HHS Policy for Information Technology Portfolio Management (PfM)

Document #: HHS-OCIO-OES-2021-09-005
Version #: 1.0
Last Reviewed: 09/2021
Next Review: 09/2024
Owner: OCIO/OES
Approved By: Janet Vogel, HHS CIO (Acting)

Nature of Changes
Purpose
Background
Scope
Authorities
Policy
Roles and Responsibilities
Information and Assistance
Effective Date and Implementation
Approval

Appendix A: Procedures

A1. CIO Risk Ratings and Evaluation
A2. Operational Analysis
A3. Technology Business Management
A4. HHS IT Portfolio Reviews

Appendix B: Standards

Appendix C: Guidance

C1. IT Investment Classification and Reporting Requirements
C2. HHS IT Governance
C3. Portfolio Management Schedule of Activities

Appendix D: Forms and Templates

D1. The HHS IT Resource Statement
D2. HHS Operational Analysis (OA) Template

Glossary and Acronyms

1. Nature of Changes

This Department of Health and Human Services (HHS) Policy for IT Portfolio Management (PfM) (hereafter Policy) is a new issuance and supersedes the HHS Office of the Chief Information Officer (OCIO) Policy for Information Technology (IT) Capital Planning and Investment Control (CPIC) (HHS-OCIO-2016-CPIC-01), IRM Policy for Conducting IT Alternative Analysis (HHS-IRM-2003-0002), HHS-OCIO Policy for IT Investment Performance Baseline Management (HHS-OCIO-2010-0007), and HHS Policy for Conducting Operational Analysis (OA) for Information Technology (IT) Investments (HHS-OCIO-2015-05-0001), while also incorporating the following topic areas: Chief Information Officer (CIO) Investment Risk Rating and Evaluation, Incremental Development Certification, and Technology Business Management (TBM). This Policy includes general updates to CPIC related activities to reflect the changes to the Office of Management and Budget (OMB) CPIC guidance, the frequency with which OAs are conducted and updated, and inclusion of the Chief Information Officer (CIO) Rating and Risk Evaluation methodology, Incremental Development Certification process, and TBM requirements and standards.

2. Purpose

The HHS Policy for IT Portfolio Management contains the principles for conducting IT Investment planning and management within HHS. This Policy describes the CPIC principles and requirements, and establishes standard methodologies for conducting OAs, evaluating Investment Risks, certifying adequate Incremental Development, and successfully implementing TBM. Information Security, Cybersecurity, Privacy, and Information Technology risk management should be considered as domain-specific risk management practices that should inform investment planning and management decisions.

CPIC is the decision-making process that ensures IT Investments integrate strategic planning, budgeting, procurement, and management with a focus on HHS missions and business needs. The three CPIC phases (Select, Control, and Evaluate) incorporate the selection, management, and performance evaluation of the Department’s IT Investments. CPIC implementation addresses the requirements of the Federal Information Technology Acquisition Reform Act (FITARA), the Clinger-Cohen Act, OMB Circular A-130, and OMB Circular A-11.

OA is the method of examining the current and historical performance of the Operations and Maintenance Investments, steady-state portion of mixed life cycle Investments and measuring the performance against an established set of performance parameters. Having adequate and timely OAs for every applicable IT Investment result in HHS IT Investments that are viable, relevant, and pertinent to achieving the agency’s overarching mission. This is a requirement of OMB’s Capital Programming Guide V3.0, the Supplement to OMB Circular A-11, Part 7: Planning, Budgeting, and Acquisition of Capital Assets.

CIO Risk Ratings and Evaluation is the adopted HHS methodology to evaluate IT Investments. OMB requires Federal CIOs to provide ratings for all Major IT Investments (as defined in section 6.1.2.1) on the Federal IT Dashboard. The Operating Division (OpDiv) CIOs are required to use their judgement to rate each IT Investment based on a set of pre-established criteria (Risk Rating factors) and calculation (Self Assessed Score). The CIO’s ratings of Investments should reflect the Investments’ abilities to accomplish their set goals. When needed, the CIO should consult with appropriate OpDiv Stakeholders (e.g., Chief Acquisition Officers, Chief Management Officers, Chief Information Security Officer, Enterprise Risk Managers, Program Managers, Customers, etc.) in making their evaluation. Each evaluation should include a justification for the rating. The CIO Rating and Risk Evaluation implements the OMB Circular No. A-11, Chapter 11302 and 11315 of Title 40 and OMB Memorandum M-15-14, Management and Oversight of Information Technology.

Incremental Development Certification establishes the procedures for the HHS CIO to certify that Development, Modernization, and Enhancements (DME) Investments’ classified as Major IT Investments use adequate Incremental Development methodologies to deliver useable functionality at least every six months. It implements the OMB Circular No. A-11, Chapter 11319 of Title 40 and OMB Memorandum M-15-14, Management and Oversight of Information Technology.

TBM is an OMB-required IT management framework that implements a standard IT spend taxonomy to provide accurate and detailed understanding of IT costs to stakeholders and the IT community across federal agencies. TBM enables government organizations to disaggregate IT spending into smaller, consistent categories, thereby creating a more transparent bill of IT. Successful implementation of TBM satisfies the Federal IT Spending Transparency Cross Agency Priority (CAP) goal of the 2017 President’s Management Agenda (PMA).

In addition, this policy addresses compliance with the Federal Information Security Modernization Act (FISMA) Act of 2014. FISMA requires Government agencies to integrate IT security into their Capital Planning and Enterprise Architecture processes. IT security controls must be incorporated into the lifecycle planning costs of the overall Investment.

The principles in this Policy are based on legislation and OMB guidance that direct agencies to institute and maintain a disciplined approach to funding and monitoring IT Investments. In addition to the 25-Point Implementation Plan to Reform Federal IT Management, the Digital Government Strategy, and OMB Memorandum M-11-29, HHS leverages the Information Resource Management (IRM) Strategic Plan to shape ongoing tactical planning.

These principles form the basis for efficient and effective management of the Department's IT Investments by promoting informed decision-making and timely oversight by appropriate level review boards. The goal is to achieve the best balance of the Department's IT Investments at the lowest cost with the least risk, while ensuring that the mission and business goals are met.

Adherence to this Policy ensures that HHS IT Investments are selected based on their support of HHS business needs and mission requirements; that selected IT Investments meet approved cost, schedule, and performance milestones; and that they successfully achieve specified benefits and outcomes throughout the IT Investment life cycle.

3. Background

Prior to 1996, the following laws and policies required agencies to develop and implement a disciplined process to maximize the value of IT Investments while balancing risks.

The Paperwork Reduction Act of 1980 and 1995 required agencies to obtain approval from OMB before requesting information from the public to reduce the burden of Federal paperwork on the public. The Government Performance Results Act (GPRA) of 1993 was designed to improve Government performance management by requiring agencies to engage in performance management tasks, such as setting goals, measuring results, and reporting their progress. The Federal Acquisition Streamlining Act (FASA) was enacted in 1994 to streamline the acquisition process by lowering procurement barriers to encourage the procurement of commercial products.

In 1996, the Information Technology Management Reform Act (ITMRA) and the Federal Acquisition Reform Act (FARA) were signed into law as part of the National Defense Authorization Act of 1996. The ITMRA directed Federal agencies to focus more on the results achieved through IT Investments while streamlining the Federal IT procurement process. The ITMRA emphasized the rigor and structure in how agencies approached the selection and management of IT projects and established the CIO’s role for all Federal agencies. FARA increased the discretion of Contracting Officers to promote efficient competition. FARA allowed the use of simplified acquisition procedures in the acquisition of commercial items up to $5 Million. The ITMRA and FARA were subsequently designated as the Clinger-Cohen Act (CCA) of 1996.

The CCA supplemented existing law and policies by mandating a specific, more rigorous methodology for managing IT Investments than was previously required and an approach that integrates IT capital planning with other agency processes. The CPIC process was established to acquire, use, maintain and dispose of IT assets.

The CCA mandates that the CPIC process must:

Provide for the selection, control, and evaluation of agency IT Investments.
Be integrated with the processes for budget, financial, and programmatic decision-making.
Include minimum criteria to consider whether to undertake an IT Investment.
Identify IT Investments that would result in shared benefits or costs for other Federal Agencies or State or Local Governments.
Provide the means for identifying quantifiable measurements for IT Investment net benefits and risks.
Provide the means for Senior Management to obtain timely information regarding an Investment’s progress.

In 2014, Congress passed the Federal Information Technology Acquisition Reform Act (FITARA), which expanded CIO authorities and recommended the use of Incremental Development approaches over alternative development methodologies. OMB issued Memorandum M-15-14, Management and Oversight of Federal Information Technology, which details how Agencies must implement FITARA.

FITARA builds on the CCA by empowering CIOs with increased oversight over:

Budget planning
Governance structures
Portfolio Risk Management
Enterprise Resource Management and Cyber Risk Management
Hiring practices within IT offices
Data center consolidation planning and execution
Reporting progress and metrics to OMB

FITARA specifies that Agency CIOs are accountable for certifying the use of Incremental Development agency-wide as stipulated in OMB’s Annual Capital Planning Guidance. OMB issues the annual IT Budget and Capital Planning Guidance as part of OMB circular A-11, Preparation, Submission, and Execution of the Budget, and maintains its supplement (the Capital Programming Guide) to assist agencies with the implementation of CPIC processes and meeting CCA and FITARA reporting requirements to Congress.

In 2017, OMB collaborated with the General Services Administration (GSA) to introduce a phased approach to implementing the TBM taxonomy. Consistent with the FITARA OMB Common Baseline Implementation (M-15-14), OMB implemented a multi-year phased approach to address the different level of capabilities and maturity across Government agencies. The mandate for Government agencies to fully implement TBM by FY2021 was released to agencies through the annual updates to OMB Circular A-11, Section 55, and supplemented by the technical guidance in the FY 2019 IT Budget – Capital Planning Guidance.

4. Scope

This Policy sets forth roles and responsibilities, requirements, and processes for the HHS CIO and OpDivs to develop a more mature IT Portfolio Management program. It applies to the Department and all HHS OpDivs and Staff Divisions (StaffDivs) participating in HHS IT Portfolio Management. This Policy does not supersede any applicable law or higher-level agency directive in effect as of the effective date of this Policy.

This Policy also applies to all HHS IT Investments and IT projects throughout their entire life cycle, regardless of funding source, whether owned and operated by HHS or operated on behalf of HHS. OpDivs are required to manage their IT Investment portfolios in accordance with the CPIC requirements outlined in this Policy (Section 6). These requirements are irrespective of size, scope, complexity, funding source and partial or full ownership by HHS.

OpDivs and StaffDivs must use this Policy or may create a more restrictive OpDiv or StaffDiv policy, but not one that is less restrictive, less comprehensive, or not compliant with this document. HHS retains the right to audit each OpDiv/StaffDiv policy for compliance with the requirements of this Policy.

5. Authorities

Legislation, Federal Regulation, and Executive Orders:

“Public Law 103-62: Government Performance and Results Act of 1993 (1993)
“Public Law 103-355: Federal Acquisition Streamlining Act of 1994 (1994)
“Public Law 104-13: Paperwork Reduction Act of 1995 (1995)
“Public Law 104-208: Federal Financial Management Improvement Act of 1996 (Public Law 104-208)
“Public Law 107-347: E-Government Act of 2002” (2002)
“Public Law 113-291: Federal Information Technology Acquisition Reform Act (FITARA) of 2014 (2014)
Clinger-Cohen Act (CCA) of 1996 (formerly the IT Management Reform Act of 1996) (Division of E of Public Law 104-106) and Federal Acquisition Reform Act of 1996 (Division D of Public Law 104-106)
Federal Information Technology Acquisition Reform Act of 2014, 40 USC. 11319(b)(1)(B) (ii)
Policies & Priorities, Technology Business Management. CIO.GOV
Records Management Act of 1950 (1950)
Section 508 of the Rehabilitation Act of 1973, (1998)
Executive Order 13636: Improving Critical Infrastructure Cybersecurity (February 2013)
Executive Order 14028: Improving the Nation's Cybersecurity (May 2021)
Federal Information Security Modernization Act (FISMA) of 2014, Pub. L. 113-283, 128 Stat. 3073 (Dec 2014)

Federal Guidance:

