HHS-OCIO Policy for Management of the Enterprise IT System Inventory

Purpose
Background
Scope
Policy
Roles and Responsibilities
Applicable Laws/Guidance
Information and Assistance
Effective Date/Implementation
Approved
Glossary

1. Purpose

The purpose of this Department of Health and Human Services (HHS) Policy is to establish and maintain an enterprise-wide inventory of HHS Information Technology (IT) Systems.

This Policy defines:

Scope of the Enterprise IT System Inventory
General Management Principles of the Enterprise IT System Inventory
Sharing and distributing information from the Enterprise IT System Inventory among IT, business, and oversight communities.

This Policy is first issuance.

2. Background

The OMB Circular A-130, Management of Federal Information Resources, mandates, among other things, that all federal agencies must maintain "an inventory of the agency's major information systems, holdings, and dissemination products" and "an inventory of the agency's other information resources". Maintaining the Enterprise IT System Inventory involves coordination and collaboration of various business and IT functional areas. It is essential to a number of HHS component organizations to keep an accurate and current inventory of systems. A single comprehensive Enterprise IT System Inventory eliminates issues with maintenance of multiple sources and allows organizations to extract subsets of data based on their reporting and management requirements. The laws and guidance requiring an IT systems inventory may be found in Section 6. Applicable Laws/Guidance.

The HHS-OCIO Policy for Management of the Enterprise IT System Inventory establishes the authoritative source for the HHS Enterprise IT Systems Inventory and the stewards responsible for maintaining the accuracy, integrity and availability of the information.

3. Scope

This Policy applies to all HHS organizational components (i.e., Operating Divisions [OPDIVs] and Staff Divisions [STAFFDIVs]) and organizations conducting business for and on behalf of the Department through contractual relationships when using HHS information technology (IT) resources. This Policy does not supersede any other applicable law, higher level agency directive, or existing labor management agreement in effect as of the effective date of this Policy.

Department officials shall apply this Policy to employees, contractor personnel, interns, and other non-government employees. All organizations collecting or maintaining information, or using or operating IT systems on behalf of the Department, are also subject to the stipulations of this Policy. The content of and compliance with this policy shall be incorporated into applicable contract language, as appropriate.

Agencies shall use this Policy or may create a more restrictive OPDIV/STAFFDIV policy, but not one that is less restrictive, less comprehensive, or less compliant with this document.

4. Policy

4.1. Authoritative Source

The establishment and management of a single authoritative source for all HHS IT systems make possible a data source that is accurate, reliable, and readily available to all functional components, such as, IT Security, IT Capital Planning and Investment Control, Records Management, Telecommunications, etc.
The Enterprise IT System Inventory shall include all systems that meet the HHS definition of an Information Technology (IT) System that are owned by or operated on behalf of any part of the HHS organization. (See the glossary below for the full definition.)
The Enterprise IT System Inventory and related information shall reside in the HHS Enterprise Architecture Repository (the EA Repository).

4.2. General Principles

The HHS Office of Enterprise Architecture is responsible for the quality and management of the System Inventory. Business Owners in collaboration with System Owners and other functional stewards (e.g., IT Security, Records Management, IT Capital Planning and Investment Control, Telecommunications, etc.) must maintain up-to-date and accurate information in the IT System Inventory.
The HHS Office of Enterprise Architecture shall define and maintain a standard process for managing the IT System Inventory data and issue guidance as appropriate.
The IT System information pertaining to the IT System Inventory must follow specifications in the HHS EA Framework document. The basic set of information shall evolve and extend over time to meet business needs.
Stakeholders of the IT System information in the IT System Inventory need timely and accurate access to the information in order to meet regulatory and operational requirements.

4.3. Create an IT System Inventory Record

An IT System Inventory record in the HHS EA Repository shall be created as authorized by the system owner.

4.4. Share IT System Inventory Information

The HHS Office of Enterprise Architecture will make IT System Inventory information available to all approved users and interfacing IT systems as specified in the HHS EA Framework document.
Users of the HHS EA Repository must take care to retain the confidentiality and integrity of System Inventory information exported and used for ad-hoc queries, reports, etc.

