
HHS Policy for Information Technology Acquisition Reviews (ITAR)

Document #: HHS-OCIO-OES-2020-06-006
Version #: 1.0
Last Reviewed: June 2020
Next Review: June 2023
Owner: OCIO/OES
Approved By: Jose Arrieta, Chief Information Officer (CIO)

Table of Contents

  1. Nature of Changes
  2. Purpose
  3. Background
  4. Scope
  5. Authorities
  6. Policy
  7. Roles and Responsibilities
  8. Information and Assistance
  9. Effective Date and Implementation
  10. Approval
  11. Concurrence

Appendix A: Procedures

Appendix B: Standards

Appendix C: Guidance

Appendix D: Forms and Templates

Glossary and Acronyms


1. Nature of Changes

This is the first issuance of the Department of Health and Human Services (HHS) Policy for Information Technology Acquisition Reviews (ITAR).

2. Purpose

The purpose of this Policy is to establish the Department of Health and Human Services (HHS) Information Technology Acquisition Review (ITAR) Program. The program will ensure HHS conducts its due diligence to manage and maintain oversight and governance over the procurement of Information Technology (IT), thereby contributing to effective planning, budgeting, and execution of IT resources. Further, it is designed to ensure the Department's Chief Information Officer (CIO) has the appropriate visibility and oversight of IT acquisitions across the agency.

This Policy, and its intended purpose, is separate from the Assistant Secretary for Financial Resources (ASFR), Office of Acquisition (OA) requirements set forth under Acquisition Alert 2019-01 and 2019-02, HHS Acquisition Review Pilot Program. Its purpose is not intended to replace nor amend acquisition reviews separately conducted under the oversight and governance of the Deputy Assistant Secretary for the Office of Acquisitions and Senior Procurement Executive.

Further, this Policy is not intended to replace nor amend the terms of the 2017 Memorandum of Understanding (MOU) between HHS and the HHS Office of Inspector General (OIG), which sets forth the agreement between both entities regarding the implementation of the Federal Information Technology Acquisition Reform Act (FITARA). The Inspector General Act of 1978 (IG Act), as amended, 5 U.S.C. App. 3, provides Inspector Generals with certain authorities and responsibilities to oversee the programs and operations of their respective Departments and agencies. The independence created by the IG Act affords the Inspector General with the authority to appoint their own personnel, including establishing the Inspector General as the agency head for purposes of appointing members of the Senior Executive Service; a process to submit and comment on any changes made to the Inspector General's budget; and the authority to enter into contracts and other agreements. The Office of Management and Budget (OMB) issued implementation guidance for departments and agencies regarding implementation of FITARA. The OMB guidance recognizes that the enhanced CIO authorities established by FITARA are not to be applied to OIGs in a manner that would adversely impact these offices' independence and authorities over personnel, performance, procurement, and budget, as delineated in the IG Act.

3. Background

The Federal Information Technology Acquisition Reform Act (FITARA) of 2014, passed by Congress through the National Defense Authorization Act (NDAA) of 2014, was designed to improve the manner with which the federal government procures and manages its IT. Additionally, this law increased the authority and responsibility of CIOs with the intent to promote and strengthen their influence and effectiveness amongst agency leadership as it relates to IT budgeting and governance; to include IT procurements. Section 831 of this mandate expands on this and states that agencies may not enter into a contract or other agreement for IT products or services unless the contract or agreement is reviewed and approved by the HHS CIO or delegated approver.

HHS fulfills its IT compliance responsibilities by developing and implementing robust policies that comply with federal mandates. This Policy is in place to formalize, streamline and refine the manner in which HHS IT acquisitions are forecasted, budgeted, governed, planned, and documented, as well as sufficiently supported in the pre-award phase of the acquisition lifecycle.

4. Scope

This Policy sets forth roles and responsibilities, requirements, and a formal process for the HHS CIO and the HHS Operating Division (OpDiv) CIOs to optimize tools and procedures, as well as develop a more mature IT acquisition management and governance program.

This Policy applies to the Department and all HHS OpDivs and Staff Divisions (StaffDivs) seeking to purchase goods or services. These acquisitions can either be IT acquisitions or other acquisitions or agreements containing IT components. For further information, see the HHS IT Decision Criteria Matrix located on the HHS Intranet. For guidance regarding applicable clauses for consideration, reference the Federal Acquisition Regulation (FAR), Department of Health and Human Services Acquisition Regulation (HHSAR), and HHS Acquisition Policy, Guidance and Instructions (PGI). In accordance with FITARA, the HHS CIO is a full participant in the ITAR governance process. IT contract review will be conducted prior to award, in the Acquisition Strategy (AS) and Acquisition Planning (AP) phases (see Section 6, Policy, for more information).

To ensure the proper oversight and collaboration is conducted in the formal review process, and to improve the integrity of the process, the scope of this Policy also applies to the ongoing engagement between the Legislative Compliance Division (LegCom) ITAR reviewers and additional critical partner experts (see Appendix A for additional information).

Supersessions

  • This Policy does not supersede any applicable law or regulation
  • This Policy does not supersede the 2017 MOU between HHS and the HHS OIG
  • This Policy supersedes HHS Memorandum OCIO IT Acquisition Reform Act (FITARA) Approval Guidance, December 2016
  • This Policy supersedes the HHS Information Technology Acquisition Review (ITAR) Process for OS and OCIO Acquisition Packages, Version 1.5, October 2017

Major IT Investments

HHS OpDivs and StaffDivs pursuing a Major IT investment (see Glossary and Acronyms section of this Policy for definitions) are subject to Department CIO review and approval in accordance with FITARA.

All OpDivs that have a CIO and have been given delegated authority in accordance with the HHS Memorandum for Record, HHS Chief Information Officer Delegation of Authorities to Operating Division Chief Information Officers, July 24, 2019, are responsible for implementing an internal review, approval and reporting process for, at minimum, all major acquisitions under IT investments below the ITAR review threshold located in section six (6) of this Policy.

OpDivs may create a supplemental policy that is more stringent, but not less stringent.

5. Authorities

Legislation, Federal Regulation, and Executive Orders:

  • Clinger-Cohen Act, 40 U.S.C. § 11101, et seq.
  • Carl Levin and Howard P. 'Buck' McKeon National Defense Authorization Act for Fiscal Year 2015, Pub. L. No. 113-291, division A, title VIII, subtitle D, 128 Stat. 3292, 3438-50 (Dec. 19, 2014).
  • Executive Order 13833, Enhancing the Effectiveness of Chief Information Officers, May 15, 2018
  • Federal Acquisition Regulation (FAR), 48 C.F.R. ch. 1
  • Department of Health and Human Services Supplemental Acquisition Regulation (HHSAR), 48 C.F.R. ch. 3

Federal Guidance:

  • OMB Circular A-11, Preparation, Submission and Execution of the Budget, Section 55, June 28, 2019
  • OMB Circular A-130, Managing Information as a Strategic Resource, July 28, 2016
  • OMB M-15-14, Memorandum for Heads of Executive Departments and Agencies: Management and Oversight of Federal Information Technology, June 10, 2015
  • OMB M-16-12, Memorandum for The Heads of Departments And Agencies, Category Management Policy 16-1: Improving the Acquisition and Management of Common Information Technology: Software Licensing, June 2, 2016

Departmental Policy and Guidance:

