HHS OCIO Policy for Information Technology (IT) Policy Development

November 28, 2006

Project: HHS OCIO Policy
Document Number: HHS-OCIO-2006-0004

Table of Contents

  1. Purpose
  2. Background
  3. Scope
  4. Policy
  5. Roles and Responsibilities-Department
  6. Applicable Laws/Guidance
  7. Information and Assistance
  8. Effective Date/Implementation
  9. Approved
  10. Glossary

1. Purpose

The purpose of this Department of Health and Human Services (HHS) Information Technology (IT) Policy is to establish IT policy standards of content, uniform format and style for all IT policies written by the Department or on behalf of the Department.

This IT Policy also formally establishes the HHS Three Level IT Policy Review Process for the Department IT policy (or any IT policy written on behalf of the Department) development and review.

Operating Division (OpDiv) or Staff Division (StaffDiv) IT policy development and review shall use this policy and follow its standards of content, uniform format and style. The development functionality and review processes described, reflect the Department’s organizational structures. OpDiv s/StaffDivs, to the extent practicable, based on their organizational structure and culture, shall modify this IT Policy to insert their relevant, equivalent titles and functions. See the “Policy” chapter below. Barring this one exception, all other facets of IT Policy development and review, as stated in this Policy, are in effect and shall apply to OpDiv/StaffDiv IT policy development and review.

This Policy is a first issuance establishing the content, format, style and review requirements of all IT policy written subsequent to the effective date of this document.

2. Background

Establishing IT policy-level requirements in a uniform manner yields consistent documentation and sets the expectations of the targeted audience. This Policy is meant to establish a standard set of IT policy development criteria by which compliance can be measured.

Uniform policy development in the technology arena raises new opportunities for universal use by all employees to conduct business in a more balanced, informative manner, and to receive the maximum benefit of their efforts.

3. Scope

This Policy applies to all Department Operating Divisions (OpDivs), including the Office of the Secretary, and organizations conducting business for and on behalf of the Department through contractual relationships when using HHS IT resources. This Policy does not supersede any other applicable law or higher level agency directive, or existing labor management agreement in effect as of the effective date of this Policy.

Agency officials shall apply this Policy to employees, contractor personnel, interns, and other non-government employees by incorporating references in contracts or memorandums of agreement as conditions for establishing Government IT policy documents, under the instruction and direction of Government management. Agencies shall use this Policy or may create a more restrictive OpDiv/StaffDiv policy, but not one that is less restrictive, less comprehensive or less compliant with this Department IT Policy.

4. Policy

It is recommended that all IT policy writing, to the extent possible and practicable, employ a collaborative effort during development and actively engage an even wider distribution during the policy’s review period, to gather a broad perspective of input upfront.

A policy is defined as conveying “what” is to be done; “who” is to do it; and, “when” it is to be done. In contrast to and to clarify terminology, procedures are defined as conveying instruction on “how” it is to be done. Please refer to the Glossary.

All published policies shall be Section 508 compliant (i.e. fully accessible by disabled and non-disabled individuals).

The following parameters establish the minimum requirements for IT policy standard language, content, and format. It also conveys the HHS Three Level IT Policy Review Process specific for Department-level policy written by, or on behalf of, the Department. Standards are categorized below as “Content”, “Format”, and “Style” (font, headers & footers, margins, pagination, etc.).

4.1. Department vs OpDiv/StaffDiv IT Policy Development and Review

OpDivs/StaffDivs writing IT policy specifically for, or internal to that OpDiv/StaffDiv, shall modify the organizational and staff titles used in this Policy and the HHS Three Level Review Process presented here, to accurately reflect who in the OpDiv/StaffDiv shall perform the functions described. OpDivs/StaffDivs shall establish like review processes to accomplish the same, stated, desired, coordinated and collaborative effect. For example: the HHS CIO title would be replaced with the OpDiv CIO title while performing the same functionality of the HHS CIO regarding IT policy development and review.

These organization appropriate changes shall not deteriorate the desired consistent policy content, format and style; shall adhere to the standard Table of Contents (TOC) format; and shall establish an IT policy review process that effectuates the desired collaborative, coordinated IT policy development and review processes established by the Department.

The requisite Comment Matrix preparation shall also be established by the OpDivs/StaffDivs and maintained for historic purposes.