Government Accountability Office (GAO) Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity, GAO-04-394G (March 2004)
GAO Accounting and Information Management Division (AIMD) Assessing Risks and Returns: A Guide for Evaluating Federal Agencies’ IT Investment Decision-making, AIMD-10.1.13 (February 1997)
GAO Information Technology: Agencies Need to Strengthen Oversight of Billions of Dollars in Operations and Maintenance, GAO-13-87 (November 2013)
GAO Report 16-469, “Agencies Need to Increase Their Use of Incremental Development Practices (August 2016)
OMB Circular A-11, Part 7, Planning, Budgeting, Acquisition and Management of Capital Assets
OMB Circular A-11, Part 7, Preparation, Submission, and Execution of Budget (June 2018)
OMB Circular A-11, Part 7, Supplement, Capital Programming Guide (June 2016)
OMB Circular A-11, Section 55, Investment Technology Investments. (June 2016)
OMB Circular A-94, Guidelines and Discount Rates for Benefit-Cost Analysis of Federal Programs (Revised February 7, 2014)
OMB Circular A-76, Performance of Commercial Activities (May 29 2003) including changes made by OMB Memorandum M-07-02 (October 31, 2006) and OMB Memorandum M-08-13 (March 11, 2008) and a technical correction made by OMB Memorandum M-03-20 (August 15, 2003)
OMB Circular A-123 Appendix D, Compliance with the Federal Financial Management Improvement Act (09/20/2013)OMB Circular A-130, Management of Federal Information Resources (2016)
OMB Circular A-130, Management of Federal Information as a Strategic Resource (July 2016)
OMB Federal Cloud Computing Strategy - Cloud Smart (June 2019)
OMB Memorandum M-97-02, Funding Information Systems Investments (October 1996)
OMB Memorandum M-05-23, Improving Information Technology (IT) Project Planning and Execution (August 2005)
OMB Memorandum M-15-14, Management and Oversight of Federal Information Technology. (June 2015)
A Framework for Assessing and Improving Process Maturity - Government Accountability Office (GAO) Information Technology Investment Management. GAO-04-394G (2004)
Federal Continuity Directive 1: Federal Executive Branch National Continuity Program and Requirements (October 2012)
Federal Continuity Directive 2: Federal Executive Branch Mission Essential Functions and Candidate Primary Mission Essential Functions Identification and Submission Process (June 2017)
Federal Information Processing Standard (FIPS) 140-2 (December 2002)
NIST SP 800-30 R1 Guide for Conducting Risk Assessments (September 2012)
NIST SP 800-37 R2 Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (December 2018)
NIST SP 800-39 Managing Information Security Risk Organization, Mission, and Information System View (March 2011)
NIST SP 800-53 R5 Security and Privacy Controls for Information Systems and Organizations (December 2020)
NIST SP 800-56A R3 Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography (April 2018)
OMB Memorandum M-19-03: Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program (December 2018)
OMB Circular No. A-123: Management's Responsibility for Enterprise Risk Management and Internal Control (July 2016)
Section 889(a)(1)(B) of the John S. McCain National Defense Authorization Act (NDAA) (Pub. L. 115-232) (August 2019)

Departmental Policy and Guidance:

HHS Policy for Section 508 Electronic and Information Technology (January 2005)
HHS Acquisition Regulation (April 2010)
HHS OCIO Roles and Responsibilities (March 1999)
HHS OCIO Enterprise Performance Life Cycle Framework Overview Document (October 2008)
HHS Information Technology Strategic Plan FY 2021-2023
HHS IT Policy for Enterprise Architecture (August 2008)
HHS Office of Acquisition Management and Policy (OAMP) – Acquisition Policy Memorandum (2008)
HHS Policy for Information Technology Acquisition Reviews (ITAR) (June 2020)
HHS Policy for IT Enterprise Performance Life Cycle (July 2017)
HHS Policy for Information Systems Security and Privacy (IS2P) (July 2014)
HHS Policy for Records Management (January 2008)
HHS Enterprise Risk Management Framework (April 2019)
HHS Memorandum for HHS Cloud Computing and Federal Risk and Authorization Management Program (FedRamp) Guidance (July 2016)
HHS Policy for Information Technology Procurements - Security And Privacy Language (March 2021)
HHS Policy for Cyber Supply Chain Risk Management (August 2020)
HHS Policy for the High Value Asset (HVA) Program (August 2019)
OCIO Federal IT Acquisition Reform Act (FITARA) Approval Guidance (December 2016)

6. Policy

6.1 Capital Planning and Investment Control (CPIC)

HHS IT CPIC aims to maximize the value of IT Investments while assessing and managing associated risks. IT Investments refer to all expenditures with an IT component. This Policy recognizes that IT Investment Management is dynamic; hence, selected Investments are continuously monitored and evaluated for effectiveness and efficiency in supporting the HHS mission and strategic goals. The HHS IT CPIC model relies on three phases – Select, Control, and Evaluate – to address the following:

Select – Determine the best IT Investments based on current and future business needs as they relate to the mission.
Control – Ensure that the selected IT Investments will deliver anticipated benefits on time and within budget.
Evaluate – Determine whether operational IT Investments continue to support requirements and deliver benefits efficiently and cost-effectively.

After the IT Investment’s initial funding during the select process, it becomes the subject of evaluation throughout the control processes for the purposes of reselection. Reselection is the decision to continue an IT Investment after annual assessment and evaluation. Reselection is ongoing and continues for as long as an IT Investment receives funding. A decision must be made to continue to fund or to “deselect” an Investment in the following instances:

If an IT Investment is not meeting the goals and objectives that were originally established when it was selected.
If there are changes in goals to reflect changes in mission objectives, and corrective actions are not effective.
If the Investment is no longer the most economical alternative to achieve the goals and objectives established.
If there are other competing Investments with higher priority.
If the IT Investment is not able to reduce the overall cybersecurity risk posture to an acceptable level as identified by the HHS or OpDiv Authorization Official (AO) after corrective actions and/or mitigation strategies have been implemented.

All IT Investments within HHS, whether managed and funded at the Department level or by the OpDivs, are HHS IT Investments. If HHS and another agency jointly fund an IT Investment, then the portion that HHS contributes funding to is an HHS investment.

6.1.1. IT Investment Characteristics

An IT Investment is the means through which a discrete and unique set of logically related business-driven IT products and/or services are delivered. The IT Investment’s justification, cost, schedule, measurement indicators, and other management and technical artifacts must describe its discrete and unique set of IT products/services. All Major IT Investment artifacts required by OMB (which include OAs, Risk Management Plan and Risk Registers, Investment Charter, Alternative Analysis/Benefit Cost Analysis, Post Implementation Reviews, CIO Risk Ratings and Evaluation and Baseline Change documents) must be uploaded to the HHS Portfolio Management Max Site. A Unique Investment Identifier (UII) will be assigned to each new IT Investment and may be utilized by other systems or processes for Enterprise Architecture, Security, Acquisition or other purposes.
Two or more HHS IT Investments must not deliver the same discrete and unique set of IT products/services and must not serve the same purpose without providing justification to the HHS OCIO as to why consolidation into a single IT Investment is not appropriate. When two or more IT Investments deliver IT products/services through the same IT system, each IT Investment’s set of IT products/services must be discrete and unique and clearly distinguishable from the sets of IT products/services delivered by the other IT Investments.
All HHS IT Investments should be continually evaluated for suitability for migration to safe and secure cloud computing solutions, regardless of Investment type or life cycle stage.

6.1.1.1. IT Funding

The source of funding for IT Investments must be documented in Folio. Folio is the HHS official system of records for IT Investments. Information on Folio, FAQs and training can be found at https://community.max.gov/display/GSA/FOLIO.

A funding source may fund more than one IT Investment and an IT Investment may be funded by one or more funding sources.
The funds provided for each IT Investment should be traceable to each associated IT system and/or IT project.

6.1.2. IT Investment Classification

6.1.2.1. Major Investment Classification

A Major IT Investment:

Is designated by the HHS or OpDiv CIO as critical to the HHS mission or to the administration of programs, finances, property, information security or other resources.
Is for financial management (i.e., included in HHS’s Financial Management Enterprise Architecture (EA) Segment) and obligates more than $500K annually as defined by OMB Circular A-123, Appendix D).
Requires special management attention because of its importance to the mission or function of HHS or an OpDiv.
Has a significant program or policy implication.
Has high Executive visibility.
Has high development, operating, or maintenance costs deemed by HHS as:
- Annual costs equal to or greater than $10M or
- Estimated life cycle costs equal to or greater than $75M.

6.1.2.2. Non-Major Investment Classification

A Non-Major IT Investment

Has total development, operating, or maintenance costs of less than $10 million in the budget year or
Has been designated by the HHS OCIO as a Non-Major IT Investment.

6.1.2.3. Standard Investment Classification

A Standard IT Investment:

Is provisioned for an enterprise-wide IT infrastructure service such as IT Management, IT Security and Compliance, Network, Data Center and Cloud, End User, Application, Platform, Output, and Delivery and
Is aligned to the functional view (IT towers) of the enterprise IT portfolio. Enterprise-wide IT Infrastructure Investments, now referred to as Standard IT Investments use the Standard IT Investment Reports for Budget Submission.

6.1.2.4. Consideration of High Value Assets in Investment Classification

When determining whether an IT Investment is a Major, Non-Major or Standard Investment it should be taken into consideration whether the IT Investment currently or potentially contains High Value Assets (HVAs) or contains critical systems that support Primary Mission Essential Functions (PMEFs) and Mission Essential Functions (MEFs) per Federal Continuity Directive 1 (FCD-1) and FCD-2. HVAs not associated with Major or Non-Major IT Investments may support Standard Investments.

6.1.3. IT Investment Reporting Requirements

The HHS IT Portfolio Management repository, Folio, is the authoritative source of IT Investment information that supports IT governance, the CPIC process, and the HHS IT budget submission.

Prior to the submission of the IT portfolio budget to OMB, the HHS CIO must approve of changes in classification, such as upgrades to Major IT Investments or downgrades to Non-Major IT Investments.

The following table summarizes IT Investment classification criteria, IT governance levels, and reporting requirements.

IT Investment Classification, Governance & Reporting Requirements
Investment Classification	Criteria	Governance Review and Approval	Reporting Requirements
Major IT Investments	Any of the criteria for Major IT Investments AND/OR Budget year costs ≥ $10M, or life cycle costs ≥ $75M	OpDiv IT Governance Board (section 7.6) AND as needed by the Administration Management Domain IT Steering Committee (AMD ITSC – section 7.5)	IT Portfolio Summary; IT Portfolio Summary Details (includes Major IT Business Case, Major IT Business Case Details); IT Steering Committee Briefing; CIO Evaluation Report
Non-Major IT Investments	Any of the criteria for Non-Major IT Investments	OpDiv IT Governance Board	IT Portfolio Summary; Contracts Report
Standard IT Investments	Any of the criteria for Standard IT Investments	HHS OCIO	IT Portfolio Summary; Contracts Report

The Agency IT Portfolio Summary (AITPS), often referred to as “IT Portfolio Summary”, is a report of all IT Investments and funding across the Department and must include all Major, Non-Major Investments, Standard Investments, and Funding Transfer investments. The AITPS includes the funding levels for Prior Year (PY), Current Year (CY) and Budget Year (BY). The AITPS Details are the sections required for all IT Investments by OMB for that FY’s budget submission. Major IT Business Case (MITBC) aligns Major IT Investments with strategic and performance goals, and ultimately provide value to the public by making Investment information more transparent. The MITBC Details are the sections required for all Major IT Investments by OMB for that FY’s budget submission.

The Agency IT Portfolio Summary is separated into three primary parts:

Part 1 Investments: IT Investments for Mission Delivery;
Part 2 Investments: IT Investments for Administrative and Support Systems;
Part 3 Investments: IT Investments for IT functions such as Application, Security & Compliance, End User, Delivery, IT Management, Data Center, Network, Platform, and Output.

More Information on IT Investment classification and reporting is included in Appendix C1.

6.1.4. Cost and Schedule Milestones: Performance Baseline Management

Performance Baseline Management (PBM) must be established for each IT Investment with Development, Modernization and Enhancement (DME) activities at the project level. A baseline must cover a useful system component or capability, at a minimum. For baselines to remain relevant, Investment project life cycles of manageable durations are recommended. At a minimum, baseline requests must include all of the following:

A description of the business needs for the proposed baseline
A description of performance measures, including baseline performance and proposed target performance
A product-oriented work breakdown structure and anticipated cost at completion for proposed activities

Cost and schedule milestone data should be tracked for all IT projects, whether funded by DME or O&M funds. Major IT Investment projects for DME and/or Maintenance are required to report cost and schedule data monthly in Folio. The IT Investment or Project Manager must report, monitor, and implement actions as needed to correct variances from established IT Investment baselines to reduce the risk of cost overruns, schedule delays, and uncontrolled changes in scope.

Acceptable reasons for Baseline change requests (also known as Rebaselining) are:

Significant change in Investment goals (scope, requirements, objectives) resulting from internal or external management decisions, or changes in funding level or availability of funds.
In the case where an incremental or iterative system development and planning life cycle has been chosen for the Investment, progressive elaboration may be necessary when transitioning from one iteration or increment to the next, as scope and objectives evolve. Such rapid evolution inherent to iterative development shall be approved by the Agency CIO.
Current baseline is no longer useful as a management tool for realistic performance measurement as variances are so high that they lose meaning.
Significant changes in contract details.