  • HHS Federal Information Technology Acquisition Reform Act (FITARA) Implementation-Revised HHS IT Governance Framework, October 25, 2016
  • HHS Federal Information Technology Acquisition Reform Act (FITARA) HHS Implementation Plan, September 2015
  • HHS Memorandum for Record, HHS Chief Information Officer Delegation of Authorities to Operating Division Chief Information Officers, July 24, 2019
  • HHS Policy for Capital Planning and Investment Control (CPIC), April 26, 2019
  • HHS Policy for IT Enterprise Performance Lifecycle (EPLC), October 6, 2008
  • Department of Health and Human Services (HHS) Procedures, Guidance and Instructions (PGI)
  • Information Technology Decision Criteria and Clause Matrix version 1.3
  • HHS Security and Privacy Language for Information and IT Procurements Guide
  • HHS Standard for Encryption of Computing Devices and Information
  • HHS Minimum Security Configuration Standards Guidance
  • HHS Policy for Software Development Secure Coding Practices
  • HHS Directive for Acquisition Strategy

6. Policy

In accordance with FITARA, the HHS CIO must ensure that its offices and components do not enter into contracts or agreements to procure IT products or services without CIO review and approval. The CIO is executing express authority by implementing the new ITAR Program and supplemental processes as an agency-wide requirement when there is a plan to expend funds for IT resources.

Department-level reviews will be conducted on applicable acquisition strategies and acquisition plan packages to ensure the CIO maintains visibility into the management and procurement of IT at HHS. The process will ensure proposed contract actions are properly planned and budgeted, align with approved programs and projects that have been properly vetted by governance boards, are sufficiently supported with required artifacts, and are in alignment with relevant IT laws, regulations, and strategic plans. Recommendations and business advice will be offered to improve pre-award documentation, collaboration, and strategic planning as a part of the review process. Conditions may be set forth and must be satisfied before final approval is granted whenever necessary.

The CIO places the responsibility to manage the ITAR program and related processes under the leadership of the Director of the Legislative Compliance Division (LegCom) within the Office of the Chief Information Officer (OCIO), Office of Enterprise Services (OES) at the Department.

ITAR reviews must be conducted in accordance with the following dollar thresholds:

  1. Department OCIO, HHS Office of the Secretary StaffDivs (OS), and OpDivs without CIO Delegated Authority:
    • Acquisition Strategies for IT investments valued at $10 million total program/project lifecycle
    • Acquisition Plan packages for IT acquisitions valued greater than or equal to $150,000 (inclusive of agreements such as Interagency Agreements (IAA))
    • Acquisition Plan packages for non-IT acquisitions containing IT components – an overall contract value greater than or equal to $150,000 (inclusive of IAAs)
  2. OpDivs with CIO Delegated Authority:
    • Acquisition Strategies (AS) for IT investments of $20 million annually/$100 million over 5 years
    • Acquisition Plans (AP) for contracts that have material variances (major revisions/drastic departure) from an approved AS for IT investments over $20 million annually/$100 million over 5 years.

The CIO delegates IT acquisition approval authority under the ITAR program to an Executive who directly reports to the CIO and the Director of the LegCom Division as follows:

| Approval Authority Threshold | Approver |
|---|---|
| ≤ $1,000,000 | LegCom Director |
| > $1,000,000 | CIO or CIO Designee (Executive – Direct Report to CIO) (LegCom Director & CIO Designee: Co-Approvers) |

Contracts, agreements (such as IAAs), and contract actions (such as modifications) that align with the aforementioned review thresholds must not be executed without evidence of an official ITAR approval, as indicated by an assigned ITAR number along with documented ITAR approval. As a full participant in this governance process, the CIO designates an Executive (direct report to CIO) and the Director of the LegCom Division as approvers for the ITAR program, consistent with the procedures set forth in this Policy under Appendix A2, which aligns with the above approver threshold chart.

7. Roles and Responsibilities

7.1. HHS Chief Information Officer

The HHS CIO, or designee, must:

  • Define IT processes and policies, consistent with FITARA and related statutes, regulations and federal guidance, and make them publicly available
  • Act as the principal accountable owner of the ITAR Program, and hold the authority for approval unless otherwise delegated or designated in accordance with the governance processes set forth in this Policy
  • Review and approve acquisition strategies, acquisition plans, and interagency agreements that include IT
  • Review all cost estimates of IT related costs, and ensure acquisition strategies and acquisition plans, that include IT, apply adequate incremental development principles
  • Ensure there is an agency-wide governance process that confirms all acquisitions that include IT are:
    • led by personnel with appropriate federal acquisition certifications;
    • reviewed for opportunities to leverage acquisition initiatives, such as shared services, category management, strategic sourcing, and incremental or modular contracting, as appropriate;
    • and adequately implementing incremental development
  • Participate on program governance boards to ensure early matching of appropriate IT with program objectives
  • Approve any movement of funds for IT resources that require Congressional notification
  • Collaborate and partner with the HHS cross-functional leadership team who share in these responsibilities, to include the Secretary, Deputy Secretary (DepSec), the Chief Financial Officer (CFO), the Chief Acquisition Officer (CAO), and the Chief Human Capital Officer
  • Ensure IT acquisitions are in compliance with statutes, regulations, federal guidance and HHS policies and governance requirements

7.2. Chief Acquisition Officer (CAO) and Senior Procurement Executive (SPE)

The CAO and the SPE must:

  • Ensure all IT contract actions are consistent with CIO-approved acquisition strategies and plans
  • Notify the CIO when planned acquisition strategies and acquisition plans include IT

7.3. Operating Division Chief Information Officer (OpDiv CIO)

HHS OpDiv CIOs must:

  • Implement OpDiv level policies and procedures to ensure compliance with FITARA, related HHS IT policies and guidance, and all other applicable statutes and regulation
  • At minimum, implement an internal review, approval and reporting process for all major IT acquisitions and investments below the Department CIO review threshold (responsibility applicable to CIOs with delegated authority only)

7.4. HHS Legislative Compliance Division (LegCom)

The HHS LegCom must:

  • Manage and lead the HHS ITAR Program effectively and efficiently
  • Engage internal critical partners while executing ITAR to ensure the proper oversight and governance of IT acquisitions during the pre and post award phases of the acquisition lifecycle
  • Conduct acquisition reviews and provide recommendations in alignment with statutes, regulations, federal and department guidance and policy, and the CIO delegated responsibilities detailed above
  • Oversee compliance with IT laws, regulations, guidance, policies and best practices
  • Strive to maintain the integrity of the ITAR process by doing due diligence to conduct thorough reviews in accordance with laws, regulation, guidance and policies, thereby contributing to sustaining the integrity of IT resource management and improved IT governance agency-wide
  • Stay abreast of IT trends, best practices, changes in laws and regulation, congressional shifts, GAO findings/recommendations, etc. in order to ensure HHS IT policies, guidance and procedures remain current.

7.5. HHS Contracting Offices

The HHS Contracting Offices must:

  • Ensure acquisition requirements are not accepted, solicited, nor awarded by the contracting office without requisite CIO or delegate approval within the ITAR process, when applicable
  • Partner with the LegCom Division to oversee compliance with FITARA, the FAR, HHSAR, this Policy and other HHS policies guidance and information (PGI) pertaining to HHS IT acquisitions
  • Ensure all Program Managers and CORs involved with acquisitions that include IT are personnel with the appropriate federal acquisition certifications

7.6. HHS ITAR Critical Partners

HHS ITAR Critical Partners must:

  • Participate in the ITAR review process by providing their expertise, oversight, governance, and recommendations
  • Assist in enhancing IT governance and sound investment decisions and practices
  • Help improve the integrity of IT strategic planning, IT acquisition planning and budgeting, and appropriate pre and post award documentation
  • Prevent circumvention of the IT acquisition review requirement

***Critical partners vary dependent upon type, complexity, and uniqueness of each acquisition (Examples: Enterprise Architecture (EA), Capital Planning and Investment Control (CPIC), Privacy Officer, Chief Information Security Officer (CISO), OpDiv Section 508 Program Manager, Chief Product Office (CPO), etc.).

7.7. Program Managers (PMs), Contracting Officer's Representatives (CORs), and Contracting Officers (COs)

HHS PMs, CORs, and COs (in alignment with their respective role and position) must:

  • Comply with the provisions of this Policy, applicable OpDiv level policy, and related statutes, regulations and guidance
  • Ensure AS and AP documentation has been:
    • properly developed within the requiring office without deficiencies or omissions,
    • reviewed and approved by leadership at the program/project level,
    • and properly vet requirements (statement of work/statement of objectives) through program level subject matter experts before submitting the documents to ITAR
  • Ensure the proper program and project governance requirements are satisfied, and component level critical partners have been engaged before pursuing IT acquisitions and/or acquisitions containing IT components
  • Monitor the execution of contracts that procure IT products and services to ensure proper contract administration and efficient use of IT resources

7.8. HHS OpDiv Senior Officials for Privacy (SOP)

HHS OpDiv SOPs must:

  • Evaluate IT investments for privacy risks to ensure that privacy requirements (and associated privacy controls), as well as any associated costs, are explicitly identified and included, with respect to any IT resources that will be used to create, collect, use, process, store, maintain, disseminate, disclose, or dispose of publicly identifiable information (PII)
  • Approve any required privacy documentation, including the Privacy Solicitation Certification Checklist, as applicable, in accordance with the HHS Security and Privacy Language for Information and Information Technology Procurements Guide (see Appendix A)
  • Review acquisition packages through each procurement phase to verify that privacy requirements have been fulfilled
  • Comply with the provisions of this Policy, applicable OpDiv level policy, and related statutes, regulations and guidance

7.9. HHS OpDiv Section 508 Program Manager (PM)

HHS OpDiv Section 508 PMs must:

  • Evaluate IT investments for compliance to HHS Section 508 requirements to ensure that HHS Section 508 requirements (and associated conformance controls), as well as any associated costs, are explicitly identified and included, with respect to any Information and Communications Technology (ICT) that is developed, procured, maintained, funded, and used by HHS.
  • Provide Section 508 determination for any ICT that is developed, procured, maintained, funded, and used by HHS.
  • Review acquisition packages through each procurement phase to verify that HHS Section 508 requirements have been fulfilled
  • Comply with the provisions of this Policy, the HHS Policy on Section 508 Compliance and Accessibility of Information and Communications Technology, applicable OpDiv level Section 508 policy, and related statutes, regulations, and guidance.

8. Information and Assistance

The HHS Legislative Compliance Division is responsible for the development and management of this Policy. Direct questions, comments, suggestions, and requests for information about this Policy and all related procedures and guidance to ITAR@hhs.gov.

9. Effective Date and Implementation

The effective date of this Policy is the date on which the Policy is approved. This Policy must be reviewed, at a minimum, every three (3) years from the approval date.

The HHS CIO has the authority to grant a one (1) year extension of the Policy. To archive this Policy, approval must be granted, in writing, by the HHS CIO.

10. Approval

/S/

Jose Arrieta, Chief Information Officer (CIO)

June 8, 2020

11. Concurrence

/S/

Scott Rowell, Assistant Secretary for Administration (ASA)

June 25, 2020

Appendix A: Procedures

Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.

To initiate the ITAR process, a requesting office must submit a complete acquisition strategy or acquisition plan package to the Office of Legislative Compliance (LegCom) via the ITAR Portal (herein referred to as the "Service Portal") which is an online application that must be accessed using the Google Chrome Internet Browser. Packages deficient of supporting documentation and/or appropriate component level approvals will not be accepted. When submitting packages in the ITAR portal, requestors must be sure to reference the appendices of this Policy which provide supplemental procedures and guidance that must be followed.

Appendix A1: ITAR Standard Operating Procedures for Submitters

HHS OpDivs, OS, and OCIO seeking to procure IT products, IT services, or who have acquisitions containing IT components must undergo ITAR when the minimum criteria are met. This SOP is the structured process ITAR submitters will follow to perform the task of submitting a new ITAR request via the Service Portal: (https://hhsasa.servicenowservices.com/ocio).

ITAR requests submitted through the ITAR Service Portal will be reviewed and approved in accordance with LegCom's posted Service Level Agreements (SLAs) in Table 1 below:

| Service | Description of Service | Performance Standards | Timer |
|---|---|---|---|
| ITAR Receipt Notification | The receipt notification sent to a requestor as confirmation that the ITAR request was submitted and received by LegCom | 1 Business Day | Starts when acquisition package submitted in portal. Automated email generated |
| Time to Completion/Approval | The time LegCom requires to review and route ITARs under $1M through the approval process | 7 Business Days | Starts when a complete acquisition package has been submitted in portal. |
| CIO Approval (ITARs >$1M) | The time LegCom requires to review and route ITARs over $1M through the approval process | Up to 10 Business Days | Starts when a complete acquisition package has been submitted in portal. |
| Hold Time (Suspend) | The time period an ITAR is suspended without being reviewed due to missing information | Not to exceed 5 business days | Starts after incomplete ITAR package has been submitted in portal and LegCom reviewer informs Submitter that ITAR is on hold. |

Table 1: LegCom ITAR SLAs

A1.1: ITAR Submitter Process

The illustration below presents the three (3) steps that ITAR submitters will execute to submit a new ITAR using the Service Portal, Figure 1:

Figure 1: ITAR Submission Steps (ITAR submission process diagram)

Step 1 – Develop Acquisition Package

Requesting offices are required to develop the acquisition package in accordance with HHS acquisition policy and regulations. When submitting a new ITAR request, users must include all necessary information, supporting documentation, and evidence from critical partners to confirm the acquisition has been reviewed and is within the compliance standards of HHS. Examples of critical partners are: 508 Compliance, Capital Planning and Investment Control (CPIC), Enterprise Performance Life Cycle (EPLC), Privacy Office, or Information Security Officer (ISO).

Complete acquisition packages include the following core documents:

  • Requirements Document (Statement of Work (SOW), Statement of Objectives (SOO), Performance Work Statement (PWS), Specification Document (SPEC)) to include all applicable Federal Acquisition Regulation (FAR) and HHS Acquisition Regulation (HHSAR) Clauses
  • IT Acquisition Strategy (Signed and Approved by Program Office)1
  • IT Acquisition Plan (Signed and Approved by Program Office)
  • ITAR Request Form (Signed and Approved by Program Office)
  • Limited Sources Justification (if applicable; and Signed and Approved by Program Office)
  • Independent Government Cost Estimate (IGCE)2
  • Business Cases
  • Market Research Report3
  • Inter-Agency Agreements (IAA)

Table 2 lists the documents and corresponding content required for ITAR:

Document Type: Required Content
Acquisition Plan: Contains a detailed high-level description of the acquisition to include but not limited to:
  • Background and Objectives
  • Conditions
  • Capability/Performance Standards
  • Brief description of the product or service being procured
  • Sources
ITAR Approval Form: Containing relevant acquisition information and signature of the Business Owner or PM and OpDiv/StaffDiv Executive.
IGCE: Market research document providing a justification for the estimated dollar value of the acquisition (Base + Options), including labor buildup, other direct costs, and travel (if required). Must show how the estimate was derived/calculated (what methodology was used).
Requirements Document (SOW, PWS, SOO): Describes the product or service being procured.
  • Products: Provides specifications and standards that must be met.
  • Services: Defines the work the government expects a contractor to perform or delineates project objectives that contractor must meet. Deliverables, metrics, standards, applicable laws and regulation etc. are detailed.
Acquisition Strategy: Comprehensive, detailed, high-level description of a strategic approach that program management will follow to manage risk and meet program objectives. It governs program execution across the entire program life cycle. It is not specific to one acquisition and can contain high level information regarding several forecasted procurements that may eventually contribute to a single program. Acquisition Strategies include:
  • Business Need
  • Management Approach
  • Business Strategy
  • Risk Management
  • Stability and Resources
  • Procurement Forecasting
  • Testing
  • Milestones
  • Execution Phases
Note: Precedes the acquisition plan development and can have several acquisition plans that support it. Acquisition strategies and acquisition plans are not one and the same.
Table 2: Acquisition Package Contents Required for ITAR

A1.1.2: Step 2 – Access Service Portal to upload Acquisition Documents

Access Service Portal

The ITAR Service Portal page is a secure site that is available to all users on the HHS Network. Users will be required to authenticate using their PIV Card and PIN before access is granted. To navigate to the Service Portal, type (https://hhsasa.servicenowservices.com/ocio) in your Google Chrome browser, and then follow the prompts to login.

The ITAR submittal form contains data fields that are mandatory. Users will not be allowed to submit ITAR requests when a mandatory field(s) does not have a value. A red asterisk in the upper left corner indicates a mandatory field.

Figure 2 is a sequenced image of how users will access the tool.

Figure 2: ITAR Submitters Portal Login

Upload Acquisition Documents

Table 3 lists the steps required to access the Service Portal and Upload Documents. ITAR submissions are required to include supporting documentation. The contents of an acquisition package can vary, but Table 2 lists core acquisition documents and provides HHS sanctioned templates.

Service Portal Steps: Access Service Portal / Upload Documents

| Step | Description |
|---|---|
| 1 | Use Google Chrome to log into the Service Portal Page: https://hhsasa.servicenowservices.com/ocio |
| 2 | Navigate to "ITAR Packages" at the top of landing page and select "Submit New ITAR"; |
| 3 | Complete the ITAR Submission form; |
| 4 | Attach documents by clicking the paper clip button at the top right corner of form (Example shown in Figure 3 below); |
| 5 | Locate the acquisition document(s) within folder(s); |
| 6 | Click "Open" to attach file(s) once identified in folder(s); |
| 7 | Repeat steps 6 and 7 to upload additional files; |
| 8 | To remove a file, select "Edit" above the uploaded document(s); |
| 9 | Click the (X) to remove document(s) then click "Done" when finished; |

Table 3: Create New ITAR Request in Service Portal

Figure 3 displays the Service Portal landing page where users will initiate ITAR requests.

Figure 3: Service Portal Page


Figure 4 below is a partial image of the ITAR Service Portal submitter page that ITAR Requestors complete to initiate IT Acquisition Reviews. To ensure requests are completed correctly, the submitter page includes instructions and contact information for LegCom should a user require assistance with the form.

Figure 4: ITAR Submission Form

Submit ITAR Package

After completing the ITAR Submission form, and while still logged into the Service Portal, complete the steps in Table 4 to submit the ITAR Package.

Service Portal Steps: Submit ITAR Package

| Step | Description |
|---|---|
| 1 | Verify that the ITAR Submission form has been completed by ensuring each field contains data; |
| 2 | Verify that the required ITAR supporting documents for the acquisition have been attached; |
| 3 | Scroll to bottom of form and click "Submit" |
| 4 | Submission is confirmed when user is redirected to landing page |

Table 4: Steps to Submit ITAR Package

Submitted ITAR requests will trigger an auto-generated email to the individual listed as "Requestor" on the submission form once an ITAR Reviewer is assigned to the request. The email will provide the Requestor with an ITAR Number and LegCom POC who will perform the ITAR review.

Packages found to be incomplete or not in alignment with HHS IT policy and guidance will be placed on hold until additional information is provided. A request for additional information will be sent to the ITAR Requestor and the Requestor will have five (5) business days to provide a valid response with documentation. If the hold status of the ITAR exceeds five (5) business days LegCom will cancel the request. Cancelled requests still requiring ITAR will have to be resubmitted under a new ITAR submission; however, the initial ITAR number must be referenced using the appropriate field in the Service Portal.

Requests for additional information will be delivered to the Requestor's Microsoft Outlook mailbox. The Requestor must "Reply All" when responding to allow courtesy copied stakeholders to remain informed.

View Submitted ITARs

Requestors can check the status of a submitted ITAR by navigating back to the Service Portal page and clicking "Submitted ITARs" under "ITAR Packages." Follow the instructions in Table 5 to execute this action.

Service Portal Steps: View Submitted ITARs

| Step | Description |
|---|---|
| 1 | Use Google Chrome to log into the Service Portal Page: https://hhsasa.servicenowservices.com/ocio |
| 2 | Navigate to "ITAR Packages" at the top of landing page and select "Submitted ITARs"; |
| 3 | A list of ITAR(s) submitted with the logged in user listed as "Requestor" will be viewable in a table format; |
| 4 | Navigate and select the ITAR from the list to view |

Table 5: View Submitted ITARs on Service Portal

A1.2 Quality Control/Quality Assurance

The ITAR Application is built in a software module with a set of business rules that are designed to improve ITAR process quality measures. This qualitative improvement adds value to all stakeholders of ITAR by incorporating workflow automation tools that model, display, orchestrate, execute, and track work products as activities occur. Use of the Service Portal feature to receive ITAR requests will also eliminate much of the human intervention involved with communicating the status of each ITAR. Users will now have transparency into their requests in real-time and will be able to quickly identify where the package is in the workflow.

Several of the ITAR Submission Business Rules are described in the table below:

Rule Description
Check Mandatory fields for values Checks for:
  1. Acquisition Title is true
  2. Requestor is true
  3. OpDiv is true
  4. Requesting Office is true
  5. ITAR Form Approved by is true
  6. Contract Type is true
  7. Signed IT Security Cert. Checklist Attached is true
  8. Acquisition Amount equal to $0 is false
  9. Acquisition Amount is equal to or greater than $150K
  10. Period of Performance is true
  11. Total Number of Option Years is true
If any of the above values are false, the ITAR request is prevented from being submitted and the user will be notified to enter the required information.
Set ITAR Number Submitting a new record triggers the system to assign an ITAR Number
Set Submitted Date Sets date when the ITAR Package was submitted and subsequently, when the review timeline begins.
Table 6: ITAR Submission Business Rules - Service Portal

A1.3 ITAR Submitter Checklists

Table 7, below, is provided as a checklist to aid ITAR Submitters in executing the task of transmitting IT Acquisition Packages for ITAR approval:

Develop Acquisition Package Complete
Do you have a complete Acquisition Package? See Section 3.2.1 for guidance.
Did you engage the appropriate SMEs and critical partners based on the type of product or service being acquired? (Examples: CISO, Privacy Officer, System Owner)
Have your SMEs and critical partners reviewed the requirements and documented their recommendations and approvals?
Did you do your due diligence to work with your SMEs in order to delineate required FAR, HHSAR and/or requirements language that are specific and unique to your requirement, understanding it is not solely the responsibility of acquisition reviewers and the Contracting Office to know what applies and should be included in your SOW/SOO, PWS?
Did you fill out the ITAR Approval Form? Is it signed by your program office?
Enter Acquisition Data in ITAR Service Portal Complete
Use Google Chrome to log into the Service Portal Page: (https://hhsasa.servicenowservices.com/ocio).
Followed the instructions on Portal Page to complete the ITAR Submission form
Ensured all necessary and mandatory data relevant to the Acquisition is entered in the appropriate data field
Used paper clip icon to upload all supporting documentation and signed ITAR Approval Form
Submit Request to LegCom Complete
Clicked "Submit" button at bottom of form to send ITAR request to LegCom ITAR team
Received Microsoft Outlook email confirmation of ITAR submission, ITAR Number, and ITAR POC assignment
Responded to request for additional information within 5 business days to ensure the ITAR review team can route the acquisition package for approval in a timely manner
Table 7: New ITAR Submission Checklist

Appendix A2: ITAR Standard Operating Procedures for Reviewers and Approvers

Across HHS, the LegCom team is responsible for reviewing IT acquisitions and other acquisitions that contain IT components. ITAR is the structured process used to perform this task. ITAR customers will submit their requests to LegCom ITAR reviewers via the Service Portal page (https://hhsasa.servicenowservices.com/ocio).

ITAR requests submitted through the Service Portal page are immediately received by the LegCom ITAR review team. Notification of a new submission is sent directly to the Outlook mailbox of each user in the ITAR Reviewer group on the application platform as a service (aPaaS). ITAR requests will be reviewed and approved in accordance with LegCom's posted Service Level Agreements, Table 8.

| Service | Description of Service | Performance Standards | Timer |
|---|---|---|---|
| ITAR Receipt Notification | The receipt notification sent to a requestor as confirmation that the ITAR request was submitted and received by LegCom | 1 Business Day | Starts when acquisition package submitted in portal. Automated email generated |
| Time to Completion/Approval | The time LegCom requires to review and route ITARs under $1M through the approval process | 7 Business Days | Starts when a complete acquisition package has been submitted in portal. |
| CIO Approval (ITARs >$1M) | The time LegCom requires to review and route ITARs over $1M through the approval process | Up to 10 Business Days | Starts when a complete acquisition package has been submitted in portal. |
| Hold Time (Suspend) | The time period an ITAR is suspended without being reviewed due to missing information | Not to exceed 5 business days | Starts after incomplete ITAR package has been submitted in portal and LegCom reviewer informs Submitter that ITAR is on hold. |

Table 8: LegCom ITAR SLAs

A2.1 ITAR Reviewer Process

ITAR reviews performed by LegCom ITAR staff follow a four-step process outlined in Figure 4:

Figure 5: ITAR Reviewer Process Steps
 

Step 1 - Review Acquisition Package

Completeness Review

Acquisition packages are subject to an applicability triage. ITAR Reviewers will use the IT Decision Criteria guidelines (located on the HHS Intranet) to determine if the acquisition package submitted requires ITAR. If it is determined that the requirement(s) require ITAR approval, the ITAR Reviewer will perform a completeness check of the acquisition package to ensure it contains the necessary information, supporting documentation, evidence of critical partner engagement, and program office approval before moving forward. Complete acquisition packages will receive further due diligence from the ITAR Reviewer.

Table 9 below provides the instructions necessary to perform a completeness review in the Service Portal.

Service Portal Steps: Completeness Review
Step Description
1 Use Google Chrome to log into the ServiceNow: (https://hhsasa.servicenowservices.com);
2 Click "ITAR" then "ITAR Packages" in the Application Navigator menu;
3 Within the ITAR Repository, click the matching "ITAR Number" value found in the "New ITAR Submitted" email notification. (Example shown in Figure 7 below)
4 Review ITAR Data and Attachments
5a If package meets ITAR requirements, enter ITAR POC name in "ITAR POC" field, then Click "Update"
5b If package does not meet ITAR threshold, click the "Does Not Meet ITAR Criteria" check box located under the "Approval Queue" field, then click "Update" at the top of the screen. (Example shown in Figure 6 below)
6 If "Does Not Meet ITAR Criteria" is checked, change the "Approval Queue" field to "Closed" – the "ITAR POC" field does not need to be populated for packages submitted in error
Table 9: ITAR Request Completeness Review Steps
Figure 6: ITAR Does Not Meet ITAR Criteria


Incomplete acquisition packages submitted for review will prompt the reviewer to reach back to the ITAR Requestor for more information. An acquisition package is considered incomplete when it does not contain the required documentation or is determined to be out of alignment with HHS IT policy and guidance. Follow the steps in Table 10 to suspend the review.

Service Portal Process Steps: Suspend ITAR / Request Additional Information
Step Description
1 Use Google Chrome to log into the ServiceNow: (https://hhsasa.servicenowservices.com);
2 Click "ITAR" then "ITAR Packages" in the Application Navigator menu;
3 Click the ITAR Number (e.g., ITAR – 0001234) value
4 Select the "Workflow" tab then enter the suspend date in the "Suspend Date" field; input a suspend comment – when applicable (Example shown in Figure 8 below)
5 Next, navigate to banner and click the ellipsis (…) to the immediate left of "Update" button (Example shown in Figure 9 below)
6 Select Email option from menu
7 Draft Email to Requestor with courtesy copy to any other user(s) that need to be informed, including the ITAR reviewer
8 Click "Send"
9 If the requestor does not respond within five business days, change the "Approval Queue" field to "Closed" and document the reason for closure in the "Suspend Comment" under the "Workflow" tab
Table 10: Suspend ITAR and Request Additional Information Steps through Service Portal

Table 10, above, prescribes a hold status of no more than five (5) business days for all ITARs. If the Requestor does not respond to a request for additional information within the time allotted, the reviewer should take action to cancel the request.

Table 11 lists the required content for Acquisition Plans (AP) and Acquisition Strategies (AS).

Document Type Required Content
Acquisition Plan Contains a detailed high-level description of the acquisition and must include but is not limited to:
  • Background and Objectives
  • Conditions
  • Capability/Performance Standards
  • Brief description of the product or service being procured
  • Sources
ITAR Approval Form: Containing relevant acquisition information and signature of Business Owner or PM and OpDiv/StaffDiv Executive.
IGCE: Market research document providing a justification for the estimated dollar value of the acquisition (Base + Options), including labor buildup, other direct costs, and travel (if required).
Requirements Document (SOW, PWS, SOO): Describes the performance requirements or project objectives in detail and includes the contract deliverables.
Acquisition Strategy Contains a detailed high-level description of the acquisition and must include:
  • Business Need
  • Management Approach
  • Business Strategy
  • Risk Management
  • Stability and Resources
  • Procurement Forecasting
  • Testing
  • Milestones
  • Execution Phases
Table 11: Acquisition Package Contents Required for ITAR

Figure 7 is an image of the page the reviewer will view upon logging in to Service Portal and accessing the main ITAR table (ITAR Packages).

Figure 7: Main ITAR Table / Repository of ITARs
 

When suspending an incomplete ITAR request, the reviewer must enter a "Suspend Date" and a "Suspend Comment" using the "Workflow" tab within the ITAR Record. To resume the review, be sure that the "Resume Date" is also entered. Figure 8 below displays the "Workflow" tab in its entirety.

Figure 8: ITAR Workflow Metrics
 

Figure 9 is an image of step 5 in Table 10, above. ITAR Reviewers will use the email feature in the Service Portal to engage Requestors and Critical Partners. After the Reviewer navigates to the banner, selects the ellipsis, and then selects the email option, a window will open for creating a unique message to stakeholders.

Figure 9: Service Portal Email Function

 

Full ITAR Review

ITAR Reviewers must review the full acquisition package in-depth by examining all contents of the acquisition package for compliance with federal laws, regulations, policy, and best practices. The reviewer must also verify that HHS standards are being met in the areas of Information Security and Information Technology policy.

Major Investments:

  • Details for IT major investments must be provided by the requesting office
  • Engage the CPIC team to validate the IT investment name and number in the eCPIC Folio. Contact the requestor if this information is not provided. Missing information constitutes an incomplete package

IT Security Certification Checklist attached

Click the "Recommendations" Tab to verify:

  • The submitter has a completed and signed certification form attached to the acquisition package
  • If not, send submitter an email from the ITARNow portal and advise this document was omitted from the acquisition package but is required. It must be completed and signed. Place package on hold for no more than 5 business days to allow submitter an opportunity to email document (see Table 10 of this SOP for instructions on how to place package on hold).

Security/Privacy Compliance Assessment

Click the "Recommendations" Tab to indicate the results of the Security/Privacy Compliance Assessment:

  • Reviewer must conduct an analysis and select the applicable assessment indicating whether or not the content of the requirements document (SOO, SOW, PWS) aligns with the Office of Information Security's Security and Privacy Language for Information and Information Technology Procurements policy and guidance (https://intranet.hhs.gov/document/security-and-privacy-language-information-and-information-technology-procurements).

Follow the steps outlined in Table 12 below to begin a full ITAR Review in the Service Portal:

Service Portal Process Steps: Full ITAR Review
Step Description
1 Use Google Chrome to log into the ServiceNow: (https://hhsasa.servicenowservices.com);
2 Click "ITAR" then "ITAR Packages" in the Application Navigator menu;
3 From the ITAR Repository, click the "ITAR Number" value of an ITAR Record without a value in "ITAR POC" column;
4 Assign the Reviewer by typing POC name or using the magnify glass icon to look up "ITAR POC" in active directory;
5 Click "Save" in top right corner of screen to save changes;
6 Review Acquisition Package attachments for compliance, FAR, Privacy and Security clauses, HHS Acquisition Regulations, and executive sponsor signatures;
7 Review the "Basic", "Period of Performance", and "Financial" tabs to confirm the data entered in the Service Portal matches the information provided in the acquisition documents;
8 Modify the ticket as necessary by adding any supplemental data discovered in the acquisition documentation;
9 Enter an ITAR POC Recommendation using the "Recommendation" Tab;
10 Follow the Critical Partner Engagement steps in Table 13 below to engage Critical Partner as necessary
11 If applicable, review Critical Partner(s) feedback within the ITAR record by selecting the "History" tab. Feedback from critical partners will also be directed to the Outlook mailbox of the ITAR POC;
Table 12: ITAR Review Steps in Service Portal

Step 2 – Engage Critical Partners

Critical partner engagement is a key activity in the ITAR process. Critical partners are subject matter experts that contribute expertise in a specific knowledge area; and will provide verification that the requirement(s) have been vetted by the appropriate acquisition lifecycle groups necessary to move an acquisition package through each procurement phase. A few examples of ITAR critical partners are 508 Compliance, Information Security and Privacy, EPLC, and Cybersecurity.

LegCom requires customers of ITAR to engage critical partners prior to submitting an acquisition package for ITAR processing. Compliance with this requirement may reduce approval cycle-time if documentation that supports IT governance review, for example, is provided with the ITAR submission.

Critical Partner engagement is applicable to all OpDiv, OS, and OCIO acquisition packages submitted for ITAR.

The protocol for engaging Critical Partners is outlined in Table 13 below. Correspondence to and from critical partners will become part of the ITAR record in the Service Portal. Critical Partner feedback is required (when applicable and based upon the details of each acquisition package) before the review process can move forward.

Service Portal Process Steps: Critical Partner Engagement
Step Description
1 Use Google Chrome to log into the ServiceNow: (https://hhsasa.servicenowservices.com);
2 Click "ITAR" then "ITAR Packages" in the Application Navigator menu;
3 Click the ITAR Number (e.g., ITAR – 0001234) value
4 Next, navigate to banner and click the ellipsis (…) to the immediate left of "Update" button (Example shown in Figure 9 above)
5 Select Email option from menu
6 Draft Email to Critical Partner(s) with courtesy copy to any other stakeholder(s) / user(s) that need to be informed, including the ITAR reviewer
7 Click "Send"
Table 13: Critical Partner Engagement Steps

Step 3: Develop Review Summary

ITAR Reviewers must use information from the acquisition documentation, critical partner feedback, and ITAR data entered in the Service Portal to develop an ITAR summary. ITAR summaries are developed in ServiceNow using the "Recommendations" and "Summary" tabs shown in Figure 10, below.

The ITAR summary should be an abstract of the requirement under review. A standard ITAR Summary will include a background statement and a recommendation that provides feedback to aid with improving the contractual details of the acquisition. The ITAR summary will offer one of two recommendation types: conditional or non-conditional recommendation.4

Content entered in the "Recommendation" tab will be used to generate a final disposition email to ITAR Requestors. A subset of the ITAR summary is shown in Figure 11, below. If there is generic recommendation information the ITAR Requestor should be made aware of, ITAR Reviewers enter the content under the "Recommendation" text found on the "Summary" tab in Figure 8.

Figure 10: ITAR Review Summary

 

Service Portal supports copy and paste functions that allow users to draft content in their tool of choice, then paste into Service Portal. Table 14 describes the steps reviewers will follow to draft the ITAR Summary.

Figure 11: Sample of Disposition Email w/ Recommendations
 
Service Portal Process Steps: Develop Review Summary
Step Description
1 In the ITAR record, click the "Summary" tab
2a Draft ITAR "Background" and "Recommendations" within the Service Portal and in the Full Summary field; or
2b Draft ITAR Summary outside of the Service Portal then paste into the Service Portal "Full Summary" field
3 Click the "Save" button to save work and return later to make further inputs
4 Click "Ready for Approval" radio button then "Save" to run approval workflow
Table 14: Develop Review Summary and Approval Recommendation Steps in Service Portal

A2.2: ITAR Approver Process

ITAR Approvers

LegCom Director: Performs the steps described in Table 15 below to complete pending approval(s). Approvers are cautioned to not "Reject" ITARs until an unequivocal final decision is reached on whether to allow the acquisition to move forward. Prematurely rejecting the ITAR will end the workflow immediately. Instead, use the comment feature of the approval form to seek additional information about the package under review prior to postulating an approval decision.

CIO or CIO Designee (Executive, Direct Report to CIO): The CIO or CIO Designee will access pending ITAR Approvals following steps 1 through 4 of Table 15. However, the comment function is configured differently for the CIO and CIO Designee. Comments entered on the approval form by the CIO or CIO Designee will populate the "CIO / CIO Designee Conditions" field within the ITAR record, thereby making that comment a part of the approval email sent to the Requestor.

Follow steps 3 through 7 in Table 13 to send the ITAR Reviewer an email for additional information about the acquisition as necessary.

