HHS-OCIO Policy for Information Technology
This Policy supersedes the HHS Office of the Chief Information Officer (OCIO) Policy for Information Technology (IT) Capital Planning and Investment Control (HHS-OCIO-2005-0005), dated December 30, 2005.
Capital Planning and Investment Control (CPIC) is the primary Information Technology (IT) governance and management methodology at the Department of Health and Human Services (HHS) for selecting, managing, and evaluating the performance of HHS IT investments. It also prescribes the roles and responsibilities for carrying out IT CPIC requirements.
This Policy describes the principles for conducting IT governance and management in HHS. The principles are based on legislation and Office of Management and Budget (OMB) guidance that direct agencies to institute and maintain a disciplined approach to funding and monitoring IT investments. The principles form the basis for efficient and effective management of the Department's IT investments by promoting informed decision making and timely oversight by appropriate level review boards. The goal is to achieve the best balance of the Department's IT investments at the lowest cost with the least risk while ensuring that mission and business goals are met.
This Policy also addresses new and changed requirements, such as the HHS Enterprise Performance Life Cycle (EPLC) framework and the HHS-OCIO Pilot Policy for Performance Baseline Management (PBM) (HHS-OCIO-2009-0005), dated November 3, 2009.
The Clinger-Cohen Act (CCA) of 1996 (Public Law 104-106, formerly known as the IT Management Reform Act (ITMRA) of 1996), requires federal agencies to use a disciplined CPIC process to acquire, use, maintain and dispose of IT assets. Other laws and policies, such as the Paperwork Reduction Act of 1980 and 1995, the Government Performance and Results Act of 1993 (GPRA), the Federal Acquisition Streamlining Act of 1994, and OMB Circular A-130, Management of Federal Information Resources, also require agencies to design and implement a disciplined process to maximize the value and assess and manage IT Investment risks. However, CCA supplements existing law and policies by mandating a specific, more rigorous methodology for managing IT investments than was previously required and an approach that integrates IT capital planning with other agency processes. CCA also elevates the role of what was previously called the Senior Information Resource Management (IRM) Officer (SIRMO) to the more visible Chief Information Officer (CIO) position and gives agencies authority and responsibility for IT acquisition.
CCA mandates that the CPIC process shall: (1) provide for the selection, control, and evaluation of agency IT Investments; (2) be integrated with the processes for budget, financial, and programmatic decision-making; (3) include minimum criteria for considering whether to undertake an IT Investment; (4) identify IT Investments that would result in shared benefits or costs for other Federal agencies or State or local governments; (5) provide for identifying quantifiable measurements for IT Investment net benefits and risks; and, (6) provide the means for senior management to obtain timely information regarding an investment’s progress.
Under CCA, the HHS CIO is responsible for: (1) advising and assisting the HHS Secretary and other HHS senior executives in managing IT resources effectively and efficiently and consistent with HHS priorities; (2) using performance measures to monitor and evaluate HHS IT investments; (3) advising senior management on whether to continue, modify, or dispose of an IT Investment; and, (4) promoting effective and efficient development and operation of all major IT processes in HHS, including work process improvements.
Operationally, HHS is structured into major business areas, with the Operating Divisions (OPDIVs) and Office of the Secretary (OS) and its Staff Divisions (STAFFDIVs) assigned responsibility for accomplishing the HHS goals, objectives, and functions within their respective lines of business. Consistent with this operational structure, the HHS CIO relies on a federated model for HHS IT governance, wherein the OPDIV and OS CIOs are responsible for IT governance within their respective organizations in conformance with this CPIC Policy.
Consistent with the statutes and best practices in IT management, the HHS CIO issued the initial HHS IT CPIC Policy (HHS-OCIO-2005-0005.001) and corresponding CPIC Procedures (HHS OCIO-2005-0005P) in December 2005. Since that date, HHS IT management has matured, including implementation of the HHS EPLC Policy, which establishes ten standard life cycle phases and stage gate reviews for IT projects. The EPLC is significant since it provides an enterprise-wide, standard methodology for planning, managing and overseeing IT project performance. HHS has issued or updated other important internal policies such as IT PBM, Information Security, and Enterprise Architecture (EA). As a result, this HHS IT Policy for CPIC has been updated to incorporate these policies and the recognition that an IT investment may consist of one or more IT projects.
Whereas the HHS IT EPLC Policy addresses IT project requirements, this CPIC Policy addresses IT Investment (i.e., comprising one or more IT projects) and IT portfolio management requirements. This Policy ensures that HHS IT Investments are selected based on their support of HHS business needs and mission requirements; that selected investments meet approved cost, schedule, and performance milestones; and that they successfully achieve specified benefits and outcomes throughout the IT Investment life cycle.
This Policy recognizes that IT Investment management is dynamic: IT Investments are selected and continually monitored and evaluated to ensure that each chosen IT investment effectively and efficiently supports the HHS mission and strategic goals. The HHS IT CPIC model relies on three processes – Select, Control, and Evaluate – to address the following key questions:
§ Select – How do we know we have selected the best IT Investments?
§ Control – What are we doing to ensure that the selected IT Investments will deliver anticipated benefits on time and within budget?
§ Evaluate – How do we determine whether operational IT Investments still continue to efficiently and cost-effectively support requirements and deliver benefits?
