HHS Policy for Information Technology Acquisition Reviews (ITAR)

Document #: HHS-OCIO-OES-2020-06-006
Version #: 1.2
Last Reviewed: June 2020
Next Review: June 2023
Owner: OCIO/OES
Approved By: Jose Arrieta, Chief Information Officer (CIO)

Table of Contents

  1. Nature of Changes
  2. Purpose
  3. Background
  4. Scope
  5. Authorities
  6. Policy
  7. Roles and Responsibilities
  8. Information and Assistance
  9. Effective Date and Implementation
  10. Approval
  11. Concurrence

Appendix A: Procedures

Appendix B: Standards

Appendix C: Guidance

Appendix D: Forms and Templates

Glossary and Acronyms

1. Nature of Changes

This is the first issuance of the Department of Health and Human Services (HHS) Policy for Information Technology Acquisition Reviews (ITAR).

2. Purpose

The purpose of this Policy is to establish the Department of Health and Human Services (HHS) Information Technology Acquisition Review (ITAR) Program. The program will ensure HHS conducts its due diligence to manage and maintain oversight and governance over the procurement of Information Technology (IT) therefore contributing to effective planning, budgeting, and execution of IT resources. Further, it is designed to ensure the Department's Chief Information Officer (CIO) has the appropriate visibility and oversight of IT acquisitions across the agency.

This Policy, and its intended purpose, is separate from the Assistant Secretary for Financial Resources (ASFR), Office of Acquisition (OA) requirements set forth under Acquisition Alert 2019-01 and 2019-02, HHS Acquisition Review Pilot Program. Its purpose is not intended to replace nor amend acquisition reviews separately conducted under the oversight and governance of the Deputy Assistant Secretary for the Office of Acquisitions and Senior Procurement Executive.

Further, this Policy is not intended to replace nor amend the terms of the 2017 Memorandum of Understanding (MOU) between HHS and the HHS Office of Inspector General (OIG), which sets forth the agreement between both entities regarding the implementation of the Federal Information Technology Acquisition Reform Act (FITARA). The Inspector General Act of 1978 (IG Act), as amended, 5 U.S.C. App. 3, provides Inspector Generals with certain authorities and responsibilities to oversee the programs and operations of their respective Departments and agencies. The independence created by the IG Act affords the Inspector General with the authority to appoint their own personnel, including establishing the Inspector General as the agency head for purposes of appointing members of the Senior Executive Service; a process to submit and comment on any changes made to the Inspector General's budget; and the authority to enter into contracts and other agreements. The Office of Management and Budget (OMB) issued implementation guidance for departments and agencies regarding implementation of FITARA. The OMB guidance recognizes that the enhanced CIO authorities established by FITARA are not to be applied to OIGs in a manner that would adversely impact these offices' independence and authorities over personnel, performance, procurement, and budget, as delineated in the IG Act.

3. Background

The Federal Information Technology Acquisition Reform Act (FITARA) of 2014, passed by Congress through the National Defense Authorization Act (NDAA) of 2014, was designed to improve the manner with which the federal government procures and manages its IT. Additionally, this law increased the authority and responsibility of CIOs with the intent to promote and strengthen their influence and effectiveness amongst agency leadership as it relates to IT budgeting and governance; to include IT procurements. Section 831 of this mandate expands on this and states that agencies may not enter into a contract or other agreement for IT products or services unless the contract or agreement is reviewed and approved by the HHS CIO or delegated approver.

HHS fulfills its IT compliance responsibilities by developing and implementing robust policies that comply with federal mandates. This Policy is in place to formalize, streamline and refine the manner in which HHS IT acquisitions are forecasted, budgeted, governed, planned, and documented, as well as sufficiently supported in the pre-award phase of the acquisition lifecycle. 

4. Scope

This Policy sets forth roles and responsibilities, requirements, and a formal process for the HHS CIO and the HHS Operating Division (OpDiv) CIOs to optimize tools and procedures, as well as develop a more mature IT acquisition management and governance program.

This Policy applies to the Department and all HHS OpDivs and Staff Divisions (StaffDivs) seeking to purchase goods or services. These acquisitions can either be IT acquisitions or other acquisitions or agreements containing IT components. For further information, see the HHS IT Decision Criteria Matrix located on the HHS Intranet. For guidance regarding applicable clauses for consideration, reference the Federal Acquisition Regulation (FAR), Department of Health and Human Services Acquisition Regulation (HHSAR), and HHS Acquisition Policy, Guidance and Instructions (PGI). In accordance with FITARA, the HHS CIO is a full participant in the ITAR governance process. IT contract review will be conducted prior to award, the Acquisition Strategy (AS) and Acquisition Planning (AP) phases, (see Section 6. Policy for more information). 

To ensure the proper oversight and collaboration is conducted in the formal review process, and to improve the integrity of the process, the scope of this Policy also applies to the ongoing engagement between the Legislative Compliance Division (LegCom) ITAR reviewers and additional critical partner experts, (see Appendix A for additional information).

Supersessions

  • This Policy does not supersede any applicable law or regulation
  • This Policy does not supersede the 2017 MOU between HHS and the HHS OIG
  • This Policy supersedes HHS Memorandum OCIO IT Acquisition Reform Act (FITARA) Approval Guidance, December 2016
  • This Policy supersedes the HHS Information Technology Acquisition Review (ITAR) Process for OS and OCIO Acquisition Packages, Version 1.5, October 2017

Major IT Investments

HHS OpDivs and StaffDivs pursuing a Major IT investment, (see Glossary and Acronyms section of this Policy for definitions), are subject to Department CIO review and approval in accordance with FITARA.

All OpDivs that have a CIO and have been given delegated authority in accordance with the HHS Memorandum for Record, HHS Chief Information Officer Delegation of Authorities to Operating Division Chief Information Officers, July 24, 2019, are responsible for implementing an internal review, approval and reporting process for, at minimum, all major acquisitions under IT investments below the ITAR review threshold located in section six (6) of this Policy.

OpDivs may create a supplemental policy that is more stringent, but not less stringent.

5. Authorities

Legislation, Federal Regulation, and Executive Orders:

  • Clinger-Cohen Act, 40 U.S.C. § 11101, et. Seq.
  • Carl Levin and Howard P. 'Buck' McKeon National Defense Authorization Act for Fiscal Year 2015, Pub. L. No. 113-291, division A, title VIII, subtitle D, 128 Stat. 3292, 3438-50 (Dec. 19, 2014).
  • Executive Order 13833, Enhancing the Effectiveness of Chief Information Officers, May 15, 2018
  • Federal Acquisition Regulation (FAR), 48 C.F.R. ch 1
  • Department of Health and Human Services Supplemental Acquisition Regulation (HHSAR), 48 C.F.R ch 3

Federal Guidance:

  • OMB Circular A-11, Preparation, Submission and Execution of the Budget, Section 55, June 28, 2019
  • OMB Circular A-130, Managing Information as a Strategic Resource, July 28, 2016
  • OMB M-15-14, Memorandum for Heads of Executive Departments and Agencies: Management and Oversight of Federal Information Technology, June 10, 2015
  • OMB M-16-12, Memorandum for The Heads of Departments And Agencies, Category Management Policy 16-1: Improving the Acquisition and Management of Common Information Technology: Software Licensing, June 2, 2016

Departmental Policy and Guidance:

  • HHS Federal Information Technology Acquisition Reform Act (FITARA) Implementation-Revised HHS IT Governance Framework, October 25, 2016
  • HHS Federal Information Technology Acquisition Reform Act (FITARA) HHS Implementation Plan, September 2015
  • HHS Memorandum for Record, HHS Chief Information Officer Delegation of Authorities to Operating Division Chief Information Officers, July 24, 2019
  • HHS Policy for Capital Planning and Investment Control (CPIC), April 26, 2019
  • HHS Policy for IT Enterprise Performance Lifecycle (EPLC), October 6, 2008
  • Department of Health and Human Services (HHS) Procedures, Guidance and Instructions (PGI)
  • Information Technology Decision Criteria and Clause Matrix version 1.3
  • HHS Security and Privacy Language for Information and IT Procurements Guide
  • HHS Standard for Encryption of Computing Devices and Information
  • HHS Minimum Security Configuration Standards Guidance
  • HHS Policy for Software Development Secure Coding Practices
  • HHS Directive for Acquisition Strategy

6. Policy

In accordance with FITARA, the HHS CIO must ensure that its offices and components do not enter into contracts or agreements to procure IT products or services without CIO review and approval. The CIO is executing express authority by implementing the new ITAR Program and supplemental processes as an agency-wide requirement when there is a plan to expend funds for IT resources.

