Policy for Information Technology (IT) Enterprise Performance Life Cycle (EPLC)

Table of Contents

  1. Version History
  2. Nature of Changes
  3. Purpose
  4. Background
  5. Scope
  6. Policy
  7. Guiding Principles
  8. Roles and Responsibilities
  9. Supporting Documentation
  10. Information and Assistance
  11. Effective Date
  12. Implementation
  13. Glossary
  14. Approvals

1. Version History

Version # Description of Change(s) Change Implemented By Date
1 Baseline OCIO


2 For a description of changes, please see CR-2016-11-02T09:45:35 located on the EPLC CCB Portal. OCIO 11/30/2016

2. Nature of Changes

This policy revises and supersedes the “HHS OCIO Policy for Information Technology (IT) Enterprise Performance Life Cycle (EPLC)” dated October 6, 2008.

3. Purpose

This policy mandates the use of the Department of Health & Human Services (HHS) Enterprise Performance Life Cycle (EPLC) framework for information technology (IT) project management at HHS. This policy incorporates the EPLC as a partner to HHS Capital Planning and Investment Control (CPIC) and HHS Enterprise Architecture.

4. Background

In October 2008, HHS issued the HHS OCIO Policy for Information Technology Enterprise Performance Life Cycle along with the EPLC Framework Overview Document that describes a structured approach to planning, managing, and overseeing HHS IT projects over their entire life cycle. The EPLC Policy, together with the EPLC Framework, serves as the authority for EPLC requirements, objectives, responsibilities, and standards for managing all IT projects at HHS. The EPLC Policy is being revised in 2016 to incorporate project management elements FITARA.

Industry and government experience demonstrates that the quality of IT projects is directly proportional to the quality of the management processes used to acquire and operate the IT products those projects produce. Implementing the EPLC framework helps ensure the quality of HHS IT products through improved project management processes.

EPLC establishes a project management and accountability environment for HHS IT projects to achieve consistently successful outcomes that maximize alignment with Department-wide and individual OPDIV goals and objectives. Implementation of the EPLC methodology allows HHS to improve the quality of project planning and execution, reducing overall project risk.

Managing and governing all IT projects from perspective single, standard project management framework facilitates HHS-wide compliance with the Clinger-Cohen Act, FITARA, and other legislative and regulatory requirements that require HHS to manage and govern its IT projects from an enterprise perspective.

5. Scope

This policy applies to all HHS IT projects throughout the life cycle of the project, regardless of development methodology, funding source, and whether the delivered product is owned and operated by HHS or a third party acting on behalf of HHS.

This policy also applies to all HHS OPDIVs and STAFFDIVs, as well as all organizations conducting business for and on behalf of HHS OPDIVs and STAFFDIVs through contractual relationships. This policy applies to all OPDIV and STAFFDIV employees, contractor personnel, interns, and other non-government employees. All organizations collecting or maintaining information or using or operating information systems on behalf of HHS and/or its OPDIVs and STAFFDIVs are also subject to the stipulations of this policy.

This policy will be implemented as appropriate in accordance with applicable HHS Acquisition Regulation (HHSAR) rules that are promulgated on this subject and will be incorporated into applicable HHS policies.

This policy does not supersede any other applicable law or higher level agency directive, or existing labor management agreement in effect as of the effective date of this policy.

6. Policy

All HHS IT projects shall be managed using the HHS EPLC Framework, including life cycle phases, reviews, deliverables, activities, responsibilities, and tailoring, regardless of the specific development methodology used. Please refer to the EPLC Framework Overview Document for specific information about the EPLC.

All HHS IT projects shall use appropriate, proven development methods to ensure that planned and actual delivery of new or modified technical functionality occurs at least every six months, including but not limited to agile methods to ensure incremental delivery. A project that uses newer, less proven methods must have approval by the appropriate HHS or OPDIV IT Governance body.

This policy shall be applied in conjunction with the HHS Enterprise Architecture Policy, the HHS Capital Planning and Investment Control (CPIC) Policy, and the HHS Information Technology (IT) Performance Baseline Management (PBM) Policy.

OPDIVs and STAFFDIVs shall use this Policy or may create a more restrictive policy, but not one that is less restrictive, less comprehensive or less compliant with this Department Policy.

7. Guiding Principles

  • Flexibility: The EPLC is designed to provide the flexibility needed to adequately manage risk while allowing for differences in development methodology, project size, complexity, scope, duration, and acquisition strategy. The EPLC framework allows tailoring to accommodate the specific circumstances of each project.
  • Structure: HHS IT projects will be managed and implemented in a structured manner, using sound project management practices, and ensuring involvement by business stakeholders and technical experts throughout the project’s life cycle.
  • Methodology: Per FITARA, HHS requires incremental and iterative development to be considered first as the preferred methodology to implement all HHS IT projects, as appropriate.
  • Collaboration: Critical Partner and stakeholder functions are performed throughout the life cycle of projects to include timely, effective multi-disciplinary reviews of IT projects.
  • Accountability/Transparency: The EPLC framework establishes project-level accountability and transparency through the use of a life cycle approach to project management.