6.1.5. TechStat and PortfolioStat

A TechStat is an in-depth review of a single IT Investment. PortfolioStat is an in-depth review of a portfolio of IT Investments. A TechStat or PortfolioStat can be triggered by the HHS CIO, an OpDiv CIO, or OMB when it is determined that project(s) or IT Investment(s) are underperforming. Generally, the initial assessment of the necessity of a TechStat or PortfolioStat is made using data from Folio. Two possible TechStat or PortfolioStat triggers are high cost(s) and/or schedule variance(s) for projects associated with an IT Investment or an assessment by the HHS CIO that the IT Investment is “High Risk”. Per the June 10, 2015 FITARA implementation guidance released by OMB, a TechStat is mandatory for all Major IT Investments that trend as “High Risk” for three consecutive months. TechStat sessions review the overall management of the IT Investment, examine program performance data, and explore opportunities for corrective action. The criteria for selecting Investments for TechStat are:

Major and/or enterprise-wide investment
+/- 10% variance with cost, schedule, or performance
Adverse report trending over a 3-month period (on the Federal IT Dashboard or within HHS internal reporting systems)
Continuous unmitigated and significant risk
Special Interest/High Visibility to Agency leadership or OMB.

PortfolioStat can be triggered if multiple IT Investments meet the criteria listed above. The outcome of a TechStat or PortfolioStat session is the establishment of clear action items required to correct the issues that triggered the TechStat/PortfolioStat. These items are tracked by the HHS OCIO until the IT Investment’s program office achieves completion of all action items.

6.1.6. Investment Personnel Oversight

All IT Investment Managers and IT Project Managers must attain the levels of knowledge, skills, and experience required for their respective roles in accordance with applicable HHS training and certification requirements. These requirements are referenced in the Office of Federal Procurement Policy (OFPP) Act, 41 U.S.C. 1101, OFPP Policy Letter 05-01, which established a requirement for Federal acquisition certification programs, the July 2014 HHS Handbook for Federal Acquisition Certification for Program and Project Managers, the HHS Office of Acquisition Workforce and Strategic Initiatives (OAWSI) FAC-P/PM Certification Resources and the December 16, 2013 OFPP Memorandum on Revisions to the Federal Acquisition Certification for Program and Project Managers (FAC-P/PM).

6.1.7. IT Governance

HHS IT Governance drives information sharing, coordinates spending and oversight, and expedites decision making. All proposed or new Major IT Investments (including Standard Investments) must report to the Administration Management Domain IT Steering Committee (AMD ITSC) and obtain the HHS CIO approval prior to funding approval within the Select Phase of CPIC. In addition, the AMD ITSC, led by the HHS CIO has the authority to annually review and approve all Major IT Investments. The HHS CIO and/or AMD ITSC may also recommend that Major IT Investments consult with the HHS Enterprise Risk Management Council, to seek advice on business risks and organizational interdependencies, which can help IT leadership increase the odds of successful implementation of large scale change management initiatives. Each OpDiv’s IT Governance Board is responsible for the review and funding approval of Non-Major Investments. More Information on the HHS IT Governance Board is included in Appendix A4 and Appendix C2.

6.2. Operational Analysis

Once IT Investments are operational, at a minimum, they must be reviewed annually for reselection. As part of the constant review and evaluate phase, OAs are used to analyze and assess the performance of the Agency’s IT Investments against quantifiable Investment requirements. All IT Investments (Major, Non-Major and Standard) are required to conduct OAs. The OA is the mandated method for evaluating steady-state IT Investments, hence a key tool for the CPIC Evaluate phase. As such, the timeliness of an Investment’s OA plays a significant role in the calculation of any Major IT Investment’s CIO Risk Ratings and Evaluation, which is publicly available on the Federal IT Dashboard. Major IT Investments that have not provided an OA in the preceding 12-month period are at risk of receiving a lower overall CIO Rating and Risk Evaluation score. Major IT Investment Managers are also required to provide OA artifacts to OMB within five business days (if requested). The Investment’s latest OA is documented as part of the annual IT budget cycle. Any new or updated OA for a Major IT Investment must be uploaded to the MAX.gov site. All OAs should be signed by the appropriate Governance Board chair or an appropriate role with delegated authority leveraging input from appropriate SMEs.

This Policy provides a Department-wide standard for analyzing and evaluating the performance and continued viability of all steady-state IT Investments during the O&M phase.

Each steady-state IT Investment or the steady-state portion of a mixed life cycle IT Investment must conduct an annual OA, beginning one year after conducting the IT Investment’s or IT project’s Post Implementation Review (PIR).
Each steady-state IT Investment or the steady-state portion of a mixed life cycle IT Investment must retain OA documentation that is updated annually. The document must be readily available, upon request by HHS, OMB, GAO, or any governing body.
The results of the annual OA may lead to a recommendation to modify, suspend, or terminate a steady-state IT Investment or the steady-state portion of a mixed life cycle IT Investment.
All IT Investments or systems approved for retirement or termination must submit a disposition plan, to the appropriate OpDiv IT Governance authority for approval. The disposition, distribution, and reallocation of IT assets and funds must be in accordance with HHS Records Management, Security, and all other appropriate HHS CPIC and IT policies and procedures.

More information on Operational Analysis is included in Appendix A2.

6.3. CIO Risk Ratings and Evaluation

The CIO Rating and Risk Evaluation is required of all OpDivs to analyze and assess their Major IT Investments for risks and performance. The CIO Rating provides CIO numeric evaluation (ranging from 1 – High Risk to 5 – Low Risk) for all Major IT Investments that reflects the OpDiv CIO’s best judgement of the current level of risk for the Investment in terms of its ability to accomplish its goals. The CIO Rating methodology requires OpDivs to self-assess their Part 1 and Part 2 Major IT Investments in 5 areas; Risk Management, Requirements Management, Contractor Oversight, Performance and Human Capital Requirements, while the ratings for Part 3 Infrastructure Investments are assessed by the HHS CIO. The HHS or OpDiv CIOs at their discretion may decide to upgrade or downgrade the CIO Rating score for any justified reason(s). OpDivs are required to report the CIO Rating Score for all Major IT Investments to the Federal IT Dashboard through Folio, while maintaining documentation showing the evaluation justifications. The document must be readily available, upon request by HHS, OMB, GAO or any governing body. Full details on how to calculate the CIO Rating Score is included in the CIO Rating and Risk Evaluation section of Appendix A1. If for any reason, Folio is unavailable to calculate the CIO Rating score, a CIO Risk Ratings and Evaluation template with prepopulated calculation is provided by HHS OCIO. Also, each OpDiv is required to maintain and update a Risk Register to capture risks and a CIO Rating Workbook with risk rating justifications.

6.4. Incremental Development Certification

Incremental Development is the development methodology characterized by iterative processes where Project functionality releases are produced in close collaboration with the users. This process improves Investment manageability, lowers risk of project failure, shortens the time to realize value, and allows agencies to better adapt to changing needs. In accordance with FITARA, OMB Circular No. A-11 and the IT Budget Capital Planning Guidance, the Incremental Development Certification process requires both the HHS CIO and OpDiv CIO to certify the HHS IT Resource Statement to verify adoption of Incremental Development with Major IT Investments. The HHS OCIO will validate the adoption and utilization of Incremental Development by reviewing IT System and Project data from Folio for documentation or evidence of periodic delivery of useable functionality. More information on the HHS IT Resource Statement is included in the HHS IT Resource Statement section of Appendix D.

6.5. Technology Business Management

TBM is the methodology created by the TBM Council to communicate the value of IT to stakeholders by focusing on cost transparency, delivery of value, identification of the total cost of IT and shaping the demand for IT services. TBM enables Federal agencies to align technology spending to agency mission and priorities, and provide a better method of communication and understanding to stakeholders and users of IT. To enable a more transparent view of IT spend, the HHS OCIO requires all OpDivs, StaffDivs and Offices within HHS to utilize the TBM framework when reporting IT costs. This Policy requires cost reporting using OMB required TBM categories:

Cost Pools (The Finance View): This is the layer of the TBM model, which begins with the general ledger and requires reporting IT spend in categories such as Hardware, Software, Labor, etc.
IT Towers (The IT View): This is the layer of the TBM model, which includes IT towers and requires reporting IT spending categories such as End User, Application, Delivery, Compute, Storage, etc.

More detail on TBM implementation is included in the TBM section of Appendix A3.

7. Roles and Responsibilities

The key executives, decision boards, and critical partners described in this section are required for HHS IT Investment planning, decision-making, and execution.

7.1. HHS CIO

The HHS CIO oversees the Department's use of IT to improve program performance and manage risks.

The HHS CIO, or designee, must:

IT Portfolio Management

Advise the HHS Secretary and other HHS senior executives on managing IT resources effectively and efficiently, and consistent with HHS priorities;
Ensure that all HHS IT Investments adhere to federally mandated requirements and to the requirements stipulated in the HHS Policies for Portfolio Management, EA, Information Security, and Records Management;
Implement a Portfolio Management suite of tools to enable effective and efficient cost, schedule, and performance data collection. The suite of tools should also have the capacity for Portfolio reporting and analysis;
Oversee training of personnel with specific responsibilities related to this Policy; and
Sign the HHS IT Resource Statement.

CPIC

Ensure that each OpDiv adopts CPIC policies and procedures that comply with this Policy and legislation, regulations, and other guidance in Section 5: Authorities;
At their discretion, audit IT Investments or OpDiv IT Portfolio in the form of a TechStat or PortfolioStat and require the submission of artifacts as part of the review process;
Approve all proposed or new Major IT Investments prior to funding approval;
Review and approve the Major IT Investment portion of the IT Portfolio budget request;
Establish, implement, and maintain an effective HHS CPIC process;
Co-chair the AMD ITSC;
Designate a member of the HHS CIO staff to serve as the HHS IT CPIC Officer; and
Ensure each OpDiv is performing an evaluation of their IT investments for suitability for migration to a cloud computing service.

Operational Analysis

Enforce compliance of Major IT Investments in complying with the OA requirements within this Policy;
Take into account the documented existence and currency of an Investment’s OA as a key factor impacting the Investment’s CIO rating on the Federal IT Dashboard; and
Invest in the operations of Folio to enable effective and efficient cost, schedule, and performance data which should be leveraged by IT Investment managers in the creation of Investment OAs.

CIO Risk Ratings and Evaluation

Review and approve all OpDivs’ annual IT Portfolio including but not limited to the Investments’ functions and benefits, budget request, other required resources, performance (including the use of Incremental Development when appropriate) and potential risks; and
Review (as the co-chair of the AMD ITSC) Major IT Investments.

Incremental Development Certification

Ensure IT Investments for each OpDiv considered Incremental Development through the authority delegated to the OpDiv CIO. The OpDiv IT Portfolios are reviewed for evidence of Incremental Development during the annual IT Portfolio Review meetings;
Review the OpDiv IT Portfolios during the annual IT Portfolio Review meetings for the frequency with which IT projects released useable functionality to production;
Lead the annual IT Portfolio Review meetings which include reviewing and approving the OpDiv IT Portfolios for budget requests, development methodology (incremental development) and potential risks; and
Certify OpDivs’ adequate use of Incremental Development by signing the HHS IT Resource Statement upon analyses of the Portfolio’s development methodology data.

Technology Business Management

Take personal ownership of the TBM transformation by ensuring resource availability, articulating a compelling vision, removing barriers, and driving accountability.

7.2. HHS Chief Information Security Officer

The HHS Chief Information Security Officer (CISO) oversees the Department’s information security strategy, architecture, and the protection of data.

The HHS CISO must:

IT Portfolio Management

Ensure that Investments adhere to the current version of the HHS Information Security and Privacy Policy and other HHS Information Security and Privacy Policies; Review and respond to HHS Policy Exception/Risk Based Decision Requests;
Provide leadership in IT security and privacy policy, guidance, and expert advice among OpDivs and the StaffDivs in developing, promoting, and maintaining IT security and privacy measures to adequately and cost effectively protect and ensure the confidentiality, integrity and timely availability of all information in the custody of the Department, as well as the information systems required to meet the Department’s current and future business needs;
Assist and advise the HHS CIO in the development, documentation, and implementation of the Program (e.g., issuing policy, maintaining situational awareness, and performing compliance oversight) in order to provide IT security and privacy safeguards for the electronic information and information systems that support the operations and assets of the Department, including those provided or managed by another Federal organization or bureau, contractor, or other source;
Ensure that all IT resources are reviewed for compliance with established Department and external policies, standards, and regulations;
Ensure, in coordination with the HHS CIO and the Office of the Assistant Secretary for Financial Resources (ASFR)/Office of Grants and Acquisition Policy and Accountability (OGAPA)/Division of Acquisition (DA), that all IT acquisitions include Department security and privacy considerations and relevant contract language;
Serve as the primary liaison for the CIO to Authorizing Officials, System Owners, primary operational IT infrastructure managers1 , Information System Security Officers (ISSOs), and Senior Officials for Privacy (SOPs);
Provide management and oversight of activities under IT critical information protection (CIP);
Execute the Risk Management Framework (RMF) tasks as listed in the National Institute of Standards and Technology Special Publication (NIST SP) 800-37; and
Ensure, in coordination with the HHS CIO, that Investment considerations associated with potential or designated HVAs and critical systems that support PMEFs and MEFs are reviewed, understood, and consistent with established Department and federal policies, directives, guidance, and standards.