Department-level reviews will be conducted on applicable acquisition strategies and acquisition plan packages to ensure the CIO maintains visibility into the management and procurement of IT at HHS. The process will ensure proposed contract actions are properly planned and budgeted, align with approved programs and projects that have been properly vetted by governance boards, are sufficiently supported with required artifacts, and are in alignment with relevant IT laws, regulations, and strategic plans. Recommendations and business advice will be offered to improve pre-award documentation, collaboration, and strategic planning as a part of the review process. Conditions may be set forth and must be satisfied before final approval is granted whenever necessary.

The CIO places the responsibility to manage the ITAR program and related processes under the leadership of the Director of the Legislative Compliance Division (LegCom) within the Office of the Chief Information Officer (OCIO), Office of Enterprise Services (OES) at the Department.

ITAR reviews must be conducted in accordance with the following dollar thresholds:

  1. Department OCIO, HHS Office of the Secretary StaffDivs (OS), and OpDivs without CIO Delegated Authority:
    • Acquisition Strategies for IT investments valued at $10 million total program/project lifecycle
    • Acquisition Plan packages for IT acquisitions valued greater than or equal to $150,000 (inclusive of agreements such as Interagency Agreements (IAA))
    • Acquisition Plan packages for non-IT acquisitions containing IT components - an overall contract value greater than or equal to $150,000 (inclusive of IAAs)
  2. OpDivS with CIO Delegated Authority:
    • Acquisition Strategies (AS) for IT investments of $20 million annually/$100 million over 5 years
    • Acquisition Plans (AP) for contracts that have material variances (major revisions/drastic departure) from an approved AS for IT investments over $20 million annually/$100 million over 5 years.

The CIO delegates IT acquisition approval authority under the ITAR program, to an Executive who directly reports to the CIO and the Director of the LegCom Division as follows:

Approval Authority Threshold Approver
≤ $1,000,000 LegCom Director
> $1,000,000 CIO or CIO Designee (Executive -Direct Report to CIO) (LegCom Director & CIO Designee: Co-Approvers)

Contracts, agreements (such as IAAs), and contract actions (such as modifications) that align with the aforementioned review thresholds must not be executed without evidence of an official ITAR approval, as indicated by an assigned ITAR number along with documented ITAR approval. As a full participant in this governance process, the CIO designates an Executive (direct report to CIO) and the Director of the LegCom Division as approvers for the ITAR program, consistent with the procedures set forth in this Policy under Appendix A2, which aligns with the above approver threshold chart.

7. Roles and Responsibilities

7.1. HHS Chief Information Officer

The HHS CIO, or designee, must:

  • Define IT processes and policies, consistent with FITARA and related statutes, regulations and federal guidance, and make them publicly available
  • Act as the principal accountable owner of the ITAR Program, and hold the authority for approval unless otherwise delegated or designated in accordance with the governance processes set forth in this Policy
  • Review and approve acquisition strategies, acquisition plans, and interagency agreements that include IT
  • Review all cost estimates of IT related costs, and ensure acquisition strategies and acquisition plans, that include IT, apply adequate incremental development principles
  • Ensure there is an agency-wide governance process that confirms all acquisitions that include IT are:
    • led by personnel with appropriate federal acquisition certifications;
    • reviewed for opportunities to leverage acquisition initiatives, such as shared services, category management, strategic sourcing, and incremental or modular contracting, as appropriate;
    • and adequately implementing incremental development
  • Participate on program governance boards to ensure early matching of appropriate IT with program objectives
  • Approve any movement of funds for IT resources that require Congressional notification
  • Collaborate and partner with the HHS cross-functional leadership team who share in these responsibilities, to include the Secretary, Deputy Secretary (DepSec), the Chief Financial Officer (CFO), the Chief Acquisition Officer (CAO), and the Chief Human Capital Officer
  • Ensure IT acquisitions are in compliance with statutes, regulations, federal guidance and HHS policies and governance requirements

7.2. Chief Acquisition Officer (CAO) and Senior Procurement Executive (SPE)

The CAO and the SPE must:

  • Ensure all IT contract actions are consistent with CIO-approved acquisition strategies and plans
  • Notify the CIO when planned acquisition strategies and acquisition plans include IT

7.3. Operating Division Chief Information Officer (OpDiv CIO)

HHS OpDiv CIOs must:

  • Implement OpDiv level policies and procedures to ensure compliance with FITARA, related HHS IT policies and guidance, and all other applicable statutes and regulation
  • At minimum, implement an internal review, approval and reporting process for all major IT acquisitions and investments below the Department CIO review threshold (responsibility applicable to CIOs with delegated authority only)

7.4. HHS Legislative Compliance Division (LegCom)

The HHS LegCom must:

  • Manage and lead the HHS ITAR Program effectively and efficiently
  • Engage internal critical partners while executing ITAR to ensure the proper oversight and governance of IT acquisitions during the pre and post award phases of the acquisition lifecycle
  • Conduct acquisition reviews and provide recommendations in alignment with statutes, regulations, federal and department guidance and policy, and the CIO delegated responsibilities detailed above
  • Oversee compliance with IT laws, regulations, guidance, policies and best practices
  • Strive to maintain the integrity of the ITAR process by doing due diligence to conduct thorough reviews in accordance with laws, regulation, guidance and policies therefore contributing to sustaining the integrity of IT resource management and improved IT governance agency-wide
  • Stay abreast of IT trends, best practices, changes in laws and regulation, congressional shifts, GAO findings/recommendations, etc. in order to ensure HHS IT policies, guidance and procedures remain current.

7.5. HHS Contracting Offices

The HHS Contracting Offices must:

  • Ensure acquisition requirements are not accepted, solicited, nor awarded by the contracting office without requisite CIO or delegate approval within the ITAR process, when applicable
  • Partner with the LegCom Division to oversee compliance with FITARA, the FAR, HHSAR, this Policy and other HHS policies guidance and information (PGI) pertaining to HHS IT acquisitions
  • Ensure all Program Managers and CORs involved with acquisitions that include IT are personnel with the appropriate federal acquisition certifications

7.6. HHS ITAR Critical Partners

HHS ITAR Critical Partners must:

  • Participate in the ITAR review process by providing their expertise, oversight, governance, and recommendations
  • Assist in enhancing IT governance; sound investment decisions and practices; and
  • Help improve the integrity of IT strategic planning, IT acquisition planning and budgeting, and appropriate pre and post award documentation
  • Prevent circumvention of the IT acquisition review requirement

***Critical partners vary dependent upon type, complexity, and uniqueness of each acquisition (Examples: Enterprise Architecture (EA), Capital Planning and Investment Control (CPIC), Privacy Officer, Chief Information Security Officer (CISO), OpDiv Section 508 Program Manager, Chief Product Office (CPO), etc.).

7.7. Program Managers (PMs), Contracting Officer's Representatives (CORs), and Contracting Officers (COs)

HHS PMs, CORs, and COs (in alignment with their respective role and position) must:

  • Comply with the provisions of this Policy, applicable OpDiv level policy, and related statutes, regulations and guidance
  • Ensure AS and AP documentation has been:
    • properly developed within the requiring office without deficiencies or omissions,
    • reviewed and approved by leadership at the program/project level,
    • and properly vet requirements (statement of work/statement of objectives) through program level subject matter experts before submitting the documents to ITAR
  • Ensure the proper program and project governance requirements are satisfied, and component level critical partners have been engaged before pursuing IT acquisitions and/or acquisitions containing IT components
  • Monitor the execution of contracts that procure IT products and services to ensure proper contract administration and efficient use of IT resources

7.8. HHS OpDiv Senior Officials for Privacy (SOP)

HHS OpDiv SOPs must:

  • Evaluate IT investments for privacy risks to ensure that privacy requirements (and associated privacy controls), as well as any associated costs, are explicitly identified and included, with respect to any IT resources that will be used to create, collect, use, process, store, maintain, disseminate, disclose, or dispose of publicly identifiable information (PII)
  • Approve any required privacy documentation, including the Privacy Solicitation Certification Checklist, as applicable, in accordance with the HHS Security and Privacy Language for Information and Information Technology Procurements Guide (see Appendix A)
  • Review acquisition packages through each procurement phase to verify that privacy requirements have been fulfilled
  • Comply with the provisions of this Policy, applicable OpDiv level policy, and related statutes, regulations and guidance

7.9. HHS OpDiv Section 508 Program Manager (PM)

HHS OpDiv Section 508 PMs must:

  • Evaluate IT investments for compliance to HHS Section 508 requirements to ensure that HHS Section 508 requirements (and associated conformance controls), as well as any associated costs, are explicitly identified and included, with respect to any Information and Communications Technology (ICT) that is developed, procured, maintained, funded, and used by HHS.
  • Provide Section 508 determination for any ICT that is developed, procured, maintained, funded, and used by HHS.
  • Review acquisition packages through each procurement phase to verify that HHS Section 508 requirements have been fulfilled
  • Comply with the provisions of this Policy, the HHS Policy on Section 508 Compliance and Accessibility of Information and Communications Technology, applicable OpDiv level Section 508 policy, and related statutes, regulations, and guidance.

