ML20358A249

Capital Planning and Investment Control Policy
Issue date: 12/31/2020
From: NRC/OCIO/GEMSD/APIB
To: Sandra Valencia, 301-415-8701
Shared Package: ML20358A247

U.S. Nuclear Regulatory Commission
CPIC Policy
Capital Planning and Investment Control Policy and Overview
Office of the Chief Information Officer
Capital Planning and Investment Control Team
Version 2.5
December 2020

Revision History

Date | Version | Summary of Changes | Author
09/28/2015 | 1.0 | Updated IT CPIC policy to reflect FITARA and associated OMB requirements. Under FITARA, this policy is now publicly available. ADAMS Accession No. ML15247A497. | Vickie Smith, OIS/PMPD/IPMB. Approved by Darren Ash, OEDO/DEDCM
12/28/2015 | 1.1 | Updated to reflect organizational changes effective on 11/01/2015. ADAMS Accession No. ML15288A545. | Vickie Smith, OCIO/PMPD/IPMB. Approved by Darren Ash, CIO
10/21/2016 | 2.0 | Significant updates were made to reflect new policy requirements in the revised OMB Circular A-130, Managing Information as a Strategic Resource (July 2016); OMB Memorandum, Federal Source Code Policy: Achieving Efficiency, Transparency, and Innovation through Reusable and Open Source Software (M-16-21); and OMB Category Management Policy for Common IT. ADAMS Accession No. ML16272A383. | Vickie Smith, OCIO/PMPD/IPMB. Approved by David Nelson, CIO
12/31/2017 | 2.1 | Updated to add clarity on the Chief Information Officer's (CIO's) role in information technology (IT) contracting and incremental development, make minor changes to definitions, update the major IT investment criteria, and make other minor updates. ADAMS Accession No. ML17346A193. | Leah Kube, OCIO/GEMS/PIMB. Approved by David Nelson, CIO
12/31/2018 | 2.2 | Added updated definitions and other minor updates. | Leah Kube, OCIO/GEMS/IPSMB. Approved by David Nelson, CIO
12/31/2019 | 2.3 | Added and updated definitions and other minor editorial updates. | Leah Kube, OCIO/GEMS/IPSMB. Approved by David Nelson, CIO
4/28/2020 | 2.4 | Added updated IT CPIC policy to add CIO responsibilities according to GAO-18-93. These were minor updates, and some responsibilities already existed with the 2.3 update. | Cathy Smith, OCIO/GEMS/IPSMB. Approved by David Nelson, CIO
12/8/2020 | 2.5 | Updated some formatting and definitions based on FY21 guidance. | Sandra Valencia/Lance Breeden, OCIO/GEMS/APIB. Approved by David Nelson, CIO

Note: The U.S. Nuclear Regulatory Commission maintains detailed processes and operating procedures in separate documents to support continuous refinement of the agency's maturing investment management. This document sets forth the CPIC policy and gives an overview of CPIC processes.

Contents

Background and Authorities ... 1
Purpose ... 2
Definitions ... 3
Capital Planning and Investment Control Policy ... 15
  Planning, Programming, Budgeting, and Selecting ... 15
  Acquiring Information Technology and Services ... 20
  Information Technology Investment Design and Management ... 21
Responsibilities ... 23
Capital Planning and Investment Control Overview ... 27
  Select ... 28
  Control ... 30
  Evaluate ... 30

Background and Authorities

Capital Planning and Investment Control (CPIC) for information technology (IT) investments refers to a decision-making process that ensures IT investments integrate strategic planning, budgeting, procurement, and management of IT in support of agency missions and business needs.[1] The Clinger-Cohen Act of 1996 (CCA) (Public Law 104-106, formerly known as the IT Management Reform Act of 1996) requires Federal agencies to use a disciplined CPIC process to acquire, use, maintain, and dispose of IT assets. Although other laws (e.g., the Paperwork Reduction Acts of 1980 and 1995, Government Performance and Results Act of 1993 (GPRA), GPRA Modernization Act of 2010 (GPRAMA), and Federal Acquisition Streamlining Act of 1994) also require agencies to develop and implement a disciplined process to maximize the value of IT investments while balancing risks, the CCA goes a step further by mandating a specific, more rigorous methodology for managing IT investments that integrates IT capital planning with other agency processes.

Specifically, the CCA mandates that agencies implement CPIC processes that accomplish the following:

  • Provide for the selection, control, and evaluation of agency IT investments.
  • Integrate IT investment processes with the processes for budget, financial, and programmatic decisionmaking.
  • Provide minimum criteria for considering whether to undertake an IT investment.
  • Identify IT investments that would result in shared benefits or costs for other Federal agencies or State or local governments.
  • Provide the means for identifying quantifiable measurements for net benefits and risks of IT investment.
  • Provide the means for senior management to obtain timely information on an investment's progress.

The Federal Information Technology Acquisition Reform Act (FITARA), enacted on December 19, 2014, established additional requirements. The Office of Management and Budget (OMB) issued guidance on implementing FITARA in Memorandum M-15-14, Management and Oversight of Federal Information Technology, dated June 10, 2015. FITARA builds on the CCA by empowering Federal Chief Information Officers (CIOs) with increased oversight over (1) budget planning, (2) governance structures, (3) portfolio risk management, (4) hiring practices within IT offices, (5) planning and execution of data center consolidation, and (6) reporting of progress and metrics to the OMB. To strengthen the CPIC requirements of the CCA, FITARA establishes the Common Baseline for IT Management, which defines the roles and responsibilities of the CIO and other senior agency officials while ensuring that the CIO retains accountability.

[1] The Office of Management and Budget provides this definition in the Integrated Data Collection Common Definitions. See 40 U.S.C. 11302 for statutory requirements and the Clinger-Cohen Act of 1996.

To assist agencies in meeting the requirements of the CCA and FITARA, the OMB issues IT budget and capital planning guidance annually as part of OMB Circular A-11, Preparation, Submission, and Execution of the Budget, and maintains its supplement, the Capital Programming Guide, to help agencies implement CPIC processes and meet requirements for reporting to Congress. OMB Circular A-130, Managing Information as a Strategic Resource, revised July 2016, provides additional guidance for implementing CCA and FITARA requirements. The OMB updates these circulars based on current, relevant statutes and executive orders.

As part of FITARA, the OMB has also issued its category management policy in a series of memoranda, including the following:

  • OMB Memorandum M-16-02, Category Management Policy 15-1: Improving the Acquisition and Management of Common Information Technology: Laptops and Desktops, dated October 16, 2015
  • OMB Memorandum M-16-12, Category Management Policy 16-1: Improving the Acquisition and Management of Common Information Technology: Software Licensing, dated June 2, 2016
  • OMB Memorandum M-16-20, Category Management Policy 16-3: Improving the Acquisition and Management of Common Information Technology: Mobile Devices and Services, dated August 4, 2016

On August 8, 2016, the OMB also issued Memorandum M-16-21, Federal Source Code Policy: Achieving Efficiency, Transparency, and Innovation through Reusable and Open Source Software. The CCA, FITARA, and associated OMB policy, circulars, and guidance serve as the basis for CPIC policy, processes, and procedures at the U.S. Nuclear Regulatory Commission (NRC).

Purpose

This document sets forth the NRC's CPIC policy. It establishes the business rules and guidelines for consistency and compliance in executing the NRC's CPIC processes and procedures, including the procurement of IT assets. This document contains updates that reflect FITARA, OMB Circular A-130, the OMB's category management policy, and OMB Memorandum M-16-21 requirements; therefore, it supersedes all previous versions of the NRC's CPIC policy.

This document also gives a brief overview of the NRC's CPIC processes. CPIC processes and procedures are continuously evaluated and refined; therefore, the NRC maintains separate documents giving detailed processes and procedures. This allows for timely updates and implementation and is consistent with best practices. It also supports the NRC's goal of continuously maturing its IT investment management practices to achieve an IT portfolio that leverages IT for strategic outcomes in support of the NRC's mission.

