
HHS Federal Information Technology Acquisition Reform Act (FITARA) Implementation-Revised HHS IT Governance Framework

Department of Health and Human Services
Office of the Chief Information Officer
October 25, 2016

As part of the Office of Management and Budget’s (OMB’s) approval of the Department of Health and Human Services’ (HHS’s) FITARA Implementation Plan, one of the four conditions was for HHS to publicly post a revised HHS IT Governance Framework. This document presents an overview of HHS’ current integrated governance framework for overseeing and managing information technology (IT), which includes several changes since HHS presented its FITARA implementation plan to OMB in 2015. HHS revised its Information Technology Governance Framework in light of these FITARA changes.

IT Governance and Management Processes  

The passage of FITARA has placed renewed emphasis on how federal agencies manage IT investments, budgets, and acquisitions, ensuring accountability and transparency at all levels of the Department. 

The integrated governance framework for IT depicts key relationships in the IT investment decision-making process at HHS (Figure 1), namely, the relationship between Operating Division (OpDiv)/Staff Division (StaffDiv) IT governance and that of the Department.

Figure 1: Revised HHS Integrated IT Governance Framework

Figure 1 description: This chart shows the Revised Information Technology Governance Framework. There are two levels. At the lowest level, the Operating Divisions and the Office of the Secretary have their respective information technology governance policies and procedures. These respective IT governance bodies pass information up to the Departmental governance bodies maintained by the Office of the Chief Information Officer, in the upper level of this Framework.

The IT Steering Committees (ITSCs), which are co-chaired by the HHS CIO, make IT investment and acquisition decisions not otherwise made at the OpDiv or StaffDiv level through formal delegations of decision making authority. The Department’s Integrated IT governance framework relies heavily on the work of OpDiv IT investment review and control mechanisms. Figure 2 below outlines the roles and responsibilities for each level in Figure 1 and the membership of these governance groups.

Figure 2: Revised IT Governance Roles and Responsibilities

| Body | Purpose / Scope | Membership | Decision Threshold |
|---|---|---|---|
| ITSCs (i.e., AMD, SRD, HHSD) | Department IT portfolio/budget review, priority setting, and approval, and other enterprise IT initiatives | CIO (Chair), Chief Acquisition Officer, ASFR, Selected OpDiv COOs (rotating co-chair assignment). | > $20 million/yr. or > $100 million over 5 yr. at first, but refined over time |
| Executive Review Board | Department IT investment and acquisition review support to ITSCs | Mirrors Consolidated ITSCs, but with OpDiv CIOs or designees | Below ITSCs’ and OpDiv thresholds |
| OpDiv/StaffDiv IT Governance | OpDiv/OS IT portfolio/budget review and approval; IT project oversight (EPLC) | As designated by OS/OpDiv | < $20 million/yr. or < $100 million over 5 yr. |

For IT investments and acquisitions that meet size or mission critical thresholds or have Department-wide implications, the HHS OCIO performs oversight through the Department-level IT governance processes. Typically, Department-level decision making is provided through the Administration Domain (AMD) ITSC. Increasingly, all three of the domain steering committees (AMD, the Scientific Research Domain (SRD) and the HHS Domain (HHSD)) are meeting together to make enterprise-level IT decisions. The Executive Review Board (ERB) conducts stage-gate reviews for selected department-level IT investments and makes some IT decisions in between regularly scheduled ITSC meetings. The CIO Council serves as the primary information sharing and collaboration forum for the CIO community across the Department and supports a number of communities of interest.

The HHS CIO continues to be a “full participant” in the HHS IT budget process, through the federated model for IT oversight where the vast majority of programmatic IT acquisition decisions are made at the OpDiv level. As noted above, the CIO, working through the ITSCs and ERB, may delegate IT investment and acquisition decision-making to OpDiv CIOs. These delegations are documented in formal delegations of authority memoranda from the HHS CIO to the respective OpDiv CIOs and are based on analysis of the maturity of OpDiv IT management policies and practices. In some cases, the CIO delegations of decision making authority include conditions that OpDivs must satisfy to retain their delegations. OpDivs must report the results of their IT decision-making and oversight processes to the HHS CIO as a condition of the delegations, and the delegations are subject to review and renewal each year.

The Enterprise Performance Life Cycle (EPLC) is the core of the Department’s IT oversight and provides a framework, with guiding principles, for the OpDivs to adapt to their unique organizational structures and missions. Consistent with the variety of missions, sizes of the organizations, and IT management capabilities that span the Department, the OpDivs rely on their own governance groups and processes for IT investment and acquisition review and approval. Based on a review of OpDiv IT management capabilities, the HHS CIO has delegated certain decisions to OpDiv CIOs, subject to an annual review and approval process. The HHS CIO retains the authority over the HHS IT Portfolio, or the aggregate of the OpDiv and StaffDivs’ portfolios, and therefore is a full participant in all IT spending decisions.

Summary of Revisions from Original FITARA Implementation Plan

Like many organizations, HHS’ IT decision-making, governance policies, and practices have evolved over time. The enactment of FITARA and the changes in leadership and organizational priorities across the Department provided HHS the opportunity to update governance policies and processes accordingly. Elements of the Department-level and OpDiv and StaffDiv-level IT oversight and governance mechanisms have been revised to clarify IT decision making authorities consistent with new CIO authorities and responsibilities under FITARA and to codify some changes in practice as follows:

  • The ITSCs have met as a single group to provide department-wide perspective on several key IT initiatives;
  • The AMD, in particular, is playing a more active role in reviewing and approving key IT spending and acquisition decisions;
  • The OCIO is formalizing an IT investment and acquisition oversight/governance group that will look across the Office of the Secretary’s (OS) StaffDivs much like an OpDiv CIO would coordinate and oversee efforts in the centers, institutes, and offices;
  • The HHS CIO has documented formal delegations of IT decision authority to selected OpDivs based on documented IT governance mechanisms at that level;
  • Where the HHS CIO has not approved a delegation of decision making authority to an OpDiv, OCIO is working to increase the IT management capacity so that the OpDiv can receive a delegation; and
  • Major IT acquisitions, strategies, and plans are being routed through OCIO for concurrence as part of the existing review and approval process run by the Department’s Senior Procurement Executive.

Next Steps

As part of the annual review of CIO decision-making delegation to OpDivs, OCIO will conduct an IT portfolio analysis along with an assessment of the effectiveness of documented OpDiv IT management processes. These analyses will assess the differing levels of IT management maturity among the OpDivs, which is often a function of the size of the organization, its IT spend, and its experience managing significant IT projects. HHS will use these two analyses to inform the future levels of delegated decision making authority from the HHS CIO to OpDiv CIOs.

Content created by Digital Communications Division (DCD)
Content last reviewed on November 1, 2016