8. Information and Assistance

The HHS Legislative Compliance Division is responsible for the development and management of this Policy. Direct questions, comments, suggestions, and requests for information about this Policy and all related procedures and guidance to [email protected].

9. Effective Date and Implementation

The effective date of this Policy is the date on which the Policy is approved. This Policy must be reviewed, at a minimum, every three (3) years from the approval date.

The HHS CIO has the authority to grant a one (1) year extension of the Policy. To archive this Policy, approval must be granted, in writing, by the HHS CIO.

10. Approval

/S/

Jose Arietta, Chief Information Officer (CIO)

June 8, 2020

11. Concurrence

/S/

Scott Rowell, Assistant Secretary for Administration (ASA)

June 25, 2020

Appendix A: Procedures

Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.

To initiate the ITAR process, a requesting office must submit a complete acquisition strategy or acquisition plan package to the Office of Legislative Compliance (LegCom) via the ITAR Portal (herein referred to as the "Service Portal") which is an online application that must be accessed using the Google Chrome Internet Browser. Packages deficient of supporting documentation and/or appropriate component level approvals will not be accepted. When submitting packages in the ITAR portal, requestors must be sure to reference the appendices of this Policy which provide supplemental procedures and guidance that must be followed.

Appendix A1: ITAR Standard Operating Procedures for Submitters

HHS OpDivs, OS, and OCIO seeking to procure IT products, IT services, or who have acquisitions containing IT components must undergo ITAR when the minimum criteria is met. This SOP is the structured process ITAR submitters will follow to perform the task of submitting a new ITAR request via the Service Portal: (https://hhsasa.servicenowservices.com/ocio).

ITAR requests submitted through the ITAR Service Portal will be reviewed and approved in accordance with LegCom's Service Level Agreements (SLAs) posted in Table 1 below:

Service Description of Service Performance Standards Timer
ITAR Receipt Notification The receipt notification sent to a requestor as confirmation that the ITAR request was submitted and received by LegCom 1 Business Day Starts when an acquisition package is submitted in the portal (An automated email is generated)
Time to Completion/Approval The time LegCom requires to review and route ITARs under $1M through the approval process 7 Business Days Starts when a complete acquisition package has been submitted in the portal
CIO Approval (ITARs >$1M) The time LegCom requires to review and route ITARs over $1M through the approval process Up to 10 Business Days Starts when a complete acquisition package has been submitted in the portal
Hold Time (Suspend) The time period an ITAR is suspended without being reviewed due to missing information Not to exceed 5 business days Starts after an incomplete ITAR package has been submitted in the portal and the LegCom reviewer informs the Submitter that ITAR is on hold
Table 1: LegCom ITAR SLA's

A1.1: ITAR Submission Process for ITAR Requestors

Figure 1 illustrates the four (4) steps that ITAR Requestors will execute to submit a new ITAR using the Service Portal. Each step is detailed below to guide users through the submission process.

Image
ITAR submission process diagram
Figure 1: ITAR Submission Steps

Step 1 - Develop Acquisition Package

Requesting offices are required to develop the acquisition package in accordance with HHS acquisition policy and regulations. As a minimum requirement, and in addition to key artifacts that are required with each submission, IT acquisitions submitted for ITAR must demonstrate IT governance board approval at the OpDiv or StaffDiv level.

When submitting a new ITAR request, users must include all necessary information, supporting documentation, and evidence from critical partners to confirm the acquisition has been reviewed and is within the compliance standards of HHS. Examples of critical partners are: 508 Compliance, Capital Planning and Investment Control (CPIC), Enterprise Performance Life Cycle (EPLC), Privacy Office, or Information Security Officer (ISO).

Complete acquisition packages include the following core documents and/or approvals:

  • Requirements Document (i.e., Statement of Work (SOW), Statement of Objectives (SOO), Performance Work Statement (PWS), Specification Document (SPEC)) to include all applicable Federal Acquisition Regulation (FAR) and HHS Acquisition Regulation (HHSAR) Clauses
  • IT Acquisition Strategy (Signed and Approved by Program Office)1
  • IT Acquisition Plan (Signed and Approved by Program Office)
  • ITAR attestation certification (i.e., Program (PgM) or Project Manager (PM), Business Owner, and OpDiv/StaffDiv Executive Approvals)
  • Limited Sources Justification (Signed and Approved by Program Office), if applicable
  • Independent Government Cost Estimate (IGCE)2
  • Business Cases
  • Market Research Report3
  • Inter-Agency Agreements (IAA)

Table 2 below lists a set of core documents and HHS sanctioned templates that must accompany the ITAR request based on document type.

Document Type Required Content
Acquisition Plan Contains a detailed high-level description of the acquisition to include but not limited to:
  • Copy of signed/approved Acquisition Strategy that the submitted Acquisition Package properly aligns with
  • Background and Objectives
  • Conditions
  • Capability/Performance Standards
  • Brief description of the product or service being procured
  • Sources

ITAR attestation certification: The Program Manager (PgM) or Project Manager (PM), Business Owner, System Owner (if applicable), and OpDiv/StaffDiv office executive's statement validating the IT Acquisition package and supporting documentation submitted for CIO approval.

IGCE: Market research document providing a justification for the estimated dollar value of the acquisition (Base + Options), including labor buildup, other direct costs, and travel (if required). Must show how the estimate was derived/calculated (i.e., what methodology was used).

Requirements Document (SOW, PWS, SOO):
Describes the product or service being procured.

  • Products: Provides specifications and standards that must be met.
  • Services: Defines the work the government expects a contractor to perform or delineates project objectives that contractor must meet. Deliverables, metrics, standards, applicable laws and regulation etc. are detailed.
Acquisition Strategy Comprehensive, detailed, high-level description of a strategic approach that program management will follow to manage risk and meet program objectives. It governs program execution across the entire program life cycle. It is not specific to one acquisition and can contain high level information regarding several forecasted procurements that may eventually contribute to a single program. Acquisition Strategies include:
  • Business Need
  • Management Approach
  • Business Strategy
  • Risk Management
  • Stability and Resources
  • Procurement Forecasting
  • Testing
  • Milestones
  • Execution Phases
  • ITAR attestation certification
Note: Precedes the acquisition plan development and can have several acquisition plans that support it. Acquisition strategies and acquisition plans are not one in the same.
Table 2: Acquisition Package Contents Required for ITAR

Step 2 - Access Service Portal / Upload Acquisition Documents

Service Portal Access

The ITAR Service Portal page is a secure site that is available to all users on the HHS Network. Users are required to authenticate using their PIV Card and Pin before access is granted. Navigate to the Service Portal by typing (https://hhsasa.servicenowservices.com/ocio) in your Google Chrome browser then follow the login prompts shown in Figure 2.

Figure 2 is a sequenced image of how users will access the tool.

Image
Figure 2 ITAR Submitters Portal Login
Figure 2: ITAR Submitters Portal Login


Figure 3 displays the Service Portal landing page where users will initiate ITAR requests.

Image
Figure 3 Service Portal Page
Figure 3: Service Portal Landing Page


Upload Acquisition Documentation

Table 3 is a list of steps users will perform to access the Service Portal, complete the submittal form, and upload their acquisition documentation.

Service Portal Steps: Access Service Portal / Upload Documents
Step Description
1 Use Google Chrome to log into the Service Portal Page: (https://hhsasa.servicenowservices.com/ocio);
2 Navigate to "ITAR Packages" at the top of landing page and select "Submit New ITAR";
3 Complete the ITAR submittal form;
4 Attach documents by clicking the paper clip button at the top right corner of form;
5 Locate the acquisition document(s) within local folder(s), OneDrive, SharePoint, Team's, etc.;
6 Click "Open" to attach file(s) once identified in folder(s);
7 Repeat steps 6 and 7 to upload additional files;
8 To remove a file, select "Edit" above the uploaded document(s);
9 Click the (X) to remove document(s) then click "Done" when finished.
Table 3: Create New ITAR Request in Service Portal

Figure 4 below is a partial image of the ITAR submittal form ITAR Requestors will complete to initiate IT Acquisition Reviews. Guidance and links to resources are provided to ensure submissions are completed correctly. Contact information is also provided in the event assistance with the tool is needed.