Approving ITARs

Table 15, below, lists the steps each approval authority will take to complete their action of approving the ITAR.

Service Portal Process Steps: Approve ITAR
Step Description
1 Use Google Chrome to log into the ServiceNow: https://hhsasa.servicenowservices.com;
2 Next, click "ITAR" then "My Approvals" in Application Navigator menu;
3 Click the "Requested" value under the "State" Column; (Shown in Figure 10 below)
4 Review the ITAR Approval form and acquisition documents; (Shown in Figure 12 below)
5 Optional: Add comments using the comment feature within the Service Portal; (Shown in Figure 11 below): Post comment by clicking "Post" button under comment field
6 Click "Approve" or "Reject" at the top right corner of the page to submit an approval decision and end workflow
7 Rejecting an ITAR Approval request will end the workflow. Only click reject after it is determined that the acquisition should not move forward. The requesting office will have to resubmit their package if requests are prematurely rejected.
Table 15: Approve ITAR Request Steps

Figure 9, below, identifies the approval users and their respective approval threshold. Additionally, the figure lists the hierarchical order and sequence in which approval notifications will be sent.

Figure 12: ITAR Approvers Process Steps
 

Figure 10 below is an image of step 3 in Table 15. After selecting "My Approvals" the Service Portal will display each approval in the approver's queue.

Figure 13: Approving ITAR requests


If an ITAR does not contain enough information for a decision, Approvers are cautioned to take no action with regard to Approving or Rejecting. Instead, engage the ITAR POC following the directions provided in Table 13, above. Return to the approval request once sufficient information about the requirement is provided to complete the approval action.

Figure 11 is a partial image of the approval form approvers will review prior to approving or rejecting an ITAR request. Approvers can delve deeper into a requirement by opening the documents attached to the ITAR record. To provide input on the acquisition under review or request an action of the requesting office, approvers can post comments to the record. Figure 11 is an example of the ITAR Summary approvers will review. Figure 12 sits atop the ITAR Summary and is used to approve or post comments to the ITAR record.

Figure 14: ITAR Summary w/ Attachments
Figure 15: ITAR Approval Form w/ Comment Section
 

Approval Descriptions

ITAR Approvers can render one of two decisions in the Service Portal. Approval users have the option to either "Approve" or "Reject" the acquisition under review in the Service Portal. Table 16 provides a description of each action and the subsequent results.

Decision Description
Approve The CIO or CIO Designee approves, and the acquisition can move forward.
OS and OCIO acquisitions must attach the ITAR approval to the requisition in UFMS
Reject The CIO or CIO Designee does not approve the acquisition; therefore, the procurement cannot move forward. If the requesting office intends to resubmit the acquisition package, it must first take the action of satisfying the disapproval conditions provided in the disapproval notice. Resubmitted ITARs require documentation that discloses the actions taken to remediate identified issues.
Table 16: ITAR Approval Descriptions

A2.3 Quality Control/Quality Assurance

The ITAR Application is built in the Service Portal with a set of business rules that are designed to improve ITAR process quality measures. This qualitative improvement adds value to all stakeholders of ITAR by incorporating workflow automation tools that model, display, orchestrate, execute, and track work products as activities occur. The Service Portal's workflow automation feature will also eliminate much of the human intervention that existed in the legacy ITAR process in terms of management and reporting of performance metrics.

Several of the ITAR Business Rules are described in the table below:

Rule Description
Calculate Number of Days in Process Sets value for Number of Business Days in Process
Calculate Number of Suspended Days Sets Number of suspended days. Cannot be triggered if Suspend Date is empty. Uses the current date if the Resume Date is not set.
Check for No Approval Required 1 Checks for:
Requisition Amount is less than $150,000.00
This will notify ITAR reviewer that minimum threshold for ITAR is not met
Check for No Approval Required 2 Checks for:
Ready for Approval is true
Requisition Amount is less than $150,000.00
If both conditions are not satisfied, this prevents saving the ITAR package, thereby not allowing the approval workflow to start.
Check for No Approval Required 3 Checks for:
Ready for Approval is true
ITAR POC field empty
If both conditions are not satisfied, this prevents the approval workflow from triggering
Check Mandatory fields for values Checks for:
  1. Acquisition Title is true
  2. Requestor is true
  3. OpDiv is true
  4. Requesting Office is true
  5. ITAR Form Approved by is true
  6. Contract Type is true
  7. Signed IT Security Cert. Checklist Attached is true
  8. Security/Privacy Compliance Assessment is true
  9. Acquisition Amount equal to $0 is false
  10. Acquisition Amount is equal to or greater than $150K
  11. Period of Performance is true
  12. Total Number of Option Years is true
If any of the above values are false, the approval workflow is prevented from triggering and the user is notified to enter the required information
Set ITAR Number On Save of a new record
Set Submitted Date Sets date when the ITAR Package was submitted and subsequently, when the review timeline begins.
Set ITAR fields when Done Sets Archival Date when the ITAR Package goes to "Done"
Start ITAR Approval Check Records the approval Start Date
Table 17: The Service Portal Business Rules for ITAR

Appendix B: Standards

Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.

No standards are associated with this Policy.

Appendix C: Guidance

Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.

No further guidance is associated with this Policy.

Appendix D: Forms and Templates

Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.

Acquisition Plan (AP) Templates:

  • HHS AP (Template)
  • ITAR Approval Form (Template)
  • HHS IGCE (Template)

Acquisition Strategy (AS) Templates:

  • HHS Acquisition Strategy (Template)

ITAR Forms: ITAR Submitter Checklists

Table 17, below, is provided as a checklist to aid ITAR Submitters in executing the task of transmitting IT Acquisition Packages for ITAR approval:

Develop Acquisition Package Complete
Do you have a complete Acquisition Package? See Section 3.2.1 for guidance.
Did you engage the appropriate SMEs and critical partners based on the type of product or service being acquired? (Examples: CISO, Privacy Officer, System Owner)
Have your SMEs and critical partners reviewed the requirements and documented their recommendations and approvals?
Did you do your due diligence to work with your SMEs in order to delineate required FAR, HHSAR and/or requirements language that are specific and unique to your requirement, understanding it is not solely the responsibility of acquisition reviewers and the Contracting Office to know what applies and should be included in your SOW/SOO, PWS?
Did you fill out the ITAR Approval Form? Is it signed by your program office?
Enter Acquisition Data in ITAR Service Portal Complete
Accessed ITAR Service Portal Page via the internet
Followed the instructions on Portal Page to complete the ITAR Submission form
Ensured all necessary and mandatory data relevant to the Acquisition is entered in the appropriate data field
Used paper clip icon to upload all supporting documentation and signed ITAR Approval Form
Submit Request to LegCom Complete
Clicked "Save" button at bottom of form to send ITAR request to LegCom ITAR team
Checked Microsoft Outlook regularly for delivery confirmation email from Service Portal
Responded to request for additional information within 5 business days to ensure the ITAR review team can route the acquisition package for approval in a timely manner
Table 17: New ITAR Submission Checklist

ITAR Reviewer and Approver Checklists

The checklist below is provided to aid ITAR Reviewers and Approvers with executing the task of obtaining ITAR approval for IT acquisitions.

