Office of the Chief Information Officer
Assistant Secretary for Administration
Department of Health and Human Services
HHS OCIO Policy for Information Technology Capital Planning and Investment Control
Project: HHS OCIO CPIC Policy
Document Number: HHS-OCIO-2016-CPIC-01
This Policy supersedes the HHS Office of the Chief Information Officer (OCIO) Policy for Information Technology (IT) Capital Planning and Investment Control (HHS-OCIO-2010-0002), dated February 26, 2010.
Capital Planning and Investment Control (CPIC) is the primary Information Technology (IT) Investment management methodology at the Department of Health and Human Services (HHS) for selecting, managing, and evaluating the performance of HHS IT Investments. It also describes the roles and responsibilities for carrying out IT CPIC requirements.
This Policy describes the principles for conducting IT Investment management and planning in HHS. The principles are based on legislation and Office of Management and Budget (OMB) guidance that direct agencies to institute and maintain a disciplined approach to funding and monitoring IT Investments. Alongside the 25-Point Implementation Plan to Reform Federal IT Management, the Digital Government Strategy, and Office of Management and Budget (OMB) Memorandum M-11-29, HHS leverages the Information Resources Management (IRM) Strategic Plan to shape ongoing tactical planning.
The principles form the basis for efficient and effective management of the Department's IT Investments by promoting informed decision-making and timely oversight by appropriate level review boards. The goal is to achieve the best balance of the Department's IT Investments at the lowest cost with the least risk while ensuring that mission and business goals are met.
The Clinger-Cohen Act (CCA) of 1996 (Division E of Public Law 104-106, formerly known as the IT Management Reform Act of 1996), requires federal agencies to use a disciplined Capital Planning and Investment Control (CPIC) process to acquire, use, maintain and dispose of IT assets. Other laws and policies, such as the Paperwork Reduction Act of 1980 and 1995, the Government Performance and Results Act of 1993, the Federal Acquisition Streamlining Act of 1994, the Federal Information Technology Acquisition Reform Act of 2014, and OMB Circular A-130, Management of Federal Information Resources, also require agencies to design and implement a disciplined process to maximize the value and assess and manage IT Investment risks. However, CCA supplements existing law and policies by mandating a specific, more rigorous methodology for managing IT Investments than was previously required and an approach that integrates IT capital planning with other agency processes. CCA also elevates the role of what was previously called the Senior Information Resource Management Officer to the more visible Chief Information Officer (CIO) position and gives agencies authority and responsibility for IT acquisition.
CCA mandates that the CPIC process shall: (1) provide for the selection, control, and evaluation of agency IT Investments; (2) be integrated with the processes for budget, financial, and programmatic decision-making; (3) include minimum criteria for considering whether to undertake an IT Investment; (4) identify IT Investments that would result in shared benefits or costs for other Federal agencies or State or local governments; (5) provide for identifying quantifiable measurements for IT Investment net benefits and risks; and, (6) provide the means for senior management to obtain timely information regarding an Investment’s progress.
Under the CCA, the HHS CIO is responsible for: (1) advising and assisting the HHS Secretary and other HHS senior executives in managing IT resources effectively and efficiently and consistent with HHS priorities; (2) using performance measures to monitor and evaluate HHS IT Investment; (3) advising senior management on whether to continue, modify, or dispose of an IT Investment; and, (4) promoting effective and efficient development and operation of all major IT processes in HHS, including work process improvements.
Operationally, HHS is structured into major business areas, with the Operating Divisions (OpDivs) and Office of the Secretary (OS) and its Staff Divisions (StaffDivs) assigned responsibility for accomplishing the HHS goals, objectives, and functions within their respective lines of business. Consistent with this operational structure, the HHS CIO relies on a federated model for HHS IT governance, wherein the OpDivs and StaffDivs are responsible for IT governance within their respective organizations in conformance with this CPIC Policy.
HHS and its OpDivs control IT Investment decisions and portfolio management by leveraging enterprise architecture, strategic procurement, and the HHS Enterprise Performance Life Cycle (EPLC). EPLC is HHS’s standard IT project management methodology that provides IT project managers, business owners, functional subject matter experts (known as “Critical Partners” in EPLC), IT governance executives, and other stakeholders a repeatable structure for planning, managing, and overseeing IT projects throughout their entire life cycle.
Whereas the HHS IT EPLC Policy addresses IT project requirements, this CPIC Policy addresses IT Investments (which may be comprised of one or more IT projects) and IT portfolio management requirements. Adherence to this CPIC Policy ensures that HHS IT Investments are selected based on their support of HHS business needs and mission requirements; that selected IT Investments meet approved cost, schedule, and performance milestones; and that they successfully achieve specified benefits and outcomes throughout the IT Investment life cycle.
This Policy recognizes that IT Investment management is dynamic – IT Investments are selected and continually monitored and evaluated to ensure that each chosen IT Investment effectively and efficiently supports the HHS mission and strategic goals. The HHS IT CPIC model relies on three processes – Select, Control, and Evaluate – to address the following:
- Select – Determine the best IT Investments based on current and future business needs as they relate to the mission.
- Control – Ensure that the selected IT Investments will deliver anticipated benefits on time and within budget.