7.3. HHS Chief Artificial Intelligence Officer

The HHS Chief Artificial Intelligence Officer (CAIO) focuses on technology solutions to help enhance the Department’s operations and accomplishing its mission.
The HHS CAIO must:

IT Portfolio Management

Carry out the HHS AI Strategy; and
Create HHS AI procedures for staying in compliance with this Policy.

7.4. OpDiv CIOs

HHS OpDiv CIOs advise their respective executive management on the strategic direction and management of their organizations’ IT programs. The responsibilities of the HHS OpDiv CIO are listed below.

Within their respective organizations, the OpDiv CIOs must:

IT Portfolio Management

Provide leadership for the implementation of technology to support effective and efficient operation and management of their respective organizations;
Establish strategic planning, IT governance, IT architecture management, IT budget and contract review, IT security and privacy, records management, IT performance and results-based management;
Communicate the OpDiv’s policy directives regarding IT security awareness as it relates to botnets and AI to applicable personnel;
Ensure considerations are in place for HVAs and critical systems when categorizing IT Investments;
Ensure that OpDiv IT Investments comply with legislation, regulations, and other guidance stated in Section 5: Authorities; and
Ensure that individuals assigned to manage OpDiv IT Investments and IT projects are trained, qualified, and certified as IT Investment Managers or IT Project Managers, as appropriate.

CPIC

Establish and maintain IT governance structures consistent with this Department Policy to select, control, and evaluate IT Investments;
Establish effective CPIC processes and appropriate staffing and resources for the OpDiv;
Approve OpDiv CPIC policies and procedures consistent with this Department Policy;
Comply with Department reporting requirements for Major, Non-Major and Standard IT Investments;
Ensure each IT Investment in the IT Portfolio is planning an evaluation for suitability for migration to a cloud computing service;
May audit any of the OpDiv’s IT Investments in the form of a TechStat or PortfolioStat and require the submission of artifacts as part of the review process;
Review and approve Baseline requests or change requests for Major IT Investment projects; and
Designate a member of their OpDiv CIO staff to serve as the OpDiv IT CPIC Officer.

Operational Analysis

Enforce compliance of Non-Major IT in complying with the OA requirements within this Policy;
Perform oversight of the development, implementation and management of OpDiv-level OA policy, processes, and procedures that comply with this Policy;
Approve OA Guidance to address and manage the OpDiv’s IT Investments that are currently in the O&M or steady-state life cycle phase;and
Ensure that the OpDiv has a robust IT governance structure to include an OpDiv IT governance board that will review and provide Investment decisions based on submitted OAs.

CIO Risk Ratings and Evaluation

Review and approve all OpDivs’ Major IT Investments’ budget request, performance, the use of Incremental Development when appropriate, and potential risks.

Incremental Development Certification

Ensure that the OpDiv IT Investments consider and adopt Incremental Development as a development methodology, if appropriate. The OpDiv CIO is required to sign the HHS IT Resource Statement to certify the use of Incremental Development; and
Sign the HHS IT Resource Statement to verify the internal review of IT Investments and Projects to ensure the consideration or use of Incremental Development.

Technology Business Management

Take ownership of TBM transformation at the OpDiv-level, by ensuring resource availability, articulating a compelling vision, removing barriers, driving accountability and advocating for involvement of the OpDiv’s Finance, Acquisition and Human Resource teams.

7.5. OpDiv CISOs

The OpDiv CISO oversees the OpDiv’s information security strategy, architecture, and the protection of data.

The OpDiv CISO must:

IT Portfolio Management

Implement the requirements in the HHS Information Security and Privacy Policy and other HHS Information Security and Privacy Policies and develop and maintain procedures for implementing the federal and departmental guidelines and requirements;
Provide all necessary documentation requested (if applicable) to the HHS OCIO and HHS CISO;
Ensure, in coordination with the OpDiv CIO, that Investment considerations associated with potential or designated HVAs and critical systems that support PMEFs and MEFs are reviewed, understood, and consistent with established Department and federal policies, directives, guidance, and standards;
Ensure contractors, cloud service providers, and other third parties are compliant with the Security Policy;
Develop end-user training designed to secure systems utilizing AI;
Sign off on exceptions, where applicable;
Lead OpDiv IT security and privacy programs and promote proper IT security and privacy practices;
Ensure OpDiv-wide implementation of Department and OpDiv policies and procedures that relate to IT security and privacy incident response;
Assist System Owners in establishing and implementing the required security safeguards to protect computer hardware, software, and data from improper use or abuse; and
Execute the RMF tasks as listed in NIST SP 800-37.

7.6. HHS IT CPIC Officer

The HHS IT CPIC Officer is designated by the HHS CIO to direct and coordinate HHS CPIC processes and provide the HHS CIO with IT governance support.

The HHS IT CPIC Officer must:

IT Portfolio Management

Ensure Implementation of this Policy;
Request and review Investment documentation from OpDivs regarding compliance with this Policy;
Assess and report the results of HHS and OpDiv IT Investment performance reviews, as directed by the HHS CIO or AMD ITSC;
Coordinate, prepare, review, and evaluate the HHS IT Investment data for HHS budget submission and other reporting requirements;
Coordinate the resolution of issues arising from compliance with this Department Policy and associated procedures, and report issues to the HHS CIO or HHS ITSC for resolution; and
Oversee the Portfolio Management system of records.

CPIC

Develop, implement, and monitor associated CPIC policies and procedures;
Provide guidance to OpDiv IT CPIC staff regarding CPIC policies, procedures, and issues; and
Review OpDiv IT CPIC policies and procedures for compliance with this Department Policy and the legislation, regulations, and other guidance identified in Section 5: Authorities.

Operational Analysis

Develop and maintain Department-wide OA guidance and procedures;
For HHS Major Investments: Conduct a preliminary review of the OA submitted to coordinate any needed revisions of the OA with the OpDiv IT CPIC Officer; and
For OS Major Investments: Conduct a preliminary review of the OA submitted and coordinate any needed revisions of the OA with the IT Investment manager.

Incremental Development Certification

Review and validate the use of Incremental Development for HHS Major IT Investments.

Technology Business Management

Lead the TBM implementation at the Departmental level and provide guidance to the HHS IT community when needed; and
Ensure that Folio is the authoritative system of records for TBM reporting.

7.7. OpDiv IT CPIC Officer

As directed by their respective CIOs under their delegated authority, the OpDiv IT CPIC Officer (also known as the OpDiv CPIC Manager) coordinates their organization’s CPIC processes and ensures that the appropriate rigor for Performance Baseline Management (PBM) is fully integrated into their organization’s processes. Moreover, they ensure that required PBM processes are implemented for IT Investments and IT projects, and that PBM information is used effectively.

The OpDiv IT CPIC Officer must:

IT Portfolio Management

Request and review Investment documentation from Investment Managers regarding compliance with this Policy; and
Coordinate the resolution of issues that arise in complying with this Department Policy and associated procedures.

CPIC

Coordinate the collection of their organization’s IT Investment information to support HHS IT Investment reporting requirements;
Provide guidance to OpDiv IT Investment Managers and IT Project Managers regarding CPIC policy, procedures, and issues;
Coordinate the collection of their organization’s IT Investment information to support Departmental IT Investment PBM reporting requirements;
Coordinate the timely submission of budget and funding data for OpDiv Investments prior to Official Budget Submission and Presidential Passback;
Establish, implement, and maintain an effective HHS CPIC process within the OpDiv; and
Ensure IT Program and Project Managers assigned to IT Investments are well trained and meet the stipulated qualifications.

Operational Analysis

Develop OA Guidance to address and manage the OpDiv’s IT Investments that are fully or partially in the steady-state life cycle phase; and
For HHS Major IT Investments: Conduct a preliminary review of the OA to coordinate any needed revisions of the OA with the IT Investment manager.

CIO Rating and Risk Evaluation

Analyze and assess Major IT Investments for risks and performance; and
Assess Non-major IT Investments for risk and conduct performance reviews of high-risk, high-impact Non-major IT Investments, where appropriate. The TechStat format can be used as a model for reviewing the performance of Non-Major Investments. Should the performance review determine that the Non-Major IT Investment merits upgrade to Major, the OpDiv IT CPIC Officer will make such recommendation to the OpDiv CIO.

Incremental Development Certification

Support the review of IT Investments and the level of Incremental Development adoption.

Technology Business Management

Ensure IT costs during Capital Planning and Budget Submission are reported using the TBM Taxonomy.

7.8. OpDiv System Administrators

The OpDiv System Administrator manages, configures, and ensures the reliable operations of the OpDiv’s information systems.

The OpDiv System Administrator must:

IT Portfolio Management

Maintain and install antivirus software;
Install a firewall with configuration to restrict traffic coming into and leaving the network;
Install an Intrusion Detection Service and Network Behavior Analysis to determine malicious traffic on HHS networks;
Determine settings for least functionality and application whitelisting; and
Restrict administrative privileges to end users.

7.9. OpDiv Senior Agency Official for Privacy (SAOP)

The OpDiv SAOP ensures the safety and privacy of the OpDiv’s information while ensuring compliance with applicable privacy requirements and management of privacy risks.

The OpDiv Senior Official for Privacy must:

IT Portfolio Management

Provide representation, support and legal services to the Secretary of HHS and leadership for the integration of the Security Policy and ensuring legal protection and oversight;
Provide support for the development and implantation of secure AI technology throughout the agency by ensuring legal and privacy protections are adhered to;
Review, write and manage internal and vendor contracts associated with AI technology throughout the agency; and
Ensure legal compliance regarding privacy and ethics as it relates to AI technology.

7.10. Senior Official for Ethics or Ethical Affairs

The Senior Official for Ethics oversees the Department’s code of ethics and ensures adherence to the necessary policies.

The Senior Official for Ethics or Ethical Affairs must:

IT Portfolio Management

Provide support for the integration of the Security Policy and ensure privacy protection and ethical best practices where applicable;
Establish and evaluate a standard of ethical conducts for HHS;
Provide HHS leadership support and guidance on governance issues; and
Maintain an up-to-date knowledge and understanding of federal governance requirements, compliance, and responsibilities.

7.11. Enterprise IT Governance Board

The AMD ITSC is HHS’ enterprise IT Governance Board and serves as the principal decision-making body for managing effective, efficient, and secure use of HHS IT resources. The HHS CIO is the co-chair of the AMD ITSC. To ensure all stakeholder needs are addressed and decisions are made in the best interest of HHS, the AMD ITSC reviews, validates and approves the HHS Portfolio of Major IT Investments, while delegating the Non-Major IT Investments to the respective OpDiv IT Governance Boards. Reference the AMD ITSC Charter for roles and responsibilities.

7.12. OpDiv IT Governance Board

At the OpDiv-level, IT Investments and projects are reviewed and approved through oversight of the OpDiv’s Governance Board or other appropriate governance bodies, consistent with HHS policy. OpDivs are required to coordinate IT project governance and Investment management functions within their respective organizations and OpDiv-level Governance Board. OpDivs must work with their IT project teams to ensure performance and overall compliance with the direction of the AMD ITSC and must:

CPIC

Establish a governing charter consistent with legislation, regulations, and other applicable guidance;
Establish an IT governance process consistent with this Policy for the selection, control, and evaluation of OpDiv IT Investments;
Annually evaluate and select (including re-select and deselect) the OpDiv IT Investment portfolio based on the Administration’s and HHS Secretary’s strategic objectives, HHS and OpDiv mission and goals, and OMB directives and guidance;
Annually recommend to the HHS AMD ITSC the respective OpDiv IT Investment portfolios to be funded;
Establish and use criteria to select and evaluate OpDiv IT Investments in alignment to the HHS and the OpDiv’s mission and priorities and how well it supports the HHS and OpDiv business needs, meets expected performance goals, mitigates risk, and adheres to projected costs and expected benefits throughout the IT Investment’s life cycle;
Evaluate IT Investment performance and direct corrective actions, where needed, keeping the Department appraised of such Corrective Action Plans;
Approve exceptions to OpDiv CPIC policy and procedures for OpDiv IT Investments for which the IT governance board has management authority, and recommend changes to HHS CPIC policies, as necessary;
Recommend to the Business Owner the continuation, acceleration, modification, or suspension of IT Investments;
Make formal recommendations to the Business Owner and funding authority to terminate an IT Investment with persistent and irreparable performance issues;
Make formal recommendations to the Business Owner and funding authority to retire an IT Investment that is no longer effectively supporting HHS and OpDiv mission objectives and business needs or is being replaced by another IT Investment; and
Review and formally recommend or conditionally recommend to the IT Investment’s Business Owner the execution of the disposition plan for an IT Investment that has been approved for retirement or termination.

