HHS Information Systems Security Program Policy

The SME provides feedback to each of the commenters. In general, OCIO staff have up to 5 calendar days to complete their review, after which the SME provides a comment disposition to each responder. This 15 calendar day response time may be shortened if the responsibilities and goals of the OCIO warrant it, extended based on the size and complexity of the document, or extended if a number of policy documents are sent into review concurrently.

See Chapters 4 and 5. These policies and procedures will not be implemented in any recognized bargaining unit until the union has been provided notice of the proposed changes and given an opportunity to fully exercise its representational rights. It is HHS policy to consult with Indian people to the greatest practicable extent, and to the extent permitted by law, before taking actions that affect these governments and people; to assess the impact of the Department's plans, projects, programs and activities on tribal and other available resources; and to remove any procedural impediments to working directly with tribal governments or Indian people.

Background: Establishing IT policy-level requirements in a uniform manner yields consistent documentation and sets the expectations of the targeted audience. IT policy content shall contain, at a minimum, the following chapters in this order:

- Chapter 1. Purpose
- Chapter 2. Background
- Chapter 3. Scope
- Chapter 4. Policy
- Chapter 5. Roles and Responsibilities (as many breakdowns as needed)
- Chapter 6. Applicable Laws and Guidance (as many breakdowns as needed)
- Chapter 7. Information and Assistance
- Chapter 8. Approved
- Glossary (unnumbered)
- Appendices or Figures (lettered)

Each standard required chapter is described below. Purpose: describes the specific reason that the IT policy is being written. The three Department statements are:

Policy Format: all policies shall follow the standard format described below.

- Cover Page (mandatory): a standard policy cover page shall be used, as demonstrated by the cover page of this Policy.
- Nature of Changes (mandatory for revised policy only).
- Policy chapters: standard titles, order and numbering of chapters are mandatory.
- Glossary (mandatory).
- Appendices or Figures (optional).

The IT Investment or Project Manager must report, monitor, and implement actions as needed to correct variances from established IT Investment baselines, in order to reduce the risk of cost overruns, schedule delays, and uncontrolled changes in scope.

PortfolioStat is an in-depth review of a portfolio of IT Investments. Generally, the initial assessment of whether a TechStat or PortfolioStat is necessary is made using data from Folio. TechStat sessions review the overall management of an IT Investment, examine program performance data, and explore opportunities for corrective action. The criteria for selecting Investments for TechStat are: 

A PortfolioStat can be triggered if multiple IT Investments meet those criteria. All IT Investment Managers and IT Project Managers must attain the levels of knowledge, skills, and experience required for their respective roles in accordance with applicable HHS training and certification requirements.

HHS IT Governance drives information sharing, coordinates spending and oversight, and expedites decision making. Once IT Investments are operational, they must be reviewed at least annually for reselection. All Operational Analyses (OAs) should be signed by the appropriate Governance Board chair, or by a role with delegated authority, leveraging input from appropriate SMEs.

Incremental Development is the development methodology characterized by iterative processes in which Project functionality releases are produced in close collaboration with the users. This process improves Investment manageability, lowers the risk of project failure, shortens the time to realize value, and allows agencies to better adapt to changing needs. Technology Business Management (TBM) is the methodology created by the TBM Council to communicate the value of IT to stakeholders by focusing on cost transparency, delivery of value, identification of the total cost of IT, and shaping the demand for IT services.

TBM enables Federal agencies to align technology spending to agency mission and priorities, and provides a better method of communication and understanding for stakeholders and users of IT. The key executives, decision boards, and critical partners described in this section are required for HHS IT Investment planning, decision-making, and execution.

OpDivs are required to coordinate IT project governance and Investment management functions within their respective organizations and their OpDiv-level Governance Board. The IT Investment Manager is accountable to the Business Owner for ensuring that the IT Investment meets business requirements in a cost-effective and efficient manner. The CPIC (Capital Planning and Investment Control) Critical Partners have the primary responsibility to review IT Investment projects for completeness, accuracy, and adequacy at specified Stage Gate Reviews, to ensure that the projects meet the necessary requirements.

They assist in making timely tradeoff decisions where conflicts arise during the planning and execution of a project. These stakeholders will provide recommendations on any issues identified to the IT Governance organization and Business Owners based on their review. Because organizational structures vary within HHS and the OpDivs, the expertise for these Critical Partner roles may be fulfilled from a mixture of organizations, as appropriate.

The effective date of this Policy is the date on which the policy is approved. This Policy must be reviewed, at a minimum, every three (3) years from the approval date. Please note that this appendix is subject to change at any time. The risks assessed include assessments for HVAs (High Value Assets) and critical systems.

However, HHS currently uses a 3-point scale ranging from 2 to 4, to reduce the impact of high variances. Each of the 5 factors is self-assessed through response selections to a set of survey questions, and the survey answers are evaluated on a 3-point scale as shown below:

The required content implements the recommendations of the OMB Capital Programming Guide, Supplement to OMB Circular A, Part 7, which states that beyond the typical developmental performance measures of cost and schedule performance, an OA should seek to answer more subjective questions in the specific areas of Customer Satisfaction, Strategic and Business Results, Financial Performance, and Innovation.

All OAs need to address these 17 key factors. The steps below are a plan of action and strategy that offer guidance for TBM implementation success, based on lessons learned. The 7 steps include:

Identify key players and stakeholders. An effective TBM program requires active collaboration between stakeholders, financial analysts, and IT and acquisition professionals.

While non-exhaustive, the TBM team at a minimum should consist of the following key roles and responsibilities:

Create a roadmap to identify the current state and desired future state, and incorporate the activities, processes, data collection efforts and aggregation methods required to achieve success.

It is important to determine the scope, organizational structure, the key players, their roles and activities needed to achieve the desired future state, while incorporating a timeline.

Target Output: Document the current state, identify gaps and areas of improvement, and define the scope of implementation. Identify measurable outcomes, in order to determine the level of success achieved and the areas with opportunities for improvement. While TBM provides a common taxonomy applicable to all organizations, the use cases and outcomes should be tailored to the needs of your organization. Through increased cost transparency, TBM can produce outcomes that help answer stakeholder questions such as those listed below:

A bottom-up approach to cost mapping is recommended, starting with aligning financial data to cost pools before moving to IT towers. If experiencing data challenges, make valid assumptions with plans to make improvements over time.

Ensure the TBM team reviews and reaches consensus on TBM definitions, in order to unify communication with stakeholders, minimize discrepancies, and gain consistency. Look for insights and benefits that can be derived from cost data alignment.

The TBM implementation team should review the data to see how it provides insights into issues or benefits around the identified outcomes. The purpose of TBM is to give decision makers the data needed to have value-driven discussions around the cost and value of IT.

Transparency and increased understanding strengthen trust among stakeholders and IT users. Common insights from TBM discussions:

Adopt and roll out TBM. This step involves integrating TBM principles, data and value discussions into meetings and funding reviews. Ways to socialize TBM with stakeholders include:

Target Output: Share awareness of TBM goals, terminology, and achievements across the agency to increase participation in TBM discussions and activities.

Continue to mature TBM processes across your organization. A good way to measure maturity is to establish target TBM metrics and measure progress routinely. The metrics should be related to TBM outcomes, similar to the examples below:

Target Output: Established metrics and a review cycle to identify how TBM data and models are maturing and improving. The following executives are required to attend each year's Budget and Portfolio Review meeting:

The outcomes and action items will be documented and tracked until they are resolved or closed. The IT Resource Statement should certify that:

The Select Phase includes the processes and activities used to determine the IT Investments that best help accomplish the organization's mission. While not limited to the following criteria, IT Investments proposed and selected for funding must:

The Control Phase consists of continuous management in monitoring a project's cost, schedule, and performance during development and deployment through the EPLC (Enterprise Performance Life Cycle) Process. OpDivs may use their own OA Template as long as it is not less stringent than the one below. A fillable copy is available from the referenced intranet link.

Please list, and provide more information on, any other systems that rely on this Investment or system for their operations. Is there a need for additional functionality or performance enhancements?

Please include the results of your analysis below. If the results are in chart or graphical format, include them as an attachment in the appendix to this template. Provide an annual assessment of Investment performance metrics and performance goals, and of how this Investment continues to meet Agency strategic goals.

List the top three Investment risks and their potential impact. Discuss any changes in operational risks for this Investment. Discuss the performance components with regard to effectiveness, efficiency, productivity, availability, reliability, and maintainability. Use the table below.

Include any lessons learned during the analysis period, and whether there are plans to change any of the Investment components to improve these areas before potential problems arise. Provide current costs against life cycle costs. Are there any cost and schedule variances?

If so, explain the excessive variance(s) and the corrective actions, with results if applicable. Describe the near-term plans for the Investment. If these plans include enhancements or terminations, please summarize the actions to be taken. Have alternative methods for achieving the same mission needs and strategic goals been evaluated or revisited?

Why or why not? This governance framework provides greater visibility into division Investment decisions and allows for collaboration and coordination of HHS-wide initiatives that benefit the entire Department.

The executive branch of the federal government serves the American people through hundreds of thousands of employees located in offices across the nation.

Increasingly, the government is called upon to deliver more and better services to a growing population that continues to expect ever-increasing improvements in service delivery. The relationship between the executive branch and the employees who administer the functions of the government is one based on trust.

Consequently, employees are expected to follow rules and regulations and to be responsible for their own personal and professional conduct. This Policy does not supersede any other applicable law or higher-level agency directive, or existing labor management agreement in effect as of the effective date of this Policy.

Non-compliance with this policy and the RoB specified herein may be cause for disciplinary and non-disciplinary actions. Depending on the severity of the violation and management discretion, consequences may include one or more of the following actions:

Questions, comments, suggestions, and requests for information about this policy should be directed to HHS.Cybersecurity@hhs.gov. The effective date of this policy is the date on which the policy is approved. This policy must be reviewed, at a minimum, every three (3) years from the approval date. OpDivs shall implement this policy and the standard RoB within one hundred eighty (180) days of the issuance date. Please note that this appendix is subject to change at any time. OpDivs are responsible for implementing adequate security controls to ensure a high level of protection for all HHS information and information systems, commensurate with the level of risk.

In addition, they shall ensure that all employees, contractors, and other personnel using HHS information resources have the knowledge and skills required to appropriately use and protect HHS information and information systems.

Operating Divisions (OpDivs) are responsible for developing system-specific Rules of Behavior (RoB) and for ensuring that users read, acknowledge, and adhere to them.

Supplemental RoB shall be created for systems that require users to comply with rules beyond those contained in the RoB in Appendix D and, where applicable, Appendix E. In such cases, users must comply with the ongoing requirements of each individual system in order to obtain and retain access. OpDiv System Owners must document any additional system-specific RoB, and any recurring requirement to acknowledge the respective RoB, in their system security plans.

At a minimum, the system-specific RoB shall:

Users of HHS information and information systems shall read, acknowledge, and adhere to the following rules prior to accessing data and using HHS information and systems.

When using federal government systems and equipment, I must refrain from the following activities, which are strictly prohibited:

I have read the above RoB for General Users, and understand and agree to comply with the provisions stated herein.

I understand that exceptions to these RoB must be authorized in advance, in writing, by the designated authorizing officials. A Privileged User is a user who has been granted significantly elevated privileges for access to protected physical or logical resources. These privileges are typically allocated to system, network, security, and database administrators, as well as other IT administrators. A privileged user has the potential to compromise all three security objectives: confidentiality, integrity and availability.

Such users include, for example, security personnel or system administrators who are responsible for managing restricted physical locations or shared IT resources and who have been granted permissions to create new user accounts, modify user privileges, and make system changes. Examples of privileged users include:

The same signature acknowledgement process followed for the Appendix D General RoB applies to privileged user accounts. Each OpDiv must maintain a list of privileged users, the privileged accounts those users have access to, the permissions granted to each privileged account, and the authentication technology, or combination of technologies, required to use each privileged account.
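The four things the policy says the privileged-account list must record (user, account, permissions, authentication technology) are also what an auditor checks the list against. The following is an added example, not HHS code or part of the original policy: it validates a small constructed inventory against those four fields, flags duplicate rows and accounts with no accountable user, and, as an assumed local standard that the policy text itself does not state, requires the recorded authentication technology to be one of an approved multi-factor set. The inventory schema, the field names and the approved-technology set are all assumptions for this example.

```python
"""Audit a privileged-account inventory of the kind the RoB policy requires.

Added example, not HHS code. The policy requires each OpDiv to record, per
privileged account, the user, the account, the permissions granted, and the
authentication technology required to use it. The schema below and the rule
that every privileged account must use an approved multi-factor technology
are assumptions made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed: authentication technologies that count as approved multi-factor.
MULTI_FACTOR_TECHNOLOGIES = {"piv", "fido2", "piv+password", "hardware-token+pin"}


@dataclass(frozen=True)
class PrivilegedAccount:
    user: str                    # named individual accountable for the account
    account: str                 # privileged account identifier
    permissions: tuple[str, ...]  # permissions granted to the account
    auth_technology: str         # technology (or combination) required to log in


# Constructed sample inventory for the example; not real HHS data.
SAMPLE_INVENTORY = [
    PrivilegedAccount("jdoe", "jdoe-adm", ("create-accounts", "modify-privileges"), "piv"),
    PrivilegedAccount("asmith", "asmith-dba", ("db-admin",), "password"),      # single factor
    PrivilegedAccount("", "svc-backup", ("read-all-files",), "ssh-key"),        # no owner
    PrivilegedAccount("mlee", "mlee-sec", (), "fido2"),                         # no permissions
    PrivilegedAccount("jdoe", "jdoe-adm", ("create-accounts", "modify-privileges"), "piv"),  # duplicate
]


def audit_inventory(inventory: list[PrivilegedAccount]) -> list[tuple[str, str]]:
    """Return (account, finding) pairs; an empty list means the inventory passes."""
    findings: list[tuple[str, str]] = []
    seen: set[str] = set()
    for entry in inventory:
        # Each privileged account must appear exactly once so permissions are unambiguous.
        if entry.account in seen:
            findings.append((entry.account, "duplicate inventory row"))
            continue
        seen.add(entry.account)
        # Every privileged account must map to a named, accountable user.
        if not entry.user.strip():
            findings.append((entry.account, "no accountable user recorded"))
        # The permissions granted must be recorded, not left blank.
        if not entry.permissions:
            findings.append((entry.account, "no permissions recorded"))
        # The authentication technology must be recorded and (assumed rule) multi-factor.
        tech = entry.auth_technology.strip().lower()
        if not tech:
            findings.append((entry.account, "no authentication technology recorded"))
        elif tech not in MULTI_FACTOR_TECHNOLOGIES:
            findings.append((entry.account, f"'{tech}' is not an approved multi-factor technology"))
    return findings


def accounts_for_user(inventory: list[PrivilegedAccount], user: str) -> list[str]:
    """The user-to-account mapping the policy requires, for one named user."""
    return sorted({e.account for e in inventory if e.user == user})


if __name__ == "__main__":
    for account, finding in audit_inventory(SAMPLE_INVENTORY):
        print(f"{account}: {finding}")
```

Run against the constructed inventory, the audit reports the single-factor database account, the ownerless service account (twice: no user, and an SSH key as its only factor), the security account with no recorded permissions, and the duplicated administrator row; the clean first row produces nothing. Swapping in an export of a real inventory means only replacing SAMPLE_INVENTORY and, if the OpDiv's approved technologies differ, MULTI_FACTOR_TECHNOLOGIES.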