- Evaluate – Determine whether operational IT Investments continue to efficiently and cost-effectively support requirements and deliver benefits.
An IT Investment can be active concurrently in more than one CPIC process. After the IT Investment’s initial funding is in the select process, it becomes the subject of evaluation throughout the control processes for the purposes of reselection. Reselection is ongoing and continues for as long as an IT Investment receives funding. A decision must be made to continue to fund or to “de-select” an Investment in the following instances:
- If an IT Investment is not meeting the goals and objectives that were originally established when it was selected, and/or
- If the goals have been modified to reflect changes in mission objectives – and corrective actions are not succeeding.
Once IT Investments are operating, they remain under constant review for reselection.
This Policy applies to all HHS organizational components (i.e., OpDivs and StaffDivs) and organizations conducting business for and on behalf of the Department through contractual relationships when using HHS IT resources. This Policy does not supersede any other applicable law, higher-level agency directive, or existing labor management agreement in effect as of the effective date of this Policy. Department officials shall apply this Policy to employees, contractor personnel, interns, and other non-government employees. All organizations collecting or maintaining information, or using or operating information systems on behalf of the Department, are also subject to the stipulations of this Policy. The content of and compliance with this Policy shall be incorporated This Policy also applies to all HHS IT Investments and IT projects throughout their entire life cycle, regardless of funding source, whether owned and operated by HHS or operated on behalf of HHS. OpDivs are expected to manage their IT Investment portfolios using a methodology modeled after the HHS CPIC Program. OpDivs shall use this Policy or may create a more restrictive OpDiv/StaffDiv policy, but not one that is less restrictive or less comprehensive or not compliant with this document.
To maximize the value and to assess and manage the risks of IT Investments, the HHS CIO has established the HHS IT CPIC policies in this section. All IT Investment Managers and all IT Project Managers shall attain the levels of knowledge, skills, and experience required for their respective roles in accordance with applicable HHS training and certification requirements, the Office of Federal Procurement Policy (OFPP) Act, 41 U.S.C. § 1101 et seq., OFPP Policy Letter 05-01, which established a requirement for Federal acquisition certification programs, the July 2014 HHS Handbook for Federal Acquisition Certification for Program and Project Managers, and the December 16, 2013 OFPP Memorandum on Revisions to the Federal Acquisition Certification for Program and Project Managers (FAC-P/PM).
All IT Investments within HHS, whether managed and funded at the Department level or by the OpDivs, are HHS IT Investments. In the event that an IT Investment is jointly funded by HHS and another agency, then the portion that HHS contributes funding to is considered an HHS investment.
3.1.1 IT Investment Characteristics
An IT Investment is the means through which a discrete and unique set of logically related, business-driven IT products and/or services is delivered. The IT Investment’s justification, cost, schedule, measurement indicators, and other management and technical artifacts shall describe its discrete and unique set of IT products/services.
Two or more HHS IT Investments shall not deliver the same discrete and unique set of IT products/services and shall not serve the same purpose without providing justification to the HHS OCIO as to why consolidation into a single IT investment is not appropriate. When two or more IT Investments deliver IT products/services through the same IT system, each IT Investment’s set of IT products/services shall be discrete and unique and clearly distinguishable from the sets of IT products/services delivered by the other IT Investments through the IT system.
3.1.2 IT Funding
A funding source may fund more than one IT Investment and an IT Investment may be funded by one or more funding sources.
The funds provided through each IT Investment shall be traceable to each
3.2 Cost and Schedule Milestones: The Performance Management Baseline
A Performance Management Baseline (PMB) shall be established for each IT Investment with Development, Modernization, and Enhancement (DME) activities. The IT Investment manager shall report, monitor, and implement actions as needed to correct variances from established IT Investment baselines to reduce the risk of cost overruns, schedule delays, and uncontrolled changes in scope.
Cost and schedule milestone data for DME should be tracked for all IT investments, whether funded by DME or Operations and Maintenance funds. Major IT investments with DME are required to report cost and schedule data monthly in the HHS Portfolio Management Tool (PMT).
3.3 IT Investment Classification and Reporting Requirements
3.3.1 IT Investment Classification
Each IT Investment shall be classified in one of two classes: Major or Non-major.
3.3.1.1 Major Investment Classification
An IT Investment is classified as Major when it:
- Is designated by the HHS CIO as critical to the HHS mission or to the administration of programs, finances, property, or other resources.
- Is for financial management (i.e., included in HHS’s Financial Management Enterprise Architecture (EA) Segment) and obligates more than $500K annually, as defined by OMB Circular A-127.
- Requires special management attention because of its importance to the mission or function of HHS or an OpDiv.
- Has a significant program or policy implication.
- Has high executive visibility.
- Has high development, operating, or maintenance costs, deemed by HHS as:
  - Budget year costs equal to or greater than $10M.
  - Estimated life cycle costs equal to or greater than $75M.
FITARA establishes a sub-set of investments within the Major classification that requires review at the Department CIO level. HHS has designated such investments as “Mega-Major”. Mega-Major investments differ from regular Major investments in the following ways:
- A Mega-Major investment must be new in the budget year Capital Planning submission to OMB, and
- Costs must be equal to or greater than:
  - $20M per year, or
  - $100M over five years.
