Chapter 4 - Capital Planning & Investment Control
Part 8 - Information Resources Management
|Information Technology Investment Review Board||8-4.2A|
|Chief Information Officer||8-4.2B|
|Annual IT Review||8-4.3B|
|Information Technology Investment Review Board||8-4.4|
|Department of Health and Human Services CIO||8-4.4C|
|Capital Planning and Investment Control Process and ITIRB Requirements||8-4.4D|
|Technical Review Board Charge||8-4.4E|
|Information Technology Investment Review Board Process||8-4.4F|
|Project Selection Process Phases||8-4.|
|Project Selection Phases||8-4.5A|
|Phase I - Submit IT Project Proposal||8-4.5B|
|Phase II - Screening Criteria||8-4.5B|
|Phase II - Objectives||8-4.5D|
|Phase III - Selection of IT Project Proposals||8-4.5E|
- Purpose. This chapter revises and updates the policies and responsibilities for performing Information Technology (IT) Capital Planning and Investment Control (CPIC) processes throughout the Indian Health Service (IHS).
- Background. Investments in IT can dramatically enhance organizational performance. When the investments are carefully managed, IT enables an organization to improve business processes, make information widely available to those who can benefit from it, and reduce the cost of providing essential Government services.
The Congress and the Office of Management and Budget (OMB) have clearly stated that each executive agency must actively manage its IT program to ensure technology expenditures are necessary and will result in demonstrated improvements in mission effectiveness and customer service. The Clinger-Cohen Act (CCA) mandates the prudent management of IT investments. The Department of Health and Human Services (HHS) Information Technology CPIC Policy, HHS- Information Resources Management (IRM)-2010-0002, requires each Operating Division under HHS to conform to IT governance and CPIC policy established under the CCA.
One key goal of the CCA is for agencies to develop policies and processes that will result in the implementation of systems at acceptable costs, within reasonable and expected time frames, and that contribute to tangible, observable mission performance. These processes must be institutionalized throughout the organization, must ensure compliance with the IHS Enterprise Architecture (EA) and be used for all IT-related decisions.
- Scope. This chapter applies to:
- All IHS organizational components including, but not limited to Headquarters, Area Offices, and Service Units conducting business for and on behalf of the IHS through contractual relationships when using IHS IT resources.
- All IHS IT activities including the equipment, procedures, and technologies that are employed in managing these activities, including, teleworking, travel, other off-site locations, and all IHS office locations.
- All contractor personnel, interns, externs, and other non-Government employees by incorporating such reference in contracts or memorandums of agreement as conditions for using Government-provided IT resources.
- Policy. It is IHS policy that IHS capital investments related to IT must be reviewed on an annual basis.
- Clinger-Cohen Act of 1996 (formerly the IT Management Reform Act of 1996) [Division E, Public Law (P.L.) 104-106]
- Chief Financial Officers (CFO) Act of 1990 (P.L. 101-576)
- Federal Acquisition Streamlining Act of 1994 (P.L. 103-355)
- Government Performance and Results Act of 1993 (P.L. 103-62)
- Paperwork Reduction Act of 1995 (P.L. 104-13)
- Rehabilitation Act of 1998, 29 United States Code 794d, as amended by the Fiscal Year (FY) 2001, Appropriation for Military Construction (P.L. 106-246) July 13, 2000
- Department of Health and Human Services IRM Policies:
- "Information Technology Capital Planning and Investment Control," HHS-IRM-2010-0002, February 26, 2010
- "Information Technology Enterprise Performance Lifecycle (EPLC)," HHS-IRM-2008-0004.001, October 6, 2008
- "Information Technology Performance Baseline Management," HHS-IRM-2010-007, November 22, 2010
- "Conducting IT Alternatives Analysis," HHS-IRM-2003-0002, June 13, 2003
- Office of Management and Budget Circulars:
- Circular A-11, Part 7, "Planning, Budgeting, and Acquisition of Capital Assets"
- Circular A-11, Part 7, "Supplement, Capital Programming Guide" (June 2006)
- Circular A-76, "Performance of Commercial Activities," (5/29/2003) including changes made by OMB Memorandum M-07-02 (10/31/2006) and OMB Memorandum M-08-13 (3/11/2008) and a technical correction made by OMB Memorandum M-03-20 (8/15/2003)
- Circular A-94, "Guidelines and Discount Rates for Benefit-Cost Analysis of Federal Programs" (Revised 12/12/2008)
- Circular A-127, "Financial Management Systems"
- Circular No. A-130, "Management of Federal Information Resources"