Image
Figure 4: ITAR Submission Form
Figure 4: ITAR Submission Form

Step 3 - Submit ITAR Package

The ITAR submittal form can only be submitted after all mandatory fields contain a value. Fields containing a red asterisk in the upper left corner are mandatory and require a response. When the ITAR submittal form contains adequate information, follow the steps in Table 4 to submit the ITAR request.

Service Portal Steps: Submit ITAR Package
Step Description
1 Verify that the ITAR Submission form has been completed by ensuring each field contains data;
2 Verify that the required ITAR supporting documents for the acquisition has been attached;
3 Scroll to bottom of form and click "Submit";
4 Submission is confirmed when user is redirected to landing page. (as see in figure 3, above)
Table 4: Steps to Submit ITAR Package

ITAR submissions will trigger the ITAR Attestation certification process that must be completed electronically by the following certifiers: PgM or PM, Business Owner, System Owner (if applicable), and Office Executive.

Step 4 - ITAR Attestation Certification

Moving forward, the ITAR Attestation certification process will be used in lieu of the legacy pdf ITAR Approval form. Each stakeholder will be required to respond by either Approving or Rejecting the ITAR package.

All ITAR submissions are subject to ITAR Attestation certification. ITAR Requestors must identify the stakeholders who are the official attestation certifiers for their ITAR package by providing their names in the following data fields: 1) Program/Project Manager, 2) Business Owner, 3) System Owner (if applicable); and 4) OpDiv/StaffDiv Executive. Once the names are entered, the identified certifiers will receive an automated email notification with instruction to complete their action. Note: These fields are connected to MS Outlook's Global Address Book; therefore, you must begin completing these fields in a manner similar to inserting an email address in the "to" field of the new email message.

Attestation certifiers will be required to respond by either approving or rejecting the ITAR package. Attestation certifiers will have two (2) business days to register their concurrence (approval) or non-concurrence (rejection).

Rejections will trigger an automated notification transmitted by email to the ITAR Requestor, ITAR Requestor's Alternate POC, and the ITAR Reviewer group.

A member of the ITAR Reviewer group will reach out to Attestation approvers who reject an ITAR to determine if the request should be closed. When responding to an email from the ITAR Reviewer group users must reply all. Replies should provide sufficient information for why the ITAR was rejected and, if remediation action is required. If updates are required the ITAR Reviewer group will coordinate changes to the ITAR record with the ITAR Requestor.

Certifiers who approve the ITAR prior to a rejection will be omitted from future attestation certification review cycles that can potentially stem from a rejection.

Figure 5 is an image of the ITAR Certification page Certifiers will use to approve or reject the IT Acquisition requiring ITAR.

Image
Figure 5: ITAR Attestation Certification Form
Figure 5: ITAR Attestation Certification Form
Service Portal Steps: Attestation Certification
Step Description
1 Open the email notification received via MS Outlook;
2 Click the URL provided in the body of the email (Ensure Google Chrome is the browser used to open the Service Portal);
3 Log into the Service Portal Page with PIV credentials (See Figure 2 for step-by-step illustration);
4 Review the Attestation declarations then verify the IT Acquisition details;
5a Select Accept to certify the ITAR;
5b Select "Reject" to request closure or revisions to the ITAR record;
6 Await contact from the ITAR Reviewer group seeking a rejection rational
7 'Reply All' with rejection rationale and correction steps (if applicable)
Table 5: Stakeholder ITAR Attestation Certification Steps


Post Attestation Certification Activities

When the Attestation process completes, and the overall outcome is an approval, the ITAR Reviewer group is notified. At that time, an individual ITAR Reviewer is assigned to the ITAR package which will trigger a new notification to the ITAR Requestor and ITAR Requestor's Alternate POC. The notification will include the ITAR Number and ITAR Reviewer's name who will perform the ITAR analysis and review.

  • Prior to performing a full ITAR review the ITAR Reviewer will conduct a completeness review.
  • Packages found to be incomplete or not in alignment with HHS IT policy and guidance will be placed in a hold status and a request for additional information will be sent to the ITAR Requestor and Requestor's Alternate POC. A valid response with documentation (if required) is due within five (5) business days.
  • Hold status cannot exceed five (5) business days. If a hold exceeds five (5) business days, the ITAR package will be closed out without further action. The ITAR Requestor and ITAR Requestor' alternate POC will be notified accordingly. Closed requests still requiring ITAR will have to be resubmitted under a new ITAR number. Resubmittals must include the initial ITAR number. Note: It is incumbent upon the ITAR Requestor to proactively track the hold time, ensure their alternate ITAR POC actively engages with the ITAR Reviewer in lieu of the original ITAR Requestor when necessary, and keep the ITAR Reviewer abreast of any challenges that may impact their ability to meet the five (5) business day suspense.
  • Requests for information and/or documentation will be sent by the ITAR Reviewer from the ITARNow Portal which uses MS Outlook mailbox to deliver the email messages. When the ITAR Requestor or other members of the Program Office are responding to a request from the ITAR Reviewer, all responders must "Reply All" to allow courtesy copied stakeholders to remain informed, while also ensuring all communication continues to be tracked within the ITARNow Portal real-time.

Step 5 - View Submitted ITAR Request

Requestors can check the status of a submitted ITAR by navigating back to the Service Portal page and clicking Submitted ITARs under ITAR Packages. Follow the instructions in Table 6 to execute this action.

Service Portal Steps: View Submitted ITARs
Step Description
1 Use Google Chrome to log into the Service Portal Page: (https://hhsasa.servicenowservices.com/ocio);
2 Navigate to "ITAR Packages" at the top of landing page and select "Submitted ITARs";
3 A list of ITAR(s) submitted with the logged in user listed as "Requestor" will be viewable in a table format;
4 Navigate and select the ITAR from the list to view.
Table 6: View Submitted ITARs on Service Portal

A1.2 Quality Control/Quality Assurance

The ITAR Application is built in a software module with a set of business rules that are designed to improve ITAR process quality measures. This qualitative improvement adds value to all stakeholders of ITAR by incorporating workflow automation tools that models, displays, orchestrates, executes, and tracks work products as activities occur. Use of the Service Portal feature to receive ITAR request will also eliminate much of the human intervention involved with communicating the status of each ITAR. Users will now have transparency into their requests in real-time and will be able to quickly identify where the package is in the workflow.

Several of the ITAR Submission Business Rules are described in the table below:

Rule Description
Check Mandatory fields for values Checks for:
  1. Acquisition Title is true
  2. Requestor is true
  3. OpDiv is true
  4. Requesting Office is true
  5. ITAR Send attestation is true?
  6. Contract Type is true
  7. Signed IT Security Cert. Checklist Attached is true
  8. Acquisition Amount equal to $0 is false
  9. Acquisition Amount is equal to or greater than $150K
  10. Period of Performance is true
  11. Total Number of Option Years is true
If any of the above values are false, the ITAR request is prevented from being submitted and the user will be notified to enter the required information.
Set ITAR Number Submitting a new record triggers the system to assign an ITAR Number
Set Submitted Date Sets date when the ITAR Package was submitted and subsequently, when the review timeline begins.
Table 7: ITAR Submission Business Rules - Service Portal

A1.3 ITAR Submitter Checklists

Table 8, below, is provided as a checklist to aid ITAR Submitters in executing the task of transmitting IT Acquisition Packages for ITAR approval:

Develop Acquisition Package Complete
Do you have a complete Acquisition Package? See Section 3.2.1 for guidance.
Did you engage the appropriate SMEs and critical partners based on the type of product or service being acquired? (Examples: CISO, Privacy Officer, System Owner)
Have your SMEs and critical partners reviewed the requirements and documented their recommendations and approvals?
Did you do your due diligence to work with your SMEs in order to delineate required FAR, HHS Acquisition Request and/or requirements language that are specific and unique to your requirement, understanding it is not solely the responsibility of acquisition reviewers and the Contracting Office to know what applies and should be included in your SOW/SOO, PWS?
Enter Acquisition Data in ITAR Service Portal Complete
Use Google Chrome to log into the Service Portal Page: (https://hhsasa.servicenowservices.com/ocio)
Follow the instructions on Portal Page to complete the ITAR Submission form
Ensure all necessary and mandatory data relevant to the Acquisition is entered in the appropriate data field
Requestor's Alternate POC identified and entered with Acquisition data
Submit Request to LegCom Complete
Click "Submit" button at bottom of form to send ITAR request to LegCom ITAR team
ITAR Attestation Certification status is 'Approved'
Receive Microsoft Outlook email confirmation of ITAR submission, ITAR Number, and ITAR POC assignment
Respond to request for additional information within 5 business days to ensure the ITAR review team can route the acquisition package for approval in a timely manner
Table 8: New ITAR Submission Checklist

Appendix A2: ITAR Standard Operating Procedures for Reviewers and Approvers

ITAR Reviewers and Approvers will interact with the ITARNow application in its native view - which differs from the graphical user interface designed for submitters. To review a new or existing ITAR, open Google Chrome then paste the following URL: hhsasa.servicenowservices.com.