Mega-Major investments must be reviewed and approved by the HHS OCIO’s Administration and Management Domain IT Steering Committee (ITSC) before submission to OMB.
Classification of an investment as Mega-Major is temporary. Upon approval by the ITSC, a Mega-Major investment is treated the same as, and has the same reporting requirements as any Major investment.
3.3.1.2 Non-Major Investment Classification
An IT Investment is classified as Non-major when it:
- Has total planned development, operating, or maintenance costs of less than $10 million in the budget year.
- Has been designated by the HHS CIO as a Non-major IT Investment.
3.3.2 IT Investment Reporting Requirements
The HHS PMT shall be the source of IT Investment information that supports IT governance, the CPIC process, and the HHS budget submission, with reporting data elements to be specified by the HHS CIO.
Changes in classification, such as upgrades to Major or downgrades to Non-Major, must be approved by the HHS CIO prior to the submission of the IT portfolio budget to OMB.
The following table summarizes investment classification criteria, IT governance levels, and reporting requirements.
|IT Investment Classification||Criteria||IT Governance Review and Approval||Reporting Requirements|
|Mega-Major||Any of the criteria for Major; budget year costs ≥ $20M, or 5-year costs ≥ $100M||OpDiv IT Investment Review Board||IT Portfolio Summary; Major IT Business Case; IT Steering Committee Briefing (new investments only)|
|Major||Any of the criteria for Major; budget year costs ≥ $10M, or life cycle costs ≥ $75M||OpDiv IT Investment Review Board||IT Portfolio Summary, Major IT Business Case|
|Non-Major||Any of the criteria for Non-Major||OpDiv IT Investment Review Board||IT Portfolio Summary|
4 CPIC Process
The CPIC process integrates all stages of capital programming, including planning, budgeting, procurement, management, and assessment. All IT projects that comprise an IT Investment shall comply with the requirements of the HHS Policy for EPLC.
Each OpDiv shall adopt and implement CPIC procedures consistent with (1) this HHS CPIC Policy, and (2) best practice IT Investment management principles described in OMB Memorandum M-97-02, the OMB Capital Planning Guide (Supplement to Part 7 in OMB Circular A-11), and other CPIC-related Federal and industry IT Investment and project management guidance.
HHS CPIC consists of three phases: Select, Control, and Evaluate.
4.1 Select Phase
IT Investments proposed and selected for funding shall meet criteria that include, but are not limited to, the following:
- Support core/priority mission functions that need to be performed by HHS.
- Be consistent with applicable Federal, HHS, and OpDiv enterprise and information architectures.
- Integrate organizational work processes and information flows with technology to achieve the organization’s strategic goals.
- Reflect the organization's technology vision.
- Adhere to standards that enable information exchange and resource sharing, while retaining flexibility in the choice of suppliers and in the design of local work processes.
4.2 Control Phase
The Control Phase consists of continuous management involvement in monitoring a project’s cost, schedule, and performance during development and deployment through the EPLC Process.
- The IT Investment’s periodic PMB reports and reviews may result in a recommendation to the IT Investment’s CIO to modify, suspend, or terminate an IT Investment.
- The results of the EPLC stage gate reviews of an IT Investment’s IT project(s) may include a recommendation to the appropriate IT governance board, the IT Investment’s CIO and Business Owner to modify, suspend, or terminate an IT project.
4.3 Evaluate Phase
Each IT Investment that has received approval to transition to Steady State shall conduct a Post-Implementation Review (PIR) after a period of sustained operation.
HHS OCIO Operational Analysis (OA) Policy provides a Department-wide standard for analyzing and evaluating the performance and continued viability of all Steady State IT Investments during the EPLC Operations and Maintenance (O&M) phase.
- Each IT Investment or IT project within an IT Investment that has been approved for termination before it has transitioned to Steady State shall conduct a final review within 60 days of termination to identify and document lessons learned (see Glossary) and suggestions to improve the HHS CPIC process.
- Each Steady State IT Investment or the Steady State portion of a Mixed Life Cycle IT Investment shall conduct an annual OA, beginning one year after conducting the IT Investment’s or IT project’s PIR.
- The results of the annual OA may lead to a recommendation to the IT Investment’s Business Owner to modify, suspend, or terminate a Steady State IT Investment or the Steady State portion of a Mixed Life Cycle IT Investment.
- A disposition plan for the cessation of operations and distribution and reallocation of IT assets and funds in accordance with HHS Records Management, Security, and all other appropriate HHS CPIC and IT policies and procedures, shall be developed and presented for approval to the IT governance board and IT Investment’s Business Owner for each IT Investment that is approved for retirement or termination.
- An approved disposition plan shall be executed by the IT Investment Manager for each IT Investment that is scheduled by the Business Owner for retirement or termination.
5 CPIC Roles and Responsibilities
The key executives, decision boards, and critical partners described in this section are required for HHS IT Investment planning, decision-making, and execution.