An IT Investment can be active concurrently in more than one CPIC process. After the IT Investment’s initial funding in the select process, it becomes the subject of evaluation throughout the control processes for the purposes of reselection. Reselection is ongoing and continues for as long as an IT Investment receives funding. If an investment is not meeting the goals and objectives that were originally established when it was selected, or if the goals have been modified to reflect changes in mission objectives – and corrective actions are not succeeding – a decision must be made to continue to fund or to “de-select” an investment. Once IT Investments are operating, they remain under constant review for reselection.
This Policy applies to all HHS organizational components (i.e., Operating Divisions [OPDIVs] and Staff Divisions [STAFFDIVs]) and organizations conducting business for and on behalf of the Department through contractual relationships when using HHS information technology (IT) resources. This Policy does not supersede any other applicable law, higher level agency directive, or existing labor management agreement in effect as of the effective date of this Policy.
Department officials shall apply this Policy to employees, contractor personnel, interns, and other non-government employees. All organizations collecting or maintaining information, or using or operating information systems on behalf of the Department, are also subject to the stipulations of this Policy. The content of and compliance with this Policy shall be incorporated into applicable contract language or memoranda of agreement under separate cover (e.g., Interim HHSAR guidance), as appropriate.
This Policy also applies to all HHS IT Investments and IT projects throughout their entire life cycle, regardless of funding source, whether owned and operated by HHS or operated on behalf of HHS.
OPDIVs are expected to manage their IT Investment portfolios using a methodology modeled after the HHS CPIC Program.
OPDIVs shall use this Policy or may create a more restrictive OPDIV/STAFFDIV policy, but not one that is less restrictive or less comprehensive or not compliant with this document.
To maximize the value and to assess and manage the risks of IT Investments, the HHS CIO has established the HHS IT CPIC policies in this section.
4.1.1 All IT Investments within HHS, whether managed and funded at the Department level or by the OPDIVs are HHS IT Investments.
4.1.2 IT Investment Characteristics.
4.1.2.1 An IT Investment is the means through which a discrete and unique set of logically related, business-driven IT products and/or services is delivered.
4.1.2.2 An IT Investment’s justification, cost, schedule, measurement indicators, and other management and technical artifacts shall describe its discrete and unique set of IT products/services.
4.1.2.3 Two or more IT Investments shall not deliver the same discrete and unique set of IT products/services and shall not serve the same purpose.
4.1.2.4 When two or more IT Investments deliver IT products/services through the same IT system, each IT Investment's set of IT products/services shall be discrete and unique and clearly distinguishable from the sets of IT products/services delivered by the other IT Investments through the IT system.
4.1.3 IT Funding.
4.1.3.1 A funding source may fund more than one IT Investment and an IT Investment may be funded by one or more funding sources.
4.1.3.2 An IT Investment is the means through which an IT system, project, or program receives funding.
4.1.3.3 The funds provided through each IT Investment shall be traceable to each associated IT system and/or IT project.
4.1.4 IT Investment-to-IT System/IT Project Relationships.
4.1.4.1 One IT Investment shall deliver a unique and discrete set of logically-related, business-driven IT products/services through one or more IT systems and/or IT projects.
4.1.4.2 Multiple IT Investments may each deliver a unique and discrete set of logically-related, business-driven IT products/services through one or more IT systems.
4.1.5 The HHS EPLC framework shall be used as the standard structure for planning, managing and overseeing the IT projects that comprise the IT Investment over the respective IT project life cycles.
4.1.6 All IT Investment Managers and all IT Project Managers shall attain the levels of knowledge, skills, and experience required for their respective roles in accordance with applicable HHS training and certification requirements.
4.1.7 IT Investment Classification and Reporting Requirements
4.1.7.1 Each IT Investment shall be classified in one of three classes: Major, Tactical, or Supporting.
4.1.7.2 An IT Investment shall be classified as Major if it meets at least one of the criteria listed below:
4.1.7.2.1 Is designated by the HHS CIO as critical to the HHS mission or to the administration of programs, finances, property, or other resources.
4.1.7.2.2 Is for financial management (i.e., included in HHS’ Financial Management EA Segment) and obligates more than $500K annually.
4.1.7.2.3 Requires special management attention because of its importance to the mission or function of HHS or an OPDIV.
4.1.7.2.4 Has significant program or policy implications.
4.1.7.2.5 Has high executive visibility.
4.1.7.2.6 Has high development, operating, or maintenance costs, deemed by HHS as:
4.1.7.2.6.1 Budget year costs equal to or greater than $10M
4.1.7.2.6.2 Estimated life cycle costs equal to or greater than $70M.
4.1.7.2.6.3 Is defined as Major by the HHS CIO.
4.1.7.3 An IT Investment shall be classified as Tactical if it is not designated as a Major IT Investment and it meets at least one of the criteria listed below:
4.1.7.3.1 Has total planned development, operating, or maintenance costs of $3 million or more in the budget year.
4.1.7.3.2 Is designated by the HHS CIO as significant to the HHS mission or to the administration of HHS programs, finances, property or other resources.
4.1.7.4 An IT Investment shall be classified as Supporting if it is not designated as Major or Tactical and meets at least one of the criteria listed below:
4.1.7.4.1 Has total planned development, operating, or maintenance costs of less than $3 million in the budget year.
4.1.7.4.2 Has been designated by the HHS CIO as a Supporting IT Investment.
4.1.7.5 The HHS Portfolio Management Tool (PMT) shall be the source of IT Investment information that supports IT governance, the CPIC process, and the HHS budget submission, with reporting data elements to be specified by the HHS CIO.