ITAR requests submitted through the Service Portal page are immediately received by the LegCom ITAR review team. Notification of a new submission is sent directly to the Outlook mailbox of each ServiceNow user in the ITAR Reviewer group. ITAR requests will be reviewed and approved in accordance with LegCom's posted Service Level Agreements, Table 9.

Service Description of Service Performance Standards Timer
ITAR Receipt Notification The receipt notification sent to a requestor as confirmation that the ITAR request was submitted and received by LegCom 1 Business Day Starts when acquisition package submitted in portal. Automated email generated
Time to Completion/Approval The time LegCom requires to review and route ITARs under $1M through the approval process 7 Business Days Starts when a complete acquisition package has been submitted in portal.
CIO Approval (ITARs >$1M) The time LegCom requires to review and route ITARs over $1M through the approval process Up to 10 Business Days Starts when a complete acquisition package has been submitted in portal.
Hold Time (Suspend) The time period an ITAR is suspended without being reviewed due to missing information Not to exceed 5 business days Starts after incomplete ITAR package has been submitted in portal and LegCom reviewer informs Submitter that ITAR is on hold.
Table 9: LegCom ITAR SLA's

A2.1 ITAR Reviewer Process

ITAR reviews performed by LegCom ITAR staff follow a four-step process outlined in Figure 6:

Image
Figure 6: ITAR Reviewer Process Steps
Figure 6: ITAR Reviewer Process Steps


When a submitted ITAR is in the intake phase of the process ITAR Reviewers can potentially become involved if the Attestation certification process needs to be relaunched.

Reasons that warrant Re-starting the Attestation approval process are:

  1. An attestation approver inadvertently rejects
  2. The attestation approver requests a minor change to the ITAR record

To Re-Start the attestation certification process follow the directions in Table 10 below.

Step 1a - Re-send Attestation

Attestation Decision

Attestation rejection notices will be delivered to the ITAR Reviewer group. Before beginning the Re-send Attestation process described below, the ITAR Reviewer group must engage the Attestation certifier who rejected the ITAR to seek their rejection reason(s).

If an Attestation Certifier rejects the ITAR for a reason that does not warrant closure an ITAR Reviewer can collaborate with the Requestor or Requestor's Alternate POC to correct the ITAR record. After correcting the ITAR, ITAR Reviewers can manually re-start the ITAR Attestation certification workflow following the instructions in Table 10 below.

ServiceNow Steps: Re-Send Attestation
Step Description
1 Use Google Chrome to log into the ServiceNow: (https://hhsasa.servicenowservices.com);
2 Open the ITAR application by clicking "ITAR" then "ITAR Packages" on the Application Navigator menu;
3 Within the ITAR Repository click the matching "ITAR Number" value found in the "ITAR Attestation Rejection Notification" email notification;
4 Scroll to ITAR Attestations at the bottom of the ITAR record to identify the Stakeholder who 'Rejected' (Example shown in Figure 7)
5
Image
Email icon
Use the email function to seek a rejection reason and next steps from the Stakeholder who rejected;
6a If the ITAR can be corrected, and at the discretion of the ITAR Reviewer group, collaborate with the Requestor using the email function in Step 5 to update issue(s) identified by Stakeholder(s);
6b Close the ITAR if the rejection reason warrants closure (Tip: Use Approval Queue field);
7 Restart the attestation workflow by clicking the "Re-Send Attestation" field check box (Example shown in Figure 8);
8 Click "Update" to save changes.
Table 10: Re-Send Attestation Steps
 
Image
Figure 7: ITAR Attestations [Native View]
Figure 7: ITAR Attestations [Native View]
 
Image
Figure 8: Re-Send Attestation
Figure 8: Re-Send Attestation


To advance an Attestation certification due to inactivity in excess of four (4) business days the ITAR Reviewer group can bypass an Attestation Certifier by following the steps in Table 11.

ServiceNow Steps: Bypass Attestation Certifier
Step Description
1 Use Google Chrome to log into the ServiceNow: (https://hhsasa.servicenowservices.com);
2 Open the ITAR application by clicking "ITAR" then "ITAR Packages" on the Application Navigator menu;
3 Within the ITAR Repository click the "ITAR Number" requiring intervention;
4 Scroll down to "ITAR Attestations" at the bottom the record;
5 Under "Attestation Title" click the certifier role to be bypassed (Example shown in Figure 7 above);
6 Click "Bypass" button to skip the certifier. (Example shown in Figure 9 below)
Table 11: Bypass Attestation Certifier Steps
 
Image
Figure 9: Bypass an Attestation Contact

Figure 9: Bypass an Attestation Contact

Step 1b - Review Acquisition Package

Completeness Review

IT Acquisition packages are subject to an applicability triage. After attestation approval ITAR Reviewers will use the IT Decision Criteria guidelines (located on the HHS Intranet) to determine if the acquisition package submitted requires ITAR. If it is determined that the requirement(s) require ITAR approval, the ITAR Reviewer performs a completeness check of the acquisition package to ensure it contains the necessary information, supporting documentation, evidence of critical partner engagement, and program office approval before moving forward. Complete acquisition packages will receive further due diligence from the ITAR Reviewer.

Table 12 below provides all directional steps necessary to perform a completeness review within the ITARNow application.

ServiceNow Steps: Completeness Review
Step Description
1 Use Google Chrome to log into the ServiceNow: (https://hhsasa.servicenowservices.com);
2 Click "ITAR" then "ITAR Packages" in the Application Navigator menu;
3 Within the ITAR Repository, click the matching "ITAR Number" value found in the "New ITAR Submitted" email notification; (Example shown in Figure 10 below)
4 Review ITAR Data and Attachments;
5a If package meets ITAR requirements, enter ITAR POC name in "ITAR POC" field, then click "Update";
5b If package does not meet ITAR threshold, click the "Does Meet ITAR Criteria" check box located under the "Approval Queue" field, then click "Update at the top of the screen." (Example shown in Figure 11 below)
6 If "Does Not Meet ITAR Criteria" is checked, change the "Approval Queue" field to "Closed" - the "ITAR POC" field does not need to be populated for packages submitted in error
Table 12: ITAR Request Completeness Review Steps
Image
Figure 10: Main ITAR Table / Repository of ITARs
Figure 10: Main ITAR Table / Repository of ITARs
 
Image
Figure 11: ITAR Does Not Meet ITAR Criteria
Figure 11: ITAR Does Not Meet ITAR Criteria


Suspend an Incomplete ITAR Request

Incomplete acquisition packages submitted for review will prompt the Reviewer to reach back to the ITAR Requestor or Requestor's Alternate POC for more information. An acquisition package is considered incomplete when it does not contain the required documentation or determined to be out of alignment with HHS IT policy and guidance.

Follow the steps in Table 13 to place an ITAR on hold.

ServiceNow Process Steps: Suspend ITAR
Step Description
1 Use Google Chrome to log into the ServiceNow: (https://hhsasa.servicenowservices.com);
2 Click "ITAR" then "ITAR Packages" in the Application Navigator menu;
3 Click the ITAR Number (e.g., ITAR - 0001234) value;
4 Select the "Workflow" tab then enter the suspend date in the "Suspend Date" field; input a suspend comment - when applicable; (Example shown in Figure 12 below)
5 Input a resume date on the "Workflow" tab once a valid response and/or documentation is provided;
6 If the ITAR does not resume within five (5) business days, change the "Approval Queue" field to "Closed" and document the reason for closure in the "Suspend Comment" under "Workflow".
Table 13: Suspend ITAR and Request Additional Information Steps through Service Portal
 
Image
Figure 12: ITAR Workflow Metrics
Figure 12: ITAR Workflow Metrics


Request Additional Information

Figure 13 is an image of step 1 in Table 14, below. ITAR Reviewers will use the email feature in ServiceNow to engage Requestors, Critical Partners, and/or stakeholders.