5.1 HHS CIO
The HHS CIO oversees the Department's use of IT to improve program performance and to manage risk and advises the HHS Secretary and other HHS senior executives. Under the leadership of the CIO, the OCIO leads the Department’s IT CPIC, EA, governance, security, and IRM programs in collaboration with all organizational components.
The HHS CIO shall:
- Ensure that all HHS IT Investments adhere to federally mandated requirements and to the requirements stipulated in the HHS Policies for CPIC, EA, Security, and Records Management.
- Establish, implement, and maintain an effective HHS CPIC process.
- Implement a Portfolio Management suite of tools to enable effective and efficient cost, schedule, and performance data collection, reporting, and analysis.
- Ensure that each OpDiv adopts CPIC policies and procedures that comply with this policy and legislation, regulations, and other guidance in Appendix B, “Applicable Laws and Guidance”.
- Identify IT Investments requiring Departmental CPIC oversight and review.
5.2 OpDiv CIOs
HHS OpDiv CIOs advise their respective executive management on the strategic direction and management of their organizations’ IT programs. The CIOs and their staffs provide leadership for the implementation of technology to create the information foundation for the efficient and effective operation and management of their respective organizations. With delegated authority from the HHS CIO, OpDiv CIOs are responsible within their respective organizations for long-term and short-term IT strategic planning, IT governance, IT architecture management, IT budget and contract review, IT security and privacy, IT performance and results-based management, and where applicable, records management. Within their respective organizations, the OpDiv CIOs shall:
- Ensure that OpDiv IT Investments comply with legislation, regulations, and other guidance stated in Appendix B, “Applicable Laws and Guidance”.
- Ensure that individuals assigned to manage OpDiv IT Investments and IT projects are trained, qualified, and certified as IT Investment Managers or IT Project Managers as appropriate.
- Establish and maintain IT governance structures consistent with this Department Policy to select, control, and evaluate IT Investments.
- Establish effective CPIC processes, appropriately staffed and resourced.
- Approve OpDiv CPIC policies and procedures consistent with this Department Policy.
- Comply with Department reporting requirements for Major and Non-major IT Investments.
5.3 HHS IT CPIC Officer
The HHS IT CPIC Officer is designated by the HHS CIO to direct and coordinate HHS CPIC processes and provide the HHS CIO with IT governance support. The HHS IT CPIC Officer shall:
- Develop, implement, and monitor associated CPIC policies and procedures.
- Provide guidance to OpDiv IT CPIC staff regarding CPIC policy, procedures, and issues.
- Review OpDiv IT CPIC policies and procedures for compliance with this Department Policy and the legislation, regulations, and other guidance identified in Appendix B, “Applicable Laws and Guidance”.
- Assess and report the results of HHS and OpDiv IT Investment performance reviews, as directed by the HHS CIO or HHS IT Steering Committees (ITSC).
- Coordinate, prepare, review, and evaluate the HHS IT Investment data for HHS budget submission and other reporting requirements.
- Coordinate the resolution of issues arising from compliance with this Department Policy and associated procedures, and report issues to the HHS CIO or HHS ITSC for resolution.
- Coordinate the EPLC stage gate reviews of HHS enterprise IT Investments and IT projects to support the HHS ITSC and HHS CIO.
- Ensure IT Project and Program Managers assigned to IT Investments are trained and meet the stipulated qualifications.
- Oversee the Portfolio Management Tool.
5.4 OpDiv IT CPIC Officer
As directed by their respective CIOs under their delegated authority, the OpDiv IT CPIC Officer (also known as the CPIC Manager) coordinates their organization’s CPIC processes and ensures that the appropriate rigor for PBM is fully integrated into their organization’s processes. Moreover, they ensure that required PBM processes are implemented for IT Investments and IT projects, and that PBM information is used effectively. The OpDiv IT CPIC Officer shall:
- Coordinate the collection of their organization’s IT Investment information to support HHS IT Investment reporting requirements.
- Coordinate the resolution of issues that arise in complying with this Department Policy and associated procedures.
- Provide guidance to OpDiv IT Investment Managers and IT Project Managers regarding CPIC policy, procedures, and issues.
- Coordinate the EPLC stage gate reviews of their organization’s IT Investments and IT projects.
- Coordinate the collection of their organization’s IT Investment information to support Departmental IT Investment PBM reporting requirements.
- Assess Non-major IT Investments for risk and where appropriate, conduct performance reviews of high-risk, high-impact Non-major IT Investments. Non-major performance reviews may be modeled on the TechStat format. Should the performance review determine that the Non-major IT Investment merits upgrade to Major, the OpDiv IT CPIC Officer shall make such recommendation to the OpDiv CIO.
5.5 Business Owners
The Business Owner is the organization executive who advocates for the IT Investment and is the primary point of contact to the CIO and the IT governance board. Consistent with approved enterprise and/or OpDiv governance policies and procedures, the Business Owner shall:
- Propose candidate IT Investments that continually meet the business needs of the organization as well as the performance measurement targets.
- Obtain funding for the IT Investment and monitor IT Investment expenditures.
- Approve the initial and subsequent changes to the IT Investment’s cost and schedule milestones and performance goals, in accordance with the HHS Policy for PBM.
- Appoint qualified IT Investment Managers.