Operational Analysis

Review the results of the annual OAs for their organization’s IT Investments;
Approve, approve with conditions, or disapprove the decision recommendation in the OA made by the Business Owner;
Review the extent to which the OA process, analysis and results, as presented in the OA, provide sufficient information to evaluate the IT Investment’s performance and continued viability;
Direct the IT Investment Manager to implement corrective actions to ensure the OA process analysis and results provide sufficient information to evaluate the IT Investment’s performance and continued viability;
Provide OA decision to HHS OCIO and relevant HHS governing bodies upon request; and
Collaborate with HHS OCIO in reaching the final decision of continued viability of any selected IT Investment(s) as deemed appropriate by HHS OCIO or OMB.

7.13. Business Owners

The Business Owner is the organization executive who advocates for the IT Investment and is the primary point of contact to the CIO and the IT governance board.

In accordance with approved enterprise and/or OpDiv governance policies and procedures, the Business Owner must:

IT Portfolio Management

Propose candidate IT Investments that meet the business needs of the organization as well as the performance measurement targets;
Appoint qualified IT Investment Managers for each IT Investment;
Appoint a qualified IT Project Manager for each IT project within an IT Investment, in consultation with the IT Investment Manager;
Serve as the primary point of contact to the CIO and the designated IT governance board;
Review and implement IT governance board recommendations, as necessary;
Collaborate with the CISO community when utilizing an IT Investment with potential or designated HVAs and critical systems that support PMEFs and MEFs to ensure they are reviewed, understood, and consistent with established Department and federal policies, directives, guidance, and standards;
Review the proposed investment for potential risks relating to information security and data privacy; and
Collaborate with the Security team to assess and protect all the IT Investment against potential security risks.

CPIC

Obtain funding for the IT Investment and monitor IT Investment expenditures;
Approve the initial and subsequent changes to the IT Investment’s cost and schedule milestones and performance goals, in accordance with PBM;
Ensure that the IT Investment Manager and constituent IT project teams comply with EA, Security, Records Management, Enterprise Performance Life Cycle (EPLC), PBM, and this Policy as well as legislation, regulations, and other guidance identified in Section 5: Authorities;
Ensure that the IT Investment Manager and Project Manager have appropriate training and qualifications and the support and resources required to successfully plan, execute, and manage IT Investment risk; and
Take appropriate action to address IT Investment performance issues, including decisions made collaboratively with the organization’s CIO, IT governance board, and Contracting Officer.

Operational Analysis

Ensure that the OA is completed;
Identify the business needs and performance measures to be satisfied by an IT Investment;
Review the results of the OA and take appropriate action to address persistent IT Investment performance issues, including decisions to discontinue non-performing IT Investments;
Provide the OA decision recommendation on whether an Investment is meeting its performance goals and the appropriate next steps; and
Review and approve the disposition plans of IT Investments and ensure appropriate management of data or records. Authorize the execution of the disposition plan.

7.14. IT Investment Manager

The IT Investment Manager is accountable to the Business Owner for ensuring that the IT Investment meets business requirements in a cost effective and efficient manner. The IT Investment Manager provides information or reports to the OpDiv IT CPIC Officer, HHS IT CPIC Officer and the OpDiv CIO.

As directed by the Business Owner, the IT Investment Manager must:

CPIC

Oversee, execute, and manage the scope, cost and schedule baselines, and the reporting of IT projects associated with the Investment;
Update Folio with approved or updated project baselines within 30 days of approval;
Ensure all Investment documentation and artifacts are periodically updated and provided upon request;
Provide requested Investment documentations and artifacts;
Prepare Corrective Action Plans when a cost or schedule variance exceeds established thresholds and document justifications of cost or schedule variance;
Comply with CPIC legislation, regulations, and other guidance;
Execute CPIC procedures in a timely manner to ensure that all CPIC process milestones are met and ensure that the IT Investment’s constituent IT project teams comply with legislation, regulations, and other guidance; and
Manage the integration of supporting projects.

Operational Analysis

Schedule, prepare, and coordinate execution of the PIRs at the project level and annual OA at the investment level;
Ensure that the metrics and associated data collection methods to measure the IT Investment’s operational performance are developed and tested prior to the transition of the IT Investment to steady-state;
Report the results of annual OAs of steady-state IT Investments in compliance with the EPLC Policy;
Prepare and present for approval a disposition plan. When appropriate, provide OA recommendations;
Designate one or more IT Operations Managers, as needed, to oversee and report the results of the OA if the IT Investment is of sufficient complexity;
Submit the results of the OA and any subsequent revisions to the OpDiv or HHS CPIC staff;
Provide OA artifacts to OMB within five business days (if requested);
Ensure Investment OA artifacts are documented and up-to-date; and
Execute an approved disposition plan, as directed by the Business Owner.

CIO Rating and Risk Evaluation

Monitor and report the performance of projects associated with the Investment, manage Investment risk and alert the OpDiv IT CPIC Officer or OpDiv CIO of significant issues and planned corrective actions; and
Coordinate and oversee IT project Corrective Action Plans when a cost or schedule variance exceeds established thresholds.

Incremental Development Certification

Ensure the Investment projects consider and adopt Incremental Development as a development methodology, as appropriate.

Technology Business Management

Report IT Investment costs and Budget Submission using the TBM Taxonomy. Ensure accurate cost allocation across the TBM cost categories.

7.15. IT Project Manager

As directed by the IT Investment Manager, the IT Project Manager must:

CPIC

Plan and manage the cost, schedule, and scope of the IT project; and
Comply with legislation, regulations, and other guidance particularly with EPLC requirements for project planning and execution.

Operational Analysis

Conduct and report the results of annual OAs of steady-state IT investments as directed by the IT Investment Manager.

CIO Rating and Risk Evaluation

Report project performance to the IT Investment Manager, manage project risk, and proactively alert the IT Investment Manager of significant issues and planned corrective actions; and
Submit IT project Corrective Action Plans when a cost or schedule variance exceeds established thresholds, justifications of a cost or schedule zero variance, and Baseline Change Requests.

Incremental Development Certification

Ensure the OpDiv IT projects considered and adopted Incremental Development as a development methodology, as appropriate.

7.16. Critical Partners

The CPIC Critical Partners have the primary responsibility to review IT Investment projects for completeness, accuracy, and adequacy at specified Stage Gate Reviews to ensure that the projects meet the necessary requirements. They assist in making timely tradeoff decisions where conflicts arise during the planning and execution of a project. These stakeholders will provide recommendations on any issues identified to the IT Governance organization and Business Owners based on their review. Because organizational structures vary within HHS and the OpDivs, the expertise for these Critical Partner roles may be fulfilled from a mixture of organizations, as appropriate.

As directed by the IT governance board, the Critical Partners will:

CPIC

Review the progress of IT projects associated with IT Investments to ensure compliance with HHS policies, applicable laws and guidance, and HHS-adopted government and industry best practices in their respective functional areas;
Provide recommendations to the IT governance bodies, Business Owners, and IT Investment Managers on issues identified in those functional areas; and
Collaborate with other critical partners to ensure consistency of information, and accuracy of the Investment or System Inventory.

8. Information and Assistance

HHS OCIO IT Portfolio Management is responsible for the development and management of this Policy. Questions, comments, suggestions, and requests for information about this Policy should be directed to HHSPortfolioManagement@HHS.gov.

9. Effective Date and Implementation

The effective date of this Policy is the date on which the policy is approved. This Policy must be reviewed, at a minimum, every three (3) years from the approval date. The HHS CIO has the authority to grant a one (1) year extension of the policy. To archive this Policy, approval must be granted, in writing, by the HHS CIO.

10. Approval

/S/

Janet Vogel, HHS CIO (Acting)

09/23/2021

Appendix A: Procedures

Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.

A1. CIO Risk Ratings and Evaluation

The CIO Rating and Risk Evaluation is required of all OpDivs to analyze and assess their IT Investments for risks and performance. The risks assessed include assessments for HVAs and critical systems. The CIO Rating provides CIO numeric evaluation (ranging from 1 – High Risk to 5 – Low Risk) for all Major IT Investments that reflects the OpDiv CIO's best judgement of the current level of risk for the Investment in terms of its ability to accomplish its goals. However, HHS currently utilizes a 3-point scale ranging from 2 to 4, to reduce the impact of high variances. The methodology for calculating the CIO Risk Ratings and Evaluation scores is included below:

1. The Risk Rating factors evaluated and score weightings are provided in the table below:

CIO Risk Rating Factors & Score Weighting
CIO Risk Rating Factors	Score Weighting
Risk Management	30%
Requirements Management	25%
Contractor Oversight	15%
Performance	25%
Human Capital	5%
Total Self-Assessment Score	100%

2. Each Major IT Investment is assessed by the Investment Manager against the 5 weighted Risk Rating Factors listed above. Each of the 5 factors are self-assessed through response selections to a set of survey questions, and the survey answers are evaluated on a 3-point scale as shown below:

Sample of CIO Risk Rating 3-point Scale
Risk Management	Requirements Management	Contractor Oversight	Performance	Human Capital	Self-Assessed Score
4	4	4	4	4	Low Risk
3	3	3	3	3	Medium Risk
2	2	2	2	2	High Risk

The Self-Assessed Score which also ranges from 2 (High Risk) to 4 (Low Risk) is the weighted average of the 5 Risk Factors.

3. The OpDiv CIO provides input for the CIO Discretionary Rating which may upgrade, downgrade or keep the CIO Rating score same as the Self-Assessed Score. The OpDiv CIO uses discretion to complete the question below:

CIO Discretionary Rating
CIO Discretion Question	CIO Discretionary Ratings Options	CIO Evaluation Score
CIO Entry: Evaluate the overall management and performance of the Investment	Low Risk	4
CIO Entry: Evaluate the overall management and performance of the Investment	Medium Risk	3
CIO Entry: Evaluate the overall management and performance of the Investment	High Risk	2

For more information, refer to Folio or the CIO Risk Rating and Evaluation workbook.

A2. Operational Analysis

An OA for Major IT Investments must at a minimum cover the areas defined below. The required content implements the recommendations of the OMB Capital Programming Guide, Supplement to OMB Circular A-11, Part 7, which states that beyond the typical developmental performance measures of cost and schedule performance, an OA should seek to answer more subjective questions in the specific areas of: Customer Satisfaction, Strategic and Business Results, Financial Performance, and Innovation. The GAO Report: Agencies Need to Strengthen Oversight of Multibillion Dollar Investments in Operations and Maintenance recommends the 17 key factors listed below. All OAs need to address these 17 key factors.