Image
Figure 13: Service Portal Email Function
Figure 13: Service Portal Email Function
ServiceNow Process Steps: Request Additional Information
Step Description
1 Within the ITAR Record navigate to banner and click the ellipsis (…) to the immediate left of "Update" button; (Example shown in Figure 13 above)
2 Select Email option from menu;
3 Draft Email with courtesy copy to any other stakeholder(s) that need to be informed, including the ITAR reviewer who is sending the email;
4 Click "Send."
Table 14: Request information via email within ServiceNow


Table 15 lists the required content for Acquisition Plans (AP) and Acquisition Strategies (AS).

Document Type Required Content
Acquisition Plan Contains a detailed high-level description of the acquisition to include but not limited to:
  • Copy of signed/approved Acquisition Strategy that the submitted Acquisition Package properly aligns with
  • Background and Objectives
  • Conditions
  • Capability/Performance Standards
  • Brief description of the product or service being procured
  • Sources

ITAR attestation certification: The Program Manager (PgM) or Project Manager (PM), Business Owner, System Owner (if applicable), and OpDiv/StaffDiv office executive's statement validating the IT Acquisition package and supporting documentation submitted for CIO approval.

IGCE: Market research document providing a justification for the estimated dollar value of the acquisition (Base + Options), including labor buildup, other direct costs, and travel (if required). Must show how the estimate was derived/calculated (i.e., what methodology was used).

Requirements Document (SOW, PWS, SOO): Describes the product or service being procured.

  • Products: Provides specifications and standards that must be met.
  • Services: Defines the work the government expects a contractor to perform or delineates project objectives that contractor must meet. Deliverables, metrics, standards, applicable laws and regulation etc. are detailed.
Acquisition Strategy Comprehensive, detailed, high-level description of a strategic approach that program management will follow to manage risk and meet program objectives. It governs program execution across the entire program life cycle. It is not specific to one acquisition and can contain high level information regarding several forecasted procurements that may eventually contribute to a single program. Acquisition Strategies include:
  • Business Need
  • Management Approach
  • Business Strategy
  • Risk Management
  • Stability and Resources
  • Procurement Forecasting
  • Testing
  • Milestones
  • Execution Phases
  • ITAR attestation certification
Note: Precedes the acquisition plan development and can have several acquisition plans that support it. Acquisition strategies and acquisition plans are not one in the same.
Table 15: Acquisition Package Contents Required for ITAR


Full ITAR Review

ITAR Reviewers must review the full acquisition package in-depth by examining all contents of the acquisition package for compliance with federal laws, regulations, policy, and best practices. The reviewer must also verify that HHS standards are being met in the areas of Information Security and Information Technology policy.

Major Investments:

  • Details for IT major investments must be provided by the requesting office
  • Engage the CPIC team to validate the IT investment name and number in the eCPIC Folio. Contact the requestor if this information is not provided. Missing information constitutes an incomplete package

IT Security Certification Checklist attached?

Click the "Recommendations" Tab to verify:

  • The submitter has a completed and signed certification form attached to the acquisition package
  • If not, send submitter an email from the ITARNow portal and advise this document was omitted from the acquisition package but is required. It must be completed and signed. Place package on hold for no more than five (5) business days to allow submitter an opportunity to email document (see Table 13 of this SOP for instructions on how to place package on hold).

Security/Privacy Compliance Assessment

Click the "Recommendations" Tab to indicate the results of the Security/Privacy Compliance Assessment:

  • Reviewer must conduct an analysis and select the applicable assessment indicating whether the content of the requirements document (i.e., SOO, SOW, PWS) aligns with the Office of Information Security's Security and Privacy Language for Information and Information Technology Procurements policy and guidance.

Follow the steps outlined in Table 16 below to begin a full ITAR Review within the ITARNow application:

ServiceNow Process Steps: Full ITAR Review
Step Description
1 Use Google Chrome to log into the ServiceNow: (https://hhsasa.servicenowservices.com);
2 Click "ITAR" then "ITAR Packages" in the Application Navigator menu;
3 From the ITAR Repository, click the "ITAR Number" value of an ITAR Record without a value in "ITAR POC" column;
4 Assign the Reviewer by typing POC name or using the magnify glass icon to look up "ITAR POC" in active directory;
5 Click "Save" in top right corner of screen to save changes;
6 Review Acquisition Package attachments for compliance, FAR, Privacy and Security clauses, HHS Acquisition Regulations, and executive sponsor signatures;
7 Review the "Basic", "Period of Performance", and "Financial" tabs to confirm the data entered in the Service Portal matches the information provided in the acquisition documents;
8 Modify the ticket as necessary by adding any supplemental data discovered in the acquisition documentation;
9 Enter an ITAR POC Recommendation using the "Recommendation" Tab.
Table 16: ITAR Review Steps in Service Portal


Step 2 - Engage Critical Partners

Critical partner engagement is a key activity in the ITAR process. Critical partners are subject matter experts that contribute expertise in a specific knowledge area; and will provide verification that the requirement(s) have been vetted by the appropriate acquisition lifecycle groups necessary to move an acquisition package through each procurement phase. A few examples of ITAR critical partners are 508 Compliance, Information Security and Privacy, EPLC, and Cybersecurity.

LegCom requires customers of ITAR to engage critical partners prior to submitting an acquisition package for ITAR processing. Compliance with this requirement may reduce approval cycle-time if documentation that supports IT governance review, for example, is provided with the ITAR submission.

Critical Partner engagement is applicable to all OpDivs/StaffDivs, OS, and OCIO acquisition packages submitted for ITAR.

The process for engaging Critical Partners is outlined in Table 13 above. Correspondence to and from critical partners will become part of the ITAR record in the Service Portal. Critical Partner feedback is required (when applicable and based upon the details of each acquisition package) before the review process can move forward.

ServiceNow Process Steps: Critical Partner Engagement
Step Description
1 Use Google Chrome to log into the ServiceNow: (https://hhsasa.servicenowservices.com);
2 Click "ITAR" then "ITAR Packages" in the Application Navigator menu;
3 Click the ITAR Number (e.g., ITAR - 0001234) value;
4 Next, navigate to banner and click the ellipsis (…) to the immediate left of "Update" button; (Example shown in Figure 13 above)
5 Select Email option from menu;
6 Draft Email to Critical Partner(s) with courtesy copy to any other stakeholder(s) / user(s) that need to be informed, including the ITAR reviewer;
7 Click "Send."
Table 17: Critical Partner Engagement Steps


Document Critical Partner Engagement

ITAR Reviewers must document their engagement and the results of that engagement with internal HHS ITAR Critical partners. Use the "Critical Partner" Tab to indicate which critical partners were engaged as well as to provide high-level details of those exchanges. Entries will be stored in the ITAR record as a journal log - shown in Figure 14.

Detailed summaries of critical partner engagements and information that supports the ITAR analysis and review should be typed or pasted into the Summary tab data field (See Step 3 below). Descriptions of critical partner exchanges must include the date of engagement, feedback received, and the outcome. Content entered in the summary field, under the Summary tab, will roll into the final summary email sent to Requestors, their alternate POC, and the CIO and CIO Designee after an approval decision is entered.

If a new ITAR Critical Partner is engaged and they are not represented in the exiting list of options, simply notate the partner, POC name and related details under the summary tab of the ITAR Record.

ServiceNow Process Steps: Document Critical Partner Engagement(s)
Step Description
1 Click the check box adjacent to the critical partner acronym if engaged;
2 Provide a brief but details summary of the outcome in the "Critical Partner Log" field;
3 Click the check box adjacent to the critical partner acronym if engaged;
4 In the "Critical Partner Log" provide a brief but detailed summary of the critical partner engagement purpose and outcome; (Example shown in Figure 14 below)
5 Log entry must include:
  • Name of POC;
  • Date of exchange and detail of what was discussed;
  • Follow-up action (if any);
6 Click "Save" to insert and store log entry with the ITAR Record.
Table 18: Steps to Document Critical Partner Engagement(s)
 
Image
Figure 14: Critical Partner Engagement Log
Figure 14: Critical Partner Engagement Log


Step 3: Develop Review Summary

ITAR Reviewers must use information from the acquisition documentation, critical partner feedback, and ITAR data entered in the ServiceNow to develop an ITAR summary. ITAR summaries are developed in ServiceNow using the "Recommendations" and "Summary" tab's shown in Figures 15 and 16, below.

The ITAR summary should be an abstract of the requirement under review. A standard ITAR Summary will include a background statement and a recommendation that provides feedback to aid with improving the contractual details of the acquisition. The ITAR summary will offer one of two recommendation types: conditional or non-conditional recommendation.4

Content entered in the "Recommendation" tab will be automatically pulled into a final disposition email that will be sent to the ITAR Requestor, Requestor's Alternate POC, HHS CIO, and Deputy CIO once a final approval or rejection decision is entered by the HHS CIO. A subset of the ITAR summary is shown in Figure 16, below.