- Memorandum 97-02, "Funding Information Systems Investments" (October 25,1996)
- Memorandum 05-23, "Improving Information Technology (IT) Project Planning and Execution" (August 5, 2005)
(1) BNS Business Needs Statement (2) CCA Clinger-Cohen Act (3) CFO Chief Financial Officers (4) CIO Chief Information Officers (5) COTS Commercial-off-the-Shelf (6) CPIC Capital Planning and Investment Control (7) EA Enterprise Architecture (8) EPLC Enterprise Performance Life Cycle (9) HHS Department of Health and Human Services (10) IEEE Institute of Electrical and Electronic Engineers (11) IHS Indian Health Service (12) IRM Information Resources Management (13) ISAC Information System Advisory Committee (14) IT Information Technology (15) ITIRB Information Technology Investment Review Board (16) IV and V Independent Verification and Validation (17) OIT Office of Information Technology (18) OMB Office of Management and Budget (19) OPDIV Operating Division (20) P.L. Public Law (21) TRB Technical Review Board
- Activity. The activity identifies what needs to be done to achieve a stated mission or purpose, without addressing how it is to be accomplished.
- Alternative Analysis. An alternative analysis is an evaluation of scenarios and design paths for meeting a general set of system design requirements described in a specific technical/architectural issue or a business case. This evaluation presents alternatives, which include assessments of current system functionality and design that may satisfy some of the requirements as well as the functionality that may impact the interfaces with other systems. A set of evaluation criteria is used to weigh the various alternatives against each other and provide a recommendation for the analysis.
- Architecture. The architecture is the organizational structure of a system or component [Institute of Electrical and Electronic Engineers (IEEE) 90].
- Baseline. The baseline is a specification or product that has been formally reviewed and agreed upon; that thereafter it serves as the basis for further development and can be changed only through formal change control authority.
- Business Case. A business case is a documented structured proposal outlining a business improvement requirement. The business case document is created to facilitate a selection decision for a proposed investment or IT project by the IHS IT Governance organizations. The business case describes the reasons and justification for the investment or IT project in terms of business process performance, needs and problems, and expected benefits. It identifies high level requirements that are to be satisfied, an analysis or proposed alternative solutions, assumptions constraints, risks, cost benefit analysis, and preliminary acquisition strategy.
- Business Need. A business need is any request at a high or low level to improve, change, update, or add new systems that facilitate the Agency's mission, goals, and objectives.
- Business Need Statement. The Business Need Statement (BNS) is submitted by the Business Sponsor. A BNS identifies the business need for a proposed investment or IT project. It includes a brief description of the proposed IT project's purpose, goals, and scope. The BNS provides sufficient information to justify a decision whether or not IHS should move forward with the development of a full business case.
- Business Sponsor. The person(s) who serve(s) as the primary customer and advocate for an investment or IT project. The Business Sponsor is responsible for identifying the business needs and performance measures to be satisfied by an IT project; providing funding for the investment or IT project; establishing and providing changes to cost, schedule and performance goals; and validating that the investment or IT project initially meets business requirements and continues to meet business requirements.
- Capital Planning. Capital planning is a discipline used by management to reduce the risk and increase the return associated with making investments in capital assets.
- Change Request. A change request is an instrument used to identify changes affecting the functional baselines and cost, schedule, and contractual data associated with information systems baselines. Change requests may also be used to identify changes from subordinate configurations that impact baselines outside their authority.
- Enterprise. Enterprise means the entire Agency and/or its components.
- Enterprise Performance Life Cycle. The Enterprise Performance Life Cycle (EPLC) is a structured development approach with defined activities, phases, deliverables, and reviews providing a standard to support the development of systems from the identification of a business need through implementation, operation, maintenance, and eventual retirement.