- Appoint a qualified IT Project Manager for each IT project within an IT Investment, in consultation with the IT Investment Manager.
- Ensure that the IT Investment Manager and constituent IT project teams comply with EA, Security, Records Management, EPLC, PBM, and Department CPIC Policy as well as legislation, regulations, and other guidance identified in Appendix B, “Applicable Laws and Guidance”.
- Ensure that the IT Investment Manager and Project Manager have appropriate training and qualifications and the support and resources required to successfully plan, execute, and manage IT Investment risk.
- Review and implement, as necessary, IT governance board recommendations.
- Take appropriate action to address IT Investment performance issues, including decisions made collaboratively with the organization’s CIO, IT governance board, and Contracting Officer.
- Review, approve, and direct the IT Investment Manager to plan and execute the disposition plan and appropriate Records Management for an IT Investment that has been approved for retirement or termination.
5.6 IT Investment Manager
The IT Investment Manager is accountable to the Business Owner for ensuring that the IT Investment meets business requirements efficiently and cost effectively, and to the respective IT governance organization for meeting IT Investment management requirements. The IT Investment Manager shall:
- Plan and execute the IT Investment to achieve approved cost, schedule, and scope baselines.
- Manage IT Investment risk and proactively alert IT governance of significant issues and planned corrective action.
- Manage the integration of supporting projects and coordinate EPLC activities.
- Ensure that the IT Investment’s constituent IT project teams comply with legislation, regulations, and other guidance identified in Appendix B, “Applicable Laws and Guidance”.
- Prepare and coordinate execution of the PIR(s) at the project level and annual Operational Analysis (OA) at the investment level.
- Execute CPIC procedures in a timely manner to ensure that all CPIC process milestones are met.
- Collect, analyze, and report IT Investment cost and schedule milestone data and performance to the organization’s IT governance board.
- Prepare Corrective Action Plans when a cost or schedule variance exceeds established thresholds and document justifications of cost or schedule zero variance.
- Prepare and present for approval to the Business Owner, funding authority, and IT governance board a disposition plan for the orderly cessation of operations and the disposition of resources (funds, facilities, staff, hardware, software, etc.) for an IT Investment or system that has been approved for retirement or termination.
- Execute an approved disposition plan, as directed by the Business Owner.
5.7 IT Project Manager
The IT Project Manager reports to the IT Investment Manager. As directed by the IT Investment Manager, the IT Project Manager shall:
- Plan and manage the cost, schedule, and scope of the IT project.
- Comply with legislation, regulations, and other guidance identified in Appendix B, “Applicable Laws and Guidance”, particularly with EPLC requirements for project planning and execution and the HHS OCIO Policy for IT PBM.
- Report project performance to the IT Investment Manager, manage project risk, and proactively alert the IT Investment Manager of significant issues and planned corrective actions.
- Submit IT project Corrective Action Plans when a cost or schedule variance exceeds established thresholds, justifications of a cost or schedule zero variance, and Baseline Change Requests.
- Conduct and report the results of annual OAs of Steady State IT investments as directed by the IT Investment Manager.
5.8 Contracting Officer/Contracting Officer’s Representative
The Contracting Officer and Contracting Officer’s Representative should work with the Business Owner to ensure that all contracts associated with an IT Investment comply with all pertinent rules, policies, and procedures of the Federal Acquisition Regulation and HHS Acquisition Regulation, and incorporate the content and compliance with this Policy into applicable contract language, as appropriate.
6 HHS CPIC Integration with Other IT Governance
6.1 The HHS EPLC Framework
The HHS EPLC framework is the standard structure for planning, managing and overseeing the IT projects that comprise the IT Investment over the respective IT project life cycles. Defining features of EPLC include the following:
- EPLC identifies ten life cycle phases. Each phase has well-defined activities, responsibilities, reviews, and deliverables.
- EPLC is tailored by the project type, size, and scope.
- EPLC qualifies interdependencies between project management, Investment management, security, budget, acquisition, and compliance with Section 508 of the Rehabilitation Act of 1973 (29 U.S.C. § 794d).
- EPLC helps to identify potential duplication, reuse, and promotion of shared services.
- EPLC conducts Stage Gate reviews to determine if the project is ready to move forward to the next phase within the life cycle framework.
6.2 Critical Partners
The Critical Partners are subject matter experts in enterprise architecture, security and privacy, acquisition management, finance, budget, human resources, performance, governance, and other areas. Based on the IT Investment Manager or the IT governance board determination, the Critical Partners shall:
- Review the progress of the IT projects associated with IT Investments during EPLC Stage Gate Reviews to ensure compliance with HHS policies, applicable laws and guidance, and HHS-adopted government and industry best practices in their respective functional areas.
- Provide recommendations to the IT governance bodies, Business Owners, and IT Investment Managers on issues identified in those functional areas.
6.3 IT Enterprise Architecture
Working from the standard ‘Strategy, Architecture, Investment, and Implementation’ framework, the Office of Enterprise Architecture shall have the formal role of determining a proposed Investment’s alignment with the HHS Enterprise Architecture. As a Critical Partner in the HHS EPLC framework, EA shall also have a decisional role throughout the IT project lifecycle via the EPLC Stage Gate reviews. To ensure support of the HHS mission, strategic plans, and performance and outcome objectives, IT Investments shall comply with Federal, HHS and OpDiv enterprise architectures.