4.5. Maintain IT System Inventory Information

IT System Inventory information must be provided by the system owner and be updated as soon as possible upon a change affecting the IT System.
IT System Inventory records that are deemed to no longer be part of the IT System Inventory shall be designated appropriately and retained for historical purposes as specified in guidance documents and in accordance with Records Management disposition schedules.

5. Roles and Responsibilities

5.1. HHS Chief Information Officer

The HHS Chief Information Officer is responsible to lead the HHS information technology function to maintain accurate, reliable, business processes and updated data/information for Department-wide use.

5.2. OPDIV Chief Information Officer

The OPDIV Chief Information Officer (CIO) is accountable for ensuring that information pertaining to the IT System Inventory is managed in accordance with this Policy.

5.3. HHS Chief Enterprise Architect

The HHS Chief Enterprise Architect leads the HHS Office of Enterprise Architecture (OEA) and is responsible for managing the HHS Enterprise Architecture (EA) program. The Chief Enterprise Architect charters and chairs the Enterprise Architecture Review Board (EARB). The Chief Enterprise Architect is the system owner of the IT System Inventory.

5.4. OPDIV Chief Enterprise Architect

The OPDIV Chief Enterprise Architect is responsible for the OPDIV enterprise architecture program and for maintaining up-to-date information in the EA Repository regarding the OPDIV's IT system records in collaboration with System Owners and other functional stewards (e.g., IT Security, Records Management, IT Capital Planning and Investment Control, Telecommunications, etc.). Additionally, the OPDIV Chief Enterprise Architect is responsible for overseeing the implementation of this Policy and for coordinating the resolution of any issues that arise in complying with this Policy and any companion guidance.

5.5. HHS Chief Information Security Officer

The HHS Chief Information Security Officer (CISO) directs IT Security at HHS as mandated by the Federal Information Security Management Act of 2002 (FISMA). The HHS CISO requires timely and accurate information from the IT System Inventory for use in the derivation of the HHS FISMA inventory and various reporting and oversight requirements.

5.6. OPDIV Chief Information Security Officer

The OPDIV Chief Information Security Officer (CISO) is responsible for ensuring that IT System Inventory information is maintained in a timely manner in conjunction with the OPDIV Chief Enterprise Architecture.

5.7. HHS IT Capital Planning and Investment Control Officer

The HHS IT Capital Planning Officer ensures that the appropriate rigor for Capital Planning and Investment Control (CPIC) is fully integrated into Department processes, required CPIC processes are implemented, and CPIC information, including IT System related information, is used effectively to support IT Investment decisions. The HHS IT Capital Planning and Investment Control Officer requires timely and accurate information from the IT System Inventory for identifying IT systems as they pertain to IT Investment management and funding.

5.8. OPDIV IT Capital Planning and Investment Control Officer

The OPDIV IT Capital Planning and Investment Control Officer is responsible for ensuring that IT System Inventory information is maintained in a timely manner in conjunction with the OPDIV Chief Enterprise Architecture.

5.9. HHS Records Officer

The HHS Records Officer is responsible for promulgating Department-wide records management oversight, policy, and high-level training for the Department (OPDIV and Regions). The E-Government Act of 2002 (Title III Section 3505 as amended), and the related requirements issued and monitored by OMB and the National Archives and Records Administration (NARA), requires Federal agencies to inventory and secure their records disposition authorization for electronic records. The HHS Records Officer requires timely and accurate information from the HHS IT System Inventory to identify systems that contain records.

5.10. Business Owner

The Business Owner is the executive in charge of the organization who serves as the primary customer and advocate for an IT investment. The Business Owner is responsible for identifying the business needs and performance measures to be satisfied by an IT project; providing funding for the IT project; establishing and approving changes to cost, schedule and performance goals; and validating that the IT project meets business requirements.

5.11. System Owner

The System Owner is the technical manager of an IT System and manages the system under the direction of a Business Owner. The System Owner is responsible for supplying the OPDIV Chief Enterprise Architect with the required IT System information as specified in the HHS EA Framework regarding a record in the IT System Inventory.