4.2.1 The HHS IT Investment Review Board (ITIRB), chaired by the HHS CIO, shall review, validate and approve all HHS IT Investments in the HHS IT Investment portfolio and shall serve as the IT governance board for all HHS enterprise IT Investments. The HHS IT Investment Review Board shall perform these functions either directly or through delegation to OPDIV governance boards.
4.2.1.1 The HHS CIO and the HHS ITIRB shall rely on the federated model for HHS IT governance, wherein the OPDIV CIOs are responsible for IT governance within their respective organizations.
4.2.1.2 The HHS ITIRB may at any time during the life cycle of an IT Investment designate an OPDIV IT Investment that meets one or more of the following criteria as subject to Department review and require an OPDIV to present the IT Investment before the HHS ITIRB for review, validation and approval:
4.2.1.2.1 Does not align with the HHS strategy and priorities
4.2.1.2.2 Is high risk and high value
4.2.1.2.3 Is a high visibility initiative
4.2.1.2.4 Is performing poorly
4.2.1.2.5 Is deemed by the HHS CIO to require Department management attention.
4.2.2 An IT governance structure shall be established by each OPDIV CIO to implement the CPIC processes to select, control, and evaluate their organization’s IT Investments.
4.2.2.1 Each IT governance structure shall include an organizational unit responsible for supporting the CPIC processes to select, control, and evaluate their organization’s IT Investments.
4.2.2.2 Each IT governance structure shall include an IT governance board (or OPDIV-equivalent IT governance body) with authority to:
4.2.2.2.1 Review and select IT Investments for the organization’s IT portfolio at least annually.
4.2.2.2.2 Recommend to the IT Investment’s Business Owner the termination or retirement of an IT Investment from the organization’s IT portfolio.
4.2.2.2.3 Direct corrective actions or changes in the management and operation of an IT Investment within the organization.
4.2.2.2.4 Approve or disapprove the initial and any subsequent changes to the IT Investment’s performance measurement baseline.
4.2.2.2.5 Recommend and present to the HHS ITIRB and to the OPDIV-equivalent executive-level business decision-making authority the list of IT Investments proposed for funding.
4.2.3 The HHS IT Capital Planning and Investment Control function shall provide CPIC support services to the HHS ITIRB and HHS CIO.
4.2.4 Each IT Investment shall have a Business Owner, IT Investment Manager, and IT Project Manager(s).
4.2.4.1 When the IT Investment consists of a single IT project, the IT Project Manager may also serve as the IT Investment Manager.
4.2.4.2 When an IT Investment consists of multiple IT projects, multiple IT Project Managers may be designated.
4.3.1 The CPIC process integrates all stages of capital programming, including planning, budgeting, procurement, management, and assessment.
4.3.2 The CPIC process addresses HHS security requirements and concerns in all stages of IT capital planning.
4.3.3 Each OPDIV shall adopt and implement CPIC Procedures consistent with (a) this HHS CPIC Policy and (b) best practice IT Investment management principles described in OMB M-97-02, the OMB Capital Planning Guide (Supplement to Part 7 in OMB Circular A-11), and other CPIC relevant Federal and industry IT Investment and project management guidance.
4.3.4 HHS CPIC consists of three processes: Select, Control, and Evaluate.
4.3.4.1 IT Investment Select Process.
4.3.4.1.1 IT Investments proposed and selected for funding shall meet the following criteria:
4.3.4.1.1.1 Support core/priority mission functions that need to be performed by HHS.
4.3.4.1.1.2 Fill a performance or capability gap in achieving strategic goals and objectives with the maximum benefits at the lowest life cycle cost among viable alternatives.
4.3.4.1.1.3 Be undertaken because no alternative private sector or government source can more efficiently support the function.
4.3.4.1.1.4 Support work processes that have been simplified or otherwise redesigned to reduce costs, improve effectiveness, and make maximum use of commercial off-the-shelf technology.
4.3.4.1.1.5 Demonstrate a projected best value, based on an analysis of quantifiable and qualitative benefits and costs and projected return on investment, which is clearly equal to or better than alternative uses of available public resources.
4.3.4.1.1.5.1 Best value may include improved mission performance in accordance with GPRA measures; reduced cost; increased quality, speed, or flexibility; and increased customer and employee satisfaction.
4.3.4.1.1.5.2 IT Investment costs shall be adjusted for such risk factors as the IT Investment's technical complexity, the organization’s management capacity, the likelihood of cost overruns, and the consequences of under- or non-performance.
4.3.4.1.1.6 Be consistent with applicable Federal, HHS, and OPDIV enterprise and information architectures.
4.3.4.1.1.6.1 Integrate organizational work processes and information flows with technology to achieve the organization’s strategic goals.
4.3.4.1.1.6.2 Reflect the organization's technology vision.
4.3.4.1.1.6.3 Adhere to standards that enable information exchange and resource sharing, while retaining flexibility in the choice of suppliers and in the design of local work processes.
4.3.4.1.1.6.4 Demonstrate conformance with the HHS segment architecture and transition plan.
4.3.4.1.1.7 Reduce risk by employing measures such as avoiding or isolating custom-designed components to minimize the potential adverse consequences on the overall project; using fully tested pilots, simulations, or prototype implementations before going into production; establishing clear measures and accountability for project progress; and, securing substantial involvement and buy-in throughout the project from the program officials who will use the system.