OMB mandates that Federal agencies review their respective IT Investment portfolios and identify opportunities to consolidate the acquisition and management of IT services, particularly with respect to commodity IT. This process, known as PortfolioStat, is a data driven, evidence-based review of an agency’s IT portfolio that includes data on commodity IT Investments, potential duplications within the agency, IT Investments that do not appear to be well aligned to agency missions or business functions, and other key considerations and data within an agency’s IT portfolio. PortfolioStat empowers CIOs to assess the effectiveness of established IT Investment and IT portfolio management processes, streamline IT portfolios, and augment the CPIC process.
A TechStat is an in-depth review of a single IT Investment. A TechStat can be triggered by the HHS CIO, an OpDiv CIO, or OMB when it is determined that a project or IT Investment is under-performing. Generally, the initial assessment of the necessity of a TechStat is made using data from the HHS Portfolio Management Tool. Two possible TechStat triggers are a high cost and/or schedule variance(s) for projects associated with an IT Investment or an assessment by the HHS CIO that the IT Investment is “High Risk”. Per the June 10, 2015, FITARA implementation guidance released by OMB, a TechStat is mandatory for all Major IT Investments that trend as “High Risk” for three consecutive months. TechStat sessions review the overall management of the IT Investment, examine program performance data, and explore opportunities for corrective action. The outcome of a TechStat session is the establishment of clear action items required in order to correct the issues that triggered the TechStat. These items are tracked by the HHS Office of the CIO until the IT Investment’s program office achieves completion of all action items.
6.6 IT Privacy, Security, and Records Management
To ensure confidentiality, integrity, availability, reliability, and non-repudiation within the HHS infrastructure and its operations, IT Investments shall comply with Federal and HHS privacy, security, and records management requirements for IT Investments and systems. IT Investments shall also demonstrate that costs for appropriate IT privacy, security, and records management controls are explicitly incorporated into the life cycle planning and operational costs of all associated IT systems.
6.7 IT Acquisition Strategy
The primary purpose of IT Investment acquisition-related activities shall be to support the execution of the IT Investment decisions made by the IT Investment’s Business Owner and the IT governance board.
To improve effectiveness and minimize costs/risks, IT Investments shall develop, execute, and maintain a performance-based acquisition strategy that includes an appropriate mix of contract types to minimize risk to the government, reflects approved and updated cost and schedule milestones, and complies with Federal and HHS acquisition requirements for IT Investments and systems.
7 IT Governance
HHS established the domain IT governance model to address the need for providing common delivery of shared services and benefits across the Department. The domain structure replaces the former Department-level IT Investment Review Board (ITIRB), which reviewed, validated and approved all HHS IT Investments in the HHS IT Investment portfolio either directly or through delegation to the OpDiv governance boards, and served as the IT governance board for all HHS enterprise IT Investments. The domain IT governance framework established the IT Steering Committees (ITSCs) to focus on categories of Investments, which enable efficiencies to better align the IT and business communities. The CPIC Officer, as delegated by the CIO, is responsible for overseeing the CPIC processes to select, control, and evaluate their organization’s IT Investments.
The ITSCs are organized into three distinct business areas, known as “domains”: Health and Human Services, Scientific Research, and Administration and Management. HHS IT Investments within the domain model are structured and mapped according to their business area. The ITSCs are responsible for directing strategy, policy, and standards surrounding these IT Investments.
The mission of each domain ITSC is to:
- Ensure HHS receives optimal value from IT Investments by addressing HHS-wide IT policy, procedure, and architecture issues.
- Maximize knowledge sharing, best practices, assets, and capabilities.
- Collaborate with OpDivs and StaffDivs to implement and execute an expedited IT Investment management process.
This governance framework provides greater visibility into division Investment decisions and allows for collaboration and coordination of HHS-wide initiatives that benefit the entire Department.
7.2 Delegated OpDiv Governance
At the OpDiv level, IT Investments and projects are reviewed and approved through oversight of the OpDiv’s IT Investment Review Board (ITIRB) or other appropriate governance bodies, consistent with HHS policy. OpDivs coordinate IT project governance and Investment management functions within their respective organizations and OpDiv-level ITIRBs. OpDivs shall work directly with their IT project teams to ensure performance and overall compliance with the direction of the ITSCs and conduct the following:
- Establish a governing charter consistent with legislation, regulations, and other applicable guidance.
- Establish an IT governance process consistent with this Department Policy for the selection, control, and evaluation of OpDiv IT Investments.
- Annually evaluate and select (including re-select and de-select) the OpDiv IT Investment portfolio based on the Administration’s and HHS Secretary’s strategic objectives, HHS and OpDiv mission and goals, and OMB directives and guidance.
- Annually recommend to the HHS ITSC the respective OpDiv IT Investment portfolios to be funded.
- Establish and use criteria to select and evaluate an OpDiv IT Investment’s alignment to the HHS and OpDiv mission and priorities and how well it supports the HHS and OpDiv business needs, meets expected performance goals, mitigates risk, and adheres to projected costs and expected benefits throughout the IT Investment’s life cycle.