Definitions

The definitions in this section lay the foundation for, and build better understanding of, the CPIC policy and processes.

Adequate incremental development refers to the planned and actual delivery of new or modified technical functionality to users at least every 6 months during the development of software or services. It must be identified in OMB reports.

Agile software development is a software development approach in which requirements and solutions evolve through the collaborative effort of self-organizing and cross-functional teams and their customers or end users. It advocates adaptive planning, evolutionary development, early delivery, and continual improvement, and it encourages rapid and flexible response to change. The use of agile software development is expected, although it is no longer broken out in OMB guidance.

Alternatives analysis is a method for assessing the various options for meeting the performance objectives of an investment; it includes assessment of the return on investment of each option. The analysis is performed before the initial decision to implement a solution and is updated periodically, as appropriate, to capture changes in the context for an investment decision. These terms refer to best practices outlined in the Capital Programming Guide in Section I.4, Alternatives to Capital Assets, and Section I.5.1, Evaluate Asset Options.

Note: Alternatives analyses shall be performed for investments with projects in the planning stage or the development, modernization, and enhancement (DME) stage, whereas strictly operational investments require operational analyses until a decision is made to reevaluate them or to resume DME.

Baseline refers to the approved work breakdown structure, costs, schedule, and performance goals for a given investment. For additional information on baselines and baseline management, see OMB Memorandum M-10-27, Information Technology Investment Baseline Management Policy, dated June 28, 2010.

Benefit-cost analysis (BCA) refers to the recommended technique to use in a formal economic analysis of government programs or projects. OMB Circular A-94, Guidelines and Discount Rates for Benefit-Cost Analysis of Federal Programs, revised October 29, 1992, contains guidance for performing a BCA.

Capital programming refers to an integrated process within an agency that focuses on the planning, budgeting, procurement, and management of the agency's portfolio of IT investments to achieve the agency's strategic goals and objectives with the lowest overall cost and least risk.

CIO evaluation refers to the CIO's best judgment of the current level of risk for an investment relative to its ability to accomplish its goals (40 U.S.C. 11315(c)(2)). The evaluation should be informed by (1) risk management, (2) requirements management, (3) contractor oversight, (4) historical performance, (5) human capital, and (6) other factors that the CIO deems important to forecasting future success. Each evaluation includes a narrative to explain the rating; this is particularly important when the rating has changed since the last evaluation.

CIO TouchPoint refers to direct one-on-one discussions between the NRCs CIO and the members of the integrated project team (IPT) for a major IT investment (including IT project managers, subject matter experts, business process owners, information system security officers, system owners, and others as appropriate), especially IT project managers executing projects under the investment.

Cloud computing refers to a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Cloud computing promotes availability and has five essential characteristics (on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service), three service models (cloud software as a service, cloud platform as a service, and cloud infrastructure as a service), and four deployment models (private cloud, community cloud, public cloud, hybrid cloud). Key enabling technologies include fast wide-area networks; powerful, inexpensive server computers; and high-performance virtualization for commodity hardware.

Cloud First policy refers to the OMBs policy, also known as the Federal Cloud Computing Strategy, launched in December 2010, which is intended to accelerate the pace at which the Government realizes the value of cloud computing by requiring agencies to evaluate safe, secure cloud computing options before making any new investments.

Note: The Federal Cloud Computing Strategy requires agencies to do the following:

  • Evaluate their technology sourcing plans to include consideration and application of cloud computing solutions as part of the budget process.
  • Seek to optimize the use of cloud technologies in their IT portfolios to take full advantage of the benefits of cloud computing to maximize capacity utilization, improve IT flexibility and responsiveness, and minimize costs.
  • Default to cloud-based solutions when evaluating options for new IT deployments, if a secure, reliable, cost-effective cloud option exists.
  • Continually evaluate cloud computing solutions across their IT portfolios, regardless of investment type or life-cycle stage.

Commodity IT refers to a category of back-office IT services used by most, if not all, agencies (e.g., infrastructure and asset management, e-mail, hardware and software acquisition, and help desks). Commodity IT is related to the OMB's PortfolioStat initiative; it plays a key role in a CIO-led approach to the delivery of IT infrastructure, enterprise IT, and administrative and business systems that encourages agencies to pool their purchasing power across their entire organization, by sharing services (as either provider or consumer) instead of implementing independent services with similar functions. This approach aims to eliminate duplication, rationalize each agency's IT investments, and drive down costs.

There are three categories of commodity IT:

(1) enterprise IT, which includes e-mail; collaboration tools; identity and access management; IT security (other than identity and access management); and Web hosting, infrastructure, and content
(2) IT infrastructure, which includes desktop systems, mobile devices, mainframes and servers, and telecommunications
(3) business systems, which include financial management, human resources management, grants-related federal financial assistance, and grants-related transfer to state and local governments

Cost is defined in Statement of Federal Financial Accounting Concepts No. 1, Objectives of Federal Financial Reporting, dated September 2, 1993, as the monetary value of resources used. It is defined more specifically in Statement of Federal Financial Accounting Standards (SFFAS) No. 4, Managerial Cost Accounting Concepts and Standards, dated July 31, 1995, as the monetary value of resources used or sacrificed or liabilities incurred to achieve an objective, such as to acquire or produce a good or to perform an activity or service. Depending on the transaction, cost may be charged to operations immediately (i.e., recognized as an expense of the period), or it may be charged to an asset account for recognition as an expense of subsequent periods. In most contexts within SFFAS No. 7, Accounting for Revenue and Other Financing Sources and Concepts for Reconciling Budgetary and Financial Accounting, dated May 10, 1996, cost is used synonymously with expense.

Cost avoidance, as defined in OMB Circular A-131, Value Engineering, revised December 2013, is an action taken in the immediate timeframe that will decrease costs in the future. For example, an engineering improvement that increases the mean time between failures and thereby decreases operation and maintenance costs is a cost avoidance action.

Cost savings refers to a reduction in actual expenditures to achieve a specific objective, as defined in OMB Circular A-131.

Development, modernization, and enhancement (DME) refers to projects and activities that lead to new IT assets or systems, or that change or modify existing IT assets or systems, to substantively improve capability or performance, implement legislative or regulatory requirements, or meet an agency leadership request. DME activity may occur at any time during a program's life cycle. Capital costs involved in DME may include hardware; software development and acquisition; commercial off-the-shelf acquisition; government labor; and contracted labor for planning, development, acquisition, system integration, and direct project management and overhead support.

Disposition cost is the cost of retiring a capital asset (generally a system or investment) once its useful life is finished or a replacement asset has superseded it; disposition costs may be included in operational activities near the end of an asset's useful life.

Earned value management (EVM) refers to an integrated management system that coordinates the work scope, schedule, and cost goals of a program or contract and objectively measures progress toward these goals. EVM is a tool used by program managers to (1) quantify and measure program or contract performance, (2) provide an early warning system for deviation from a baseline, (3) mitigate risks associated with cost and schedule overruns, and (4) provide a means to forecast final cost and schedule outcomes. A description of the qualities and operating characteristics of earned value management systems (EVMSs) appears in American National Standards Institute/Electronic Industries Alliance Standard 748-1998, Earned Value Management Systems, dated May 19, 1998. Additional information on EVM is available at www.acq.osd.mil/evm.

Note: For lower cost programs and projects for which the high cost of using EVM may be prohibitive, an alternative approach must be described under risks in the program or project plan, or in a separate risk management plan, as appropriate.

Enterprise architecture (EA) refers to an organization's documentation of the current and desired relationships among business and management processes and IT. An EA includes the rules, standards, and systems life-cycle information to optimize and maintain the environment that the agency wishes to create and maintain through its IT portfolio. An EA must contain a strategy that enables the agency to support its current state, as well as a roadmap for transition to its target environment. An EA defines principles and goals and sets a direction for such issues as the promotion of interoperability, open systems, public access, end user satisfaction, and IT security.