8. Roles and Responsibilities

8.1. IT Project Managers

Note: IT Project Managers must have the appropriate level of certification given the size, risk, and complexity of the project.

IT Project Managers are responsible for:

  • Ensuring that project staff and contractors comply with the requirements of this policy for day-to-day management of the project.
  • Ensuring that all appropriate Critical Partners, including business stakeholders and technical experts, are involved and their input is effectively adjudicated throughout the life cycle of the IT project.
  • Effectively utilizing an incremental development methodology that produces end-user functionality at least every six months as specified in the Project Process Agreement that is approved by IT Governance.
  • Maintaining information on project status, control, performance, risk, corrective action and outlook.
  • Planning and conducting phase activities and verifying that the set of deliverables for the phase is complete.
  • Conducting formal Project Reviews at specified points in the life cycle.
  • Reporting to the HHS or OPDIV IT Governance organization, missed milestones and/or variances in percentage of project cost, schedule, or performance outside any defined acceptable ranges.
  • Developing Corrective Action Plans and/or Baseline Change Requests, as appropriate.

8.2. Business Owners

Business Owners are responsible for:

  • Complying with CPIC Policy to ensure alignment of projects with mission priorities prior to proceeding with the project.
  • Providing funding for the IT project.
  • Establishing and approving changes to cost, schedule and performance goals.
  • Identifying the business needs and performance measures to be satisfied by the project.
  • Actively participating throughout the IT project life cycle to ensure the project remains targeted on high priority business needs.
  • Validating and endorsing the business process models and requirements documentation for their projects.
  • Participating in Stage Gate Reviews.
  • Approving a baseline tailoring strategy for each project (as documented in the Project Process Agreement) and requesting IT Governance approval for subsequent changes to the baseline.
  • Validating that the resulting IT system or service meets business requirements and continues to meet business requirements.
  • Participating in user acceptance testing to validate system requirements are met.

8.3. HHS Chief Information Officer (CIO)

The HHS CIO is responsible for:

  • Ensuring that the EPLC framework provides the necessary project performance transparency through life cycle reviews and stage gate approvals across all OPDIVs and STAFFDIVs.
  • Implementing appropriate improvements to the EPLC framework to facilitate improved project performance and appropriate engagement levels between program managers and IT stakeholders.
  • Providing guidance to OPDIVs on best practices for determining high-quality performance metrics throughout the project life cycle.
  • Ensuring effective incremental development principles and practices.
  • Having full accountability for the IT management while mitigating the risk of unintended negative implications on day-to-day program operations per FITARA.

8.4. Critical Partners

Critical Partners are responsible for:

  • Providing ongoing advice and counsel to the integrated project team
  • Providing a review of the progress of IT projects and reviewing risks and mitigation plans at specified Stage Gate Reviews to ensure that projects meet their respective requirements.
  • Providing recommendations for improvement, continuation, termination, and reviewing risks and mitigation plans.

8.5. HHS Project/Program Management Office

The HHS Project/Program Management Office is responsible for:

Establishing a minimum set of core activities and deliverables for all IT projects.

Providing project templates and tools to assist with project activities.

Conducting periodic audits of EPLC activities across HHS in order to maintain assurance that projects are being managed according to the EPLC methodology.

Developing and sharing best practices for cost estimation, appropriate metrics and other areas of common interest to help assure successful outcomes of the IT project.

8.6. IT Governance Organizations/Boards (HHS, OPDIV, and STAFFDIV Levels)

IT Governance Organizations/Boards are responsible for:

  • Ensuring that IT projects are technically sound, follow established IT project management practices, and meets the business needs.
  • Conducting Stage Gate Reviews through Critical Partners and defined stakeholders and deciding whether to require additional work to meet exit criteria or to approve advancement of a project to the next life cycle phase of the EPLC.
  • Operating according to an approved charter.


OPDIV CIOs are responsible for:

  • Establishing IT Governance processes that authorize the implementation and operation of the EPLC methodology for project management, including life cycle review processes.
  • Implementing an appropriate level of IT governance that reflects the EPLC framework and requirements for projects under their purview.
  • Ensuring there is active participation of critical partners and IT governance throughout the IT project life cycle to ensure the project remains targeted on high priority business needs.
  • Implementing appropriate measures to monitor the implementation and operation of EPLC.
  • Implementing appropriate improvements to the OPDIV processes to facilitate increased project performance.
  • Ensuring they work closely with their OPDIV CFO, CAO, Division leadership, and mission/program managers using governance processes aligned with their mission responsibilities throughout Division-level planning, execution, and evaluation processes per FITARA.
  • Meeting and maintaining the appropriate conditions indicated in their Delegation of Authority Letter per FITARA.