Operational Analysis Required Content
OA Subsection	Description	OA Key Factors
Customer and Stakeholder Satisfaction	Assesses feedback from customers and stakeholders to determine the extent to which the Investment supports customer needs as designed.	Identifies whether the Investment supports customer processes as designed and is delivering the goods and services it was designed to deliver
Strategic and Business Results	Measures and evaluates the Investment's impact on the performance of the OpDiv and HHS to determine how well the Investment is meeting business needs in its strategic alignment and business impact.	Includes a structured assessment of performance goals (i.e., measures the performance of the Investment against established goals)
Strategic and Business Results	Measures and evaluates the Investment's impact on the performance of the OpDiv and HHS to determine how well the Investment is meeting business needs in its strategic alignment and business impact.	Measures the effect the Investment has on the performing organization itself
Strategic and Business Results	Measures and evaluates the Investment's impact on the performance of the OpDiv and HHS to determine how well the Investment is meeting business needs in its strategic alignment and business impact.	Measure how well the Investment contributes to achieving the organization's business needs and strategic goals
Strategic and Business Results	Measures and evaluates the Investment's impact on the performance of the OpDiv and HHS to determine how well the Investment is meeting business needs in its strategic alignment and business impact.	Identifies a need to redesign, modify, or terminate the Investment or System after a problem has been identified
Strategic and Business Results	Measures and evaluates the Investment's impact on the performance of the OpDiv and HHS to determine how well the Investment is meeting business needs in its strategic alignment and business impact.	Identifies any lessons learned
Financial Performance	Measures and assesses the Investment's current and expected performance compared to the pre-established cost baseline through performance baseline metrics, expenditures and comparative measures.	Assesses current costs against life-cycle cost
Financial Performance	Measures and assesses the Investment's current and expected performance compared to the pre-established cost baseline through performance baseline metrics, expenditures and comparative measures.	Includes a structured schedule assessment (i.e., measures the performance of the Investment against its established schedule)
Financial Performance	Measures and assesses the Investment's current and expected performance compared to the pre-established cost baseline through performance baseline metrics, expenditures and comparative measures.	Compares current performance with a pre-established cost baseline and estimates
Financial Performance	Measures and assesses the Investment's current and expected performance compared to the pre-established cost baseline through performance baseline metrics, expenditures and comparative measures.	Includes an ongoing review of the risks statuses identified in the Investment's planning and acquisition phases
Financial Performance	Measures and assesses the Investment's current and expected performance compared to the pre-established cost baseline through performance baseline metrics, expenditures and comparative measures.	Identifies if the Investment had a cost or schedule variance
Innovation	An opportunity to conduct a qualitative analysis of the Investment's performance within the previously mentioned areas – demonstrating that alternative methods for meeting the same needs have been revisited.	Identifies any areas for innovation in the areas of customer satisfaction, strategic and business results, and financial performance
Innovation	An opportunity to conduct a qualitative analysis of the Investment's performance within the previously mentioned areas – demonstrating that alternative methods for meeting the same needs have been revisited.	Identifies if the agency revisited alternative methods for achieving the same mission needs and strategic goals
Innovation	An opportunity to conduct a qualitative analysis of the Investment's performance within the previously mentioned areas – demonstrating that alternative methods for meeting the same needs have been revisited.	Addresses issues such as greater utilization of technology or consolidation of Investments to better meet organizational goals
Innovation	An opportunity to conduct a qualitative analysis of the Investment's performance within the previously mentioned areas – demonstrating that alternative methods for meeting the same needs have been revisited.	Includes an analysis on the need for improved methodology (i.e., better ways for the Investment to meet cost and performance goals)
Innovation	An opportunity to conduct a qualitative analysis of the Investment's performance within the previously mentioned areas – demonstrating that alternative methods for meeting the same needs have been revisited.	Includes information on the overlap of the Investment with other systems
Investment Recommendation		Provides a recommendation to the OpDiv governance board regarding next steps for the IT Investment. The recommendation might include one or more of the following conclusions: Continue the IT Investment without adjustment Modify the associated business processes Increase operational management controls Reduce or increase funding to sustain current operating levels Enhance one or more of the IT Investment's products or services, or acquire a new product or service Retire or replace one or more of the IT Investment's IT products or services Restructure the IT Investment by incorporating another IT Investment's IT products or services, or transfer the IT Investment's products or services to another IT Investment

A3. Technology Business Management

To successfully implement TBM, each OpDiv should adopt a TBM methodology consistent with the:

Identification of key players and stakeholders such as Business Stakeholders, Financial Analysts, and Acquisition Professionals. These key players are required to collaborate through the collection, analysis, reporting and review of IT data. The TBM support staff are supported by Stakeholders, Sponsors, Financial/Budget Analysts, Acquisition Professionals, and Data Stewards.
Creation of a TBM Roadmap that identifies the current state and future state and incorporates the necessary business processes, data collection efforts and aggregation methods required to achieve success.
Identification of measurable outcomes to determine the level of success and areas with opportunities for improvement.
Alignment of IT cost data to cost pools, and to the IT towers using a bottom-up approach.
Utilization of information and insights gathered from the additional line of sight provided by TBM data.
Integration of TBM principles, data and value discussions into IT processes and activities across the Department. OpDivs and StaffDivs are required to request the use of TBM cost categories from IT staff and vendors when completing acquisition or contract documents.
Assessment of TBM maturity and identification of opportunities to maximize TBM implementation and improvement.

The 7 steps described are part of the General Services Administration (GSA) TBM Playbook to achieve successful TBM implementation. The steps are a plan of action and strategy that offer guidance for TBM implementation success based on lessons learned. The 7 steps include:

1. Identify key players and stakeholders. An effective TBM program requires active collaboration between stakeholders, financials analysts, and IT and acquisition professionals. While non-exhaustive, the TBM team at a minimum should consist of the following key roles and responsibilities:

TBM Team Key Roles
Resource	Typical Background	Responsibilities
Executive Sponsor	CIO, CTO, CFO	Takes personal ownership of the TBM transformation; ensures resources are available, articulates a compelling vision, removes barriers, and drives accountability.
TBM Program Manager	Budget or Resource Management	Leads the TBM implementation team and works with leadership to identify desired outcomes and set strategy for the TBM project.
TBM Analysts	Financial Management, IT Analyst	Manages the TBM cost model, transform data, build reports, and trains users; work with stakeholders to improve reporting and analyze output.
Agency Stakeholders	CHCO, CAO, Senior Leadership, Others	Reviews the TBM outputs and holds the decision-making responsibility around how business and IT will work together to complete the agency mission and fund IT requirements.
Data Owners	Finance/Budget. Contracts, Infrastructure, Application, Services	Responsible for providing data required to implement TBM.
Subject Matter Experts (SME)	Specialized analyst	Provides input and guidance; execute planned activities; identify issues as they arise.

Target Output: Dedicated TBM team with support from a broad set of stakeholders and data stewards.

2. Create a roadmap to identify the current state and desired future state and incorporate the necessary activities, processes, data collection efforts and aggregation methods required to achieve success. It is important to determine the scope, organizational structure, the key players, their roles and activities needed to achieve the desired future state, while incorporating a timeline.

Target Output: Document current state, identify gaps and areas of improvement, and define scope of implementation.

3. Identify measurable outcomes, in order to determine the level of success achieved and areas with opportunities for improvement. While TBM provides a common taxonomy applicable to all organizations, the use cases and outcomes should be tailored to meet the needs of your organization. Through increased cost transparency, TBM can produce outcomes to help answer stakeholder questions such as those listed below:

Stakeholder Questions answered by use of TBM
Resource	Responsibilities
Agency	Why are IT costs on the rise? How does our IT spend compare to other organizations?
CIO	What is the cost to run certain applications? Can I save money by migrating applications to the cloud?
CFO	Is IT spending aligning with the financial plan and agency strategy? How do current spending patterns affect future budget projections and needs?
CAO	What is total spend across similar vendors? What is the mix of internal and external labor that supports each IT function and how to plan acquire needed resources?

Target Output: Identification of near and long-term outcomes.

4. Align cost data to TBM taxonomy using TBM cost categories: cost pools, sub-pools, IT towers and sub-towers. A bottom-up approach to cost mapping is recommended, starting with aligning financial data to cost pools before moving to IT towers. If experiencing data challenges, make valid assumptions with plans to make improvements over time. Ensure the TBM team reviews and gains consensus on TBM definitions in order to unify communication with stakeholders, minimize discrepancy while gaining consistency.

Target Output: First draft of IT costs mapped to the TBM taxonomy.

5. Look for insights and benefits that can be derived from cost data alignment. The TBM implementation team should review the data to see how it provides insights into issues or benefits around the identified outcomes. The purpose of TBM is to give decision makers the data needed to have value-driven discussions around the cost and value of IT. Transparency and increased understanding lead to strengthening trust amongst stakeholders and IT users. Common Insights from TBM discussions:

Is the percentage of spending between the different cost pools and towers expected?
Are several offices spending similar amounts on the same towers? Should they be?
Are there large gaps in data that data owners could fill in the next iteration?

Target Output: Documented insights that lead to decisions or further analysis.

6. Adopt and rollout TBM. This step involves integrating TBM principles, data and value discussions into meetings and funding reviews. Ways to socialize TBM with stakeholders include:

Using TBM terms such as cost pools, towers and services when discussing IT spending.
Providing links to reference documents that contain visuals and definitions.
Presenting reports in TBM format so stakeholders can acclimatize and look for insights while reviewing data.
Documenting and demonstrating how decisions are made using TBM data.
Discussion on what the TBM team and stakeholders are working on next.
Invite all stakeholders to be active participants in TBM activities.

Target Output: Share awareness of TBM goals, terminology, and achievements across the agency to increase activity participation in TBM discussions and activities.

7. Continue to mature TBM processes across your organization. Based on initial TBM rollout and adoption, assess TBM maturity and identify opportunities to derive greater TBM impact over time. A great way to measure maturity is to establish target TBM metrics and measure progress routinely. The metrics should be related to TBM outcomes similar to some of the examples below:

Sample Target TBM Metric
Metric	Rationale/Actions to Improve	Calculation
Cost of IT Service/User (Year over year trend vs. target)	Important for internal IT team to bring together the Capital expenditure and Operating expenditure side of IT costs and for business to understand their cost usage while accounting for the number of users. The goal could be to aim to reduce the year-over-year costs.	IT service total cost of ownership/ number of users

Additionally, you can help mature your TBM implementation through these steps:

Continue change management activities including outreach and training activities.
As you achieve an acceptable level of maturity with TBM data for a particular area or data set, then select the next data set or focus area.
Improve the data you already have based on feedback from stakeholders.
Assess TBM activities semi-annually to determine what is working well or when a change in direction or focus is needed.

Target Output: Established metrics and review cycle to identify how TBM data and models are maturing and improving.

NOTE: Once finalized by OMB, the TBM cost allocation framework to be used across Federal agencies will be added to this Policy.

A4. HHS IT Portfolio Reviews

The HHS IT Portfolio Reviews are annual meetings between each of the OpDivs and the HHS CIO to review the OpDiv's management of their IT Investment portfolio and the fiscal year budget request. Every year, all ten HHS OpDivs (ACF, ACL, AHRQ, CDC, CMS, FDA, HRSA, IHS, NIH, and SAMHSA) and OIG are required to attend the IT Portfolio Review meetings, prior to the submission of their fiscal year budget to OMB. The following executives are required to attend each year's Budget and Portfolio Review meeting:

The HHS CIO
The HHS Chief Financial Officer (CFO) or Budget Officer
The OpDiv CIO
The OpDiv CFO or Budget Officer

Prior to the Budget and Portfolio Review Meetings, the HHS CIO may request additional artifacts and documentation of the OpDiv's IT Portfolio to be presented at the meeting. During the meetings, all four executives in attendance must discuss and review the OpDiv's IT Investments, Portfolio Management processes, the use of Incremental Development on Investment projects in development, Operational Analyses of steady-state Investments or the steady-state portion of mixed life cycle Investments, FY budget request for Major Investments, the OpDiv's IT Portfolio Summary, the budget and strategic plans for out years and other supporting artifacts requested by the HHS OCIO or Office of Finance/Budget. The outcomes and action items will be documented and tracked until they are resolved or closed.

As an outcome of the meeting, both the HHS CIO and the OpDiv CIO must sign off on the HHS IT Resource Statement for that OpDiv. The IT Resource Statement should certify that:

The HHS CIO collaborated with the OpDiv CIO and Budget Officers on the IT Budget Submissions, and that it includes appropriate estimates of all IT resources included in the budget request/President's budget.
A statement from the CIO indicating the extent to which the CIO has reviewed and had significant input in approving IT Investments included in the budget request.
A joint certification statement from the CIO and Budget Officers identifying the extent to which the CIO had a significant role in reviewing planned IT support for major programs and significant increases and decreases in IT resources reflected in the budget.
An update of the CIO's common baseline rating for Element D of FITARA ("D1. CIO reviews and approves Major IT Investment portion of the budget request") to show whether the desired development outcome is
1. Incomplete – Agency has not started development of a plan describing the changes it will take to ensure that all baseline FITARA responsibilities are in place.
2. Partially Addressed – Agency is working to develop a plan describing the changes it will make to ensure that all baseline FITARA responsibilities are in place.
3. Fully Implemented – Agency has developed and implemented its plan to ensure that all common baseline FITARA responsibilities are in place.
The extent to which the CIO can certify the use of Incremental Development by each OpDiv.
The extent to which the CISO can certify the adoption of Security protocols and compliance with the HHS Information Security and Privacy Policy.

Appendix B: Standards

Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.

No standards are required to comply with this Policy.

Appendix C: Guidance

Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.

C1. IT Investment Classification and Reporting Requirements

CPIC Process

The HHS CPIC consists of three phases: Select, Control, and Evaluate.

Select Phase

The Select Phase includes the processes and activities to determine the best IT Investments to help accomplish the organization's mission. While not limited to the following criteria, IT Investments proposed and selected for funding must:

Support core/priority mission functions performed by HHS.
Be consistent with applicable Federal, HHS, and OpDiv Enterprise and Information Architectures.
Integrate organizational work processes and information flows with technology to achieve the organization's strategic goals.
Reflect the organization's technology vision.
Adhere to standards that enable information exchange and resource sharing, while retaining flexibility in the choice of suppliers and in the design of local work processes.

Control Phase

The Control Phase consists of continuous management in monitoring a project's cost, schedule, and performance during development and deployment through the EPLC Process.