4.3.4.1.1.8 Be implemented in phased, successive segments, modules, or other useful units as narrow in scope and brief in duration as practicable, each of which solves a specific part of an overall mission problem and delivers a measurable net benefit independent of future segments or modules.
4.3.4.1.1.9 Employ an acquisition strategy that allocates risk between government and contractor, effectively uses competition, ties contract payments to accomplishments, and takes maximum advantage of commercial technology.
4.3.4.1.2 Annually, all IT Investments shall be reviewed and proposed for funding based on predefined selection criteria that include the factors specified in paragraph 4.3.4.1.1.
4.3.4.1.2.1 The selection criteria shall provide the basis for evaluating an IT Investment’s alignment to the HHS or OPDIV mission and priorities and how well it supports the HHS or OPDIV business needs, meets expected performance goals, mitigates risk, and adheres to projected costs and expected benefits throughout the IT Investment’s life cycle.
4.3.4.1.2.2 Selection criteria to assess an ongoing IT Investment’s performance shall include the following as factors:
4.3.4.1.2.2.1 The results of periodic PBM reports and reviews from the CPIC Control process
4.3.4.1.2.2.2 The results of the annual Operational Analysis (OA) conducted as part of the CPIC Evaluate Process for Steady State IT Investments or the Steady State portion of Mixed Life Cycle IT Investments, and
4.3.4.1.2.2.3 The results of the IT Investment’s associated IT projects’ EPLC stage gate reviews and performance, in accordance with EPLC Policy.
4.3.4.1.2.3 The selection criteria shall provide the basis for comparing and selecting IT Investments for the HHS IT portfolio.
4.3.4.1.3 Annually, the selection criteria itself shall be reviewed and, if needed, revised based on changes in organizational priorities.
4.3.4.1.4 An outcome of the annual IT Investment Select process may be a recommendation to the IT Investment’s Business Owner to:
4.3.4.1.4.1 Modify, suspend, or terminate an IT Investment.
4.3.4.1.4.2 Modify, suspend, or terminate an IT Investment’s IT project.
4.3.4.2 IT Investment Control
4.3.4.2.1 All IT Investments shall comply with the requirements of the HHS Policy for PBM.
4.3.4.2.2 All IT projects that comprise an IT Investment shall comply with the requirements of the HHS Policy for EPLC.
4.3.4.2.3 The IT Investment’s periodic PBM reports and reviews may result in a recommendation to the IT Investment’s Business Owner to modify, suspend, or terminate an IT Investment.
4.3.4.2.4 The results of the EPLC stage gate reviews of an IT Investment’s IT project(s) may include a recommendation to the IT governance board and the IT Investment’s Business Owner to modify, suspend, or terminate an IT project.
4.3.4.3 IT Investment Evaluate
4.3.4.3.1 Each IT Investment or IT project within an IT Investment that has received approval from the HHS or OPDIV IT governance board to transition to Steady State shall conduct a Post-Implementation Review (PIR) after a period of sustained operation, which is defined as after the completion of at least one full processing and reporting cycle.
4.3.4.3.2 Each IT Investment or IT project within an IT Investment that has been approved for termination before it has transitioned to Steady State shall conduct a final review within 60 days of termination to identify and document lessons learned (see Glossary) and suggestions to improve the HHS CPIC process.
4.3.4.3.3 Each Steady State IT Investment or the Steady State portion of a Mixed Life Cycle IT Investment shall conduct an annual OA, beginning one year after conducting the IT Investment’s or IT project’s PIR.
4.3.4.3.4 The results of the annual OA may lead to a recommendation to the IT Investment’s Business Owner to modify, suspend, or terminate a Steady State IT Investment or the Steady State portion of a Mixed Life Cycle IT Investment.
4.3.4.3.5 A disposition plan for the cessation of operations and distribution and reallocation of IT assets and funds in accordance with HHS Records Management, Security, and all other appropriate HHS CPIC and IT policies and procedures, shall be developed and presented for approval to the IT governance board and IT Investment’s Business Owner for each IT Investment that is approved for retirement or termination.
4.3.4.3.6 An approved disposition plan shall be executed by the IT Investment Manager for each IT Investment that is scheduled by the Business Owner for retirement or termination.
To ensure support of the HHS mission, strategic plans, and performance and outcome objectives, IT Investments shall comply with Federal, HHS and OPDIV enterprise architectures.
4.5.1 To ensure confidentiality, integrity, availability, reliability, and non-repudiation within the HHS infrastructure and its operations, IT Investments shall:
4.5.1.1 Comply with Federal and HHS privacy, security, and records management requirements for IT Investments and systems; and,
4.5.1.2 Demonstrate that costs for appropriate IT privacy, security, and records management controls are explicitly incorporated into the life cycle planning and operational costs of all associated IT systems.
4.6.1 The primary purpose of IT Investment acquisition-related activities shall be to support the execution of the IT Investment decisions made by the IT Investment’s Business Owner and the IT governance board.
4.6.2 To improve effectiveness and minimize costs/risks, IT Investments shall:
4.6.2.1 Develop, execute, and maintain a performance-based acquisition strategy that includes an appropriate mix of contract types to minimize risk to the government and reflects approved and updated cost and schedule milestones; and,
4.6.2.2 Comply with Federal and HHS acquisition requirements for IT Investments and systems.
The key executives, decision boards and critical partners described in this section are required for HHS IT Investment planning, decision-making, and execution:
The HHS CIO oversees and advises the HHS Secretary and other HHS senior executives about the Department's use of IT to improve program performance and to manage risk. Under the leadership of the CIO, the OCIO leads the Department’s IT CPIC, EA, electronic government, security, and IRM programs in collaboration with all organizational components of the Department. The HHS CIO chairs the HHS Information Technology Investment Review Board (ITIRB).
The HHS CIO shall:
5.1.1 Ensure that all HHS IT Investments adhere to Federally mandated requirements and to the requirements stipulated in the HHS Policies for CPIC, EA, Security, and Records Management;
5.1.2 Establish, implement and maintain an effective HHS CPIC process;
5.1.3 Ensure that individuals assigned to manage HHS enterprise IT Investments and IT projects are trained, qualified, and, as appropriate, certified as IT Investment or IT Project Managers;
5.1.4 Implement a Portfolio Management suite of tools to enable effective and efficient cost, schedule, and performance data collection, reporting, and analysis;
5.1.5 Ensure that each OPDIV adopts CPIC policies and procedures that comply with this policy and legislation, regulations, and other guidance in Section 6 “Applicable Laws and Guidance”; and,
5.1.6 Identify IT Investments requiring Departmental CPIC oversight and review.
HHS OPDIV CIOs advise their respective executive management on the strategic direction and management of their organizations’ IT programs. The CIOs and their staffs provide leadership for the implementation of technology to create the information foundation for the efficient and effective operation and management of their respective organizations. The HHS OPDIV CIOs are responsible within their respective organizations for IT long-term strategic planning, IT architecture management, IT budget review, IT security and privacy, IT performance and results-based management, IT CPIC, and, where applicable, records management.
Within their respective organizations, the OPDIV CIOs shall:
5.2.1 Ensure that OPDIV IT Investments comply with legislation, regulations, and other guidance stated in Section 6 “Applicable Laws and Guidance”;
5.2.2 Ensure that individuals assigned to manage OPDIV IT Investments and IT projects are trained, qualified, and, as appropriate, certified as IT Investment Managers or IT Project Managers;
5.2.3 Establish and maintain IT governance structures consistent with this Department Policy to select, control, and evaluate IT Investments;
5.2.4 Establish effective CPIC processes, appropriately staffed and resourced;
5.2.5 Approve OPDIV CPIC policies and procedures consistent with this Department Policy; and,
5.2.6 Comply with Department reporting requirements for Major, Tactical, and Supporting IT Investments.
The HHS IT Capital Planning and Investment Control Officer directs and coordinates HHS CPIC processes and provides the HHS CIO with IT governance support. The HHS IT CPIC Officer shall:
5.3.1 Develop, implement and monitor associated CPIC policies and procedures;
5.3.2 Provide guidance to OPDIV IT CPIC staff regarding CPIC policy, procedures, and issues;
5.3.3 Review OPDIV IT CPIC policies and procedures for compliance with this Department Policy and the legislation, regulations, and other guidance in Section 6 “Applicable Laws and Guidance”;
5.3.4 Assess and report the results of HHS and OPDIV IT Investment performance reviews, as directed by the HHS CIO or HHS IT governance board;
5.3.5 Coordinate, review and evaluate and prepare the HHS IT Investment data for HHS budget submission and other reporting requirements;
5.3.6 Coordinate the resolution of issues arising from compliance with this Department Policy and associated procedures, and reporting issues to the HHS CIO or HHS ITIRB for resolution; and
5.3.7 Coordinate the EPLC stage gate reviews of HHS enterprise IT Investments and IT projects to support the ITIRB and CIO.
5.3.8 Ensure IT Project and Program Managers assigned to IT Investments are trained and meet the stipulated qualifications.
As directed by their respective CIOs, the OPDIV IT CPIC Staff coordinate their organization’s CPIC processes. Within their respective organizations and as directed by their CIOs, the OPDIV IT CPIC Staff shall:
5.4.1 Oversee effective implementation of this Department Policy;
5.4.2 Coordinate the collection of their organization’s IT Investment information to support HHS IT Investment reporting requirements;
5.4.3 Coordinate the resolution of issues that arise in complying with this Department Policy and associated procedures;
5.4.4 Provide guidance to IT Investment Managers and IT Project Managers regarding CPIC policy, procedures, and issues; and
5.4.5 Coordinate the EPLC stage gate reviews of their organization’s IT Investments and IT projects to support the OPDIV IT governance board.
The Business Owner is the organization executive who advocates for the IT Investment and is the primary point of contact to the CIO and the IT governance board. The Business Owner shall:
5.5.1 Propose a candidate IT Investment that meets, and continues to meet, the business needs and performance measurement targets;
5.5.2 Obtain funding for the IT Investment and monitor IT Investment expenditures;
5.5.3 Approve the initial and subsequent changes to the IT Investment’s cost and schedule milestones and performance goals, in accordance with the HHS Policy for PBM;
5.5.4 Appoint IT Investment Managers;
5.5.5 Appoint a qualified IT Project Manager for each IT project within an IT Investment, in consultation with the IT Investment Manager;
5.5.6 Ensure that the IT Investment Manager and constituent IT project teams comply with EA, Security, Records Management, EPLC, PBM and CPIC Department Policy as well as legislation, regulations, and other guidance in Section 6 “Applicable Laws and Guidance”;
5.5.7 Ensure that the IT Investment Manager and Project Manager have training and qualifications and the support and resources required to successfully plan, execute, and manage IT Investment risk;
5.5.8 Review IT governance board recommendations;
5.5.9 Take appropriate action to address IT Investment performance issues; and,
5.5.10 Review, approve, and direct the IT Investment Manager to plan and execute the disposition plan and appropriate Records Management for an IT Investment that has been approved for retirement or termination.
The IT Investment Manager is accountable to the Business Owner for ensuring that the IT Investment meets business requirements efficiently and cost effectively and to the respective IT governance organization for meeting IT Investment management requirements. The IT Investment Manager shall:
5.6.1 Plan and execute the IT Investment to achieve approved cost, schedule, and scope baselines;
5.6.2 Manage IT Investment risk and proactively alert IT governance of significant issues and planned corrective action;
5.6.3 Manage the integration of supporting projects and coordinate EPLC activities;
5.6.4 Ensure that the IT Investment’s constituent IT project teams comply with legislation, regulations, and other guidance in Section 6 “Applicable Laws and Guidance”;
5.6.5 Prepare and coordinate execution of the IT Investment-level PIR and annual OA;
5.6.6 Execute CPIC procedures in a timely manner to ensure that all CPIC process milestones are met;
5.6.7 Prepare and present for approval to the Business Owner, funding authority, and IT governance board a disposition plan for the orderly cessation of operations and the disposition of resources (funds, facilities, staff, hardware, software, etc.) for an IT Investment that has been approved for retirement or termination; and,
5.6.8 Execute an approved disposition plan, as directed by the Business Owner.
The IT Project Manager reports to the IT Investment Manager. As directed by the IT Investment Manager, the IT Project Manager shall:
5.7.1 Plan and manage the cost, schedule, and scope of the IT project;
5.7.2 Comply with legislation, regulations, and other guidance in Section 6 “Applicable Laws and Guidance”, particularly with EPLC requirements for project planning and execution and the HHS-OCIO Policy for IT PBM;
5.7.3 Report project performance to the IT Investment Manager; and,
5.7.4 Manage project risk and proactively alert the IT Investment Manager of significant issues and planned corrective action.
The HHS ITIRB is chaired by the HHS CIO and provides IT governance oversight of all HHS IT Investments. The ITIRB also serves as the IT governance board for HHS enterprise IT Investments. The ITIRB shall:
5.8.1 Establish a governing charter consistent with this Department Policy and legislation, regulations, and other guidance in Section 6 “Applicable Laws and Guidance”;
5.8.2 Select the HHS IT Investment portfolio annually based on the Administration’s and HHS Secretary’s strategic objectives, OMB directives and guidance, and HHS mission and goals;
5.8.3 Recommend annually to the HHS Secretary’s Budget Council the HHS IT Investment portfolio to be funded;
5.8.4 Evaluate IT Investment performance and direct corrective actions, where needed;
5.8.5 Ensure that IT Investments comply with legislation, regulations, and other guidance in Section 6 “Applicable Laws and Guidance”;
5.8.6 For HHS enterprise IT Investments:
5.8.6.1 Establish criteria to select and evaluate an HHS enterprise IT Investment’s alignment to the HHS mission and priorities, support of HHS business needs, performance, risk, and expected benefits throughout the IT Investment’s life cycle;
5.8.6.2 Select HHS enterprise IT Investments proposed for funding based on the predefined criteria;
5.8.6.3 Recommend to the Business Owner the continuation, acceleration, modification, or suspension of HHS IT Investments;
5.8.6.4 Make formal recommendations to the Business Owner and funding authority to terminate an IT Investment with persistent and irreparable performance issues;
5.8.6.5 Make formal recommendations to the Business Owner and funding authority to retire an IT Investment that is no longer supporting HHS mission objectives and business needs effectively or is being replaced by another IT Investment;
5.8.6.6 Review and formally recommend or conditionally recommend to the IT Investment’s Business Owner the execution of the disposition plan for an IT Investment that has been approved for retirement or termination; and
5.8.7 Approve exceptions to HHS Policy and procedures for CPIC and recommend changes to such, as necessary.
The OPDIV IT governance boards (or equivalent IT governance bodies) provide IT governance oversight of all IT Investments within their respective organizations. Each OPDIV IT governance board shall:
5.9.1 Establish a governing charter consistent with legislation, regulations, and other applicable guidance;
5.9.2 Establish an IT governance process consistent with this Department Policy for the selection, control, and evaluation of OPDIV IT Investments;
5.9.3 Annually evaluate and select (including re-select and de-select) the OPDIV IT Investment portfolio based on the Administration’s and HHS Secretary’s strategic objectives, HHS and OPDIV mission and goals, and OMB directives and guidance;
5.9.4 Annually recommend to the HHS ITIRB the respective OPDIV IT Investment portfolios to be funded;
5.9.5 Establish and use criteria to select and evaluate an OPDIV IT Investment’s alignment to the HHS and OPDIV mission and priorities and how well it supports the HHS and OPDIV business needs, meets expected performance goals, mitigates risk, and adheres to projected costs and expected benefits throughout the IT Investment’s life cycle;
5.9.6 Evaluate IT Investment performance and direct corrective actions, where needed, keeping the Department apprised of such corrective action plans;
5.9.7 Ensure that OPDIV IT Investments comply with legislation, regulations, and other guidance in Section 6 “Applicable Laws and Guidance”;
5.9.8 Approve exceptions to OPDIV CPIC policy and procedures for OPDIV IT Investments for which the IT governance board has management authority, and recommend changes to HHS CPIC policies, as necessary;
5.9.9 Recommend to the Business Owner the continuation, acceleration, modification, or suspension of IT Investments;
5.9.10 Make formal recommendations to the Business Owner and funding authority to terminate an IT Investment with persistent and irreparable performance issues;
5.9.11 Make formal recommendations to the Business Owner and funding authority to retire an IT Investment that is no longer supporting HHS and OPDIV mission objectives and business needs effectively or is being replaced by another IT Investment; and
5.9.12 Review and formally recommend or conditionally recommend to the IT Investment’s Business Owner the execution of the disposition plan for an IT Investment that has been approved for retirement or termination.
The Critical Partners are subject matter experts in enterprise architecture, security and privacy, acquisition management, finance, budget, human resources, performance, and other areas. Based on the IT Investment Manager or the IT governance board determination, the Critical Partners shall:
5.10.1 Review the progress of the IT projects associated with IT Investments during EPLC Stage Gate Reviews to ensure compliance with HHS policies, applicable laws and guidance, and HHS-adopted government and industry best practices in their respective functional areas;
5.10.2 Provide recommendations to the IT governance bodies, Business Owners, and IT Investment Managers on issues identified in those functional areas.
§ Chief Financial Officers Act of 1990 (Public Law 101-576)
§ Clinger-Cohen Act (CCA) of 1996 (formerly the IT Management Reform Act of 1996 (Division E of Public Law 104–106) and Federal Acquisition Reform Act of 1996 (Division D of Public Law 104–106))
§ E-Government Act of 2002 (Public Law 107-347)
§ Federal Information Security Management Act (FISMA) of 2002 (Public Law 107-347)
§ Federal Managers Financial Integrity Act of 1982 (Public Law 97-255)
§ Federal Financial Management Improvement Act of 1996 (Public Law 104-208)
§ Federal Acquisition Streamlining Act of 1994 (Public Law 103–355)
§ Government Performance and Results Act of 1993 (Public Law 103–62)
§ Paperwork Reduction Act of 1995 (Public Law 104-13)
§ Records Management Act of 1950
§ National Archives and Records Administration (NARA) Code of Federal Regulations (CFR) - 36 CFR Subchapter B - Records Management.
§ Government Accountability Office (GAO) Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity, GAO-04-394G, March 2004
§ GAO Cost Estimating and Assessment Guide: Best Practices for Developing and Managing Capital Program Costs, GAO-09-3SP, March 2, 2009
§ GAO Accounting and Information Management Division (AIMD) Assessing Risks and Returns: A Guide for Evaluating Federal Agencies' IT Investment Decision-making, AIMD-10.1.13, February 3, 1997
§ HHS Policy for Section 508 Electronic and Information Technology, January 2005
§ HHS Acquisition Regulation, December 20, 2006
§ HHS Office of Acquisition Management and Policy (OAMP) – Acquisition Policy Memorandum No. 2008-02, October 1, 2008
§ HHS-OCIO-2008-0003, IT Policy for Enterprise Architecture, August 7, 2008
§ HHS-OCIO-2008-004, Policy for IT Enterprise Performance Life Cycle, October 6, 2008
§ HHS-OCIO-2009-0005, Pilot Policy for IT Performance Baseline Management, November 30, 2009
§ HHS Information Resource Management (IRM) 2003-0002, Policy for Conducting Information Technology Alternative Analysis, June 13, 2003
§ HHS-OCIO-2009-0003, Policy for Information Systems Security and Privacy, June 25, 2009
§ HHS-OCIO-2007-0004, Policy for Records Management, January 30, 2008
§ HHS CIO Roles and Responsibilities - Circular No. IRM-101, March 1999
§ HHS Section 508 Implementation Policy, January 6, 2005
§ OMB Circular A-11, Part 7 Planning, Budgeting, Acquisition and Management of Capital Assets
§ OMB Circular A-11, Part 7 Supplement, Capital Programming Guide (June 2006)
§ OMB Circular A-76, Performance of Commercial Activities (05/29/2003) including changes made by OMB Memorandum M-07-02 (10/31/2006) and OMB Memorandum M-08-13 (03/11/2008), and a technical correction made by OMB Memorandum M-03-20 (08/15/2003)
§ OMB Circular A-94, Guidelines and Discount Rates for Benefit-Cost Analysis of Federal Programs (Revised 12/12/2008)
§ OMB Circular A-127, Financial Management Systems
§ OMB Circular A-130, Management of Federal Information Resources
§ OMB Memorandum 97-02 Funding Information Systems Investments, October 25, 1996
§ OMB Memorandum 05-23, Improving Information Technology (IT) Project Planning and Execution, August 5, 2005
The effective date of this Policy is the date the Policy is approved.
Requirements stated in this Policy are consistent with law, regulations and other Department policies applicable at the time of its issuance. Actions taken through the implementation of this Policy must comply with the requirements of pertinent laws, rules and regulations, as well as the lawful provisions of applicable negotiated agreements for employees in exclusive bargaining units.
The HHS policies contained in this issuance shall be exercised in accordance with Public Law 93-638, the Indian Self-Determination and Education Assistance Act, as amended, and the Secretary’s policy statement dated August 7, 1997, as amended, titled “Department Policy on Consultation with American Indian/Alaska Native Tribes and Indian Organizations.” It is HHS policy to consult with members of the American Indian/Alaska Native Tribes and Indian Organizations to the greatest practicable extent and to the extent permitted by law before taking actions that affect these governments and people; to assess the impact of the Department’s plans, IT Investments and projects, programs and activities on tribal and other available resources; and to remove any procedural impediments to working directly with tribal governments and members of the American Indian/Alaska Native Tribes and Indian Organizations.
/s/ Michael W. Carleton
HHS Chief Information Officer
DATE: February 26, 2010
Table 1 – Definitions of Terms
Any equipment or interconnected system or subsystem of equipment used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. This includes equipment used by the executive agency directly or used by a contractor under a contract with the executive agency that (i) requires the use of such equipment, or (ii) requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. The term includes computer, ancillary equipment, software, firmware, and similar procedures, services (including support services), Web sites, subscriptions to electronic services and products, and related resources.
The acquisition of an IT asset and the management of that asset through its life cycle after the initial acquisition. An IT Investment may consist of one or more IT projects.
A temporary, planned endeavor funded by an approved IT Investment; thus achieving a specific goal and creating a unique product, service, or result.
A discrete set of information resources organized for the collection, processing, maintenance, transmission, and dissemination of information, in accordance with defined procedures, whether automated or manual to support HHS’ or OPDIV’s [including OS’] mission. An interconnected set of information resources under the same direct management control, which shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people. Refers to a set of information resources under the same management control that share common functionality and require the same level of security controls. Includes automated information system (AIS) applications, enclaves, outsourced IT-based processes, and platform IT interconnections.
A document that summarizes information gained throughout the course of the investment that can be used to benefit other investments and projects in the organization. Lessons learned should draw from positive and negative investment and project experiences and address the causes of issues, reasoning behind the corrective action chosen, and suggestions for future improvement.
The duration of all activities associated with the investment from its initiation through disposal of its assets.
Life Cycle Costs
All initial costs, plus the periodic or continuing costs of operation and maintenance (including staffing costs), and any costs of decommissioning or disposal.
Major IT Investment
An IT Investment that meets at least one of the criteria listed below:
· Is designated by the HHS CIO as critical to the HHS mission or to the administration of programs, finances, property, or other resources.
· Is for financial management and obligates more than $500K annually.
· Requires special management attention because of its importance to the mission or function of HHS or an OPDIV.
· Has significant program or policy implications.
· Has high executive visibility.
· Has high development, operating, or maintenance costs, deemed by HHS as:
o Budget year costs equal to or greater than $10M
o Estimated life cycle costs equal to or greater than $70M.
o Is defined as Major by the HHS CIO.
Performance Measurement Baseline
A primary tool to measure IT Investment, IT project, or IT contract performance and identify risk. The baseline identifies the work that will be accomplished, and defines the cost and schedule to accomplish that work. The Performance Measurement Baseline, which consists of the cost, schedule, and scope baseline, is derived from the scope of work described in a hierarchical Work Breakdown Structure (WBS) – which, in turn, decomposes the entire project into a logical structure of tasks and activities tied to deliverables and to assigned responsibilities – and the associated WBS dictionary. The Performance Measurement Baseline comprises:
· The cost baseline, which defines the approved, projected, time-phased, life-cycle costs for acquiring, operating, and disposing of the physical and/or logical system represented by the scope baseline.
· The schedule baseline, which is the approved timeline for acquiring, operating, and disposing of the physical and/or logical IT asset/system.
· The scope baseline, which represents the configuration of the product of the project as developed and described in the project’s technical documentation.
The Performance Measurement Baseline is integrated where the time-phased cost baseline is consistent with the schedule baseline, and the costs are related to acquiring, operating, and disposing of the physical and/or logical IT asset represented by the scope baseline.
Supporting IT Investment
An IT Investment that is not designated as Major or Tactical and meets at least one of the following criteria: (1) Has total planned development, operating, or maintenance costs of less than $3 million in the budget year; (2) Has been designated by the HHS CIO as a Supporting IT Investment.
Tactical IT Investment
An IT Investment that is not designated as Major and meets at least one of the following criteria: (1) Has total planned development, operating, or maintenance costs of $3 million or more in the budget year; (2) Is designated by the HHS CIO as significant to the HHS mission or to the administration of HHS programs, finances, property or other resources.
Table 2 – List of Acronyms
GAO’s Accounting and Information Management Division
Clinger-Cohen Act of 1996
Chief Information Officer
Capital Planning and Investment Control
Enterprise Performance Life Cycle
Federal Information Security Management Act of 2002
Government Accountability Office
Government Performance and Results Act of 1993
Health and Human Services, Department of
Information Resource Management or Information Resources Management
Information Technology Investment Review Board
Office of Acquisition Management and Policy
Office of the Chief Information Officer
Office of Management and Budget
Office of the Secretary
Performance Baseline Management
Portfolio Management Tool
Senior Information Resource Management Officer
Work Breakdown Structure