- Impact Assessment. An impact assessment is an analysis to determine the effect of a change to a current or new developmental system in order to evaluate how the proposed change affects the targeted technical cost and schedule.
- Information System. An information system is a discrete set of IT, data, and related resources, such as personnel, hardware, software, and associated IT services, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
- Information Technology. This is any equipment or interconnected system or subsystem of equipment used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission or reception of data or information by the Agency. Information Technology includes computers, mobile devices, (i.e., BlackBerry®, iPad® tablets), ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources. It does not include any equipment that is acquired by a Federal contractor incidental to a Federal contract. For purposes of this definition, equipment is "used" by the IHS whether the IHS uses the equipment directly or it is used by a contractor under a contract with the IHS that:
- requires the use of such equipment; or
- requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product.
- Investment Control. Investment control involves management investment oversight activities to monitor projects under development and operational systems to ensure the cost, risk, and performance criteria used to select the investments are being achieved. Project-continuation decisions and corrective actions are made based on periodic monitoring.
- Infrastructure. The infrastructure is a substructure or underlying foundation and includes the basic installations and facilities on which information systems depend (i.e., hardware platform, operating system, telecommunications).
- Maintenance. Maintenance involves the set of activities which result in changes to the originally accepted baseline product set in order to keep the system functioning in an evolving, expanding user and operational environment.
- Performance. Performance is the degree to which a system or component accomplishes its designated functions within given constraints such as speed, accuracy, or memory usage (IEEE 90).
- Phase. A level of the system life cycle that generally specifies major activities, products, reviews and organizations, and roles and responsibilities; and that establishes the level of detail and product accountability.
- Process. A process is an organized set of activities with defined inputs and outputs, and performed to achieve a stated purpose.
- Return on Investment. Return on Investment measures the benefit of the investment as compared to the cost of the investment, which may be calculated in cost savings or cost avoidance.
- Review. A review is a formal evaluation procedure issued to determine the correctness of the products developed during a system life cycle phase.
- Stakeholders. Stakeholders are individuals, organizations, review boards, and committees with a vested interest in the result of a decision, process, review, or activity.
- Technical Evaluation. A technical evaluation includes activities to appraise the technical solutions, and associated costs and schedules presented by a customer. The major activities include a technical analysis of the proposed solutions with the cost and schedule, an architecture impact analysis to determine the solution's impact, and a presentation of the technical evaluation to stakeholders for approval.
- Information Technology Investment Review Board. In 2003, the IHS Information Technology Investment Review Board (ITIRB) is established to oversee and facilitate the review of major IT investments to ensure they are achieving defined performance goals that support the Agency mission and are compliant with the standards defined in the IHS EA plan. In 2007, the ITIRB charter was taken out of Part 8, Chapter 4, Section L, Indian Health Manual, and placed into the IHS Circular No. 2007-04, "Charter - Information Technology Investment Review Board."
- Chief Information Officer. The IHS Chief Information Officer (CIO) is responsible for providing advice and assistance to the Director, IHS, and other senior management personnel to ensure that IT is acquired and information resources are managed for the IHS in a manner that implements CCA policies and procedures. The CIO is also responsible for developing, maintaining, and facilitating the implementation of a sound and integrated EA, and promoting the effective and efficient design and operation of all major IRM procedures and processes for the Agency. This includes improvements to work processes of the IHS. The CIO is a member of the HHS ITIRB and:
- Chairs the ITIRB and is the final approval authority for the ITIRB.
- Ensures that IHS IT investments satisfy the CCA effectively and efficiently, support mission requirements, meet strict efficiency and performance criteria, and conform to the IHS architecture.
- Designates Office of Information Technology (OIT) staff to provide administrative support to the ITIRB.
- Formulates and issues policy, requirements, and procedural guidance for IHS use in conducting IHS investment reviews and in preparing for IHS ITIRB evaluations, reviews, documentation of status, and investments in IHS mission-critical systems.
- Formulates the IHS IT goals and strategies for defining measures of success in assessing and evaluating IT use and reporting the status of the IHS IT programs.
- Is responsible for performing CPIC for the IHS consistent with current legislation and IHS policy.