To acknowledge and facilitate the differences between the Department and the OpDiv/StaffDiv organizations, a statement is made at the end of relevant paragraphs in this Department IT Policy that highlights the need for OpDiv/StaffDiv adjustments in title.

4.2. Policy Content:

All IT policies shall clearly and specifically address the purpose for the policy and describe the logical, sequential tasks necessary to accomplish the stated goals/end state. Each IT policy shall address one subject and, when appropriate, provide points of reference to other subject area materials or references, e.g., relevant regulations, legislation, oversight mandates, or Department authority. Policy-level documents shall address functions, tasks, and requirements that are specific enough to be measured, are observable, and address outcomes and effects that demonstrate that the policy is being followed. IT policy content shall contain at a minimum:

4.2.1. A standard Table of Contents (TOC):

A TOC for a new and/or revised IT policy contains nine (9) chapters and a Glossary. A TOC for a revised or updated IT policy shall also address a standard Nature of Changes page described below, numbered as “ii” following the TOC page which is number “i”. Chapter titles, in their order of presentation and standard numbering, are uniform and fixed.

A chapter may have as many sub-chapters or breakdowns as needed to arrange the content in a logical, organized manner, especially in the Roles and Responsibilities chapter and in the Applicable Laws and Guidance chapter.

4.2.1.1. Standard content pagination and chapter numbering for a new policy:
  • Table of Contents (appears on page # “i”)
  • Chapter 1. Purpose (starts the document pagination: “1 of X”)
  • Chapter 2. Background
  • Chapter 3. Scope
  • Chapter 4. Policy
  • Chapter 5. Roles and Responsibilities (as many breakdowns as needed)
  • Chapter 6. Applicable Laws and Guidance (as many breakdowns as needed)
  • Chapter 7. Information and Assistance
  • Chapter 8. Effective Date/Implementation
  • Chapter 9. Approved
  • Glossary (unnumbered)
  • Appendices or Figures (lettered)
4.2.1.2. Standard content pagination and chapter content for a revised policy:
  • Table of Contents (appears on page # “i”)
  • Nature of Changes (appears as page # “ii” and & describes specifically what was changed, per changed chapter)
  • Chapter 1. Purpose (starts the document pagination: “1 of X”)
  • Chapter 2. Background
  • Chapter 3. Scope
  • Chapter 4. Policy
  • Chapter 5. Roles and Responsibilities (as many breakdowns as needed)
  • Chapter 6. Applicable Laws and Guidance (as many breakdowns as needed)
  • Chapter 7. Information and Assistance
  • Chapter 8. Effective Date/Implementation
  • Chapter 9. Approved
  • Glossary (unnumbered)
  • Appendices or Figures (lettered)

“Nature of Changes”: Required only if the policy is a revision (as opposed to a new issuance). The Nature of Changes lists each change numbered 1-X, in chapter order of reference; and, includes a brief description of the change.

Each standard required chapter is described below:

4.2.2. Purpose:

Describes the specific reason that the IT policy is being written. That detail is whatever internal or external force(s) prompted the IT policy. For instance: Public Law XX, dated MMDDYYYY requires; OMB memorandum M-YY-NN, dated MMDDYYYY, entitled:, requires, etc. Additionally, the “Purpose” chapter contains a statement specific for new IT policies: “this IT policy is a “first issuance”; or, for revised IT policies: “this IT policy is being revised to address new or changed requirements and this issuance supersedes the former IT policy (Title), numbered (HHS-OCIO-YYYY-NNNN.VVV) dated (MMDDYYYY).”

4.2.3. Background:

It provides the author and/or the Subject Matter Expert (SME) with the opportunity to further clarify the need for the policy that is not mandated or legislative, as contained in the “Purpose” chapter. Perhaps there is a story, or some historic reference, that adds or further explains why this policy is being written. For example: “this IT policy establishes the Deputy Assistant Secretaries (DAS) as critical partners for Capital Planning and Investment Control (CPIC) purposes.” Or “this IT policy also provides alternative methods of meeting the requirements of Public Law (P.L.) XXXX.”