- Evaluate IT Investment performance and direct corrective actions, where needed, keeping the Department apprised of such Corrective Action Plans.
- Approve exceptions to OpDiv CPIC policy and procedures for OpDiv IT Investments for which the IT governance board has management authority, and recommend changes to HHS CPIC policies, as necessary.
- Recommend to the Business Owner the continuation, acceleration, modification, or suspension of IT Investments.
- Make formal recommendations to the Business Owner and funding authority to terminate an IT Investment with persistent and irreparable performance issues.
- Make formal recommendations to the Business Owner and funding authority to retire an IT Investment that is no longer effectively supporting HHS and OpDiv mission objectives and business needs or is being replaced by another IT Investment.
- Review and formally recommend or conditionally recommend to the IT Investment’s Business Owner the execution of the disposition plan for an IT Investment that has been approved for retirement or termination.
Appendix A CPIC Policy Approval
The undersigned acknowledge they have reviewed the HHS OCIO Policy for Information Technology Capital Planning and Investment Control. Changes to this policy will be coordinated with and approved by the undersigned or their designated representatives.
Print Name: /Beth Anne Killoran/
Title: HHS Chief Information Officer
Print Name: /Christos Skeadas/
Title: Deputy Chief Information Officer
Appendix B Applicable Laws and Guidance
Applicable laws and guidance include, but are not limited to, the following:
Chief Financial Officers Act of 1990 (Public Law 101-576)
Clinger-Cohen Act (CCA) of 1996 (formerly the IT Management Reform Act of 1996 (Division E of Public Law 104–106) and Federal Acquisition Reform Act of 1996 (Division D of Public Law 104–106))
Federal Information Technology Acquisition Reform Act (FITARA) of 2014 (Public Law 113-291)
American National Standards Institute/Electronic Industries Alliance (ANSI/EIA) Standard 748
E-Government Act of 2002 (Public Law 107-347)
Federal Information Security Management Act (FISMA) of 2002 (Public Law 107-347)
Federal Managers Financial Integrity Act of 1982 (Public Law 97-255)
Federal Financial Management Improvement Act of 1996 (Public Law 104-208)
Federal Acquisition Streamlining Act of 1994 (Public Law 103–355)
Government Performance and Results Act of 1993 (Public Law 103–62)
Paperwork Reduction Act of 1995 (Public Law 104-13)
Records Management Act of 1950
National Archives and Records Administration (NARA) Code of Federal Regulations (CFR) - 36 CFR Subchapter B - Records Management.
Government Accountability Office (GAO) Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity, GAO-04-394G, March 2004
GAO Cost Estimating and Assessment Guide: Best Practices for Developing and Managing Capital Program Costs, GAO-09-3SP, March 2, 2009
GAO Accounting and Information Management Division (AIMD) Assessing Risks and Returns: A Guide for Evaluating Federal Agencies' IT Investment Decision-making, AIMD-10.1.13, February 3, 1997
HHS Policy for Section 508 Electronic and Information Technology, January 2005
HHS Acquisition Regulation, April 26, 2010
HHS Office of Acquisition Management and Policy (OAMP) – Acquisition Policy Memorandum No. 2008-02, October 1, 2008
HHS-OCIO-2008-0003, IT Policy for Enterprise Architecture, August 7, 2008
HHS-OCIO-2008-004, Policy for IT Enterprise Performance Life Cycle, October 6, 2008
HHS-OCIO-2010-0007, Policy for IT Performance Baseline Management, December 21, 2010
HHS Information Resource Management (IRM) 2003-0002, Policy for Conducting Information Technology Alternative Analysis, June 13, 2003
HHS Information Resource Management (IRM) Strategic Plan 2014-2018, April 2014
HHS-OCIO-2014-0007, HHS Policy for Information Systems Security and Privacy (IS2P), July 30, 2014
HHS-OCIO-2007-0004, Policy for Records Management, January 30, 2008
HHS CIO Roles and Responsibilities - Circular No. IRM-101, March 1999
HHS Section 508 Implementation Policy, January 24, 2005
OMB Circular A-11, Part 7, Planning, Budgeting, Acquisition and Management of Capital Assets
OMB Circular A-11, Part 7 Supplement, Capital Programming Guide (June 2006)
OMB Circular A-76, Performance of Commercial Activities (May 29, 2003) including changes made by OMB Memorandum M-07-02 (October 31, 2006) and OMB Memorandum M-08-13 (March 11, 2008), and a technical correction made by OMB Memorandum M-03-20 (August 15, 2003)
OMB Circular A-94, Guidelines and Discount Rates for Benefit-Cost Analysis of
OMB Circular A-127, Financial Management Systems
OMB Circular A-130, Management of Federal Information Resources
OMB Memorandum 97-02 Funding Information Systems Investments, October 25, 1996
OMB Memorandum 05-23, Improving Information Technology (IT) Project Planning and Execution, August 5, 2005
Appendix C Glossary
|Business Owner||The organizational executive who is the primary IT Investment customer, advocates for the IT Investment, and serves as the primary point of contact to the CIO and the IT Governance Board (or designated governance body).|
|Enterprise Performance Life Cycle||A framework to enhance IT Governance through rigorous application of sound investment and project management principles and industry best practices. The Enterprise Performance Life Cycle (EPLC) provides the context for the HHS IT Governance process and describes interdependencies between its project management, investment management, and capital planning components. The EPLC is comprised of 10 phases – from initiation through disposition – and identifies the activities, roles and responsibilities, Stage Gate Reviews, and exit criteria for each phase. The EPLC framework complies with federal regulations and policies, industry best practices, and HHS policies and standards.|