Note: Although this document does not establish EA standards, the selection and evaluation criteria found within should align with, and be reflected in, the NRCs target EA and Enterprise Roadmap.

Enterprise Roadmap refers to a document that describes the business and technology plan for the entire organization using EA methods. The Enterprise Roadmap provides current views, future views, and transition plans at an appropriate level of detail for all IT investments, services, systems, and programs. It also contains an IT asset inventory using the Federal Enterprise Architecture reference models, as well as other attachments or appendices requested by the OMB that provide additional information on Roadmap plans for CPIC, EA, shared services, and other planning products.

Federal IT Dashboard (ITDB) refers to a Web site (www.itdashboard.gov) that enables Federal agencies, industry, the general public, and other stakeholders to view details of the performance of Federal IT investments. The administration and Congress use the ITDB to inform budget and policy decisions.

Financial management systems are systems necessary to support financial management. They include automated and manual processes, procedures, controls, data, hardware, software, and support personnel dedicated to the operation and maintenance of system functions.

Examples of financial management systems include (1) core financial systems, (2) procurement systems, (3) loan systems, (4) grants systems, (5) payroll systems, (6) budget formulation systems, (7) billing systems, and (8) travel systems. OMB Circular A-127, Financial Management Systems, revised January 9, 2009, contains additional information and guidance.

Functional/business sponsor refers to the agency official responsible for the program or function supported or implemented by an investment (44 U.S.C. 3501(a)(4)). The sponsor is responsible for expressing the value of the IT investment, ensuring its successful implementation, and providing accurate and timely data to the agency CIO and the OMB. The sponsor may (or may not) be the same person as the business process owner or subject matter expert serving on the IPT. Each major and non-major IT investment must include the name and title of the functional or business sponsor.

Information and communication technology consists of IT and other equipment, systems, technologies, or processes whose principal function is the creation, manipulation, storage, display, receipt, or transmission of electronic data and information, as well as any associated content. Examples of information and communication technology include software, applications, Web sites, videos, electronic documents, computers and peripheral equipment, information kiosks and transaction machines, telecommunications equipment, customer premises equipment, multifunction office machines, and digital signs.

Information resources management (IRM) strategic plan refers to a document that addresses all of an agency's information resources management. Agencies must develop and maintain their IRM strategic plans as required by 44 U.S.C. 3506(b)(2) and OMB Circular A-130.

IRM strategic plans should support the agency strategic plan required by OMB Circular A-11; describe how IRM activities help accomplish the agency's mission delivery area and program decisions; and ensure that IRM decisions are integrated with management support areas, including organizational planning, budget, procurement, financial management, and human resources management.

Information security refers to all functions pertaining to the protection of Federal information and information systems from unauthorized access, use, disclosure, disruption, modification, and destruction, as well as to the creation and implementation of security policies, procedures, and controls. It includes the development, implementation, and maintenance of security policies, procedures, and controls throughout the entire information life cycle. IT security activities should include those described in National Institute of Standards and Technology (NIST) Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, issued February 2010, including (1) security awareness training (but not the technical infrastructure required for the delivery of training), (2) compliance reporting under the Federal Information Security Management Act, (3) development of a security policy, and (4) security audits and testing.

Note:

  • IT security should include systems that oversee agency IT needs.
  • IT security does not include IT costs related to identity or access management systems or solutions.
  • IT security does not include physical protection of an organization (e.g., guards, cameras, and facility protection).

Information system refers to a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, transmission, or dissemination of information, in accordance with defined procedures, whether automated or manual.

Information technology (IT) is defined as follows:

  • IT includes any services or equipment, or interconnected system(s) or subsystem(s) of equipment, that are used by the agency in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information.
  • Such technology is considered used by the agency if either the agency uses it directly, or it is used by a contractor under a contract with the agency that requires either full or significant use of the technology to perform a service or furnish a product.
  • IT includes computers; ancillary equipment (such as imaging peripherals, input, output, and storage devices necessary for security and surveillance); peripheral equipment designed to be controlled by the central processing unit of a computer; software; firmware; and procedures, services (including provisioned services such as cloud computing and support services for any point of the life cycle of equipment or services), and related resources.
  • IT includes high-performance computing capabilities, including those that are not communal in nature.
  • IT does not include any equipment that a contractor acquires incidentally to a contract that does not require its use.

IT asset refers to anything IT-related (tangible or intangible) that has value to an organization, including, but not limited to, computing devices, IT systems, IT networks, IT circuits, software (both installed and physical instances), virtual computing platforms (which are common in cloud and virtualized computing), and related hardware (e.g., locks, cabinets, keyboards), as well as people and intellectual property (including software).

Note: Assets are the lowest level at which IT is planned, acquired, implemented, and operated. All IT hardware and software shall be associated with the comprising system or investment and tracked and monitored throughout its life cycle, in accordance with the NRC's IT Asset Management Policy processes.

IT investment refers to the expenditure of IT resources to address mission delivery and management support. An IT investment may include a project or projects for the DME or maintenance of either a single IT asset or a group of IT assets with related functionality, and the subsequent operation of those assets in a production environment.

Note: All IT investments shall have a defined life cycle with start and end dates, with the end date representing the end of the currently estimated useful life of the investment, consistent with the investment's most recent alternatives analysis, if applicable. When the asset is essentially replaced by a new system or technology, the replacement shall be reported as a new, distinct investment, with its own defined life-cycle information.

There are five types of IT investments:

(1) Funding transfer investment refers to the funding contributions a partner agency makes to an IT investment managed by another agency. The description of the IT investment should indicate the unique investment identifier (UII) of the managing partner's investment.

Note: The NRC is a partner agency of multiple funding transfer investments (i.e., E-Govs, lines of business (LOBs), and shared services) and therefore shall budget for and report the funding provided to the agency managing each investment on the IT portfolio summary it submits to the OMB. During the selection process, funding transfer investments shall be included as alternatives considered in the alternatives analysis. If a funding transfer investment is not selected, the NRC must provide a business justification for the solution selected instead, and this justification must be approved by the CIO and submitted to the OMB for approval.

(2) IT migration investment refers to the migration costs associated with systems in a shared service partner agency that are not captured by the agency lead when the partner agency is migrating to the shared system. The description of the IT investment should indicate the UII of the major IT investment of the managing partner.

Note: The NRC shall plan, budget for, and report the IT cost of migrating to new investments or to funding transfer investments. When migrating to a funding transfer investment, the NRC shall do so under an IT migration investment on its IT Portfolio Summary. When migrating to a new investment that is not a funding transfer investment, the NRC shall report the cost as planning DME on the new investment's life-cycle cost table.

(3) Major IT investment refers to an IT investment requiring special management attention because of its importance to the mission or function of the Government; significant program or policy implications; high executive visibility; high development, operating, or maintenance costs; unusual funding mechanism; or definition as major by the agency's CPIC process. This includes all major automated information systems as defined in 10 U.S.C. 2445 and all major acquisitions consisting of information resources as defined in the Capital Programming Guide. The OMB may work with the agency to declare IT investments as major IT investments. Agencies must consult with assigned OMB desk officers and resource management offices about which investments are considered major.

(4) Nonmajor investment refers to any IT investment in the agency's IT portfolio that does not meet the definition of major IT investment, funding transfer investment, or IT migration investment.

(5) Standard investment refers to an IT infrastructure investment that has been disaggregated into its discrete components, which are managed separately.

IT program managers and IT project managers are the personnel who lead the IPT for a given IT investment. In some cases, IT program or project managers can hold positions in other classification series; however, they must still meet the applicable Federal certification or IT program management experience requirements. The Office of Personnel Management's Job Family Standard for Administrative Work in the Information Technology Group (Series 2200 in the Federal Classification and Job Grading Systems) offers further definitions.

IT resources include all of the following:

  • agency budgetary resources, personnel, equipment, facilities, or services that are primarily used in the management, operation, acquisition, disposition, transformation, or other activity related to the life cycle of IT
  • acquisitions or interagency agreements that include IT, and the services or equipment provided by such acquisitions or interagency agreements

IT resources do not include grants to third parties that establish or support IT not operated directly by the Federal Government.

IT service refers to a means of delivering IT, together with any personnel or processes of value to customers, to facilitate outcomes that customers want to achieve without owning specific costs and risks.

Integrated program/project team (IPT) refers to a multidisciplinary team associated with an IT investment. The IPT is led by an IT program or project manager responsible and accountable for planning, budgeting, and procurement, as well as life-cycle management of the investment to achieve its cost, schedule, and performance goals. Team skills include budgetary, financial, capital planning, procurement, user, program, architecture, EVM, security, and other skills, as appropriate.

Note: For the OMB to approve the budget for a major IT investment, its IPT must include at a minimum the following:

  • a qualified, fully dedicated IT program/project manager
  • a contracting specialist, if applicable
  • an IT specialist
  • an IT security specialist
  • a business process owner or subject matter expert (SME)

The IPT might also include the following:

  • an enterprise architect
  • an IT specialist with specific expertise in data, systems, or networks
  • a capital planner
  • a budget contact
  • a contracting officers representative
  • an information system security officer
  • a performance specialist

Key members of the IPT should be co-located during the most critical junctures of the program, to the maximum extent possible. Agencies should establish individual performance goals for IPT members to hold them accountable for both individual functional goals and the overall success of the program. The IPT should be defined in a program or an IPT charter.

Interagency acquisition refers to the use of the Federal Supply Schedules, a multiagency contract (i.e., a task order or delivery order contract established by one agency for use by multiple Government agencies to obtain supplies and services, consistent with the Economy Act, 31 U.S.C. 1535), or a Governmentwide acquisition contract (i.e., a task order or delivery order contract for IT established by one agency for Governmentwide use operated by an executive agent, as designated by the OMB pursuant to CCA Section 11302(3)).

Life-cycle costs are all investment costs, including Government full-time equivalents (FTEs), from the beginning of an investment until the end of its estimated useful life (or the composite estimated useful lifetimes of the assets within the investment), independent of the funding source (e.g., revolving fund, appropriated fund, working capital fund, trust fund). The Capital Programming Guide and OMB Circular A-131 contain more information about life-cycle costs.

Maintenance refers to the activity necessary to keep an asset functioning as designed during the operations and maintenance phase of an investment. Maintenance activities may include, but are not limited to, operating system upgrades, technology refreshes, and security patch implementations. As defined in SFFAS 10, Accounting for Internal Use Software, dated October 9, 1998, maintenance excludes activities aimed at expanding the capacity of an asset or otherwise upgrading it to serve needs different from or significantly greater than those originally intended. Such activities are considered DME.

Note: Maintenance activities of notable cost or duration with predetermined start and end dates should be managed as projects and reported on the project and activities tables in Section B of the Major IT Investment Update.

Managing partner refers to the lead agency that is responsible for coordinating the implementation of a funding transfer investment. The managing partner maintains an IT shared service, with approval from agency leadership for intra-agency services and from the OMB for interagency services. The managing partner organization, often referred to as the Program Management Office, develops, implements, and maintains financial and service models, as well as contracts with customers and suppliers, using strategic sourcing vehicles whenever practicable. The Program Management Office is responsible for the success of the IT shared service; it reports on its intra-agency IT shared service using the agency's own metrics, and on interagency LOBs using metrics developed by the Federal CIO Council's Shared Services Subcommittee. Managing partners are also responsible for maintaining contracts with customer agencies that allow the customer agency to terminate the contract if specified levels of service are not maintained.

Modular development refers to an approach that focuses on delivering specific investments, projects, or activities of an overall capability by progressively expanding on delivered capabilities until the full capability is realized. Investments may be decomposed into discrete projects, increments, or useful segments, each of which develops and implements products and capabilities that the larger investment delivers. For more information, see the OMB's Contracting Guidance to Support Modular Development, dated June 14, 2012.

Operational analysis refers to a method of examining the ongoing performance of an operating asset investment and measuring that performance against an established set of cost, schedule, and performance goals. An operational analysis is, by nature, less structured than performance reporting methods applied to developmental projects and should trigger considerations of how the investment's objectives could be better met, how costs could be reduced, and whether the organization should continue performing a particular function. The Capital Programming Guide contains guidance on operational analysis. Best practices can also be found in the Government Accountability Office (GAO) report GAO-13-87, Information Technology: Agencies Need to Strengthen Oversight of Billions of Dollars in Operations and Maintenance Investments, issued October 2012.

Operations refers to the day-to-day management of an asset while it is in the production environment, producing the same product or providing a repetitive service. Operations include, but are not limited to, the activities of data centers, help desks, operational centers, telecommunication centers, and end-user support services.

Operations and maintenance refers to the expenses required to operate and maintain an IT asset that is operating in a production environment. It includes costs associated with operations, maintenance activities, and maintenance projects needed to sustain the asset at its current capability and performance levels. Specifically, it covers Federal and contracted labor costs, corrective hardware and software maintenance, voice and data communications maintenance and service, replacement of broken or obsolete IT equipment, overhead costs, business operations and commercial services costs, and costs for the disposal of an asset. It is also commonly referred to as steady state.

Partner (customer) agency refers to the agency in an inter- or intra-agency collaboration, such as an E-Gov, LOB initiative, or Federal shared service, that contracts with and pays a managing partner for an IT shared service. The partner agency may be required to interact with suppliers to coordinate day-to-day service issues, while the managing partner handles major contract issues and resolves escalation items with suppliers. The partner agency usually provides resources (e.g., funding, FTEs) for the management, development, deployment, or maintenance of a common solution. The partner agency is also responsible for including the appropriate line items in its own IT Portfolio Summary budget submission, reflecting the amount of its contribution towards each of the initiatives for which it provides resources.

Planning refers to preparing, developing, or acquiring the information used to design the asset; assess the benefits, risks, and risk-adjusted costs of alternative solutions; and establish realistic cost, schedule, and performance goals for the selected alternative, before either proceeding to full acquisition of the capital project or useful component, or terminating the project.

Note: Before the acquisition phase can begin, planning must progress to the point where the agency is ready to commit to specific goals for the completion of the acquisition.

Information-gathering activities and tools to support planning may include the following:

  • market research on available solutions (see Federal Acquisition Regulation (FAR) Part 10, Market Research)
  • architectural drawings
  • engineering and design studies
  • prototypes

Planning may be general to the overall investment or may be specific to a useful component.

For investments developed or managed using an iterative or agile methodology, planning will be conducted throughout the entire acquisition, focusing on each iteration or sprint.

Post-implementation review (PIR) refers to an evaluation of how successfully an investment's or project's objectives were met and how effective the project management practices were in keeping the investment or project on track. A PIR can be conducted after the completion of a project or at the conclusion of the implementation phase of an investment. The Capital Programming Guide contains additional details on the PIR process.


Privacy impact assessment (PIA) refers to the process for examining the risks and ramifications of using IT to collect, maintain, and disseminate information in identifiable form from or about members of the public. The process is also used to identify and evaluate protections and alternative options to mitigate the impact on privacy of collecting such information. Consistent with OMB Memorandum M-03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, dated September 26, 2003, agencies must conduct and make publicly available PIAs for all new or significantly altered IT investments that administer information in identifiable form collected from or about members of the public.

Programming refers to an integrated process within an agency that focuses on the planning, budgeting, procurement, and management of a program to achieve the agency's strategic goals and objectives with the lowest overall cost and least risk.

Note: Any program that leverages IT to support its mission shall include the CIO in its programming to advise on and approve the IT aspects of the program.

Project refers to a temporary endeavor undertaken to accomplish a unique product or service. A project has a defined start and end point and specific objectives that, when attained, signify completion. Projects can be undertaken for the DME, disposal, or maintenance of an IT asset. Projects are composed of activities.

Note: When reporting project status, to the maximum extent practicable, agencies should detail the characteristics of increments under modular contracting, as described in the CCA, and the characteristics of useful segments, as described in OMB Circular A-130.

Risk management refers to a systematic process of identifying, analyzing, and responding to risk. It includes maximizing the probability and consequences of positive events and minimizing the probability and consequences of events adverse to overall objectives. Risk management should be conducted throughout the entire life cycle of a program.

Risk management plan refers to a documented and approved plan, developed at the onset of an investment and maintained throughout, that specifies the investments risk management process.

Shadow (hidden) IT refers to IT spending that is not fully transparent to the agency CIO, and IT resources included in a program whose primary purpose is not IT-related. An example would be a grants program in which a portion of the spending goes to equipment, systems, or services that provide IT capabilities for administering or delivering the grants.

Shared service refers to a service that a Federal organization provides to other Federal organizations that are outside the providers organizational boundaries. Shared services may be intra-agency or interagency. There are three categories of shared services in the Federal Government:


(1) Common solutions: technology and contracts that can be used by more than one Federal agency. May be Government-to-Government or citizen-to-Government.

(2) Shared services: services consolidating routine or standard operations to a limited number of organizations. May use common solutions (technology or contracts) and share human resource expertise either within an agency or across agencies.

(3) Centralized services: highly standardized activities occurring in a single Governmentwide location, allowing organizations and users to benefit from consistent and uniform processes.

Note: Shared commodity IT and support services are considered to be IT; associated costs must be included and reported as part of the IT Portfolio Summary.

Shared service provider refers to the provider of a technical solution or service that supports the business of multiple agencies using a shared architecture. For multiagency services, this is the managing partner of the investment.

Unique investment identifier (UII) refers to a persistent numeric code applied to an investment that allows the identification and tracking of the investment through an agency's IT portfolio across multiple fiscal years. The UII consists of a three-digit agency code linked with a unique nine-digit investment number generated by the agency. Some nine-digit numbers are reserved for the OMB to assign to funding transfer investments and may not be assigned by agencies.

Capital Planning and Investment Control Policy

All NRC IT resources shall be managed in accordance with Federal mandates, OMB requirements, and agency procedures. This policy establishes the business rules and guidelines for the management and oversight of IT resources, including FTEs, under all IT investments, except where it is stated that the rules apply only to major IT investments.

Planning, Programming, Budgeting, and Selecting

(1) All IT resources shall be planned, budgeted, executed, and reported under an approved IT investment in the NRC IT Portfolio Summary submitted to the OMB during the annual budget submissions.

(2) For major IT investments, a Major IT Business Case must also be developed and maintained for justifying the budget request, including reporting performance and the expenditure of IT resources, to the OMB and Congress.

(3) An IT investment shall be classified as a major IT investment if it meets one or more of the following OMB criteria:

  • It is important to the mission or function of the Government.
  • It has significant program or policy implications.
  • It has high executive visibility.
  • It has high development, operations, or maintenance costs, which the NRC defines as budget planning year costs of $10 million or more. 2
  • It involves an unusual funding mechanism.
  • It involves financial systems with annual cost and spending of $500,000 or more, as dictated by mandates and guidance on financial systems, such as OMB Circular A-127.
  • It is defined as major by the NRC CPIC process.

All other NRC IT investments are considered non-major or standard investments, with the exception of funding transfer investments and IT migration investments. The NRC is a partner agency on a number of investments managed by other agencies. These investments are considered major IT investments of the managing agencies, and the NRC shall report contributions to the managing partners in the NRC IT Portfolio Summary.

(4) During the planning, programming, and budgeting processes, all IT resources shall be identified and separated from non-IT resources to allow visibility to the CIO and executive investment review board (IRB). Budgeting for IT resources in all programs (not just programs that are primarily IT-oriented) shall be done in accordance with the IT budget guidance issued by the Office of the Chief Information Officer (OCIO) and in tandem with the overall agency budget formulation process issued by the Office of the Chief Financial Officer. This includes defining the level of detail at which IT resources are budgeted and, in consultation with the Chief Acquisition Officer (CAO), defining processes to track planned expenditures for IT resources against actual expenditures for all transactions that include IT resources. The Chairman is regularly briefed on the status of IT investments and activities.

(5) As a chair of the executive IRB, the CIO shall advise on and approve the IT aspects of all programs. In the case of major IT investments, additional, more extensive involvement shall occur through monthly updates, CIO evaluations, and CIO TouchPoints.

(6) The IT budget formulation process and the annual agency IT Portfolio Summary and Major IT Business Case submission process shall ensure that the budget justification materials in the NRC's initial budget submission receive the appropriate CIO approvals and certifications and include affirmation statements of these approvals and certifications, as listed and described in OMB Circulars A-130 and A-11.

2 The OMB establishes the criteria for a major IT investment but allows agencies to establish the dollar threshold.

(7) The CIO and Chief Financial Officer (CFO) shall define and, as the cochairs of the executive IRB, shall oversee the process by which the CIO, CFO, CAO, and Chief Human Capital Officer work with program leadership to plan an overall IT portfolio that efficiently and effectively leverages IT for strategic outcomes in support of the program and business objectives aligned to the NRC's Strategic Plan.

(8) An IT investment's justification, cost, schedule, measurement indicators, and other management and technical artifacts shall describe the discrete and unique set of IT products and services it encompasses and how they support the NRC mission or mission support functions. For all major IT investments, the formal Major IT Business Case and Required Artifacts (when requested) shall document and report all of the above to the OMB. 3

(9) Major IT investments shall adhere to the principles established by the OMB in Appendix 6, Principles of Budgeting for Capital Asset Acquisitions, to the Capital Programming Guide.

(10) No two IT investments shall serve the same purpose or deliver the same discrete and unique set of IT products or services. If duplicative investments are identified, an alternatives analysis shall be performed and a plan developed to eliminate the duplication and associated cost.

(11) When two or more IT investments deliver IT products or services through the same IT component (i.e., system or platform), the set of IT products or services delivered through that component by each investment shall be discrete and unique and clearly distinguishable from those delivered by the other investments. In addition, a consistent, reliable means must be used to determine the equitable cost of the shared system or platform for each investment; this ensures accurate planning, budgeting, and reporting of the total cost of ownership for each investment.

(12) All IT investments shall have a defined life cycle with start and end dates, with the end date representing the end of the currently estimated useful life of the investment, consistent with the investments most recent alternatives analysis, if applicable. When an asset is essentially replaced by a new system or technology, the replacement shall be reported as a new, distinct investment, with its own defined life-cycle information.

(13) Information security, privacy, records management, public transparency, and supply chain security issues must be considered for all resource planning and management activities throughout a systems development life cycle.

3 NRC CPIC procedures for Major IT Business Cases are based on the annual fiscal year IT Budget and Capital Planning Guidance issued as part of OMB Circular A-11.


(14) All major IT investments shall have a committed IPT comprising the required minimum membership (as noted in the definition of IPT) and program charter, and all IT projects shall have an IPT, project charter, project management plan, and schedule.

(15) An alternatives analysis shall be performed for investments with projects in the planning or DME stages. The alternatives analysis shall include both Government-provided (internal, interagency, and intra-agency) and commercially available options, as well as cloud solutions, where applicable.

(16) The alternatives analysis for a new investment shall include the three-step software solutions analysis described in OMB Memorandum M-16-21, which addresses Federal source code policy.

(17) In the case of a new major IT investment, a full business case must be developed. Once approved by the CIO, the initial business case shall serve as the basis for the Major IT Business Case submitted to the ITDB. The business case shall then be maintained through the Major IT Business Case and Major IT Update submission processes.

(18) To strengthen understanding of the requirements for an IT service, qualitative and quantitative research methods shall be used to determine the goals, needs, and behaviors of current and prospective managers and users of the service.

(19) All acquisition planning shall adhere to the planning provisions in FAR Subpart 7.1, Acquisition Plans, and FAR Part 10.

(20) Planning for IT acquisitions shall substantiate the NRC's commitment to achieving specific goals through the completion of each acquisition. Planning activities and results shall be documented and final plans approved before the acquisition phase begins. For investments developed or managed using an iterative or agile methodology, proper planning for each iteration or sprint shall be conducted throughout the entire acquisition.

(21) All IT hardware and software shall be planned, acquired, deployed, managed, and disposed of under an IT investment on the NRC's IT Portfolio Summary and in accordance with the NRC's IT asset life-cycle management processes and procedures.

(22) When analyzing and prioritizing IT investments for selection into the agency IT portfolio, all decisions to select (acquire or develop) an IT system or service shall be merit-based and consider factors such as, but not limited to, the following:

  • alignment with the NRC's Strategic Plan
  • ability to meet operational or mission requirements
  • conformance to the current and target EA and alignment with the Enterprise Roadmap
  • total life-cycle cost of ownership and ability to sustain this cost
  • performance
  • security risks
  • interoperability
  • privacy
  • accessibility
  • ability to be shared or reused
  • resources required to switch vendors to avoid being locked in
  • availability of high-quality support at a reasonable cost

(23) The decision to improve, enhance, or modernize an existing IT investment or to develop a new IT investment shall be based on an alternatives analysis that covers both Government-provided (internal, interagency, and intra-agency, where applicable) and commercially available options, from which the option offering the best value to the Government shall be selected.

(24) Preference shall be given to using available and suitable Federal information systems, technologies, or shared services or information-processing facilities, or to acquiring open-source or commercially available off-the-shelf software or technologies, over developing or acquiring custom or duplicative solutions.

(25) Decisions to acquire custom or duplicative solutions must be justified based on their overall life-cycle cost-effectiveness or their ability to meet specific and high-priority mission or operational requirements.

(26) The security levels of information systems shall be commensurate with the risk that may result from unauthorized access, use, disclosure, disruption, modification, or destruction of the information they contain, consistent with NIST standards and guidelines.

Acquiring Information Technology and Services

When acquiring IT and IT services, the NRC shall adhere to the following:

  • all relevant Federal mandates, such as 41 U.S.C. 2308, Modular Contracting for Information Technology
  • OMB policy, including but not limited to the category management policies for improving the acquisition and management of common IT, such as the following:
    - laptops and desktops (OMB Memorandum M-16-02)
    - software licensing (OMB Memorandum M-16-12)
    - mobile devices and services (OMB Memorandum M-16-20)
  • the FAR, including the planning provisions in FAR Subpart 7.1 and Part 10 to be implemented before an acquisition
  • NRC Management Directive 11.1, NRC Acquisition of Supplies and Services, dated May 9, 2014

During the acquisition process, all of the above must be referenced and applied as appropriate. This includes, but is not limited to, the policy steps described below:

(1) Develop a thorough benefit-cost analysis of all procurement requirements based on market research, which includes an alternatives analysis.

(2) Use adequate competition, analyze risks (including supply chain risks) associated with potential contractors and the products and services they provide, and allocate risk responsibility between the Government and the contractor.

(3) Conduct definitive technical, cost, and risk analyses of alternative design implementations, considering, for example, the full life-cycle costs of IT products and services, which include but are not limited to planning, analysis, design, implementation, sustainment, maintenance, recompetition, and retraining costs, scaled to the size and complexity of individual requirements.

(4) When developing planned information systems, consider existing Federal contract solutions or shared services available from within the same agency, from other agencies, or from the private sector, to avoid duplicative IT investments.

(5) Initiate development of new information systems or of custom solutions to improve existing information systems only when no existing alternative private-sector or Government source can efficiently meet the need, taking into account long-term sustainment and maintenance.

(6) Structure acquisitions for major IT investments into useful segments, each with a narrow scope and brief duration, to reduce risk, promote flexibility and interoperability, increase accountability, and better match mission need with current technology and market conditions.

(7) To the extent practicable, award modular contracts for IT, including orders for increments or useful segments of work, no more than 180 days after the solicitation is issued. If the award cannot be made within 180 days, the agency shall consider canceling the solicitation. The IT acquired should be delivered no more than 18 months after the solicitation is issued.

(8) Align IT procurement requirements with the agencys strategic goals.


(9) Promote innovation in IT procurements; in particular, conduct market research to maximize the use of innovative ideas.

(10) Include security, privacy, accessibility, records management, and other relevant requirements in solicitations.

(11) Ensure that the CIO reviews and approves all acquisition strategies, plans, and requirements (as described in FAR Part 7, Acquisition Planning) and all interagency agreements (such as those used to support purchases through another agency) that include IT. These approvals shall consider the following factors:

  • alignment with mission and program objectives in coordination with program leadership
  • appropriateness with respect to the mission and business objectives supported by the NRC's IRM Strategic Plan
  • inclusion of innovative solutions
  • appropriateness of contract type for IT-related resources
  • appropriateness of IT-related portions of statement of needs or statement of work
  • ability to deliver functionality in short increments
  • inclusion of Governmentwide IT requirements, such as information security
  • opportunities to migrate from end-of-life software and systems, and to retire such software and systems

(12) Consistent with the FAR, include in contracts for custom software development provisions that reaffirm the right to reuse the software throughout the Federal Government.

(13) Enter all acquired IT hardware and software into the NRC's IT asset inventory and management tools.

Information Technology Investment Design and Management

The NRC shall, to the extent practicable and financially responsible, implement the following requirements:

(1) Information systems and processes shall support and maximize interoperability and access to information, where appropriate, by using documented, scalable, and continuously available application programming interfaces and open machine-readable formats.

(2) Information systems and technologies must facilitate interoperability, application portability, and scalability across networks of heterogeneous hardware, software, and communications platforms.

(3) When information and communication technology is developed, procured, maintained, or used, it must comply with Title 36 of the Code of Federal Regulations 1194.1, Standards for Section 508 of the Rehabilitation Act.

(4) In designing, developing, integrating, or implementing IT solutions, the practices and architecture must conform to the NRC information technology/information management technical standards.

(5) All information life-cycle processes and stages, including the design, development, implementation, and decommissioning processes for information systems, must fully incorporate records management functions and retention and disposition requirements. This applies particularly to Internet resources, including storage solutions and cloud-based services such as software as a service, platform as a service, and infrastructure as a service.

(6) A PIA and security impact assessment must be performed up front, and the appropriate security planned, budgeted, and built in at the start of the project.

(7) IT investments shall use an EVMS and Integrated Baseline Review, when appropriate, as required by FAR Subpart 34.2, Earned Value Management System. When an EVMS is required, agencies must have a documented process for accepting a contractors EVMS. When an EVMS is not required, a baseline validation process must be implemented as part of an overall investment risk management strategy consistent with OMB guidance.

(8) All IT development projects shall appropriately implement incremental development and modular approaches, as defined in the OMB's Contracting Guidance to Support Modular Development.

(9) Maintenance activities of notable cost or duration with predetermined start and end dates should be managed as projects. In the case of major IT investments, the project and activities tables in Section B of the Major IT Investment Update shall be used to track, monitor, and report the cost and schedule.

(10) For operational investments, operational analyses shall be performed until a decision is made to reevaluate the investment or to resume DME.

(11) All applicable decisions about system and service investments shall be reflected in new or updated entries (e.g., system, service, application) in the NRC information system inventory, as required by statute (Title 44, Emergency Management and Assistance, of the Code of Federal Regulations, Chapter 53, among others) and OMB policy.

Responsibilities

Responsibilities of the Chairman

Review the IT budget request included in the overall agency budget recommended by the Executive Director for Operations (EDO) and the CFO, and submit final recommendations to the Commission.

Responsibilities of the Commission

Review and approve the agency's IT budget request as included in the overall agency budget.

Responsibilities of the Executive Director for Operations

(1) Serve as the Chief Operating Officer and, as such, supervise the activities of the Assistant for Operations, who serves as the Performance Improvement Officer, in accordance with the GPRAMA.

(2) Ensure that the NRC's planning and budgeting process for IT investments is consistent and integrated with the agency's overall planning, budgeting, and performance management (PBPM) process.

(3) Ensure that program office and IT officials participate in the PBPM process for IT investments throughout their life cycle.

(4) Ensure that statutory responsibilities for IT investments and their oversight are appropriately assigned to the agency's CIO.

(5) Together with the CFO, review and approve the selections and budget for the annual IT investment portfolio recommended by the executive-level IT IRB, and submit recommendations to the Chairman.

(6) Assign the CIO to be the Designated Approving Authority formally responsible for approving the operation of an IT system at an acceptable level of risk based on an agreed-on set of implemented security controls, in accordance with the Federal Information Security Management Act and NIST guidelines.

Responsibilities of the Chief Information Officer

(1) Assist and act for the EDO in executing the EDO's responsibility for IT infrastructure, application development, project management, information management services, and information systems security oversight.

(2) Supervise, provide guidance to, and coordinate with the Deputy CIO and the Chief Information Security Officer.

(3) Develop and implement an agencywide IT investment framework that supports the NRC's mission, meets the requirements of Federal statutes and regulations and guidance from OMB and GAO, and is consistent with the NRC's overall PBPM programs. The framework should encompass policies, processes, and procedures for IT investment management, strategic planning and EA, information and records management, and information security.

(4) Cochair the executive-level IRB with the CFO, set the agenda for and facilitate meetings to achieve the IRB's goals and objectives, and approve revisions to its charter, as needed.

(5) As cochair of the executive-level IRB, jointly with the CFO, define the level of detail with which IT resources are described distinctly from other resources throughout the planning, programming, and budgeting stages. The level of detail shall provide transparency for the IT budget and serve as the primary input to the IT CPIC documents submitted to the OMB with the agency's budget.

(6) Review and approve the major IT portion of the budget request; the CFO shall affirm this CIO approval in the NRC's budget justification materials.

(7) Review and collaborate with program leadership on planned IT support for major program objectives and significant increases and decreases in IT resources.

(8) Jointly with the CFO, affirm that the IT portfolio contains appropriate estimates of all IT resources included in the IT budget request.

(9) Jointly with the CFO and executive-level IRB, provide an executive IT investment review function as required by the OMB, make decisions on the IT portfolio, and recommend the IT budget to the EDO for consideration in the NRC's overall budget.

(10) Establish other executive and technical review or advisory bodies, as necessary, to involve business and technical SMEs in IT investment planning and management oversight; ensure agencywide coordination; and comply with CPIC requirements for IT investments, strategic planning and EA, security, and information and records management policies, as stated in the Capital Programming Guide and OMB Circular A-130.

(11) Jointly with the CFO and CAO, define agencywide policy for the level of detail of planned expenditure reporting for all transactions that include IT resources.

(12) As a member of the Strategic Sourcing Group, review and approve all acquisitions over $1 million, and provide oversight to ensure that all acquisition strategies and plans that include IT apply adequate incremental development principles, use appropriate contract types, contain appropriate statements of work for the IT portions, support the mission and business objectives listed in the IT strategic plan, and align mission and program objectives in consultation with program leadership.

(13) Review and approve all new IT purchases regardless of dollar threshold.

(14) Recommend to the Commission any movement of funds for IT resources that requires congressional notification.

(15) Jointly with the Chief Human Capital Officer, develop a set of competency requirements for IT and IT-acquisition staff (including IT and IT-acquisition leadership positions), and develop and maintain a current workforce planning process so that the agency can anticipate and respond to changing mission requirements, maintain workforce skills in a rapidly developing IT environment, and recruit and retain the IT talent needed to accomplish its mission. Continue to assess existing IT workforce to identify deficiencies within the agency, and provide assessments to the Chairman as part of the annual Human Capital Commission Briefing.

(16) Formally assume responsibility for operating a major system or network at an acceptable level of risk; evaluating the mission, business case, and budgetary needs for an NRC system in view of the security risks; and permitting or denying operations or use based on unacceptable security risk.

(17) Provide an annual report on the NRC Cybersecurity Program, the NRC Privacy Program, and the findings of the NRC Inspector General's review of the program, signed by the Chairman.

(18) Oversee the NRC Cybersecurity Program, and provide a quarterly report on the information security responsibilities of all agency senior officials, using a cybersecurity performance metric based on five major criteria: (1) computer security awareness training, (2) role-based training, (3) continuous monitoring, (4) cybersecurity incidents, and (5) phishing.

(19) As part of the regular CIO evaluations, perform risk reviews covering three major areas: (1) managing active risks, (2) maintaining a risk log and actively managing risk mitigation strategies, and (3) identifying and managing risk triggers.

(20) As part of the CIO evaluations, review investments that meet the criteria for a TechStat. A TechStat is required for any high-risk investment that remains red or at risk for 3 consecutive months or more.

(21) Jointly with the CAO, share acquisition and procurement responsibilities. The CIO reviews all cost estimates of IT-related costs and ensures that all acquisition strategies and plans that include IT apply adequate incremental development principles (see definitions).

Responsibilities of the Capital Planning and Investment Control Team

(1) Facilitate IT SME reviews for policy compliance, security, IT project management, and infrastructure impact, and consolidate the SME recommendations for executive-level and management-level IRBs.

(2) Facilitate IT investment reviews (e.g., control reviews, TechStats, CIO TouchPoints) with the CIO and appropriate IT governance boards.

(3) Coordinate with the NRC's EA to verify mapping between the NRC's EA and the Federal EA and to ensure that investments align with the NRC's Strategic Plan, Information Technology/Information Management (IT/IM) Strategic Plan, and Enterprise Roadmap.

(4) Coordinate with the NRC's Program and Project Management Team to establish project control gates and to ensure that project management standards and best practices are implemented throughout the life cycle of each IT investment.

(5) Coordinate with other functional areas of OCIO on security-related requirements to support the development and review of IT business cases and project plans and the monitoring and evaluation of IT investments throughout their life cycle.

(6) Assist IT investment owners in understanding and complying with the CPIC process and related OMB requirements, including preparation of the NRC's IT Portfolio Summary and Major IT Business Case submissions.

(7) Work with IPTs and IT program/project managers for each major investment to update Major IT Business Cases and ensure complete and timely submission of updates to the OMB.

(8) Serve as a single point of contact for NRC inquiries about IT governance and CPIC processes and procedures.

(9) Coordinate input to the annual IT planning and budgeting guidance.

(10) Maintain an inventory of the agency's capitalized IT investments (i.e., Major IT Business Cases), and provide the current list to the Office of the Chief Financial Officer for inclusion in the NRC's budget justification materials.

(11) Provide input to educational outreach activities and training related to CCA, FITARA, and OMB requirements, and present training to IPTs and all program/project managers on the CPIC portfolio and investment management and submission tool, OMB reporting requirements, and the NRC's IT governance.

(12) Establish requirements and criteria for selecting the IT investments that make up the NRC's IT portfolio.

(13) Define and implement processes and procedures to monitor and evaluate IT investments throughout their life cycle.