- Ensures that investment or IT project documents are provided to the IHS and HHS ITIRB members in advance of an ITIRB meeting.
- Provides and certifies an annual inventory of all current and future initiatives that contain an IT component.
- Is the focal point for working with sponsoring program offices on critical IT issues throughout the system life cycle. These issues include initiatives such as a single IHS EA, security, systems development activities, CPIC processes, and Independent Verification and Validation.
- Requests and receives documentation from IHS program offices for their designated IT investments. Designated staff shall analyze the material provided to support the business case for the system and make recommendations to the CIO for action.
- Is responsible for reviewing all IT-related documents, OMB Circular A-11, Part 7 Exhibit 300, and OMB A-11, Part 7 Exhibit 53.
- Oversight Process. The IHS oversight process maximizes the value of the IT acquisitions of the IHS by assessing and managing risk. The IHS oversight process shall include the following:
- Provide for the selection of IT investments to be made by IHS, the management of such investments, and the evaluation of the results of such investments.
- Include minimum criteria to be applied in considering whether to undertake a particular investment in information systems. This includes criteria related to the quantitatively expressed projected net, risk-adjusted return on investment, and specific quantitative and qualitative criteria for comparing and prioritizing alternative information systems investment projects.
- Be integrated with the processes for making budget, financial, and program management decisions within IHS.
- Identify information systems investments that would result in shared benefits or costs for other Federal agencies, Tribal, State or local governments.
- Provide the means for senior management personnel of IHS to obtain timely information regarding the performance of an investment in an information system. This includes a system of milestones for measuring the performance in terms of cost, the capability of the system to meet specified requirements, timeliness, and quality.
- Annual IT Review. All IHS expenditures, regardless of the size, complexity, risk, or cost, shall follow the same process defined in Section 8-4.4E, "Information Technology Investment Review Board Process." However, depending on the size, complexity, risk, cost and phase of the IT investment, the details of the IT investment review, analysis, and documentation will vary. The highest priority IT investments will be further reviewed by the IHS CIO to ensure CCA compliance and ensure the IHS is effectively managing its IT costs and risks associated with the IHS mission and infrastructure. For investments and expenditures that exceed the criteria below, Department-level reviews shall be required.
- Requirements. The Business Sponsor shall submit a BNS to the IHS CIO for all proposed IHS investment and IT project expenditures that meet the criteria in Section 8-4.3A, "Oversight Process."
- Business Need Statement. This proposal is based on the results of documentation from required CPIC planning.
- Review. The IHS CIO shall review the proposal, based on size, complexity, cost and risk factors; he or she will determine if the documentation is sufficient or if an IHS ITIRB review is required, according to established 5 year lifecycle cost thresholds in 8-4.4B, "Criteria." In making this assessment, the IHS CIO may request the respective IHS organization to provide additional documentation.
In addition, the IHS CIO shall provide and certify annually an inventory of all current and future initiatives that contain an IT component.
- Threshold Requirements. Once the investment or IT project expenditure is determined to meet the ITIRB Process threshold requirements, the Business Sponsor develops a business case which is then submitted to the Technical Review Board (TRB) for scoring and the ITIRB for final voting approval.
- Documentation. Wherever possible, existing documentation shall be used to meet the requirement for providing documentation to the IHS ITIRB and the HHS ITIRB.
- Criteria. All IT expenditures meeting either of the criteria below shall be presented to the IHS ITIRB:
- Cross-cutting systems and technology that may affect more than one Operating Division (OPDIV) at any level of resources.
- Systems that meet the OMB definition of "major information system," which means an "information system that requires special management attention because of its importance to an agency mission; its high development, operating or maintenance costs; or its significant role in the administration of agency programs, finances, property, or other resources."
- Dollar thresholds have been established for investments and IT projects to determine the level of IT Governance approval required. The following selection criteria and required documentation for IHS Area and Headquarters IT expenditure requests are as follows:
- Moderate IT investments: All IT projects with a five year lifecycle cost (planning, development, and operations and maintenance) of $25,000 to $500,000 are reviewed and approved by the IHS CIO.