The Service Portal ITAR Application Access – Reviewer and Approver Complete
Ensure ability to access the Service Portal ITAR application
Preliminary Review of Acquisition Package – Reviewer Complete
Ensure ability to edit submitted acquisition data within the ITAR Record
Determine if acquisition meets minimum dollar threshold for ITAR review
Determine if any missing information or clarifications are required
Determine if acquisition is IT or other with IT Components
Determine whether an existing contract or strategic sourcing could be leveraged
Validate that the data entered in the Service Portal matches data in the requirement document(s)
Develop Summary and Recommendations – Reviewer Complete
Name of Acquisition/Program/Project
Description of Goods or Services
Background Information
Period of Performance (PoP)
Cost (Base Year + Options)
Identified Risks
Synopsis of Acquisition
Recommendations and Noteworthy Information
Closing out the Reviewer Process/Prepare for Approver Process – Reviewer Complete
ITAR POC name entered in the Service Portal data field
Confirm the acquisition data fields in the Service Portal are accurate
Engage Critical Partners / Incorporate Critical Partner Input
Finalize the ITAR Review Summary
Review ITAR Review Summary for comprehension and completeness
Check "Ready for Approval" radio button then click "Update" to launch workflow
Approval – Approver Complete
Review the comprehensive ITAR Summary provided by ITAR Reviewers
Reference acquisition package documents for further information or to obtain clarity if needed during approval analysis
Determine if you concur with the recommendations provided by the reviewer
Record your recommendations, concerns, conditions for approval and/or concurrence with the reviewer's recommendations using the comment feature on the approval form
Click "Approve" or "Reject" on the approval form to move the ITAR record to the next approver or end the workflow (depending on $ threshold)
Notification – Reviewer/The Service Portal Tool Complete
Notify Requesting Office of CIO or CIO Designee Decision
Provide Requesting Office with ITAR Approval Package
Table 18: Reviewer / Approver Checklist

Glossary and Acronyms

Definitions:

  • Acquisition Plan:
    1. As defined in the Federal Acquisition Regulation (FAR) Part 2 "Definitions" and further explained under FAR Part 7 "Acquisition Planning".
      The process by which the efforts of all personnel responsible for an acquisition are coordinated and integrated through a comprehensive plan for fulfilling the agency need in a timely manner and at a reasonable cost. It includes developing the overall strategy for managing the acquisition.
    2. Definition explained further in supplemental agency guidance: HHS Directive for the Acquisition Strategy (revised February 2018).
      The Acquisition Plan (AP) is a tactical document approved in HALF Phase 3 – Program Development which identifies the steps necessary to implement the approved Acquisition Strategy for the Program/Project (P/P). Unlike the Acquisition Strategy (AS), which is an overall strategy for all acquisitions that might be necessary for a P/P, the AP outlines the specific actions necessary to acquire resources. An approved AP serves as a formal agreement between the various parties as to how the acquisition will proceed. An AP is execution-oriented and contract-focused and therefore very different than the AS.
  • Acquisition Strategy: As defined in the HHS Directive for the Acquisition Strategy (revised February 2018).
    The AS, an essential part of the overall Program/Project Lifecycle Document (PLD) for each P/P, is a strategic document approved in HALF Phase 2 – Program Definition. The AS describes the entire mission/portfolio or program, defines the mission and business needs for the mission/portfolio or program, and provides the critical foundation necessary to determine the plans for the acquisition(s). The approval of the AS is required before developing management plans for the P/P structure and other details summarizing success factors and expected outcomes/results. The AS also provides the basis for meeting the organization's mission and business needs and established P/P objectives, thereby acting as an aid for the P/PM to gain acceptance, support, and approval for an acquisition. Development of the AS is a logical, systematic way of transforming a defined mission/business need into a comprehensive, top-level plan to direct the P/P management. Even though overarching strategies are required for all P/Ps, the AS is only required if the P/P will be augmented by contractor services/support. The AS Development Process consists of a series of iterative steps for identifying, analyzing, and resolving issues related to the essential elements of an AS. Documenting the AS is a means of performing adequate strategic planning in the beginning and throughout the program, thereby reducing potential diversions from program objectives that could have adverse cost, schedule, and technical consequences.
  • Information Technology (IT): As defined in OMB M-15-14: Management Oversight of Federal Information Technology
    1. Any services or equipment, or interconnected system(s) or subsystem(s) of equipment, that are used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the agency; where
    2. Such services or equipment are 'used by an agency' if used by the agency directly or if used by a contractor under a contract with the agency that requires either use of the services or equipment or requires use of the services or equipment to a significant extent in the performance of a service or the furnishing of a product.
    3. The term "information technology" includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including provisioned services such as cloud computing and support services that support any point of the lifecycle of the equipment or service), and related resources.
    4. The term "information technology" does not include any equipment that is acquired by a contractor incidental to a contract that does not require use of the equipment.
  • Major Information Technology (IT) Investment: As defined in OMB M-15-14: Management Oversight of Federal Information Technology
    An IT investment requiring special management attention because of its importance to the mission or function to the government; significant program or policy implications; high executive visibility; high development, operating, or maintenance costs; unusual funding mechanism; or definition as major by the agency's capital planning and investment control process. Agencies should also include all "major automated information system" as defined in 10 U.S.C. 2445 and all "major acquisitions" as defined in the OMB Circular A-11 Capital Programming Guide consisting of information resources. OMB may work with the agency to declare IT investments as major IT investments. Agencies must consult with assigned OMB desk officers and resource management offices (RMOs) regarding which investments are considered "major." Investments not considered "major" are "non-major."

Acronyms:

  • AP – Acquisition Plan
  • AS – Acquisition Strategy
  • ASFR – Assistant Secretary for Financial Resources
  • CFO – Chief Financial Officer
  • CIO – Chief Information Officer
  • CPIC – Capital Planning and Investment Control
  • EA – Office of Enterprise Architecture
  • FAR – Federal Acquisition Regulation
  • FITARA – Federal Information Technology Acquisition Reform Act
  • HHS – Department of Health and Human Services
  • HHSAR – Department of Health and Human Services Acquisition Regulation
  • IGCE – Independent Government Cost Estimate
  • IAA – Inter-Agency Agreement
  • IT – Information Technology
  • LegCom – Legislative Compliance Division
  • OA – Office of Acquisition
  • OES – Office of Enterprise Services
  • OCIO – Office of the Chief Information Officer
  • OIS – Office of Information Security
  • OMB – Office of Management and Budget
  • OpDiv – HHS Operating Division
  • MOU – Memorandum of Understanding
  • P/P – Program/Project
  • PLD – Program/Project Lifecycle Document
  • PSC – Program Support Center
  • StaffDiv – HHS Staff Division
  • SOW – Statement of Work
  • VMO – Vendor Management Office

  1. If submitting an approved AS for ITAR approval in the early phases of the program and acquisition lifecycle, it is acceptable to submit it with just the supporting documentation that contributed to the development of the strategy content. It is understood that you will not yet have the Acquisition Plan package(s) developed in the strategy phase of the lifecycle because you are not yet ready to begin pre-award activities for specific products and services.
  2. IGCE: This must reflect how the estimate was derived using historical procurement pricing within HHS of similar products or services within 3 years or current market research pricing, all of which must factor in at least 3% inflation for current pricing.
  3. Market Research Report: A mandatory document containing details that must be in alignment with the complexity or simplicity of the acquisition and must contain actual research results.
  4. Conditional recommendations are CIO conditions that must be satisfied through documentation before final approval. Non-conditional recommendations are CIO, or other, recommendations that are left up to the requesting office to build into their acquisition package.

Content created by Office of the Chief Information Officer (OCIO)