ITAR Reviewers can provide additional information about the ITAR analysis in the "Summary Tab". Enter additional content to be included in the final disposition email under the bolded "Recommendation" heading found in the "Full Summary" text field displayed in Figure 16.

Image
Figure 15: ITAR Review Summary
Figure 15: ITAR Review Summary


ServiceNow supports copy and paste functions that allow users to draft content in their tool of choice, then paste into ServiceNow. Table 19 describes the steps Reviewers will follow to draft the ITAR Summary.

Image
Figure 16: Sample of Disposition Email w/ Recommendations
Figure 16: Sample of Disposition Email w/ Recommendations
ServiceNow Process Steps: Develop Review Summary
Step Description
1 In the ITAR record, click the "Summary" tab;
2a Draft ITAR "Background" and "Recommendations" within the ServiceNow and in the Full Summary field; or
2b Draft ITAR Summary outside of the ServiceNow Portal then paste into the ServiceNow "Full Summary" field;
3 Click the "Save" button to save work and return later to make further inputs;
4 Click "Ready for Approval" radio button then "Save" to run approval workflow.
Table 19: Develop Review Summary and Approval Recommendation Steps in ServiceNow

A2.2: ITAR Approver Process

ITAR Approvers

LegCom Director: Performs the steps described in Table 20 below to complete pending approval(s). Approvers are cautioned to not "Reject" ITARs until an unequivocal final decision is reached on whether to allow the acquisition to move forward. Prematurely rejecting the ITAR will end the workflow immediately. Instead, use the comment feature of the approval form to seek additional information about the package under review prior to postulating an approval decision.

CIO or CIO Designee (Executive, Direct Report to CIO): The CIO or CIO Designee will access pending ITAR Approvals following steps 1 through 4 of Table 20. However, the comment function is configured differently for the CIO and CIO Designee. Comments entered on the approval form by the CIO or CIO Designee will populate the "CIO / CIO Designee Conditions" field within the ITAR record, thereby making that comment a part of the approval email sent to the Requestor.

To request additional information prior to making a review decision, follow the steps in Table 14 to send the ITAR Reviewer an email to open discussions for clarification.

Approving ITARs

Table 15, below, lists the steps each approval authority will take to complete their action of approving the ITAR.

ServiceNow Process Steps: Approve ITAR
Step Description
1 Use Google Chrome to log into the ServiceNow: https://hhsasa.servicenowservices.com;
2 Next, click "ITAR" then "My Approvals" in Application Navigator menu;
3 Click the "Requested" value under the "State" Column; (Shown in Figure 18 below)
4 Review the ITAR Approval form and acquisition documents; (Shown in Figure 19 below)
5 Optional: Add comments using the comment feature within the ServiceNow; (Shown in Figure 21 below): Post comment by clicking "Post" button under comment field;
6 Click "Approve" or "Reject" at the top right corner of the page to submit an approval decision. Approval decisions will end the workflow;
7 Rejecting an ITAR Approval request will end the workflow. Only click "Reject" after it is determined that the acquisition should not move forward. The requesting office will have to resubmit their package if requests are prematurely rejected.
Table 20: Approve ITAR Request Steps


Figure 17, below, identifies the approval users and their respective approval threshold. Additionally, the figure lists the hierarchical order and sequence in which approval notifications will be sent.

Image
Figure 17: ITAR Approvers Process Steps
Figure 17: ITAR Approvers Process Steps
 
Image
Figure 18: Approving ITAR requests
Figure 18: Approving ITAR requests


If an ITAR does not contain enough information for a decision Approvers are cautioned to take no action with regard to approving or rejecting. Instead, engage the ITAR POC following the directions provided in Table 20, above. Return to the approval request once sufficient information about the requirement is provided to complete the approval action.

Figure 19 is an example of the ITAR Summary approvers will review.

Image
Figure 19: ITAR Summary w/ Attachments
Figure 19: ITAR Summary w/ Attachments


Figure 20, sits atop the ITAR Summary and is used to approve or post comments to the ITAR record. Approvers can delve deeper into a requirement by opening the documents attached to the ITAR record. To provide input on the acquisition under review or request an action of the requesting office, approvers can post comments to the record.

Image
Figure 20: ITAR Approval Form with Comment Section
Figure 20: ITAR Approval Form w/ Comment Section


Approval Descriptions

ITAR Approvers can render one of two decisions in the ServiceNow. Approval users have the option to either "Approve" or "Reject" the acquisition under review in the ServiceNow. Table 21 provides a description of each action and the subsequent results.

Decision Description
Approve The CIO or CIO Designee approves, and the acquisition can move forward. OS and OCIO acquisitions must attach the ITAR approval to the requisition in UFMS.
Reject The CIO or CIO Designee does not approve the acquisition; therefore, the procurement cannot move forward. If the requesting office intends to resubmit the acquisition package, it must first take the action of satisfying the disapproval conditions provided in the disapproval notice. Resubmitted ITARs require documentation that disclose the actions taken to remediate identified issues.
Table 21: ITAR Approval Descriptions

A2.3 Quality Control/Quality Assurance

The ITAR Application is built in the ServiceNow with a set of business rules that are designed to improve ITAR process quality measures. This qualitative improvement adds value to all stakeholders of ITAR by incorporating workflow automation tools that models, displays, orchestrates, executes, and tracks work products as activities occur. The ServiceNow workflow automation feature will also eliminate much of the human intervention that existed in the legacy ITAR process in terms of management and reporting of performance metrics.

Several of the ITAR Business Rules are described in the table below:

Rule Description
Calculate Number of Days in Process Sets value for Number of Business Days in Process
Calculate Number of Suspended Days Sets Number of suspended days
Cannot be triggered if Suspend Date is empty
Uses the current date if the Resume Date is not set.
Check for No Approval Required 1 Checks for:
  • Requisition Amount is less than $150,000.00
This will notify ITAR reviewer that minimum threshold for ITAR is not met
Check for No Approval Required 2 Checks for:
  • Ready for Approval is true
  • Requisition Amount is less than $150,000.00
  • If both conditions are not satisfied, this prevents saving the ITAR package, there by not allowing the approval workflow to start.
Check for No Approval Required 3 Checks for:
  • Ready for Approval is true
  • ITAR POC field empty
  • If both conditions are not satisfied, this prevents the approval workflow from triggering
Check Mandatory fields for values Checks for:
  1. Acquisition Title is true
  2. Requestor is true
  3. OpDiv is true
  4. Requesting Office is true
  5. ITAR automated attestation is true
  6. Contract Type is true
  7. Signed IT Security Cert. Checklist Attached is true
  8. Security/Privacy Compliance Assessment is true
  9. Acquisition Amount equal to $0 is false
  10. Acquisition Amount is equal to or greater than $150K
  11. Period of Performance is true
  12. Total Number of Option Years is true
If any of the above values are false, the approval workflow is prevented from triggering and the user is notified to enter a required information
Set ITAR Number On Save of a new record
Set Submitted Date Sets date when the ITAR Package was submitted and subsequently, when the review timeline begins
Set ITAR fields when Done Sets Archival Date when the ITAR Package goes to "Done"
Start ITAR Approval Check Records the approval Start Date
Table 22: The ServiceNow Business Rules for ITAR

Appendix B: Standards

Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.

No standards are associated with this Policy.

Appendix C: Guidance

Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.

No further guidance is associated with this Policy.

Appendix D: Forms and Templates

Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.

Acquisition Plan (AP) Templates:

Acquisition Strategy (AS) Templates:

ITAR Forms: ITAR Submitter Checklists

Table 17, below, is provided as a checklist to aid ITAR Submitters in executing the task of transmitting IT Acquisition Packages for ITAR approval:

Develop Acquisition Package Complete
Do you have a complete Acquisition Package? See Section 3.2.1 for guidance.
Did you engage the appropriate SMEs and critical partners based on the type of product or service being acquired? (Examples: CISO, Privacy Officer, System Owner)
Have your SMEs and critical partners reviewed the requirements and documented their recommendations and approvals?
Did you do your due diligence to work with your SMEs in order to delineate required FAR, HHSAR and/or requirements language that are specific and unique to your requirement, understanding it is not solely the responsibility of acquisition reviewers and the Contracting Office to know what applies and should be included in your SOW/SOO, PWS?
Did you fill out the ITAR Approval Form? Is it signed by your program office?
Enter Acquisition Data in ITAR Service Portal Complete
Accessed ITAR Service Portal Page via the internet
Followed the instructions on Portal Page to complete the ITAR Submission form
Ensured all necessary and mandatory data relevant to the Acquisition is entered in the appropriate data field
Used paper clip icon to upload all supporting documentation and signed ITAR Approval Form
Submit Request to LegCom Complete
Clicked "Save" button at bottom of form to send ITAR request to LegCom ITAR team
Checked Microsoft Outlook regularly for delivery confirmation email from Service Portal
Responded to request for additional information within 5 business days to ensure the ITAR review team can route the acquisition package for approval in a timely manner
Table 17: New ITAR Submission Checklist


ITAR Reviewer and Approver Checklists

The checklist below is provided to aid ITAR Reviewer and Approvers with executing the task of obtaining ITAR approval for IT acquisitions.