The IT Investment's periodic PBM reports and reviews may result in a recommendation to the IT Investment's CIO to modify, suspend, or terminate an IT Investment.
The results of the EPLC stage gate reviews of an IT Investment's IT project(s) may include a recommendation to the appropriate IT governance board, the IT Investment's CIO, and Business Owner to modify, suspend, or terminate an IT project.

Evaluate Phase

Each IT Investment that has received approval to transition to steady-state will conduct Operational Analyses, Alternatives Analyses, and Post-Implementation Reviews (PIR) after a period of sustained operation.

C2. HHS IT Governance

The illustration below shows the relationship between the IT Governance bodies at HHS. The OpDiv IT Governance Board is responsible for reviewing all OpDiv IT Investments to ensure adequate management, effective and efficient use of IT budget, Investment selection based on established criteria and alignment with the OpDiv's mission. The HHS AMD ITSC led by the HHS CIO oversees all Major IT Investments and enterprise-level Investments across the department to advance innovation and improve value, effectiveness, and efficiency of HHS IT. Given the high visibility and criticality to HHS' mission, all Major IT Investments under the purview of the AMD ITSC may be reviewed or audited at the discretion of the HHS CIO. The AMD ITSC is supported in its activities and decision-making process by the four subcommittees listed below. In addition to these subcommittees, the AMD ITSC is also supported by the HHS CISO and OpDiv CISOs.

Enterprise Review Board (ERB): Reviews, analyzes, and decides upon the components of IT Investments at the project level and informs the ITSC of the outcome of their reviews.
CISO Council: Reviews IT Investments for information security and data privacy.
CIO Council: Reviews, approves, and makes final decisions on matters related to agency-wide technical architecture, infrastructure, security, and strategic use of IT.
508 Operations Board: Reviews information and communication technology on the technical standards needed to comply with the Section 508 accessibility requirements.

C3. Portfolio Management Schedule of Activities

Activity	Estimated Timeframe	Frequency
OMB releases the Annual OMB Circular A-11 / Capital Planning – IT Budget Capital Planning Guidance	May – Aug	Annually
Official IT Budget preparation and submission Submit Agency IT Portfolio Summary (AITPS) Submit Agency Budget Accounts Summary Submit Agency IT Portfolio Summary Details (AITPSD) Major IT Business Case Major IT Business Case Details Contracts Report Submission Validation Submissions transmitted to OMB	Aug – Sep	Annually
Incremental Development Certification for Major IT Investments	Aug – Sep	Annually
OMB President's Budget Submission	Jan-Feb	Annually
Operational Analysis for Major IT Investments	Investment dependent	Annually
Investment Alternative Analysis	Investment dependent	Tri-Annual
CIO Ratings and Risk Evaluation	Month End	Monthly
Federal IT Dashboard Monthly Control and Variance Reporting	Month End	Monthly
HHS CPIC Conference Calls	N/A	Bi-weekly

*Note: IT Budget Submission requirements, frequency and estimated timeframe are subject to change based on OMB guidance.

Appendix D: Forms and Templates

Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.

D1. The HHS IT Resource Statement:

The HHS IT Resource Statement will serve as the HHS IT Portfolio and Investment Review Certification for each OpDiv.
Both the HHS CIO and OpDiv CIO will sign the HHS IT Resource Statement to certify the OpDiv IT portfolio has been reviewed for adequate management practices and budget/funding data.
The HHS IT Portfolio Summary includes a statement from the HHS CIO certifying the extent to which HHS IT Investments adequately use Incremental Development methodologies.
The HHS IT Portfolio Summary includes a statement from the HHS CIO certifying the review and approval by both the HHS CISO and SAOP.
The HHS CIO will sign the IT Resource Statement and ensure the Resource Statement is posted to MAX.gov as defined in the IT Budget Capital Planning Guidance.
The HHS CIO will use the statement below in the HHS IT Resource Statement, in compliance with OMB Budget Justification- IT Resource Statement, OMB Circular A-11, Section 51.3, to certify adequate use of Incremental Development:
"The CIO certifies that all HHS OpDivs are using Incremental Development for projects where Incremental Development is an appropriate system development life cycle methodology."
HHS OpDiv CIOs must certify to the HHS CIO the use of Incremental Development for IT Investments and projects where Incremental Development is an appropriate system development life cycle methodology during the annual IT Portfolio Review Meetings and in the HHS IT Resource Statement as part of their annual IT budget submissions to the Department. The following statement should be included in the HHS IT Resource Statement:
"The OpDiv CIO certifies that the OpDiv is using Incremental Development for projects where Incremental Development is an appropriate system development life cycle methodology."

Annually, the HHS CIO and OpDiv CIOs are required to jointly certify the HHS IT Resource Statement during the Budget and Portfolio Review cycle.

The IT Resource Statement is required as part of the HHS Agency IT Portfolio annual submission.

MEMORANDUM

TO:

Office of E-Government
Office of Management and Budget

FROM:

{Insert Name for HHS CIO}
Chief Information Officer and Senior Agency Official for Privacy

DATE:

SUBJECT: OMB Budget Justification - Information Technology (IT) Resource Statement

Reference: OMB Circular A-11, Section 51.3
In accordance with OMB Circular A-11, Section 51.3, the Department of Health and Human Services (HHS) is providing this memorandum to demonstrate compliance with the following statements:
1. The Chief Information Officer (CIO) / Senior Agency Official for Privacy (SAOP) conducted a joint review with each component CIO and the Chief Financial Officer (CFO) on the FY20XX IT Budget Submission.
2. The HHS CIO affirms that the HHS CIO has reviewed and approved all the Operating Divisions' (OpDivs') IT investments as part of planning budgetary estimates for all years of the HHS FY 20XX baseline budget submission:
3. The CIO and CFO affirm that the HHS CIO had a significant role in reviewing planned IT support for major programs and significant increases and decreases in IT resources reflected in the HHS FY20XX baseline budget submission.
4. The CIO affirms that HHS' implementation of FITARA Element D ("D1. CIO reviews and approves Major IT Investment portion of budget request") is Fully Implemented – HHS has developed and implemented its plan to ensure that all common baseline FITARA responsibilities are in place.
5. The CIO certifies that all HHS OpDivs are using Incremental Development for projects where Incremental Development is an appropriate system development life cycle methodology.
6. The HHS CISO and SAOP have reviewed the IT Budget submission. Security and Privacy requirements, as well as any associated costs, are explicitly identified and included with respect to any IT Security and Privacy for the information and information systems that support the operations and assets of the Department, including those provided or managed by another Federal agency, contractor, or other source. OpDivs must comply with and support the implementation of a Department-wide IT security and privacy program, to include compliance with Federal requirements and programmatic policies, standards, procedures, and IT security controls.
Summary: The HHS CIO and CFO have had a significant role in reviewing and approving the HHS IT baseline budget for FY20XX in accordance with applicable FITARA requirements.

Point of Contact: The point of contact for this memorandum is the HHS Portfolio Management Team, HHSPortfolioManagement@HHS.gov

D2. HHS Operational Analysis (OA) Template

The HHS OA Template is provided below as a reference. OpDivs may utilize their own OA Template as long as it is not less stringent than the one below. To download a fillable copy, reference this intranet link.

INVESTMENT OVERVIEW
Name of Investment	Instruction: Enter the name as it appears in Folio.
Unique Investment Identifier (UII)	*Instruction:* Insert in the following format XXX- XXXXXXXXX
OpDiv/Office
Investment Sponsor
Investment Manager
Program/Business Function supported by this Investment	*Instruction:* Enter the business functions and processes supported by this Investment based on the Federal Enterprise Architecture (FEA) Business Reference Model (BRM).
Dates this Operational Analysis (OA) Report covers	Instruction: Enter the dates for which the analysis covers (e.g., 10/1/2020 – 09/30/2021).
Dates of last completed OA Report	*Instruction:* Enter the dates for the previously completed OA (e.g., 10/1/2019 – 09/30/2020). Enter "NA" if this is the first OA completed for this Investment.
Investment Description	*Instruction:* Provide an Investment summary and a description of the business processes it supports. Include information on the overlap of this Investment with other Investments (systems).

Investment’s Systems
System Names (Reconcile this list with the Systems Inventory in Folio)	DME or O&M	Date of Most Recent Upgrade or Re-engineering	Estimated # of Years until Retirement

Please list and provide more information on any other systems that rely on this Investment or system for their operations?

Customer and Stakeholder Satisfaction

1. Identify the end-users of this Investment and describe the process used to assess end-user/customer satisfaction (i.e., surveys, human centered design, user group meetings, reviews of help desk logs, etc.)

2. How is this Investment providing end-users/customers with the needed functionality and performance? Is there a need for additional functionality or performance enhancements? Note: Examine gaps in the Investments performance goals, technical performance limitations, and/or results from the user/customer survey. Please include the results of your analysis below. If in chart or graphical format, please include as an attachment in the appendix to this template.

Strategic and Business Results

1. Provide an annual assessment of Investment performance metrics, performance goals, and how this Investment continues to meet Agency Strategic goals.

2. List the top three Investment risks and their potential impact. Discuss any changes in operational risks for this Investment. (Note: a complete list of risks should be maintained and kept separate as part of the Investments Risk Management Plan/Risk Register.)

Risk Title - Description	Potential Impact	Mitigation	Comment

3. Discuss the performance components with regards to effectiveness, efficiency, productivity, availability, reliability, and maintainability (Use the table below).

Metric Description	Unit of Measure	Target	Actual

Include any lessons learned during the analysis period and if there are plans to make changes to any of the Investment components to improve upon these areas before any potential problems arise.

Financial Performance

1. Provide current costs against life cycle costs. Address any budgetary constraints/issues and how they are being managed.

2. Are there any cost and schedule variances? Is performance within acceptable limits (<10%)? If not, explain the excessive variance(s), and the corrective actions with results, if applicable.

3. Identify current cost baselines related to ongoing operations and maintenance costs and/or innovation/modernization projects costs within this Investment and compare with current cost performance.

4. What future cost savings or cost avoidance can be expected over the next 12 months?

Innovation

1. Describe the near term (i.e. 1-2 year) and long term (i.e. >2 years) plans for this Investment. If these plans include enhancements or terminations, please summarize the actions to be taken. Are there plans to improve the Investment in the areas of financial performance, customer satisfaction, and/or strategic and business results through process improvements, utilization of new technology, or consolidation of Investments to better meet organizational goals?

2. Have alternative methods for achieving the same mission needs and strategic goals been evaluated or revisited? Why or why not? Are there plans for system upgrades, re-engineering, redesigns, retirement, and/or replacement not already noted above? If there are no current plans for system replacement, what is the estimated number of years before each system in this Investment will be retired/replaced? Are there new technologies or alternatives that could provide enhanced functionality at a lower cost (such as shared services and/or cloud computing solutions)?

Recommendations

Instructions:

This section documents the Business Owner, Critical Partner, and IT Investment Governance Board recommendations for the IT Investment to:

Continue as is: The System or Investment is meeting its performance goals and objectives and is technically the most cost-effective option for achieving the benefits and outcomes for the stakeholders. Operations and Maintenance funding ONLY will be requested during the next budget cycle.
Initiate remediation action: The System or Investment is partially meeting its performance goals and objectives. Remediation will take place to address areas of vulnerability. Operations and Maintenance and Development Modernization and Enhancement funding will be requested during the next budget cycle.
Initiate innovation action: The System or Investment will be initiating innovations action to improve performance goals and objectives. Development Modernization and Enhancement funding will be requested during the next budget cycle.
Initiate modernization or replacement action: The System or Investment cannot meet performance goals and objectives and will be modernized or replaced with another system or Investment. Development Modernization and Enhancement funding will be requested for under a new Investment or the existing Investment at the next budget cycle.
Initiate disposal action: The System or Investment no longer meets the performance goals or objectives of the agency. Future funding will not be requested.