- Large IT investments: All IT projects with a five year lifecycle cost (planning, development, and operations and maintenance) of $500,000 or greater not requiring HHS review are reviewed by the IHS CIO and TRB with final approval by the IHS ITIRB.
- The following summarizes the selection criteria for any IHS IT investment with an annual cost in the budget year of $3,000,000 or greater. In addition to the IHS CIO, TRB, and ITIRB approvals, these investments require HHS and/or OMB review:
- Tactical IT investments: All IT projects with an annual cost in the budget year of $3,000,000 to $10,000,000.
- Major IT investments: All IT projects with an annual cost in the budget year of $10,000,000 or greater.
- Department of Health and Human Services CIO. The Department CIO retains the discretion to direct that any specific system be brought to the HHS ITIRB.
- Capital Planning and Investment Control Processes and ITIRB Requirements. The IHS shall establish and manage CPIC processes and ITIRB review structures in a manner consistent with the requirements of this policy that include the following:
- Compliance with the IHS EA.
- Coordination of IT investment reviews with IHS budget time lines and documentation requirements.
- Ensuring that investments adhere to legislative requirements and best practices for security and privacy protection, including privacy impact assessments.
- Obtaining approval by the IHS ITIRB of investments prior to approval of budgets by the Service and Supply Fund Board.
- Obtaining IHS ITIRB approval prior to the obligation of funds for development of new IT systems meeting the criteria in Section 8-4.5C, "Phase II - Screening Criteria."
- Submission of an OMB Exhibit 53, "Agency IT Investment Portfolio" and any necessary OMB Circular A-11 Exhibit 300, "Capital Asset Plan and Justification" forms for the next available budget cycle submission.
- Technical Review Board Charge. The TRB is charged with the following:
- Evaluate and score proposed IHS IT Business Cases for technical soundness.
- Identify opportunities to leverage and reuse existing IHS IT and other governmental investments.
- Ensure that the investment is aligned with strategic goals, is part of the EA Transition Strategy or "To-Be" environment, complies with all security and privacy requirements, and is following the HHS and OMB policies and procedures.
- Conduct stage gate reviews for the Concept, Planning, Design and Implementation Phases of the EPLC.
- Provide project feedback on the Stage Gate Reviews to Business Sponsor and CPIC Manager.
- Provide finalized scoring of the initial project concept to the CPIC Manager prior to a scheduled ITIRB meeting.
- Escalate project progress issues to IHS CIO.
- Information Technology Investment Review Board Process. The ITIRB process is an integrated approach to managing IT investments that provides for the continuous identification, selection, control, lifecycle management, and evaluation of IT investments. This structured process provides a systematic method for agencies to minimize risks while maximizing the return on IT investments.
The IHS developed its ITIRB process to become more accountable for the economic and efficient management of IT and to implement a sound and integrated EA plan.This process is consistent with HHS policies requiring an investment and review process at the Department and OPDIV levels, as well as with relevant legislation such as the CCA and the Government Performance and Results Act. The central goal of the ITIRB is to assess IHS IT investments to ensure that IT resources support the IHS mission, adhere to the IHS EA, to promote the lifecycle management of IT systems; and to ensure IT project approvals are based on established selection criteria.
There are three phases included in the HHS IT investment management process: Selection, Control, and Evaluation. The ITIRB process addresses IT project selection. The goal of the selection phase is to assess and prioritize current and proposed IT initiatives, and to create an optimal portfolio of IT initiatives. Participants in the ITIRB process make selections and prioritize decisions based on a consistent set of decision criteria that compare costs, benefits, risks, potential returns, and impact on the IHS mission. This phase helps ensure that the organization selects IT projects that will best support mission and IT requirements, and identifies and analyzes a project's risks and returns before the expenditure of project funds.
This structured ITIRB process provides a systematic method for IHS to review proposed IT projects in order to make sound business investment decisions. In addition, it will enable IHS to satisfy Departmental capital planning requirements.
The IHS ITIRB process applies to projects that propose changes to existing systems as well as projects that propose totally new systems.
All IT projects that meet the 5 year life cycle threshold criteria are required to comply with the IHS ITIRB Project Selection process. The IHS ITIRB process applies to projects that propose changes to existing systems as well as projects that propose totally new systems.