4.2.4. Scope:

There are two standard statements in the “Scope” chapter. The first regards to whom this Policy applies: “This policy applies to all Department Operating Divisions, including the Office of the Secretary, and organizations conducting business for and on behalf of the Department through contractual relationships when using HHS IT resources. This policy does not supersede any other applicable law or higher level agency directive or policy guidance. Agency officials shall apply this Policy to employees, contractor personnel, interns, and other non-government employees through incorporation by reference in contracts or memorandums of agreement as conditions for establishing Government IT policy documents, under the instruction and direction of Government management.” OpDivs/StaffDivs shall modify these standard statements to reflect their organizational and functional structures.

The second states: “Agencies shall use this Policy or may create a more restrictive OpDiv/StaffDiv policy, but not one that is less restrictive, less comprehensive or less compliant with the Department’s XXX (title of the policy), XXX (number of the policy), dated MMDDYYYY requirements”.

4.2.5. “Policy”:

Where the specific subject tasks and requirements are delineated. The delta between the mandate or public law goals/end state and where the organization (Department; OpDiv/StaffDiv) is at this point in time is addressed in specific terms, steps, and/or tasks that will achieve the desired goal/end state. This is the heart of the IT policy and it is where both the compliance and performance criteria are set. The oversight mandate or Department/agency authority requirement, as well as the tasks or plans that the organization (Department, OpDiv/StaffDiv, etc.) shall take in pursuit of meeting, addressing, those requirements, are stated here. This portion of the IT policy can be viewed as a verbal, major task “Work Breakdown Structure (WBS)” in the sense that this is the “what”, the “who” and the “when”. (In contrast, Procedures are the “how” and would be described in this example scenario as the lower level (work package level) or detailed tasks of a WBS). The “policy” chapter is also where criteria for compliance are set and performance is also addressed in terms of timeliness, frequency, due dates, effectiveness, outcomes, outputs, etc. Another parallel example for those who are not familiar with a WBS is the “Statement of Work” portion of a contract. Those requirements, deliverables, timetables, frequencies, delivery locations, outcomes and outputs, etc., are examples of what is captured in the “policy” chapter.

4.2.6. “Roles and Responsibilities”:

Where each affected functional area and each level of management/executive involved in the process is described in relationship to this specific IT policy subject. Do not exclusively describe a functional area’s mission or the manager’s/executive’s job description. This is where a functional area and/or the management/executive develops, creates, manages, sponsors, approves, reviews and performs a specific role in this subject IT policy process. For example: “the executive officer is required to attend the monthly meetings and to preside over the workgroup councils to coordinate their products and services.” Or, “the chair of the board votes only when there is a quorum and there is a tie.”

4.2.7. “Applicable Laws and Guidance”:

Where specific and applicable overarching references are listed. This list also serves to backup and confirm the statement in the “Scope” chapter: “This Policy does not supersede any other applicable law or higher level agency directive, or existing labor management agreement in effect as of the effective date of this Policy.”

4.2.8. “Information and Assistance”:

For the Department the statement: “Direct questions, comments, suggestions or requests for further information to the Deputy Assistant Secretary for Information Technology, who serves as the HHS CIO, (202) 690-6162.” Each OPDIV/STAFFDIV shall create its own organizationally correct statement.

4.2.9. “Effective Date/Implementation” chapter:

For Department level policies ONLY, all three of the statements in this chapter are standard. OpDivs/StaffDivs shall create similar statements that suit their IT Policy process and reflect their bargaining unit agreements. IHS is the only OpDiv that shall use the last statement: “Indian Rights”, in addition to their versions of statements 1 and 2. The three Department statements are:

4.2.9.1. The effective date of the IT policy:

“The effective date of this policy is the date the policy is approved.”

4.2.9.2. Bargaining unit rights:

“These policies and procedures will not be implemented in any recognized bargaining unit until the union has been provided notice of the proposed changes and given an opportunity to fully exercise its representational rights”.

4.2.9.3. Indian Rights:

“The HHS policies contained in this issuance shall be exercised in accordance with Public Law 93-638, the Indian Self-Determination and Education Assistance Act, as amended, and the Secretary's policy statement dated August 7, 1997, as amended, titled "Department Policy on Consultation with American Indian/Alaska Native Tribes and Indian Organizations." It is HHS' policy to consult with Indian people to the greatest practicable extent and to the extent permitted by law before taking actions that affect these governments and people; to assess the impact of the Department's plans, projects, programs and activities on tribal and other available resources; and to remove any procedural impediments to working directly with tribal governments or Indian people.”

4.2.10. “Approved”:

A standard format shall be used with the appropriate title of signature for OpDivs/StaffDivs, etc. At the Department, it is the HHS CIO who signs and dates an IT policy, as demonstrated by the “Approved” chapter of this IT Policy. Both the signature and the date fields are required fields of the format.

4.2.11. “Glossary”:

Unnumbered and defines terms particular to the IT policy. Each named term shall be bolded, with the corresponding definition unbolded.

4.2.12. “Appendices” or “Figures”:

Any “Appendices” or “Figures”, etc., included in the IT policy shall be referenced at the end of the TOC and be listed in lettered format “A” to “Z” after the Glossary, with corresponding page numbers.

4.3. Policy Format:

All policies shall follow a standard format as described below:

4.3.1. Cover Page: Mandatory

A standard policy cover page shall be used as demonstrated by the cover page of this Policy.

4.3.2. Table of Contents: mandatory

A standard “Table of Contents” shall be used for both new and revised policy. TOCs have the page number “i”. Each chapter listed in the TOC contains the start page number for that chapter.

4.3.3. Nature of Changes: mandatory for revised policy only.

A Nature of Changes describes, by chapter, the specific changes that this revised policy conveys. Revised policies contain this additional Nature of Changes page, numbered as “ii” following the TOC. See chapters 4.2.1.1 and 4.2.1.2 for further details.

4.3.4. Policy chapters: Standard titles, order and numbering of chapters are mandatory.

See chapters 4.2.1.1 and 4.2.1.2. Note: for the chapters titled: “Roles and Responsibilities” and “Applicable Laws and Guidance”, the number of sub-chapters or breakdowns are at the policy authors’ discretion and the number may vary.

4.3.5. Glossary: mandatory.

4.3.6. Appendices or Figures: optional.

4.4. Policy Style:

4.4.1. Policy Text

All policy text shall be in type style Times New Roman.

4.4.2. Policy text (excluding specific headers)

All policy text (excluding specific headers) shall use font size 12.

4.4.3. Header 1

All “header 1” shall be bolded and in font size 16. (Example: 4. Policy).

4.4.4. Chapters or Header 2

All chapters or “header 2” shall be bolded and in font size 14. (Example: 4.1 Policy Content).

4.4.5. Chapter Sections

All chapter sections shall be unbolded and in font size 12. (Example: 4.1.1 A standard Table of Contents (TOC)).

4.4.6. Subsections

All subsections shall be unbolded, indented and in font size 12. (Example: 4.1.1.1 Standardized numbering of the chapters for a new policy).

4.4.7. Pagination

Pagination: Page numbers are in the footer at the lower right hand corner of each page in the format of “X of Y.”

4.4.8. Footers

Footers also contain the proper name of the policy, such as: HHS-OCIO Policy for XXXXXXXXXX in the lower left hand corner of each page, as demonstrated by this policy.

4.4.9. Headers

At the Department, are entered by the HHS OCIO IT Policy Officer and contain the HHS-OCIO (policy number (CY and sequence) plus a version (.001) in the upper right hand corner, along with the date that the HHS CIO signs the IT policy. OpDivs/StaffDivs shall ensure that the same functions are accomplished by their appropriate staff.

4.4.10. The Policy Date

At the Department, is entered by the HHS OCIO IT Policy Officer and is shown in two places: on the Cover Page as well as in the Policy Header. The Policy Date is determined by the actual signature date of the HHS CIO. During the IT policy review process (see 4.5, the HHS Three Level IT Policy Review Process) a temporary date is entered by the HHS OCIO IT Policy Officer and is used in both places. Once through the IT Policy Review Process and the HHS CIO signs and dates the IT policy, the HHS OCIO IT Policy Officer removes the “DRAFT” status from the Cover Page and replaces the projected date with the actual signature date of the HHS CIO on the Cover Page and in the header. OpDivs/StaffDivs shall ensure that the same functions are accomplished by their appropriate staff.

4.4.11. Version Control for IT policy

At the Department, is determined by the HHS OCIO IT Policy Officer and entered onto the DRAFT and final IT policy by the HHS OCIO IT Policy Officer based on policy issuance status (first or revised) and the number of published versions of that IT policy. The HHS OCIO IT Policy Officer uses the following numbering schema: the Calendar Year (CY) in YYYY format, the sequence number of this policy within that CY and the number of versions within this CY and sequence, plus the date of the HHS CIO signature. Version Control is shown in the upper right hand corner of the policy as well as on the Cover Page in the lower right hand corner. OpDivs/StaffDivs shall ensure that the same functions are accomplished by their appropriate staff.

4.4.12. The policy numbering schema

The policy numbering schema is also part of the numbering schema used to identify separate documents that house appendices or procedures that are specifically related to that IT policy. The appendices numbering schema uses its related IT policy number and suffixes it with the letter “A” for appendices. Likewise, the related procedures numbering schema is suffixed with the letter “P” for procedures. Again, these numbering schemes are devised to associate the appendices and/or procedures documents with their related “parent” IT policy. Not all IT policies have either separate appendices or procedures, but each appendix or procedure document must have an associated IT policy or parent document.

4.5. The HHS Three Level IT Policy Review Process

IT policy may be initiated by the HHS OCIO IT Policy Officer

IT policy may be initiated by the HHS OCIO IT Policy Officer, serving as the Subject Matter Expert (SME) or leading a group of SMEs, or IT policy may be developed by other SMEs. In either case, SMEs are responsible for composing the subject matter content of the IT policy and work with the HHS OCIO IT Policy Officer to prepare the DRAFT IT Policy and its review schedule. It is recommended that all IT policy development, when practicable, be a collaborative effort with all stakeholders/critical partners (Department Deputy Assistant Secretary (DAS): Budget; Finance; Information Technology; Human Resources; and, Acquisition counterparts as well as the OpDivs) in order to leverage the knowledge that an Integrated Product Team (IPT) can lend. Stakeholders/critical partners who have first-hand knowledge or expertise of the subject matter, if not part of the IPT, shall be conferred with and given the opportunity for first review of the product before it begins the formal IT policy review process by the HHS IT Policy Officer. All IT policies written at the Department or on behalf of the Department shall comply with the following formal HHS Three Level IT Policy Review Process facilitated and coordinated by the HHS OCIO IT Policy Officer.

4.5.1. After IPT reviews are completed and the DRAFT IT policy is updated

After IPT reviews are completed and the DRAFT IT policy is updated as agreed, the HHS OCIO IT Policy Officer receives the DRAFT IT Policy to begin the formal IT Policy Review Process. The HHS OCIO IT Policy Officer reviews the DRAFT for content, format and consistency with other existing IT policies, provides comments and reviews any updates. The HHS OCIO IT Policy Officer establishes the review schedule, and facilitates and coordinates the DRAFT IT policy through the HHS Three Level IT Policy Review Process, as described below:

4.5.2. Level 1: OCIO review:

The HHS OCIO IT Policy Officer establishes a schedule for OCIO review and circulates (usually via email) the DRAFT IT policy through the Office of the Chief Information Officer (OCIO) for comment. All comments received by the IT Policy Officer are reviewed, assessed and discussed with the SME. The SME provides feedback to each of the commenters. In general, the OCIO staff has up to 5 calendar days to complete their review. After changes or updates are complete, the DRAFT IT policy is ready for the next level of review.

4.5.3. Level 2:

HHS Deputy Assistant Secretary (DAS: Budget; Information Technology; Finance; Human Resources; and Acquisition) Review: The purpose of the HHS DAS reviews is twofold: to ensure a coordinated Department effort regarding the subject matter, and, to announce the new IT policy inception or IT policy revision so that the DAS Community can offer assistance in their levels of responsibility and involvement. Again, the HHS OCIO IT Policy Officer establishes a review period of time (usually 3-4 calendar days), prepares the transmitting email sending the DRAFT IT policy to the HHS DAS Community for review, and requests that comments be sent to the HHS OCIO IT Policy Officer. The IT Policy Officer discusses the comments with the SME and updates are made to the DRAFT IT policy as appropriate. The SME provides comment disposition to each responder.

4.5.4. Level 3:

Operating Division (OpDiv) CIO Communities: Once the DRAFT IT policy has effectively cleared the Department, via levels 1 and 2 of the IT Policy Review Process, all appropriate updates are made and the SME has addressed all the comments received, the HHS OCIO IT Policy Officer receives the updated DRAFT IT policy from the SME to circulate it to the OpDiv CIO communities for review and comment. Per HHS IRM 2003-0001, Policy for Comments From and Responses to Operating Divisions on Newly Developed Policies and CIO Council and ITIRB Clearance Documents, dated February 14, 2003, OpDivs have a 15 calendar day review and comment period to respond, and may request an extension unless otherwise prohibited. This 15 calendar day response time may be shortened if the responsibility and goals of the OCIO warrant it; or extended based on the size and complexity of the document; or if a number of policy documents are sent into review concurrently. These conditions are assessed by the HHS OCIO IT Policy Officer who determines the exception review period. The HHS OCIO IT Policy Officer is responsible to create the OpDiv Comment Matrix. See chapter 4.5.3, OpDiv/StaffDiv IT Policy Review Process below. OpDivs/StaffDivs are also required to capture reviewer comments in a matrix; to document the disposition of those comments; and to maintain that comment matrix for historic purposes.

4.5.5. The SME is responsible for updating the DRAFT IT policy

The SME is responsible for updating the DRAFT IT policy as appropriate, to prepare responses to the OCIO (level 1) and the HHS DAS (level 2) staff providing disposition of their comments and to forward the updated DRAFT IT policy to the HHS OCIO IT Policy Officer for the next level of clearance. In Level 3 of the IT Policy Review Process, however, the HHS IRM 2003-0001, Policy for Comments From and Responses to Operating Divisions on Newly Developed Policies and CIO Council and ITIRB Clearance Documents, dated February 14, 2003, requires that the HHS OCIO IT Policy Officer (formerly the IT Policy Director) prepare an OpDiv Comment Matrix that captures each OpDiv comment, provides the Department’s (OCIO) disposition of each comment, and the OpDiv Comment Matrix accompanies the DRAFT IT policy for signature by the HHS CIO. The Comment Matrix has four columns: each OpDiv; each OpDiv comment; any OpDiv requested and approved/disapproved requests for extensions of time to review; and, the Department’s (SME) disposition of each OpDiv comment.

4.5.6. Requests for extensions

Requests for extensions of time to review are made to the HHS OCIO IT Policy Officer via email prior to the review due date and are reviewed and approved/disapproved by the HHS OCIO IT Policy Officer. It is the responsibility of the HHS OCIO IT Policy Officer to ensure that the extensions of time for review are managed timely and that comments received are forwarded to the SME for disposition.

4.5.7. The HHS OCIO IT Policy Officer prepares the IT policy approval package

The HHS OCIO IT Policy Officer prepares the IT policy approval package, which includes the completed OpDiv Comment Matrix and the updated IT Policy. (The OpDiv Comment Matrix serves as background material for the HHS CIO to review.)

4.5.8. After the HHS CIO signs the IT policy

After the HHS CIO signs the IT policy, it is returned to the HHS OCIO IT Policy Officer to place it under version control, to transmit (email) both the signed, version controlled IT Policy and its Comment Matrix to the OPDIV CIO Community and to request the IT policy be posted to the HHS CIO Web site. The HHS OCIO IT Policy Officer, per HHS IRM 2003-0001, has 30 calendar days from receipt of the last OpDiv comment or the OpDiv comment period due date, whichever is later, to prepare the Policy approval package, including obtaining disposition of each comment on the OpDiv Comment Matrix, obtain the HHS CIO’s signature on the IT policy, prepare the IT policy for version control and transmit (email) both the signed IT policy and its completed Comment Matrix to the OpDiv CIO Community.

4.6. OpDiv/StaffDiv IT Policy Review Process

OpDivs/StaffDivs shall use chapter 4.5, The HHS Three Level IT Policy Review Process, as a model to translate Department organizational functions and titles into OpDivs/StaffDivs equivalents to accomplish like coordinated reviews, distribution and implementation. OpDivs/StaffDivs shall also establish the requisite Comment Matrix procedures to capture comments and their disposition for historical purposes.

5. Roles and Responsibilities-Department

5.1. The Deputy Assistant Secretary for Information Technology/HHS Chief Information Officer (CIO)

The Deputy Assistant Secretary for Information Technology (DASIT)/HHS CIO, under the authority delegated by the Assistant Secretary for Resources and Technology (ASRT), shall:

  • ensure the Department compliance and conformance with Public Laws, regulations, OMB and GAO regulations, policies, standards, procedures, and instructions concerning agency operations and reviews;
  • develop Department IT policy;
  • disseminate the HHS IT policy for OPDIV review, comment, and
  • disseminate the approved HHS IT policy.

5.2. The HHS OCIO IT Policy Officer

The HHS OCIO IT Policy Officer is responsible for the facilitation and coordination of all IT Policies developed by the Department or on behalf of the Department. There are times when the HHS OCIO IT Policy Officer is the SME. The HHS OCIO IT Policy Officer is also responsible for the creation and distribution of the OpDiv Comment Matrix. Specific tasks and duties are contained throughout HHS-OCIO Policy for IT Policy Development, chapter 4. “Policy.”

5.3. The Operating Division Chief Information Officers (CIOs)

Operating Division (OpDiv Chief Information Officers (CIOs) are responsible for:

  • permitting employees to participate in IPTs to help develop HHS IT policies and to review IT policies and provide timely comments;
  • approving, disseminating and implementing HHS IT policy within their respective organizations;
  • when needed, developing and approving OpDiv policies that are more restrictive than the HHS (Department issued) policies but not one that is less restrictive or less comprehensive;
  • training all employees on policies (Department policy or OpDiv/StaffDiv policy), as appropriate; and
  • implementing security controls required by policy.

5.4. Management Officials

Management officials, in their supervisory role, are responsible for:

  • ensuring that employees, contractors, interns, etc. participate in the development and the review of HHS IT policy in a timely manner, as appropriate; and
  • informing users (employees, contractors, interns, etc.) of their rights and responsibilities, including the dissemination of the information in policy.

5.5. HHS Employees and Users of HHS IT Resources

  • Users, including employees, contractors, interns, etc., are responsible for:
  • participating in the development of IT policy or initiating IT policy as the subject matter expert (SME);
  • responding timely to comments made regarding IT policy during the IT policy Review Process where they are the SME;
  • adhering to the HHS IT Policy Review Process schedule or timely requesting extensions of time to review;
  • providing timely comments during the IT Policy Review Process and working collaboratively to address issues with the appropriate SME and the HHS OCIO IT Policy Officer;
  • seeking guidance from their supervisors when in doubt about the implementation of a specific policy;
  • following policies and procedures in their use of IT Resources (for example: Internet and e-mail) and refraining from any practices which might jeopardize HHS computer systems and data files, including but not limited to virus attacks, when downloading files from the Internet;
  • familiarizing themselves with any special requirements for accessing, protecting and utilizing data, including Privacy Act and Section 508 requirements, copyright requirements, and procurement sensitive data; and
  • adhering to all conditions set forth in chapter 4, Policy.

5.6. Roles and Responsibilities-OpDivs/StaffDivs

OpDivs/StaffDivs have a major role in Department IT policy development and review. Chapters 5.3 through 5.5 provide some specifics regarding those roles in that process. OpDivs/StaffDivs shall develop parallel, appropriate roles and responsibilities regarding OpDiv/StaffDiv IT policy development and review processes that follow the intent of broad coordination and collaboration during IT policy development and throughout the IT policy review process.

6. Applicable Laws/Guidance

Authorities include:

  • Computer Security Act of 1987, P.L. 100-235, 101 Stat. 1724
  • The Privacy Act of 1974, P.L. 93-579
  • The Hatch Act (Standards of Conduct), 5 USC Sec. 7302
  • The Freedom of Information Act, 5 USC Sec. 552
  • OMB Circular A-130, "Management of Federal Information Resources"
  • IETF RFC 1780 Postel, "Internet Official Protocol Standards," March 28, 1995
  • Federal Information Security Management Act of 2002 (FISMA)
  • OMB Memorandum M-04-26, “Personal Use Policies and ‘File Sharing’ Technology”, dated September 8, 2004
  • HHS OCIO 2006-0001, Policy for Personal Use of IT Resources, dated February 17, 2006
  • 5 C.F.R. Part 2635, Standards of Ethical Conduct for Employees of the Executive Branch, and 5 C.F.R. Parts 5501 and 5502, the HHS Supplemental Ethics Regulations
  • Section 508 of the Rehabilitation Act of 1973, as amended in 1998 (29 U.S.C. 794d)
  • HHS IRM 2003-0001, Policy for Comments From and Responses to Operating Divisions on Newly Developed Policies and CIO Council and ITIRB Clearance Documents, dated February 14, 2003

7. Information and Assistance

Direct questions, comments, suggestions or requests for further information to the Deputy Assistant Secretary for Information Technology, who serves as the HHS CIO, at (202) 690-6162.

8. Effective Date/Implementation

The effective date of this policy is the date the policy is approved.

These policies and procedures will not be implemented in any recognized bargaining unit until the union has been provided notice of the proposed changes and given an opportunity to fully exercise its representational rights.

The HHS policies contained in this issuance shall be exercised in accordance with Public Law 93-638, the Indian Self-Determination and Education Assistance Act, as amended, and the Secretary's policy statement dated August 7, 1997, as amended, titled "Department Policy on Consultation with American Indian/Alaska Native Tribes and Indian Organizations."

It is HHS' policy to consult with Indian people to the greatest practicable extent and to the extent permitted by law before taking actions that affect these governments and people; to assess the impact of the Department's plans, projects, programs and activities on tribal and other available resources; and to remove any procedural impediments to working directly with tribal governments or Indian people.

9. Approved

/s/
Charles Havekost
HHS Chief Information Officer

November 28, 2006
DATE

10. Glossary

  • Guidelines – a documented statement of desired, good, or best practice that serves as a recommendation that leads or directs a course of action to achieve a certain goal. Guidelines provide instructions and advice for performing a task and suggest possible approaches that may be taken. Guidelines are generally voluntary, but the implication is that practitioners will use the concepts and principles in meeting their objectives.
  • They provide information for accomplishing the “how”. For example: if the requirement is to produce a “Return on Investment” (ROI), guidelines provide the knowledge, the method of how to perform an ROI. Guidelines generally support procedures; procedures generally support policy.
  • HHS Information Technology (IT) Resources – includes but is not limited to: staff, facilities, data, documents, personal computers and related peripheral equipment, software, network and web servers, telephones, facsimile machines, photocopiers, Internet connectivity and access to internet services, e-mail and, office supplies.
  • Information Technology (IT) – any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data.
  • Integrated Project Team (IPT) – cross-functional team of employees, contractors, interns, etc., that is temporarily established to share information and to produce a product or product(s)/deliverable(s) that reflects that focused collaboration, coordination and communication.
  • Internet – a worldwide electronic system of computer networks which provides communications and resource sharing services to government employees, businesses, researchers, scholars, librarians and students as well as the general public.
  • Intranet – an internal web-based computer system accessible only by HHS employees, interns and contractors who possess a password and log-in that allow such permissions.
  • OpDiv Comment Matrix – a comprehensive matrix developed by the Department that accounts for all comments made by the Operating Divisions regarding their review of an HHS IT Policy sent through the third level of the HHS Three Level IT Policy Review Process. The OPDIV Comment Matrix contains four (4) columns that lists: each OpDiv; their comments (including “no responses and no comments”); requests for extension of time and its disposition; and, the Department (OS) comment disposition. OpDivs/StaffDivs are also required to develop an organizational appropriate Comment Matrix, with similar four (4) column Comment Matrix, adjusting for their critical partners/organizations’ names, for their internal IT polices’ reviews.
  • Policy – a document predicated on oversight (Congressional mandates; legislation; Office of Management & Budget (OMB); Government Accountability Office (GAO); General Services Administration (GSA); National Archives Records Administration (NARA); etc.-this is not an all-inclusive list) requirements or Department/Agency authority that describes the “what” and the “when” certain actions must be taken in order to move an organization into compliance. Policy requires a certain level of measurement to determine where the organization is and how far from the end-state goal/requirement one is starting. Policy describes the specific tasks that need to be accomplished, much like a work breakdown structure, without stating “how” those tasks will be accomplished.
  • Procedures – a document that explains “how” policy shall be achieved by describing the specifics of the tasks, the steps needed to be taken to achieve the goal, to satisfy the end state requirement.
  • Subject Matter Expert (SME) – a person or persons in a functional area who presents content material regarding the policy subject area.
  • Table of Content (TOC) – a logical listing of each chapter, glossary, example, figure, appendix or table contained in the policy.
  • Work Breakdown Structure (WBS) – a decomposition of the planned work effort into specific phases, tasks, activities, milestones, and deliverables necessary to accomplish project objectives. A WBS is a task-oriented or deliverable-oriented grouping of identified elements or components of a project, which organizes and defines the total scope of the project.
  • World-wide Web (WWW) or Web – the collection of web pages (documents) which are developed in accordance
Content created by Office of the Chief Information Officer (OCIO)
Content last reviewed