8.8. HHS EPLC Change Control Board (CCB)

The EPLC CCB is responsible for governing the integrity of the EPLC Framework as an implementation arm of the EPLC Policy. The EPLC CCB is responsible for:

  • Receiving and logging requests for changes to the EPLC Framework and Artifacts;
  • Reviewing EPLC implementation policies and procedures for each Operating Division (OPDIV);
  • Conducting regular reviews of change requests to the EPLC Framework and Artifacts;
  • Accepting or rejecting the requested changes;
  • Requesting additional information on a change request, if needed; and
  • Reviewing and providing feedback on changes to the EPLC Policy.

9. Supporting Documentation

This HHS OCIO IT EPLC Policy is implemented in conjunction with the following guidance:

This HHS OCIO IT EPLC Policy supports:


HHS Acquisition Regulation (HHSAR), December 18, 2015

Federal Acquisition Certification-Program and Project Manager Program (FAC-P/PM), December 16, 2013.

Capital Planning and Investment Control

HHS OCIO Policy for Information Technology Capital Planning and Investment Control, September 2016

HHS IRM Policy for Conducting Information Technology Alternatives Analysis, February 14, 2003

Earned Value Management

OMB Memorandum 05-23, Improving Information Technology (IT) Project Planning and Execution, August 5, 2005

HHS Information Technology (IT) Performance Baseline Management (PBM) Policy, December 21, 2010

Enterprise Architecture

HHS-OCIO Policy for Enterprise Architecture, August 7, 2008

HHS-OCIO Policy for Management of the Enterprise IT System Inventory, July 28, 2009

Federal IT Acquisition Reform Act (FITARA)

OMB Memorandum M-15-14, Management and Oversight of Federal Information Technology, June 10, 2015

FITARA EPLC Addendum, June 13, 2016


GAO Cost Estimating and Assessment Guide, March 2009

Information Resource Management

OMB Circular A-11, Preparation, Submission and Execution of the Budget

OMB Circular A-127, Financial Management Systems

OMB Circular A-130, Management of Federal Information Resources

Records Management

HHS-OCIO Policy for Records Management, November 25, 2015

HHS-OCIO Policy for Records Management for Emails, May 15, 2008

HHS-OCIO Policy for Records Holds, January 20, 2011

Section 508

HHS Policy on Section 508 and Accessibility of Technology

Security & Privacy

HHS Security Policies, Standards, Memorandums, and Guides

HHS-OCIO Policy for Personal Use of Information Technology Resources, August 1, 2013

HHS-OCIO Policy for IT Security and Privacy Incident Reporting and Response, April 5, 2010

HHS-OCIO Policy for Privacy Impact Assessments (PIA), February 9, 2009

10. Information and Assistance

The HHS Office of IT Strategy, Policy and Governance (OSPG) is responsible for the development and management of this policy. Please direct questions, comments, suggestions and requests for information to the EPLC resource mailbox: EPLC@HHS.gov.

11. Effective Date

The effective date of this policy is the date it is approved.

The HHS OPDIVs are responsible for preparing implementing documentation within 120 days of the effective date of this policy and providing a copy to the HHS CIO.

12. Implementation

This Policy will not be implemented in any recognized bargaining unit until the union has been provided notice of the proposed changes and given an opportunity to fully exercise its representational rights.

The HHS policies contained in this issuance shall be exercised in accordance with Public Law 93-638, the Indian Self-Determination and Education Assistance Act, as amended, and the Secretary’s policy statement dated August 7, 1997, as amended, titled “Department Policy on Consultation with American Indian/Alaska Native Tribes and Indian Organizations.” It is HHS policy to consult with Indian people to the greatest practicable extent and to the extent permitted by law before taking actions that affect these governments and people; to assess the impact of the Department’s plans, IT investments and projects, programs and activities on tribal and other available resources; and to remove any procedural impediments to working directly with tribal governments or Indian people.

12.1. Key Effectiveness Indicators

The following areas of focus will help to determine the effectiveness of this policy implementation:

Percentage of IT projects using the EPLC

Percentage of IT projects using an iterative/incremental development methodology

13. Glossary

Please refer to the EPLC Glossary.

14. Approvals

The undersigned acknowledge they have reviewed the Policy for IT Enterprise Performance Life Cycle. Changes to this policy will be coordinated with and approved by the undersigned or their designated representatives.

Beth Anne Killoran
HHS Deputy Assistant Secretary for Technology and Chief Information Officer


Content created by Office of the Chief Information Officer (OCIO)
Content last reviewed