phases, from initiation through disposition, and identifies the activities, roles and responsibilities, Stage Gate Reviews, and exit criteria for each phase. The EPLC framework complies with federal regulations and policies, industry best practices, and HHS policies and standards.

Evaluate Phase (CPIC): This phase of the CPIC process involves comparing actual to expected results once an IT investment has been implemented; evaluating "mature" systems on their continued effectiveness in supporting mission requirements; and evaluating the cost of continued support or potential retirement and replacement.

Functional Requirements: Functional requirements specify Business Product features and what the Business Product must do. They are directly derived from the objectives defined in the Project Management Plan. A functional requirement is a tangible service, or function, that the Business Product must provide and is a non-technical requirement. See also Non-functional Requirements.

Government Off-the-Shelf (GOTS): GOTS refers to a product developed by or for a government agency that can be used by another government agency with the product's pre-established functionality and little or no customization.

Implementation Plan: The Implementation Plan describes how the business product will be installed, deployed, and transitioned into the operational environment.

Independent Verification & Validation (IV&V): IV&V is a process employing rigorous methodologies for evaluating the correctness and quality of the product, conducted by personnel not directly engaged in the development of the product. IV&V is a way to ensure that the Business Product is developed in accordance with customer requirements, and that the product is well-engineered. Validation is concerned with checking that the product meets the user needs; Verification is concerned with checking that the product is well engineered. This is sometimes expressed as "Are we building the right product (or system)?" and "Are we building the product (or system) right?" Therefore, IV&V typically performs in-depth technical analyses of the products and the processes of system development. IV&V advises the customers when signs of problems begin to emerge so that the customer can make plans to deal with the situation.

Independent Verification & Validation (IV&V) Reports: Independent Verification & Validation (IV&V) Reports document the findings obtained during a specific IV&V Assessment that is conducted by an independent third party.

Information Technology (IT): Information technology, as defined by the Clinger-Cohen Act of 1996, sections 5002, 5141, and 5142, means any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. For purposes of this definition, equipment is "used" by an agency whether the agency uses the equipment directly or it is used by a contractor under a contract with the agency that (1) requires the use of such equipment or (2) requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. Information technology includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources. It does not include any equipment that is acquired by a Federal contractor incidental to a Federal contract.

Information Technology Investment Review Board (ITIRB): The ITIRB is a cross-functional executive review committee responsible for overseeing the management of the HHS IT portfolio, approving and prioritizing IT investments to best achieve HHS strategic goals and objectives, and leveraging opportunities for collaboration across HHS OPDIVs on IT investments that support common lines of business. The HHS ITIRB shall ensure that the HHS IT investment portfolio is of the highest quality and meets the business needs of the Department in the most effective and efficient manner.

Integrated Baseline Documentation: Documents include the Work Breakdown Structure (WBS), the WBS Dictionary, the Responsibility Assignment Matrix, Project Schedules, Control Account Plans, and the Work Authorization Document.

Integrated Project Team (IPT): The IPT is established by the manager of each IT project with technical and critical partner expertise appropriate to the size, complexity and operational requirements of the project. An IPT typically shall consist of representatives from the business office, including any applicable subject matter experts, technical IT staff, budget, acquisition, security, and Enterprise Architecture.

Investment Manager (IM): The Investment Manager is responsible for planning and executing the investment to achieve approved baselines. The IM may or may not be a subject matter expert in the business area supported by the investment.

IT Governance Organization: The IT Governance organization at HHS and at each OPDIV is responsible for ensuring that projects are technically sound, follow established IT project management practices, and meet the Business Owner's needs. Components of the IT Governance organization are the ITIRB, the CIO Council (Technical Review Board at the OPDIV level), the Chief Information Officer, and the CPIC Manager.

IT Investment: An organizational investment employing or producing IT or IT-related assets. Each investment has or will incur costs for the investment, has expected or realized benefits arising from the investment, has a schedule of project activities and deadlines, and has or will incur risks associated with engaging in the investment.

IT Portfolio: The combination of all IT assets, resources, and investments owned or planned by an organization in order to achieve its strategic goals, objectives, and mission.

IT Project: A project is a temporary planned endeavor funded by an approved information technology investment, thus achieving a specific goal and creating a unique product, service, or result. A project has a defined start and end point with specific objectives that, when attained, signify completion.

Meeting Minutes: Meeting Minutes are a written record of what transpired during a meeting. Meeting minutes provide the purpose of the meeting, the list of attendees, topics discussed, decisions made, the status of actions from the previous meeting, new action items, and the individuals assigned responsibility for the actions.

Memorandum of Understanding (MOU): See Service Level Agreement(s) (SLAs) and/or Memorandum(s) of Understanding (MOU).

Non-functional Requirements: Non-functional requirements specify the criteria that are used to judge the operation of a Business Product, rather than specific behaviors (in contrast to functional requirements, which describe behavior or functions). Typical non-functional requirements are reliability, scalability, accessibility, performance, availability, and cost. Other terms for non-functional requirements are "constraints", "quality attributes", and "quality of service requirements". Non-functional requirements also specify the laws, regulations, and standards with which the Business Product must comply.

Operations & Maintenance Manual: The Operations & Maintenance Manual clearly describes the Business Product that will be operating in the production environment and provides the operations and support staff with the information necessary to effectively handle routine production processing, ongoing maintenance, and identified problems, issues, and/or change requests.

Performance Baseline Management (PBM): Performance Baseline Management (PBM) is the primary HHS CPIC methodology for measuring, reporting, and evaluating the performance of all HHS Major and Tactical IT Investments, and of all HHS Supporting IT Investments with budget year costs equal to or greater than $1M.

Performance Measurement Baseline (PMB): The Performance Measurement Baseline (PMB) is a time-phased budget plan for accomplishing work, against which contract performance is measured. It includes the budgets assigned to scheduled control accounts and the applicable indirect budgets. For future effort not planned to the control account level, the PMB also includes budgets assigned to higher-level Contractor Work Breakdown Structure (CWBS) elements and to undistributed budgets. It does not include management reserve.

Periodic Investment Status Report: The Periodic Status Report describes work accomplished as of the reporting period, work planned for the next reporting period, and any issues that require management attention. The status report also typically includes project cost and schedule data for the reporting period and cumulatively.

Plan of Action and Milestones (POA&M): A management process that outlines weaknesses and delineates the tasks necessary to mitigate them. The HHS Information Security Program POA&M process will be used to facilitate the remediation of information security program- and system-level weaknesses, and will provide a means for:
- Planning and monitoring corrective actions;
- Defining roles and responsibilities for weakness resolution;
- Assisting in identifying the information security funding requirements necessary to mitigate weaknesses;
- Tracking and prioritizing resources;
- Identifying those risks deemed acceptable that will not be mitigated; and
- Informing decision makers.

Privacy Impact Assessment (PIA): Based on the initial FIPS 199 categorization and the identification of the need or potential to collect Privacy Act data/information, the PIA is the assessment required by the Privacy Act and/or the E-Government Act of 2002 to be conducted on projects before developing or procuring information technology that collects, maintains, or disseminates personal information in identifiable form. A PIA is an agency review of how collected information is handled and protected, conducted in a manner consistent with Federal standards for privacy and information security. The PIA determines what kind of information in identifiable form is contained within a system, what is done with that information, and how that information is protected. Though the PIA specifically refers to "privacy", a PIA also typically covers confidentiality, access to data, and use of data.

Project: A project is a temporary planned endeavor funded by an approved investment, thus achieving a specific goal and creating a unique product, service, or result. A project has a defined start and end point with specific objectives that, when attained, signify completion.

Project Archives: Project Archives preserve vital information, including both documentation of project execution and the data from the production system.

Project Charter: The Project Charter formally authorizes a project and describes the business need for the project and the product to be created by the project. It provides the project manager with the authority to apply up to a certain level of organizational resources to project activities.

Project Completion Report: The Project Completion Report describes any differences between proposed and actual accomplishments, documents lessons learned, provides a status of funds, and provides an explanation of any open-ended action items, along with a certification of conditional or final closeout of the development project.

Project Management Plan (PMP): The Project Management Plan (PMP) is a dynamic, formally approved document that defines how the project is executed, monitored and controlled. It may be summary or detailed and may be composed of one or more subsidiary management plans and other planning documents. The main objective of the PMP is to document assumptions and decisions about how the project is to be managed, to help in communication between all of the concerned parties, and to document the scope, costs and time sequencing of the project.

Project Manager (PM): The Project Manager is responsible for project performance in relation to approved cost, schedule and performance baselines. The Project Manager maintains information on project status, control, performance, risk, corrective action and outlook. This person is accountable to the Business Owner for meeting business requirements and to IT Governance for meeting IT project management requirements. The Project Manager shall develop the business case in conjunction with the Business Owner to clearly define and capture business need requirements, conduct project planning to adequately define and execute the tasks required to meet approved cost, schedule and performance baselines, and conform to HHS policies that apply to IT projects. Project Managers shall be responsible for timely reporting of significant variances from approved baselines and for providing corrective action plans or rebaselining proposals as appropriate.

Project Process Agreement (PPA): The Project Process Agreement (PPA) is used to authorize and document the justifications for using, not using, or combining specific Stage Gate Reviews and the selection of specific deliverables applicable to the investment/project, including the expected level of detail to be provided.

Project Schedule (Updated): The project schedule is developed so that tasks and milestones are clearly defined. It is updated regularly to identify IT project elements that are behind schedule as well as those ahead of schedule. The project schedule maps directly to the WBS, providing the project management team with a single point of reference for all activities.

Records Management: Records Management consists of the planning, controlling, directing, organizing, training, promoting, and other managerial activities involved in records creation, maintenance and use, and disposition, in order to achieve adequate and proper documentation of the policies and transactions of the Federal Government and effective and economical management of agency operations (44 U.S.C. 2901).

Requirements: Requirements specify what should be produced. They are descriptions either of how the Business Product should behave (functional requirements) or of how the Business Product must comply with laws, regulations, and standards (non-functional requirements).

Requirements Document with components: The Requirements Document describes both the project and product requirements. It outlines the technical, functional, performance and other requirements necessary to deliver the end business product.

Risk: An uncertain event that may affect the performance objectives (i.e., cost, schedule, scope or quality) of a project, usually negatively.

Risk Management: An approach for addressing the risks associated with a project. Risk management includes identification, analysis, prioritization, and control of risks. Especially critical are those techniques that help define preventative measures to reduce the probability of these factors occurring and identify countermeasures to successfully deal with these constraints if they develop.

Rough Order of Magnitude (ROM): Cost and schedule estimates based on high-level requirements and an overall prediction of the work to be done to satisfy those requirements. Typically, ROM estimates are based on approximate cost models or expert analysis, and are presented as a range.

Requirements Traceability Matrix

Section 508: Section 508 refers to Section 508 of the Rehabilitation Act of 1973 (29 U.S.C. 794d), which requires Federal agencies to develop, procure, maintain, or use electronic and information technology that is accessible to Federal employees and members of the public with disabilities.

Security Risk Assessment (SRA): A Security Risk Assessment documents the analysis of the security functional requirements and identifies the protection requirements for the system using a formal risk assessment process. The risk assessment includes the identification of threats to and vulnerabilities in the information system; the potential impact or magnitude of harm that a loss of confidentiality, integrity, or availability would have on agency assets or operations; and the identification and analysis of information security controls for the information system.

Select Phase (CPIC): This phase of the CPIC process ensures that the IT investments chosen are those that best support the Agency's mission and align with HHS' approach to enterprise architecture.

Service Level Agreement(s) (SLAs) and/or Memorandum(s) of Understanding (MOU): A Service Level Agreement (SLA) is a contractual agreement between a service provider and their customer specifying performance guarantees, with associated penalties should the service not be performed as contracted. A Memorandum of Understanding (MOU) is a legal document that outlines the terms and details of an agreement between parties, including each party's requirements, responsibilities and period of performance.

Solution: A comprehensive architectural response to a business problem. Solutions address all layers of the Enterprise Architecture: strategy, business, data, applications and technology/information security.

Stage Gate Review(s): Phase-driven go/no-go decision points where EPLC activities are reviewed to ensure that appropriate OMB and HHS requirements are observed. A system cannot proceed without a "go" decision or a conditional approval granted by the appropriate senior manager for the specific control gate.

System of Record (SOR): The Privacy Act defines a SOR as a group of any records under the control of a Federal agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. Additionally, the Privacy Act requires that the Federal government inform the public of any collection of information about its citizens from which data are retrieved by a unique identifier as described above.

System of Record Notice (SORN): The Privacy Act defines a System of Record (SOR) as a group of any records under the control of a Federal agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. Additionally, the Privacy Act requires that the Federal government inform the public of any collection of information about its citizens from which data are retrieved by a unique identifier as described above. The System of Record Notice (SORN) fulfills this requirement to inform the public via the publication of a system notice in the Federal Register. This notice describes the SOR and gives the public an opportunity to comment. Without the written consent of the subject individual, the Privacy Act prohibits the release of protected information maintained in a SOR unless one of the 12 defined disclosure exceptions is applicable.

Systems Security Plan (SSP): The SSP describes the managerial, technical and operational security controls (defined by the National Institute of Standards and Technology) that are designed and implemented within the system.

Test Plan: The Test Plan defines the types of tests (e.g., unit, function, integration, system, information security, performance (load and stress), regression, user acceptance, and/or independent verification and validation) to be carried out. The document describes the acceptance criteria for those tests, the roles and responsibilities of individuals involved in the testing process, the traceability matrix, the resources required (hardware and software environments), and other elements relevant to test planning and execution. This plan details the manner of testing (test cases, simulation, etc.) of the integrated software/hardware system. It must include, as part of the main document or as a separate document, detailed Test Case Specifications that describe the purpose and manner of each specific test, the required inputs and expected results for the test, step-by-step procedures for executing the test, and the pass/fail criteria for determining acceptance.

Test Reports: Test Reports are completed at the end of each test to verify expected results. A summary report should be created at the end of the testing phases to document the overall test results. These reports summarize the testing activities that were performed, describe any variances between the expected test results and the actual test results, and include identification of unexpected problems and/or defects that were encountered.

Training Materials: Training Materials include the documentation associated with the deployment of the Business Product. This includes instructor and student guides, audio-visual aids, and computer-based or other media used to disseminate information about the final product to the target audience that is in need of the instruction.

Training Plan: The Training Plan describes the overall goals, learning objectives, and activities that are to be performed to develop, conduct, control, and evaluate the instruction that is to be provided to end users, operators, administrators, and support staff who will use, operate, and/or otherwise support the solution.

User Manual: The User Manual clearly explains how a business user is to use the established Business Product from a business function perspective.
Content last reviewed on September 24, 2014