|Information Technology||Any equipment or interconnected system or subsystem of equipment used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. This includes equipment used by the executive agency directly or used by a contractor under a contract with the executive agency that (i) requires the use of such equipment, or (ii) requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. The term includes computer, ancillary equipment, software, firmware, and similar procedures, services (including support services), Web sites, subscriptions to electronic services and products, and related resources.|
|Investment Manager||The Investment Manager is responsible for planning and executing the investment to achieve approved baselines. The Investment Manager may or may not be a subject matter expert in the business area supported by the investment.|
|IT Investment||The acquisition of an IT asset and the management of that asset through its life cycle after the initial acquisition. An IT Investment may consist of one or more IT projects.|
|IT Project||A temporary, planned endeavor funded by an approved IT Investment; thus achieving a specific goal and creating a unique product, service, or result.|
|IT Steering Committee (ITSC)||The ITSCs are organized into three distinct business areas, known as “domains”: Health and Human Services, Scientific Research, and Administration and Management. HHS IT Investments within the domain model are structured and mapped according to their business area. The ITSCs are responsible for directing strategy, policy, and standards surrounding these IT Investments. The mission of each domain ITSC is to:
This governance framework provides greater visibility into division decisions and allows for collaboration and coordination of HHS-wide initiatives that benefit the entire Department.|
|IT System||A discrete set of information resources organized for the collection, processing, maintenance, transmission, and dissemination of information, in accordance with defined procedures, whether automated or manual, to support HHS’s or OpDiv’s (including OS’s) mission. An interconnected set of information resources under the same direct management control, which shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people. Refers to a set of information resources under the same management control that share common functionality and require the same level of security controls. Includes automated information system applications, enclaves, outsourced IT-based processes, and platform IT interconnections.|
|Lessons Learned||A document that summarizes information gained throughout the course of the Investment that can be used to benefit other Investments and projects in the organization. Lessons learned should draw from positive and negative Investment and project experiences and address the causes of issues, reasoning behind the corrective action chosen, and suggestions for future improvement.|
|Life Cycle||The duration of all activities associated with the Investment from its initiation through disposal of its assets.|
|Life Cycle Costs||All initial costs, plus the periodic or continuing costs of operation and maintenance (including staffing costs), and any costs of decommissioning or disposal.|
|Operational Analysis||An Operational Analysis (OA) evaluates IT Investment performance, user satisfaction with the IT Investment, the IT Investment’s adaptability to changing business needs, and new technologies that might improve the IT Investment. The OA review is diagnostic in nature and can lead to the initiation of development or maintenance activities. Any major IT Investment modifications needed after the IT Investment has been implemented follow the EPLC framework life cycle process from planning through implementation. The OA ultimately determines whether the IT Investment should continue, be modified or be terminated.|
|Performance Baseline Measurement||A primary tool to measure IT Investment, IT project, or IT contract performance and identify risk. The baseline identifies the work that will be accomplished, and defines the cost and schedule to accomplish that work. The Performance Baseline Measurement, which consists of the cost, schedule, and scope baseline, is derived from the scope of work described in a hierarchical Work Breakdown Structure (WBS) – which, in turn, decomposes the entire project into a logical structure of tasks and activities tied to deliverables and to assigned responsibilities – and the associated WBS dictionary. The Performance Baseline Measurement comprises:
Appendix D List of Acronyms
|AIMD||GAO’s Accounting and Information Management Division|
|AMD||Administration & Management Domain|
|ANSI/EIA||American National Standards Institute/Electronic Industries Alliance|
|CCA||Clinger-Cohen Act of 1996|
|CFR||Code of Federal Regulations|
|CIO||Chief Information Officer|
|CPIC||Capital Planning and Investment Control|
|EPLC||Enterprise Performance Life Cycle|
|FAC-P/PM||Federal Acquisition Certification for Program and Project Managers|
|FISMA||Federal Information Security Management Act of 2002|
|FITARA||Federal Information Technology Acquisition Reform Act of 2014|
|GAO||Government Accountability Office|
|HHS||Health and Human Services, Department of|
|HHSD||Health and Human Services Domain|
|IRM||Information Resources Management|
|ITIRB||Information Technology Investment Review Board|
|ITSC||Information Technology Steering Committee|
|NARA||National Archives and Records Administration|
|OAMP||Office of Acquisition Management and Policy|
|OCIO||Office of the Chief Information Officer|
|OFPP||Office of Federal Procurement Policy|
|OMB||Office of Management and Budget|
|OS||Office of the Secretary|
|PBM||Performance Baseline Management|
|PMT||Portfolio Management Tool|
|SRD||Scientific Research Domain|