(14) Provide a secretariat function for the executive-level and management-level IT IRBs, including scheduling meetings, developing agendas, coordinating briefings and reviews, taking minutes to document decisions and action items, and tracking action items to completion.

Other Responsibilities

All IRBs, acquisition review boards, and IPTs maintain charters that fully describe their current responsibilities. NRC Management Directive 2.8, Integrated Information Technology/Information Management (IT/IM) Governance Framework, dated February 24, 2016, describes the responsibilities related to EA and project management. The NRC IT Asset Life-Cycle Management Policy describes the responsibilities of the IT asset manager for hardware and the agency software manager.

The NRC develops and uses NUREG-1908, Information Technology/Information Management Strategic Plan, to outline and refine internal processes, focusing on three key components: to empower, protect, and serve. Across both public and private sectors, there is increased focus on using technology to create transparency and efficiency and to improve the customer experience, both internally and externally. OCIO has completed a benchmark of the Information Technology/Information Management Strategic Plan, and the NRC is in alignment with industry standards in both the private and public sectors.

As of November 2019, the NRC has met the requirements established by Congress in 2014, which give a special provision to GAO. This provision requires GAO to annually review agencies' data center inventories and strategies. Accordingly, GAO's objectives were to (1) evaluate agencies' progress and plans for data center closures and cost savings, (2) assess agencies' progress against OMB's data center optimization targets, and (3) identify effective agency practices for achieving data center closures, cost savings, and optimization progress.

These objectives have been attained, as reported under GAO-16-323 and GAO-19-24. All requirements for maintaining an inventory and consolidating and optimizing data centers have been met, and results have been posted to the OMB MAX portal dashboard.

Capital Planning and Investment Control Overview

The NRC's CPIC is critical to the management and oversight of the agency's IT resources. It is key to the NRC's IT investment management, because it provides a mechanism for delivering high-quality information and recommendations to executive decisionmakers on IT investments to be included in the IT portfolio.

The NRC's CPIC policy recognizes that IT investment management is dynamic. For this reason, the NRC selects and continuously monitors and evaluates its IT investments to ensure that each investment in the NRC IT portfolio effectively and efficiently supports the agency's mission and strategic goals. The NRC's CPIC processes are designed to facilitate sound IT governance and the maturation of the agency's IT investment management. The NRC's CPIC model relies on three distinct, yet interdependent, sets of processes: (1) Select, (2) Control, and (3) Evaluate.

An IT investment can be active concurrently in more than one CPIC process. After an IT investment is initially selected and funded, it undergoes the Control and Evaluate processes for review and reselection until it is determined to have come to the end of its useful life; at that point, it is decommissioned and removed from the IT portfolio.

Select

The purpose of the Select process is to identify the IT investments, projects, and activities that best support the NRC mission and current business needs at an acceptable level of risk and as cost-effectively as possible. The key objectives are to identify and analyze the risks and returns of each investment or project before committing funds and to select or reselect those investments and projects that will best support mission needs.

The Select process and procedures capture IT investments and their supporting projects and IT resources for consideration in the overall IT portfolio. Investments considered include both new investment proposals and existing investments being evaluated for reselection, either as-is or with enhancements. Investments being decommissioned also remain in the portfolio until they have been completely removed from the production environment and require no further funding.

These investments are captured, categorized, analyzed, prioritized, and either selected, denied, or placed on a lower priority or nonfunded list.

New IT investments proposed and selected for funding shall meet the following criteria:

  • Support the NRC's core or priority mission functions.
  • Fill a performance or capability gap in achieving the NRC's strategic goals and objectives, yielding the maximum benefits at the lowest life-cycle cost among viable alternatives.
  • Support a function that no alternative private-sector or Government source can more efficiently support.
  • Support work processes that have been simplified or otherwise redesigned to reduce costs, improve effectiveness, and make maximum use of commercial off-the-shelf technology.
  • Demonstrate a projected best value, based on an analysis of quantifiable and qualitative benefits and costs and projected return on investment, which is clearly equal to or better than that of any alternative use of available public resources.

Benefits contributing to best value may include improved mission performance in accordance with GPRAMA measures; reduced cost; increased quality, speed, or flexibility; and increased customer and employee satisfaction.

IT investment costs shall be adjusted for such risk factors as the investment's technical complexity, the organization's management capacity, the likelihood of cost overruns, and the consequences of under- or non-performance.


  • Be consistent with applicable Federal and NRC enterprise and information architectures.
  • Reduce risk by employing measures such as avoiding or isolating custom-designed components to minimize potential adverse consequences to the overall project; using fully tested pilots, simulations, or prototype implementations before going into production; establishing clear measures and accountability for project progress; and securing substantial involvement and buy-in from stakeholders throughout the project.
  • Be implemented in phased, successive segments, modules, or other useful units as narrow in scope and brief in duration as practicable, each of which solves a specific part of an overall mission problem and delivers a measurable net benefit independently of future segments or modules.
  • Adhere to the standards stated in the NRC's project management methodology, including the use of required artifacts.
  • Adhere to security standards, including the use of required artifacts.
  • Employ an acquisition strategy that allocates risk between Government and contractor, effectively uses competition, ties contract payments to accomplishments, and takes maximum advantage of commercial technology.

Annually, the NRC shall review and evaluate all existing IT investments, based on data collected through the Control process and procedures and evaluation results from the Evaluate process and procedures, to determine whether each investment meets the following criteria for reselection and funding:

  • The investment continues to meet business needs and expected performance goals.
  • Business needs and expected performance goals can be met more cost-effectively by enhancing or modifying the investment than by replacing it.
  • The investment's current risk management plan and risk log show effective risk mitigation, including management and closing of cybersecurity risks identified through continuous monitoring, as listed on the investment's plan of actions and milestones.
  • The investment adheres to projected costs and expected benefits throughout its life cycle.

Control

The purpose of the Control process is to ensure that, as projects develop and expenditures continue, the investment and its associated projects and activities continue to meet mission or business needs at the expected levels of cost and risk. The key objectives are (1) to ensure that corrective actions are taken quickly to address any deficiencies in project or operational components, and (2) to enable the NRC to adjust its objectives for an investment and to appropriately modify expected outcomes if mission or business needs have changed.

The Control process and procedures encompass various tools and techniques for monitoring and reporting on the performance of IT investments and the risks associated with them. These are key to obtaining high-quality data on the status of project costs and schedules, the status of risks (including plans of actions and milestones), and investment performance, to inform decisions on changes to investments, projects, or the portfolio. The Control process and procedures include the annual Major IT Business Case updates and submissions, monthly reviews and CIO evaluations for major IT investments, quarterly portfolio reviews, major IT investment control reviews, and CIO TouchPoints. Data and information collected while monitoring investments provide input for the evaluation of investments and support OMB reporting requirements.

Evaluate

The purpose of the Evaluate process is to compare the actual and expected benefits and costs of each investment or project, so as to determine its return on investment, customer satisfaction, and value to the NRC in meeting mission and business needs. The key objectives are as follows:

  • Assess the capacity of a project or investment to meet performance expectations within cost and schedule thresholds and in compliance with IT policies.
  • Identify any needed changes to an investment or its associated projects or activities.
  • Update IT investment management policies, processes, and procedures based on lessons learned.

The Evaluate process and procedures are used to analyze IT investment data to support the decisionmaking required to maximize the value of IT investments and the maturation of the IT portfolio and IT management practices. This entails analyzing the results of annual operational analyses, post-implementation reviews, and TechStats, as needed. Although each of these tools helps inform the selection, reselection, and deselection of projects and investments within the IT portfolio, the operational analysis is paramount. The NRC has based its operational analysis on the requirements stated in the Capital Programming Guide, Section III, Management In-Use. The operational analysis provides a periodic, structured assessment of cost, performance, and risk trends over time to help determine when the costs and risks of an investment are no longer reasonable and outweigh the value the investment offers.
