HHS-OCIO Policy for Management of the Enterprise IT System Inventory
Office of the Chief Information Officer
Office of the Assistant Secretary for Resources and Technology
Department of Health and Human Services
July 28, 2009
HHS OCIO Policy for MEITSI
The purpose of this Department of Health and Human Services (HHS) Policy is to establish and maintain an enterprise-wide inventory of HHS Information Technology (IT) Systems.
This Policy defines:
- Scope of the Enterprise IT System Inventory
- General Management Principles of the Enterprise IT System Inventory
- Sharing and distributing information from the Enterprise IT System Inventory among IT, business, and oversight communities.
This is the first issuance of this Policy.
The OMB Circular A-130, Management of Federal Information Resources, mandates, among other things, that all federal agencies must maintain "an inventory of the agency's major information systems, holdings, and dissemination products" and "an inventory of the agency's other information resources". Maintaining the Enterprise IT System Inventory involves coordination and collaboration of various business and IT functional areas. It is essential to a number of HHS component organizations to keep an accurate and current inventory of systems. A single comprehensive Enterprise IT System Inventory eliminates issues with maintenance of multiple sources and allows organizations to extract subsets of data based on their reporting and management requirements. The laws and guidance requiring an IT systems inventory may be found in Section 6. Applicable Laws/Guidance.
The HHS-OCIO Policy for Management of the Enterprise IT System Inventory establishes the authoritative source for the HHS Enterprise IT Systems Inventory and the stewards responsible for maintaining the accuracy, integrity and availability of the information.
This Policy applies to all HHS organizational components (i.e., Operating Divisions [OPDIVs] and Staff Divisions [STAFFDIVs]) and organizations conducting business for and on behalf of the Department through contractual relationships when using HHS information technology (IT) resources. This Policy does not supersede any other applicable law, higher level agency directive, or existing labor management agreement in effect as of the effective date of this Policy.
Department officials shall apply this Policy to employees, contractor personnel, interns, and other non-government employees. All organizations collecting or maintaining information, or using or operating IT systems on behalf of the Department, are also subject to the stipulations of this Policy. The content of and compliance with this policy shall be incorporated into applicable contract language, as appropriate.
Agencies shall use this Policy or may create a more restrictive OPDIV/STAFFDIV policy, but not one that is less restrictive, less comprehensive, or less compliant with this document.
- The establishment and management of a single authoritative source for all HHS IT systems makes possible a data source that is accurate, reliable, and readily available to all functional components, such as IT Security, IT Capital Planning and Investment Control, Records Management, Telecommunications, etc.
- The Enterprise IT System Inventory shall include all systems that meet the HHS definition of an Information Technology (IT) System that are owned by or operated on behalf of any part of the HHS organization. (See the glossary below for the full definition.)
- The Enterprise IT System Inventory and related information shall reside in the HHS Enterprise Architecture Repository (the EA Repository).
- The HHS Office of Enterprise Architecture is responsible for the quality and management of the System Inventory. Business Owners in collaboration with System Owners and other functional stewards (e.g., IT Security, Records Management, IT Capital Planning and Investment Control, Telecommunications, etc.) must maintain up-to-date and accurate information in the IT System Inventory.
- The HHS Office of Enterprise Architecture shall define and maintain a standard process for managing the IT System Inventory data and issue guidance as appropriate.
- The IT System information pertaining to the IT System Inventory must follow specifications in the HHS EA Framework document. The basic set of information shall evolve and extend over time to meet business needs.
- Stakeholders of the IT System information in the IT System Inventory need timely and accurate access to the information in order to meet regulatory and operational requirements.
- An IT System Inventory record in the HHS EA Repository shall be created as authorized by the system owner.
- The HHS Office of Enterprise Architecture will make IT System Inventory information available to all approved users and interfacing IT systems as specified in the HHS EA Framework document.
- Users of the HHS EA Repository must take care to retain the confidentiality and integrity of System Inventory information exported and used for ad-hoc queries, reports, etc.
- IT System Inventory information must be provided by the system owner and be updated as soon as possible upon a change affecting the IT System.
- IT System Inventory records that are deemed to no longer be part of the IT System Inventory shall be designated appropriately and retained for historical purposes as specified in guidance documents and in accordance with Records Management disposition schedules.
The HHS Chief Information Officer is responsible for leading the HHS information technology function to maintain accurate, reliable business processes and up-to-date data/information for Department-wide use.
The OPDIV Chief Information Officer (CIO) is accountable for ensuring that information pertaining to the IT System Inventory is managed in accordance with this Policy.
The HHS Chief Enterprise Architect leads the HHS Office of Enterprise Architecture (OEA) and is responsible for managing the HHS Enterprise Architecture (EA) program. The Chief Enterprise Architect charters and chairs the Enterprise Architecture Review Board (EARB). The Chief Enterprise Architect is the system owner of the IT System Inventory.
The OPDIV Chief Enterprise Architect is responsible for the OPDIV enterprise architecture program and for maintaining up-to-date information in the EA Repository regarding the OPDIV's IT system records in collaboration with System Owners and other functional stewards (e.g., IT Security, Records Management, IT Capital Planning and Investment Control, Telecommunications, etc.). Additionally, the OPDIV Chief Enterprise Architect is responsible for overseeing the implementation of this Policy and for coordinating the resolution of any issues that arise in complying with this Policy and any companion guidance.
The HHS Chief Information Security Officer (CISO) directs IT Security at HHS as mandated by the Federal Information Security Management Act of 2002 (FISMA). The HHS CISO requires timely and accurate information from the IT System Inventory for use in the derivation of the HHS FISMA inventory and various reporting and oversight requirements.
The OPDIV Chief Information Security Officer (CISO) is responsible for ensuring that IT System Inventory information is maintained in a timely manner in conjunction with the OPDIV Chief Enterprise Architect.
The HHS IT Capital Planning Officer ensures that the appropriate rigor for Capital Planning and Investment Control (CPIC) is fully integrated into Department processes, required CPIC processes are implemented, and CPIC information, including IT System related information, is used effectively to support IT Investment decisions. The HHS IT Capital Planning and Investment Control Officer requires timely and accurate information from the IT System Inventory for identifying IT systems as they pertain to IT Investment management and funding.
The OPDIV IT Capital Planning and Investment Control Officer is responsible for ensuring that IT System Inventory information is maintained in a timely manner in conjunction with the OPDIV Chief Enterprise Architect.
The HHS Records Officer is responsible for promulgating Department-wide records management oversight, policy, and high-level training for the Department (OPDIVs and Regions). The E-Government Act of 2002 (Title III, Section 3505, as amended), and the related requirements issued and monitored by OMB and the National Archives and Records Administration (NARA), require Federal agencies to inventory their electronic records and secure records disposition authorization for them. The HHS Records Officer requires timely and accurate information from the HHS IT System Inventory to identify systems that contain records.
The Business Owner is the executive in charge of the organization who serves as the primary customer and advocate for an IT investment. The Business Owner is responsible for identifying the business needs and performance measures to be satisfied by an IT project; providing funding for the IT project; establishing and approving changes to cost, schedule and performance goals; and validating that the IT project meets business requirements.
The System Owner is the technical manager of an IT System and manages the system under the direction of a Business Owner. The System Owner is responsible for supplying the OPDIV Chief Enterprise Architect with the required IT System information as specified in the HHS EA Framework regarding a record in the IT System Inventory.
The EARB is an expert decision-making body providing standards, configuration management, and oversight for HHS EA in establishing an integrated EA consistent with the goals and objectives of HHS. The EARB serves as the OPDIV contact for HHS EA updates and dissemination of initiatives and activities. The EARB is authorized to meet, review, render opinions, and establish committees and working groups. The EARB will provide the coordination and validation of System Inventory information.
Applicable laws and guidance:
- 44 U.S.C. Chapter 21 - National Archives and Records Administration
- 44 U.S.C. Chapter 29 - Records Management by the Archivist of the United States and by the Administrator of General Services
- 44 U.S.C. Chapter 31 - Records Management by Federal Agencies (Federal Records Act)
- 44 U.S.C. Chapter 33 - Disposal of Records
- Clinger-Cohen Act of 1996 (CCA), Public Law 104-106
- E-Government Act of 2002, Public Law 107-347
- FIPS 199 - Standards for Security Categorization of Federal Information and Information Systems
- Federal Information Security Management Act (Title III of E-Gov Act of 2002)
- HHS-OCIO Policy for Records Management (HHS-OCIO-2007-0004, dated January 30, 2008)
- OMB Circular A-130, Management of Federal Information Resources
- Paperwork Reduction Act of 1980, Public Law 96-511
Direct questions, comments, suggestions, or requests for further information to the Deputy Assistant Secretary for Information Technology, who serves as the HHS CIO, at (202) 690-6162.
The effective date of this Policy is the date the policy is approved.
Requirements stated in this Policy are consistent with law, regulations and other Department policies applicable at the time of its issuance. Actions taken through the implementation of this Policy must comply with the requirements of pertinent laws, rules and regulations, as well as the lawful provisions of applicable negotiated agreements for employees in exclusive bargaining units.
The HHS policies contained in this issuance shall be exercised in accordance with Public Law 93-638, the Indian Self-Determination and Education Assistance Act, as amended, and the Secretary's policy statement dated August 7, 1997, as amended, titled “Department Policy on Consultation with American Indian/Alaska Native Tribes and Indian Organizations.” It is HHS’ policy to consult with Indian people to the greatest practicable extent and to the extent permitted by law before taking actions that affect these governments and people; to assess the impact of the Department's plans, projects, programs and activities on tribal and other available resources; and to remove any procedural impediments to working directly with tribal governments or Indian people.
July 28, 2009
Michael W. Carlton
HHS Chief Information Officer
Enterprise IT System Inventory (AKA: IT System Inventory): The subset of the EA Repository that documents information about all information technology systems owned by or operated on behalf of the HHS organization.
General Support System: An interconnected set of information resources under the same direct management control which shares common functionality.
HHS Enterprise Architecture Repository (The EA Repository): The HHS-wide repository of information in support of enterprise architecture development and analysis.
Information Dissemination Product: Any book, paper, map, machine-readable material, audiovisual production, or other documentary material, regardless of physical form or characteristic, disseminated by an agency to the public.
Information Technology (IT) System: A discrete set of information resources organized for the collection, processing, maintenance, transmission, and dissemination of information, in accordance with defined procedures, whether automated or manual to support HHS’ or OPDIV’s mission. An interconnected set of information resources under the same direct management control, which shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people. Refers to a set of information resources under the same management control that share common functionality and require the same level of security controls.
Usage and Context: The term IT system is used in the context of security. The terms IT system, information system, and application are often used interchangeably, while the term application has the narrower focus of software that meets user requirements. Types: Major IT System, Non-Major IT System, and General Support System (GSS).
Source: HHS Glossary of Key Enterprise Terms
IT System Inventory: Alias for Enterprise IT System Inventory.
Major IT System: An information system that requires special management attention because of its importance to an agency mission; its high development, operating, or maintenance costs; or its significant role in the administration of agency programs, finances, property, or other resources.
Non-Major IT System: A system that requires appropriate attention to security when a compromise of the information or application would cause limited adverse harm (low or medium impact as defined in FIPS 199) on the HHS mission, business functionality, public health function and/or employee and citizen welfare, due to the loss of confidentiality, integrity, or availability of the information in the application.