The Service Portal ITAR Application Access - Reviewer and Approver Complete
Ensure ability to access the Service Portal ITAR application
Preliminary Review of Acquisition Package - Reviewer Complete
Ensure ability to edit submitted acquisition data within the ITAR Record
Determine if acquisition meets minimum dollar threshold for ITAR review
Determine if any missing information or clarifications are required
Determine if acquisition is IT or other with IT Components
Determine whether an existing contract or strategic sourcing could be leveraged
Validate that the data entered in the Service Portal matches data in the requirement document(s)
Develop Summary and Recommendations - Reviewer Complete
Name of Acquisition/Program/Project
Description of Goods or Services
Background Information
Period of Performance (PoP)
Cost (Base Year + Options)
Identified Risks
Synopsis of Acquisition
Recommendations and Noteworthy Information
Closing out the Reviewer Process/Prepare for Approver Process - Reviewer Complete
ITAR POC name entered in the Service Portal data field
Confirm the acquisition data fields in the Service Portal are accurate
Engage Critical Partners / Incorporate Critical Partner Input
Finalize the ITAR Review Summary
Review ITAR Review Summary for comprehension and completeness
Check "Ready for Approval" radio button then clicks "Update" to launch workflow
Approval - Approver Complete
Review the comprehensive ITAR Summary provided by ITAR Reviewers
Reference acquisition package documents for further information or to obtain clarity if needed during approval analysis
Determine if you concur with the recommendations provided by the reviewer
Record your recommendations, concerns, conditions for approval and/or concurrence with the reviewer's recommendations using the comment feature on the approval form
Click "Approve" or "Reject" on the approval form to move the ITAR record to the next approver or end the workflow (depending on $ threshold)
Notification - Reviewer/The Service Portal Tool Complete
Notify Requesting Office of CIO or CIO Designee Decision
Provide Requesting Office with ITAR Approval Package
Table 18: Reviewer / Approver Checklist

Glossary and Acronyms

Definitions:

  • Acquisition Plan:
    1. As defined in the Federal Acquisition Regulation (FAR) Part 2 "Definitions" and further explained under FAR Part 7 "Acquisition Planning".
      The process by which the efforts of all personnel responsible for an acquisition are coordinated and integrated through a comprehensive plan for fulfilling the agency need in a timely manner and at a reasonable cost. It includes developing the overall strategy for managing the acquisition.
    2. Definition explained further in supplemental agency guidance: HHS Directive for the Acquisition Strategy (revised February 2018).
      The Acquisition Plan (AP) is a tactical document approved in HALF Phase 3 - Program Development which identifies the steps necessary to implement the approved Acquisition Strategy for the Program/Project (P/P). Unlike the Acquisition Strategy (AS), which is an overall strategy for all acquisitions that might be necessary for a P/P, the AP outlines the specific actions necessary to acquire resources. An approved AP serves as a formal agreement between the various parties as to how the acquisition will proceed. An AP is execution-oriented and contract-focused and therefore very different than the AS.
  • Acquisition Strategy: As defined in the HHS Directive for the Acquisition Strategy (revised February 2018).
    The AS, an essential part of the overall Program/Project Lifecycle Document (PLD) for each P/P, is a strategic document approved in HALF Phase 2 - Program Definition. The AS describes the entire mission/portfolio or program, defines the mission and business needs for the mission/portfolio or program, and provides the critical foundation necessary to determine the plans for the acquisition(s). The approval of the AS is required before developing management plans for the P/P structure and other details summarizing success factors and expected outcomes/results. The AS also provides the basis for meeting the organization's mission and business needs and established P/P objectives, thereby acting as an aid for the P/PM to gain acceptance, support, and approval for an acquisition. Development of the AS is a logical, systematic way of transforming a defined mission/business need into a comprehensive, top-level plan to direct the P/P management. Even though overarching strategies are required for all P/Ps, the AS is only required if the P/P will be augmented by contractor services/support. The AS Development Process consists of a series of iterative steps for identifying, analyzing, and resolving issues related to the essential elements of an AS. Documenting the AS is a means of performing adequate strategic planning in the beginning and throughout the program, thereby reducing potential diversions from program objectives that could adverse cost, schedule, and technical consequences.
  • Information Technology (IT): As defined in OMB M-15-14: Management Oversight of Federal Information Technology
    1. Any services or equipment, or interconnected system(s) or subsystem(s) of equipment, that are used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the agency; where
    2. Such services or equipment are 'used by an agency' if used by the agency directly or if used by a contractor under a contract with the agency that requires either use of the services or equipment or requires use of the services or equipment to a significant extent in the performance of a service or the furnishing of a product.
    3. The term "information technology" includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including provisioned services such as cloud computing and support services that support any point of the lifecycle of the equipment or service), and related resources.
    4. The term "information technology" does not include any equipment that is acquired by a contractor incidental to a contract that does not require use of the equipment.
  • Major Information Technology (IT) Investment: As defined OMB M-15-14: Management Oversight of Federal Information Technology
    An IT investment requiring special management attention because of its importance to the mission or function to the government; significant program or policy implications; high executive visibility; high development, operating, or maintenance costs; unusual funding mechanism; or definition as major by the agency's capital planning and investment control process. Agencies should also include all "major automated information system" as defined in 10 U.S.C. 2445 and all "major acquisitions" as defined in the OMB Circular A-11 Capital Programming Guide consisting of information resources. OMB may work with the agency to declare IT investments as major IT investments. Agencies must consult with assigned OMB desk officers and resource management offices (RMOs) regarding which investments are considered "major." Investments not considered "major" are "non-major."

Acronyms:

  • AP - Acquisition Plan
  • AS - Acquisition Strategy
  • ASFR - Assistant Secretary for Financial Resources
  • CFO - Chief Financial Officer
  • CIO - Chief Information Officer
  • CPIC- Capital Planning and Investment Control
  • EA - Office of Enterprise Architecture
  • FAR - Federal Acquisition Regulation
  • FITARA - Federal Information Technology Acquisition Reform Act
  • HHS - Department of Health and Human Services
  • HHSAR - Department of Health and Human Services Acquisition Regulation
  • IGCE: Independent Government Cost Estimate
  • IAA - Inter-Agency Agreement
  • IT - Information Technology
  • LegCom - Legislative Compliance Division
  • OA - Office of Acquisition
  • OES - Office of Enterprise Services (OES)
  • OCIO - Office of the Chief Information Officer
  • OIS - Office of Information Security
  • OMB - Office of Management and Budget
  • OpDiv - HHS Operating Division
  • MOU - Memorandum of Understanding
  • P/P - Program/Project
  • PLD - Program/Project Lifecycle Document
  • PSC - Program Support Center
  • StaffDiv - HHS Staff Division
  • SOW - Statement of Work
  • VMO - Vendor Management Office
  • 1. If submitting an approved Acquisition Strategy for ITAR approval in the early phases of the program and acquisition lifecycle, it is acceptable to submit it with just the supporting documentation that contributed to the development of the strategy content. It is understood that you will not yet have the Acquisition Plan package(s) developed in the strategy phase of the lifecycle because you are not yet ready to begin pre-award activities for specific products and services.
  • 2. IGCE: This must reflect how the estimate was derived using historical procurement pricing within HHS of similar products or services within three (3) years or current market research pricing all, of which must factor in at least 3% inflation for current pricing.
  • 3. Market Research Report: A mandatory document containing details that must be in alignment with the complexity or simplicity of the acquisition and must contain actual research results.
  • 4. Conditional recommendations are CIO conditions that must be satisfied through documentation before final approval. Non-conditional recommendations are CIO, or other, recommendations that are left up to the requesting office to build into their acquisition package.
Content created by Office of the Chief Information Officer (OCIO)
Content last reviewed