- Project Selection Phases. All proposed IT projects will pass through three phases during the IHS ITIRB Project Selection process:
- Phase I - Proposal Submission
- Phase II - Proposal Screening
- Phase III - Proposal Selection
- Phase I - Submit IT Project Proposal. All funding proposals are submitted for initial inclusion in the IHS budget during the scheduled ITIRB meetings throughout the fiscal year. The funding proposal for IT projects ideas are forwarded to the CPIC Manager. The CPIC Manager works with the Business Sponsor (the person who takes responsibility for overseeing the development of the IT idea into an IT project) to complete the OIT BNS.
- Interaction. In general, any IT project that meets the $500,000 5 year lifecycle threshold should be submitted for ITIRB review.
- The Business Sponsor will complete the OIT BNS.
- The IHS CPIC Manager will provide technical assistance to the project sponsor in completing the proposal form.
- Information. The Business Sponsor will submit the completed OIT BNS to the IHS CPIC Manager to coordinate appropriate reviews and approval(s).
- Phase II - Screening Criteria.
- The Business Sponsor is required to present the completed Business Case to the TRB. In addition to the Business Case presentation, the Business Sponsor must provide supporting documentation to enable the TRB to score the IT projects. The supporting documentation consists of all completed forms, such as the BNS and analyses associated with the proposals since they entered the ITIRB process.
- The IHS TRB will review and score the information provided by the Business Sponsor on the OIT BNS. The TRB reviewer will provide "remarks" that are intended to provide an initial indication of a project's ability to succeed in the ITIRB process. In this way, the Business Sponsor can get important feedback on the proposed IT project without expending a large amount of resources.
- Project scores will be based on criteria outlined in the Business Case. These criteria include those suggested in HHS guidance (risk-related criteria, financial criteria, and mission-related criteria):
- alignment of IHS priorities and the IHS Information Systems Advisory Committee (ISAC) IT priorities
- strategic support
- integration with IHS EA
- costs and benefits
- acquisition strategies
- analysis of alternatives
- implementation risks
- performance measures
- project management
- security considerations
- support of IHS operations.
- Initial Acceptance Requirements. The proposed project must meet the following initial requirements:
- Support a mission or function that needs to be performed by the Federal Government.
- Provide a service that must be performed by the IHS because no alternative private-sector or governmental source can do it better or more efficiently.
- Support work processes that have been simplified or otherwise redesigned to reduce costs, make maximum use of commercial-off-the-shelf (COTS) technology, and improve effectiveness.
- Clearly support the mission and strategic objectives of the IHS.
- Phase II - Objectives. The objectives are to determine which proposals satisfy the initial acceptance requirements and which require a detailed IHS ITIRB review and meet the scoring criteria of the TRB.
- Roles and Responsibilities. The TRB is responsible for screening the completed BNS to determine if the proposals satisfy the initial acceptance requirements. If the proposal does not, it will be sent back to the Business Sponsor with comments explaining the reasons why the proposal does not satisfy the requirements. If there is insufficient information for the reviewer to make a recommendation, the proposal will also be sent back to the Business Sponsor. All actions on proposals will be reported to the ITIRB by the CIO's office.
- Information Requirements for Phase II. The TRB needs a completed OIT BNS from the Business Sponsor in order to perform the screening.
- Phase III - Selection of IT Project Proposals. The ITIRB will hold a project selection meeting to select and vote on which investment and IT projects to fund after the proposals have been scored. Selections will be made based on the TRB scoring outcomes and the availability of IHS funding with emphasis on alignment of IHS mission and the IHS ISAC IT Priorities. The ITIRB members will discuss the rankings and agree on any changes to the list by consensus. These discussions may be based on the supporting documentation or other "global" considerations such as congressional or HHS interest. The list of selected projects will be submitted as the IHS IT budget for use at the IHS National Budget Work Session.
- Objective. The objective is to select a set of investments or IT projects to submit for use at the IHS National Budget Work Session.
- Responsibilities. The ITIRB makes the final selections. The CIO or designee will facilitate the selection meeting.
- Information Requirements for Phase III. The requirements include the prioritized list of IT projects from Phase II and supporting documentation for each proposal.