Chapter 1 - Chief Information Officer
Part 8 - Information Resources Management
- PURPOSE. This chapter establishes the Indian Health Service (IHS) policies governing the responsibilities of the IHS Chief Information Officer (CIO) to ensure compliance with legislative- and executive-level guidance and to support the mission of the IHS.
- BACKGROUND. The scope and importance of the CIO have increased through the passage of the "Information Technology Management Reform Act of 1996," Clinger-Cohen Act (CCA), Division E, Public Law (P.L.) 104-106; the "The Federal Information Technology Acquisition Reform Act," and the pervasiveness of information technology (IT) and health IT in the delivery of health care and in today's technology driven world. The CIO is a member of senior management involved in establishing IHS directions, priorities, strategic plans, and investments.
- SCOPE. This chapter applies to all IHS organizational components including but not limited to Headquarters, Area Offices, and service units conducting business for and on behalf of the IHS through contractual relationships when using IHS IT and health IT resources. The policies contained in this chapter include but are not limited to; all IHS IT activities including procurement and implementation of IT, health IT resources, biomedical equipment and software, procedures associated with the administration and management of IT and health IT systems, and ancillary technologies that are employed in managing IT systems and activities. The policy includes IT operations associated with teleworking, travel, other off-site locations, and all IHS office locations. Agency officials will apply this chapter to contractor personnel, interns, externs, and other non-Government employees by incorporating such reference in contracts or memorandums of agreement as conditions for using Government-provided IT resources.
- Department of Health and Human Services (HHS):
- IRM Circular: No. IRM-101, "CIO Roles and Responsibilities," March 1999.
- "Operating Division Chief Information Officer (CIO) Delegation of Authority," from the Deputy Assistant Secretary for Information Technology and CIO, Office of the Assistant Secretary for Administration, HHS, dated October 3, 2016
- Federal Information Technology Acquisition Reform Act, Title VIII, Subtitle D of the National Defense Authorization Act (NDAA) for Fiscal Year 2015, P. L. No. 113-291.
- "Information Technology Management Reform Act of 1996," CCA, Division E, P.L. 104-106.
- Office of Management and Budget (OMB) Circular No. A-130, "Management of Federal Resources."
- OMB Memorandum M-15-14, "Management and Oversight of Federal Information Technology".
- "Paperwork Reduction Act of 1995," P.L. 104-13.
- Biomedical Systems. Biomedical equipment or clinical engineering equipment as defined IHS Part 5, Chapter 14, "Clinical Engineering Program," is equipment that interfaces with clinical programs (e.g., medical, pharmacy, dental, radiology/imaging, lab, etc.); IT and health IT systems.
- Capital Planning. Capital planning is a discipline used by management to reduce the risk and increase the return associated with making investments of capital assets.
- Capital Assets. Land, structures, equipment (including motor and aircraft fleets), and intellectual property (including software), which are used by the Federal Government and that have an estimated useful life of two years or more. Capital assets exclude items acquired for resale in the ordinary course of operations or held for the purpose of physical consumption such as operating materials and supplies. The cost of a capital asset is its full life-cycle costs, including all direct and indirect costs for planning, procurement (purchase price and all other costs incurred to bring it to a form and location suitable for its intended use), operations and maintenance (including service contracts), and disposal.
- Firmware. Firmware is software that is loaded into and executed from Read-Only-Memory. Firmware controls a computer between the time it is turned on and the time the primary operating system takes control of the machine. The firmware's responsibilities include testing and initializing the hardware, determining the hardware configuration, loading (or booting) the operating system, and providing interactive debugging facilities in case of faulty hardware or software.
- Hardware. The collection of physical elements that constitutes a computer system. Computer hardware is the physical parts or components of a computer, such as the monitor, keyboard, computer data storage, hard disk drive (HDD), graphics cards, sound cards, Random Access Memory, motherboard, and so on, all of which are tangible physical objects. By contrast, software (see definition below) consists of instructions that can be stored and run by hardware.
- Health Information Technology. Health IT is the use of computer hardware and software to privately and securely store, retrieve, and share patient health and medical information. When expressed more generally, health IT is a broad concept that encompasses an array of technologies to store, share, and analyze health information.
- Information Technology Enterprise Architecture. The IT enterprise architecture (EA) is an integrated framework for evolving or maintaining existing IT and acquiring new IT to achieve strategic and information resource management goals.
- Information Technology Management. Information technology management is the process of managing information resources to accomplish the Agency's mission and to improve Agency performance, including the reduction of information-collection burdens on the public.
- Information Technology. Definition as per OMB Memorandum M-15-14, dated June 10, 2015, "Information technology" includes:
- Any services or equipment, or interconnected system(s) or subsystem(s) of equipment, that are used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the agency; where such services or equipment are 'used by an agency' if used by the agency directly or if used by a contractor under a contract with the agency that requires either use of the services or equipment or requires use of the services or equipment to a significant extent in the performance of a service or the furnishing of a product.
- The term "information technology" includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including provisioned services such as cloud computing and support services that support any point of the lifecycle of the equipment or service), and related resources.
- The term "information technology" does not include any equipment that is acquired by a contractor incidental to a contract that does not require use of the equipment.
- For IHS purposes, the term "information technology" specifically includes the IHS network and devices connected to it, servers, computers, ancillary equipment including biomedical and networked laboratory equipment, software, firmware and similar procedures, services (including support services), and related resources.
- Information Technology Resources. Definition as per OMB Memorandum M-15-14, dated June 10, 2015, "Information technology" includes all:
- Agency budgetary resources, personnel, equipment, facilities, or services that are primarily used in the management, operation, acquisition, disposition, and transformation, or other activity related to the lifecycle of information technology;
- Acquisitions or interagency agreements that include information technology and the services or equipment provided by such acquisitions or interagency agreements; but
- Does not include grants to third parties which establish or support IT not operated directly by the Federal Government.
- Network. A computer network or data network is a telecommunications network that allows computers to exchange data.
- Operating System. An operating system (OS) is a software system that manages computer hardware and software resources and provides common services for computer programs. The operating system is a component of the software system in a computer system. Application programs usually require an operating system to function.
- Strategic Planning. Strategic planning is long-term planning (spanning the present through 5 years and beyond) that integrates organizational IT requirements and the projected activities over the planning period.
- Software. Computer software, or simply software, is part of a computer system that consists of encoded information or computer instructions, in contrast to the physical hardware from which the system is built. The term is roughly synonymous with computer program.
- Chief Information Officer, HHS:
- Retains authority over the IHS IT portfolio.
- May revoke the IHS CIO's October 3, 2016 delegated authority, as amended, with cause.
- Will provide mid-year and annual performance input to the Director, IHS, regarding the IHS CIO's performance.
- Shall play a role in the following staffing activities when the IHS hires an individual with the title and/or function of a CIO:
- Participate as a Subject Matter Expert in reviewing candidates.
- Participate in the interview process.
- Participate in the selection process.
- Director, IHS:
- Is responsible for designating the Director, Office of Information Technology (OIT), as the IHS CIO, subject to section F(1)d. above.
- Shall provide the IHS CIO with direct access to himself/herself regarding IT issues.
- Shall notify the HHS CIO when there is a personnel change in the IHS CIO position.
- Will ensure that any IHS decision maker for a particular contract or other agreement notifies the IHS CIO, prior to materially altering the underlying IT budget, acquisition strategy, and investment lifecycle to ensure that the HHS CIO and the IHS CIO meet the FITARA requirements to be a "full participant" in the governance process.
- Chief Information Officer. The Director, OIT, is the designated IHS CIO. The IHS CIO is responsible for the management, governance, and oversight of the IHS's decision making on IT budget strategies, technological advancements, IT security, compliance issues, policy development, and enterprise initiatives.
The IHS CIO is a member of the HHS CIO Council. The CIO Council defines and codifies the Department's IT infrastructure standards. The IHS CIO will ensure that the IHS IT architecture is built, modified, and securely operated in a way to conform to these standards. Additionally, the HHS CIO Council is an enterprise-wide committee responsible for reviewing the technical and managerial soundness of IT investments and providing technical recommendations to the HHS Information Technology Investment Review Board.
The IHS CIO is also a key member of the HHS management team for establishing the vision and strategic direction of the HHS enterprise. The CIO, in full partnership with IHS program executives, provides the necessary and critical perspectives as well as the methods and tools to achieve technology and business improvement.
The CIO is the IHS IT expert and information resources manager. The CIO assists IHS staff in properly using IT to the fullest extent possible while delivering high-quality products and services, and achieving the IHS mission and goal. The IHS CIO is responsible for the activities shown under the following major IT management and governance functions:
- Budget, Acquisition, and Investment Approval. The IHS CIO is authorized to approve the IHS IT budget, acquisitions (through acquisition strategy approval), and investments less than $20 million annually or $100 million over five years.
- The IHS CIO must ensure that all entrusted decision makers for contracts and agreements adhere to approved IHS governance requirements and policies.
- The IHS CIO shall maintain an IT governance structure ensuring that IT is well managed through select, control, and evaluate processes. Changes to the IHS IT governance plan must be approved by the HHS CIO.
- Personnel. The IHS CIO shall provide input into the annual HHS CIO Work Plan which is established by the HHS CIO.
- The IHS CIO will approve the IHS IT budget for each fiscal year. The IHS CIO will send the approved budget to the HHS CIO each year.
- The IHS CIO will report the results of IHS IT Investment Review Board decision making to the HHS CIO on a regular basis.
- Business Improvement Process. The CIO's role is critical in providing a cross-functional perspective, for advising senior management officials on how IT will enable current operations and on any transition to a more effective environment. The business improvement process includes creating a vision and developing goals, strategies, performance measures, plans, and architectures to move the enterprise into the future. The CIO will:
- Serve as the lead information technologist for the IHS.
- Develop the IHS EA.
- Establish Agency IT policies, standards, and processes that implement and support the EA.
- Formulate and conduct the IHS IT capital planning and investment review process consistent with the HHS and Government-wide requirements.
- Define the current IT environment and provide strategies for closing the gap between the current and the targeted environment as defined in the IHS EA.
- Lead IT strategic planning, and establish IHS IT performance measures.
- Develop IT tactical plans and budgets, perform IT investment analyses and capital planning, and make the business case for IT initiatives.
- Determine probable outcomes for IT investments.
- Planning. This includes the integration of IT planning and strategic business planning, IT planning and budgeting, capital planning, IT knowledge and skills requirements, and information/architecture development. The CIO's planning responsibilities include the following:
- Participate in strategic business planning and in creating the vision of the enterprise. Identifying opportunities to achieve the vision.
- Bring an enterprise-wide view, a business-process orientation, and an understanding of the IHS programs, technology, and organization.
- Process Improvement. The IHS CIO has the necessary enterprise perspective and the infrastructure to support enterprise process design and re-engineering. The infrastructure includes architectures, analyses, and design methods and tools; and networks and processing platforms that are critical components in enabling process innovation. The CIO's process-improvement responsibilities include:
- Partnering with operational leaders aligning the processes from which systems and information requirements are derived.
- Promoting an understanding of the enterprise's cross-functional view, using information, and IT architectures.
- Providing methods and tools to facilitate inter and intra-agency processing innovation.
- Providing an IT infrastructure to test and communicate improved processes.
- Information Technology Services Delivery. The CIO will manage or oversee the IHS IT program to ensure that IT services support their programmatic and administrative operations. Services include:
- IT budget formulation
- Health information management
- Design, development, and acquisition of system applications and infrastructure
- Analysis of new technologies
- Systems management
- Data administration
- Information resources examinations and reports
- IT systems requirements analyses
- IHS Section 508 Program management
- Continuous Improvement. The CIO will continually evaluate the IT program performance against measures established in strategic and program planning, and against industry best practices. Responsibilities include:
- Adjusting operational systems and new IT capital project plans according to lessons learned.
- Identifying and leveraging IT assets to support new business opportunities.
- Reusing and extending existing IT assets.
- Enhancing IT service levels.
- Achieving and raising IT investment performance targets.
- Incorporating systems achievements and lessons learned into the successive strategic planning cycles.
- Information and Computer Security. The CIO will ensure the protection of information systems from theft or damage to the hardware, the software, and the information on them, as well as from disruption or misdirection of the services they provide. Responsibilities include:
- Audit response
- Risk and compliance
- Systems authorization
- Contingency Planning
- Incident response and threat intelligence
- Security architecture and engineering
- Policy and awareness