5.12. Enterprise Architecture Review Board (EARB)

The EARB is an expert decision-making body providing standards, configuration management, and oversight for HHS EA in establishing an integrated EA consistent with the goals and objectives of HHS. The EARB serves as the OPDIV contact for HHS EA updates and dissemination of initiatives and activities. The EARB is authorized to meet, review, render opinions, and establish committees and working groups. The EARB will provide the coordination and validation of System Inventory information.

6. Applicable Laws/Guidance

Applicable laws and guidance:

44 U.S.C. Chapter 21 - National Archives and Records Administration
44 U.S.C. Chapter 29 - Records Management by the Archivist of the United States and by the Administrator of General Services
44 U.S.C. Chapter 31 –Records Management by Federal Agencies (Federal Records Act)
44 U.S.C. Chapter 33 – Disposal of Records
Clinger-Cohen Act of 1996 (CCA), Public Law 104 – 106
E-Government Act of 2002, Public Law 107 - 347
FIPS 199 - Standards for Security Categorization of Federal Information and Information Systems
Federal Information Security Management Act (Title III of E-Gov Act of 2002)
HHS-OCIO Policy for Records Management (HHS-OCIO-2007-0004, dated January 30, 2008)
OMB Circular A-130, Management of Federal Information Resources
Paperwork Reduction Act of 1980, Public Law 96-511

7. Information and Assistance

Direct questions, comments, suggestions, or requests for further information to the Deputy Assistant Secretary for Information Technology, who serves as the HHS CIO, at (202) 690-6162.

8. Effective Date/Implementation

The effective date of this Policy is the date the policy is approved.

Requirements stated in this Policy are consistent with law, regulations and other Department policies applicable at the time of its issuance. Actions taken through the implementation of this Policy must comply with the requirements of pertinent laws, rules and regulations, as well as the lawful provisions of applicable negotiated agreements for employees in exclusive bargaining units.

The HHS policies contained in this issuance shall be exercised in accordance with Public Law 93-638, the Indian Self-Determination and Education Assistance Act, as amended, and the Secretary's policy statement dated August 7, 1997, as amended, titled “Department Policy on Consultation with American Indian/Alaska Native Tribes and Indian Organizations.” It is HHS’ policy to consult with Indian people to the greatest practicable extent and to the extent permitted by law before taking actions that affect these governments and people; to assess the impact of the Department's plans, projects, programs and activities on tribal and other available resources; and to remove any procedural impediments to working directly with tribal governments or Indian people.

9. Approved

/s/

Michael W. Carlton
HHS Chief Information Officer

July 28, 2009

Date

Glossary

Enterprise IT System Inventory (AKA: IT System Inventory): The subset of the EA Repository, which documents information about all information technology systems owned by or operated on behalf of the HHS organization.

General Support System: An interconnected set of information resources under the same direct management control which shares common functionality

HHS Enterprise Architecture Repository (The EA Repository): The HHS-wide repository of information in support of enterprise architecture development and analysis.

Information Dissemination Product: Any book, paper, map, machine-readable material, audiovisual production, or other documentary material, regardless of physical form or characteristic, disseminated by an agency to the public.

Information Technology (IT) System: A discrete set of information resources organized for the collection, processing, maintenance, transmission, and dissemination of information, in accordance with defined procedures, whether automated or manual to support HHS’ or OPDIV’s mission. An interconnected set of information resources under the same direct management control, which shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people. Refers to a set of information resources under the same management control that share common functionality and require the same level of security controls.
Usage and Context: The term IT system is used in context of security. The term IT system, information system, and application are often used interchangeably while the term application has the more narrow focus of software to meet user requirements. Types: Major IT System, Non-Major IT Systems, and General Support System (GSS). Source: HHS Glossary of Key Enterprise Terms

IT System Inventory: Alias for Enterprise IT System Inventory.

Major IT System: An information system that requires special management attention because of its importance to an agency mission; its high development, operating, or maintenance costs; or its significant role in the administration of agency programs, finances, property, or other resources

Non-Major IT System: A system that requires appropriate attention to security when a compromise of the information or application would cause limited adverse harm (low or medium impact as defined in FIPS 199) on the HHS mission, business functionality, public health function and/or employee and citizen