Selection	Recommendation	Affected Systems
	Continue the IT Investment as is
	Initiate remediation action for the IT Investment
	Initiate Innovation action for the IT Investment
	Initiate modernization or replacement action for the IT Investment
	Initiate disposal action for the IT Investment

Signature:

Print Name:

Title/Role:

Date:

Glossary and Acronyms

Definitions:

Business Owner - The organizational executive who is the primary IT Investment customer, advocates for the IT Investment, and serves as the primary point of contact to the CIO and the IT Governance Board (or designated governance body).
Capital Planning and Investment Control (CPIC) - Is the decision-making process that ensures IT Investments integrate strategic planning, budgeting, procurement, and management with a focus on HHS missions and business needs.
CIO Risk Rating and Evaluation - Is the adopted methodology to evaluate Major IT Investments. OMB requires Federal CIOs to provide ratings for all Major IT Investments on the Federal IT Dashboard. The OpDiv CIOs are required to use their judgement to rate each IT Investment based on a set of pre-established criteria (Risk Rating factors) and calculation (CIO Rating score). The CIO’s ratings of Investments should reflect the Investments’ abilities to accomplish their set goals.
Cloud Computing - Is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Cloud computing promotes availability and is composed of five essential characteristics (On-demand self-service, Broad network access, Resource pooling, Rapid elasticity, Measured Service); three service models (Cloud Software as a Service (SaaS), Cloud Platform as a Service (PaaS), Cloud Infrastructure as a Service (IaaS)); and four deployment models (Private cloud, Community cloud, Public cloud, Hybrid cloud). Key enabling technologies include: (1) fast wide-area networks, (2) powerful, inexpensive server computers, and (3) high-performance virtualization for commodity hardware.
Development, Modernization & Enhancement (DME) – The projects and activities leading to new IT assets/systems, as well as projects and activities that change or modify existing IT assets to substantively improve capability or performance, implement legislative or regulatory requirements, or meet leadership request. DME activity may occur at any time during a program’s life cycle.
Enterprise Performance Life Cycle - A framework to enhance IT Governance through rigorous application of sound Investment and project management principles and industry best practices. The Enterprise Performance Life Cycle (EPLC) provides the context for the HHS IT Governance process and describes interdependencies between its project management, Investment management, and capital planning components. The EPLC is comprised of 10 phases – from initiation through disposition – and identifies the activities, roles and responsibilities, Stage Gate Reviews, and exit criteria for each phase. The EPLC framework complies with federal regulations and policies, industry best practices, and HHS policies and standards.
FOLIO – Is the HHS official System of Records for IT Investment Information, IT Governance information, Portfolio Management activities, which includes all CPIC activities and activities required for the official IT budget submission.
High Value Asset (HVA) – Is a designation for Federal information or a federal information system that is considered vital to an agency fulfilling its primary mission or is considered essential to an agency’s security and resilience.
Incremental Development Certification – Establishes the procedures for the HHS Chief Information Officer (CIO) to certify that Development, Modernization, and Enhancements (DME) Investments use adequate Incremental Development methodologies to deliver useable functionality every six months.
Information Technology - Any equipment or interconnected system or subsystem of equipment used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. This includes equipment used by the executive agency directly or used by a contractor under a contract with the executive agency that (i) requires the use of such equipment, or (ii) requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. The term includes computer, ancillary equipment, software, firmware, and similar procedures, services (including support services), Web sites, subscriptions to electronic services and products, and related resources.
Investment Manager - The Investment Manager is responsible for planning and executing the investment to achieve approved baselines. The Investment Manager may or may not be a subject matter expert in the business area supported by the investment.
IT Investment - The acquisition of an IT asset and the management of that asset through its life cycle after the initial acquisition. An IT Investment can also refer to the expenditure of IT resources to address mission delivery and management support. An IT Investment may include a project or projects for the development, modernization, enhancement, or maintenance of a single IT asset or group of IT assets with related functionality, and the subsequent operation of those assets in a production environment. All IT Investments should have a defined life cycle with start and end dates, with the end date representing the end of the currently estimated useful life of the Investment. When the asset(s) is essentially replaced by a new system or technology, the replacement should be reported as a new, distinct Investment, with its own defined life cycle information.
IT Project - A temporary, planned endeavor funded by an approved IT Investment; thus achieving a specific goal and creating a unique product, service, or result. Projects have defined start and end points. Projects can be undertaken for the development, modernization, enhancement, disposal, or maintenance of an IT asset. Projects are composed of activities. When reporting project status, to the maximum extent practicable, Agencies should detail the characteristics of “increments” under modular contracting as described in the Information Technology Management Reform Act of 1996 (ITMRA, also known as the “Clinger Cohen Act”) and the characteristics of “useful segments,” as described in OMB Circular A-130.
IT Steering Committee (ITSC) - The ITSCs are organized into three distinct business areas, known as “domains”: Health and Human Services, Scientific Research, and Administration and Management. HHS IT Investments within the domain model are structured and mapped according to their business area. The ITSCs are responsible for directing strategy, policy, and standards surrounding these IT Investments.
The mission of each domain ITSC is to:
- Ensure HHS receives optimal value from IT Investments by addressing HHS-wide IT policy, procedure, and architecture issues.
- Maximize knowledge sharing, best practices, assets, and capabilities.
- Collaborate with OpDivs and StaffDivs to implement and execute an expedited IT Investment management process.
This governance framework provides greater visibility into division Investment decisions and allows for collaboration and coordination of HHS-wide initiatives that benefit the entire Department.
IT System - A discrete set of information resources organized for the collection, processing, maintenance, transmission, and dissemination of information, in accordance with defined procedures, whether automated or manual, to support HHS’, OpDivs’ or StaffDivs’ mission. An interconnected set of information resources under the same direct management control, which shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people. Refers to a set of information resources under the same management control that share common functionality and require the same level of security controls. Includes automated information system applications, enclaves, outsourced IT-based processes, and platform IT interconnections.
Lessons Learned - A document that summarizes information gained throughout the course of the Investment that can be used to benefit other Investments and projects in the organization. Lessons learned should draw from positive and negative Investment and project experiences and address the causes of issues, reasoning behind the corrective action chosen, and suggestions for future improvement.
Life Cycle - The duration of all activities associated with the Investment from its initiation through disposal of its assets.
Life Cycle Costs - All initial costs, plus the periodic or continuing costs of operation and maintenance (including staffing costs), and any costs of decommissioning or disposal.
Major IT Investment - An IT Investment that meets at least one of the following criteria: is designated by the HHS CIO as critical to the HHS mission or to the administration of programs, finances, property, or other resources; is for financial management and obligates more than $500K annually; requires special management attention because of its importance to the mission or function of HHS or an OpDiv; has a significant program or policy implication; has high executive visibility; has high development, operating, or maintenance costs, deemed by HHS as: annual costs equal to or greater than $10M, estimated life cycle costs equal to or greater than $75M; or is defined as Major by the HHS CIO.
Non-Major IT Investment - An IT Investment is classified as Non-Major when it: has total planned development, operating, or maintenance costs less than $10M in the budget year or has been designated by the HHS CIO as a Non-Major IT Investment.
Operational Analysis - An Operational Analysis (OA) evaluates IT Investment performance, user satisfaction with the IT Investment, the IT Investment’s adaptability to changing business needs, and new technologies that might improve the IT Investment. The OA review is diagnostic in nature and can lead to the initiation of development or maintenance activities.
Operations and Maintenance (O&M) - The activities related to the performance of routine, preventive, predictive, scheduled, and unscheduled actions aimed at preventing equipment failure or decline with the goal of increasing efficiency, reliability, and safety. The phase within the Capital Planning and Investment Control process which maintains the IT system(s) for ongoing activities within the production environment.
Policy - A policy is a set principles, rules, and guidelines formulated or adopted by an organization to reach its long-term goals.
Performance Baseline Management - A primary tool to measure IT Investment, IT project, or IT contract performance and identifying risk. The baseline identifies the work that will be accomplished, and defines the cost and schedule to accomplish that work. The Performance Baseline Measurement, which consists of the cost, schedule, and scope baseline, is derived from the scope of work described in a hierarchical Work Breakdown Structure (WBS) – which, in turn, decomposes the entire project into a logical structure of tasks and activities tied to deliverables and to assigned responsibilities – and the associated WBS dictionary. The Performance Baseline Measurement comprises:
- The cost baseline, which defines the approved, projected, time-phased, life-cycle costs for acquiring, operating, and disposing of the physical and/or logical system represented by the scope baseline.
- The schedule baseline, which is the approved timeline for acquiring, operating, and disposing of the physical and/or logical IT asset/system.
- The scope baseline, which represents the configuration of the product of the project as developed and described in the project’s technical documentation.
The Performance Baseline Measurement is integrated where the time-phased cost baseline is consistent with the schedule baseline, and the costs are related to acquiring, operating, and disposing of the physical and/or logical IT asset represented by the scope baseline.
Steady State - Referring to an IT Investment, asset, project or services that is in the Operations and Maintenance phase of its life cycle, i.e., currently not in development but operational.
Technology Business Management (TBM) – Is an OMB-required IT management framework that implements a standard IT spend taxonomy to provide accurate and detailed understanding of IT costs to stakeholders and the IT community across federal agencies. TBM enables government organizations to disaggregate IT spending into smaller, consistent categories, thereby creating a more transparent bill of IT.

Acronyms:

AIMD – GAO’s Accounting and Information Management Division
AIS – Automated Information System
AMD – Administration & Management Domain
ANSI/EIA – American National Standards Institute/Electronic Industries Alliance
AO – Authorization Official
ASFR – Office of the Assistant Secretary for Financial Resources
CAIO – Chief Artificial Intelligence Officer
CCA – Clinger-Cohen Act of 1996
CFR – Code of Federal Regulations
CIO – Chief Information Officer
CIP – Critical Information Protection
CISO – Chief Information Security Officer
CPIC – Capital Planning and Investment Control
DA – Division of Acquisition
DME – Development Modernization and Enhancement
EA – Enterprise Architecture
EPLC – Enterprise Performance Life Cycle
FAC-P/PM – Federal Acquisition Certification for Program and Project Managers
FAR – Federal Acquisition Regulation
FCD-1 – Federal Continuity Directive 1
FCD-2 – Federal Continuity Directive 2
FISMA – Federal Information Security Modernization Act of 2002
FITARA – Federal Information Technology Acquisition Reform Act of 2014
GAO – Government Accountability Office
GSA – Government Services Administration
HHS – Health and Human Services, Department of
HHSAR – Health and Human Services Acquisition Regulation
HHSD – Health and Human Services Domain
IRM – Information Resource Management
IS2P – HHS Information Security and Privacy Policy
IT – Information Technology
ITMRA – Information Technology Management Reform Act
ITSC – Information Technology Steering Committee
MEF – Mission Essential Function
NARA – National Archives and Records Administration
O&M – Operations & Maintenance
OA – Operational Analysis
OAMP – Office of Acquisition Management and Policy
OCIO – Office of the Chief Information Officer
OFPP – Office of Federal Procurement Policy
OGAPA - Office of Grants and Acquisition Policy and Accountability
OMB – Office of Management and Budget
OpDiv – Operating Division
OS – Office of the Secretary
PBM – Performance Baseline Management
PfM – Portfolio Management
PIR – Post Implementation Review
PMEF – Primary Mission Essential Function
SOP – Senior Official for Privacy
StaffDiv – Staff Division
TBM – Technology Business Management

back to note 1

HHS Policy for Information Technology Portfolio Management (PfM)

Table of Contents

1. Nature of Changes

2. Purpose

3. Background

4. Scope

5. Authorities

6. Policy

6.1 Capital Planning and Investment Control (CPIC)

6.1.1. IT Investment Characteristics

6.1.1.1. IT Funding

6.1.2. IT Investment Classification

6.1.2.1. Major Investment Classification

6.1.2.2. Non-Major Investment Classification

6.1.2.3. Standard Investment Classification

6.1.2.4. Consideration of High Value Assets in Investment Classification

6.1.3. IT Investment Reporting Requirements

6.1.4. Cost and Schedule Milestones: Performance Baseline Management

6.1.5. TechStat and PortfolioStat

6.1.6. Investment Personnel Oversight

6.1.7. IT Governance

6.2. Operational Analysis

6.3. CIO Risk Ratings and Evaluation

6.4. Incremental Development Certification

6.5. Technology Business Management

7. Roles and Responsibilities

7.1. HHS CIO

7.2. HHS Chief Information Security Officer

7.3. HHS Chief Artificial Intelligence Officer

7.4. OpDiv CIOs

7.5. OpDiv CISOs

7.6. HHS IT CPIC Officer

7.7. OpDiv IT CPIC Officer

7.8. OpDiv System Administrators

7.9. OpDiv Senior Agency Official for Privacy (SAOP)

7.10. Senior Official for Ethics or Ethical Affairs

7.11. Enterprise IT Governance Board

7.12. OpDiv IT Governance Board

7.13. Business Owners

7.14. IT Investment Manager

7.15. IT Project Manager

7.16. Critical Partners

8. Information and Assistance

9. Effective Date and Implementation

10. Approval

Appendix A: Procedures

A1. CIO Risk Ratings and Evaluation

A2. Operational Analysis

A3. Technology Business Management

A4. HHS IT Portfolio Reviews

Appendix B: Standards

Appendix C: Guidance

C1. IT Investment Classification and Reporting Requirements

C2. HHS IT Governance

C3. Portfolio Management Schedule of Activities

Appendix D: Forms and Templates

D1. The HHS IT Resource Statement:

MEMORANDUM

D2. HHS Operational Analysis (OA) Template

Glossary and Acronyms

Definitions:

Acronyms: