ML22021A982

Capital Planning and Investment Control
ML22021A982
Issue date: 01/21/2022
From: Governance & Enterprise Management Services Division
To: Valencia S
Shared Package: ML22021A940


Text

U.S. Nuclear Regulatory Commission
Capital Planning and Investment Control
Office of the Chief Information Officer
Capital Planning and Investment Control Team
Version 3.1
January 2022

Revision History

Date: 12/28/2015
Version: 1.0
Summary of changes: Updated Capital Planning and Investment Control (CPIC) processes to include new requirements from the Federal Information Technology Acquisition Reform Act (FITARA) and to reflect internal organizational changes. This document supersedes previous CPIC process documentation and supplements the document Capital Planning and Investment Control Policy and Overview posted on the NRC IT Policy Archive at nrc.gov. Agencywide Documents Access and Management System (ADAMS) Accession No. ML15260A904.
Author: Vickie Smith, OCIO/PMPD/IPMB
Approved by: Darren Ash, CIO

Date: 12/31/2017
Version: 2.0
Summary of changes: Revised CPIC process to include updates to information technology (IT) governance, a new Select phase, additional Chief Information Officer (CIO) roles and responsibilities in incremental development, various updates from the budget year 2019 IT Budget–Capital Planning Guidance, modifications to the CIO evaluation process, appendix updates, and other minor updates. ADAMS Accession No. ML17349A083.
Author: Leah Kube, OCIO/GEMS/PIMB
Approved by: Dave Nelson, CIO

Date: 12/26/2018
Version: 2.1
Summary of changes: Revised CPIC process to correct typographical errors, update the Select and Evaluate processes, and make other minor updates. ADAMS Accession No. ML18360A461.
Author: Leah Kube, OCIO/GEMS/PIMB
Approved by: Dave Nelson, CIO

Date: 12/31/2019
Version: 2.2
Summary of changes: Revised CPIC process to correct typographical errors, update the Select process, decouple the Monthly Updates and CIO Evaluations processes, and add standard investments to the Monthly Updates and CIO Evaluations processes.
Author: Leah Kube, OCIO/GEMS/IPSMB
Approved by: Dave Nelson, CIO

Date: 12/8/2020
Version: 2.3
Summary of changes: Updated the following processes and process areas: Preselect, Execution Year Changes. Made formatting and typographical changes.
Author: Lance Breeden, Sandra Valencia, OCIO/GEMS APIB
Approved by: Dave Nelson, CIO

Date: 1/31/2022
Version: 3.1
Summary of changes: Revised CPIC process to correct formatting and typographical errors.
Author: Jack Roscoe, Sandra Valencia, OCIO/GEMS/APIB
Approved by: Dave Nelson, CIO

Contents

Background
Purpose
The NRC's Information Technology/Information Management Governance
The NRC's Information Technology Investment Review Boards
The Information Technology/Information Management Portfolio Executive Council
The Information Technology/Information Management Board
Capital Planning and Investment Control
Select Process: Screen, Compare, and Choose
Preselect and Select Phases
Key Concepts of the Preselect and Select Phases
Roles and Responsibilities
Process Mechanisms
Preselect and Select Phase Artifacts
Process Diagram Key
Preselect Phase Process Overview
Select Phase Process Overview
Business Case Development and Portfolio Selection Processes
Prioritization and Funding Processes
Reselection and Deselection Processes
Control Process versus Evaluate Process
Control Process: Monitor, Inform, and Correct
Major Information Technology Investment and Standard Investment Monthly Reviews
Major Information Technology Investment and Standard Investment Chief Information Officer Evaluations
Quarterly Investment and Portfolio Reviews
Major Information Technology Investment Control Reviews
Chief Information Officer TouchPoints
Evaluate Process: Learn, Recommend, and Adjust
Postimplementation Reviews
Operational Analysis
Appendix A: The U.S. Nuclear Regulatory Commission's Information Technology Portfolio Structure
Appendix B: Information Technology Budget Certification and Approval
Appendix C: Related Definitions
Appendix D: Index of Figures and Tables
Figures
Tables

Background

Capital planning and investment control (CPIC) for information technology (IT) investments refers to a decision-making process that ensures IT investments integrate strategic planning, budgeting, procurement, and management of IT in support of agency missions and business needs.[1] The Clinger-Cohen Act of 1996 (CCA) requires Federal agencies to use disciplined CPIC processes to acquire, use, maintain, and dispose of IT assets. Specifically, the CCA mandates that an agency's CPIC processes (1) provide for the selection, control, and evaluation of agency IT investments, (2) integrate with the processes for budget, financial, and programmatic decision-making, (3) include minimum criteria for whether to undertake an IT investment, (4) identify IT investments that would result in the sharing of benefits or costs with other Federal agencies or State or local governments, (5) provide means for quantifying the net benefits and risks of IT investments, and (6) allow for senior management to obtain timely information on an investment's progress. To meet these requirements, CPIC relies on three distinct, yet interdependent, sets of processes: Select, Control, and Evaluate.

The Federal Information Technology Acquisition Reform Act (FITARA), enacted on December 19, 2014, established additional requirements. The OMB issued guidance on implementing FITARA in Memorandum M-15-14, Management and Oversight of Federal Information Technology, dated June 10, 2015. FITARA strengthens the CCA by empowering Federal Chief Information Officers (CIOs) with increased oversight for (1) budget planning, (2) governance structures, (3) portfolio risk management, (4) hiring practices within IT offices, (5) data center consolidation planning and execution, and (6) reporting of progress and metrics to the OMB. Building on the CPIC requirements of the CCA, FITARA establishes the Common Baseline for IT Management, which defines the roles and responsibilities of the CIO and other senior agency officials while ensuring that the CIO retains accountability.

To assist agencies in meeting CCA and FITARA requirements, the OMB issues the document IT Budget–Capital Planning Guidance annually as part of OMB Circular A-11, Preparation, Submission, and Execution of the Budget, and maintains its supplement, the Capital Programming Guide,[2] to help agencies implement CPIC processes. OMB Circular A-130, Managing Information as a Strategic Resource, dated July 27, 2016, provides additional guidance. The OMB updates these circulars based on current, relevant statutes and Executive orders. The CCA, FITARA, and associated OMB guidance serve as the basis for CPIC policy, processes, and procedures at the U.S. Nuclear Regulatory Commission (NRC).

The NRC's CPIC policy, set forth in Capital Planning and Investment Control Policy and Overview, issued November 2020, is available on the NRC IT Policy Archive at https://www.nrc.gov/.

[1] The Office of Management and Budget (OMB) defines CPIC in the Integrated Data Collection Common Definitions (see 40 U.S.C. 11302 for statutory requirements).

[2] The Capital Programming Guide can be found at https://www.whitehouse.gov/wp-content/uploads/2018/06/capital_programming_guide.pdf.

Purpose

This document describes the NRC's CPIC processes and explains how they support the NRC's IT/information management (IM) governance. This includes the flow of inputs and outputs between the three distinct, yet interdependent, sets of CPIC processes: Select, Control, and Evaluate. This document supplements Capital Planning and Investment Control Policy and Overview by describing associated tools, techniques, and artifacts. The Capital Planners in the Office of the Chief Information Officer (OCIO) develop and maintain working documents detailing the step-by-step procedures used to implement the CPIC processes.

The NRC's Information Technology/Information Management Governance

The NRC's CPIC processes are critical to the management and oversight of the agency's IT/IM resources because they provide executive decisionmakers with high-quality information and recommendations on IT investments for inclusion in the agency's IT portfolio. IT investment management comprises the NRC's CPIC and IT budget processes and is part of the agency's integrated IT/IM governance framework. The NRC's CPIC processes support the CIO's involvement in relevant governance boards and ensure that IT investments integrate and adhere to the framework's other disciplines: (1) strategic planning and enterprise architecture (EA), (2) project management methodology (PMM), and (3) information and records management quality principles.

The NRC's CPIC processes also ensure review of IT investments, throughout their life cycle, for compliance with the internal cybersecurity standards set forth by the NRC's Information Security Directorate in OCIO and with the external cybersecurity standards mandated by the National Institute of Standards and Technology and the U.S. Department of Homeland Security.

The NRC's Information Technology Investment Review Boards

The NRC uses investment review boards to ensure that IT investments are reviewed at the appropriate levels of the organization. The review boards encompass strategic business planning (which occurs at the executive level), program-level systems planning (which occurs across program offices), and technical architecture review (which occurs within OCIO). The two investment review boards are the IT/IM Portfolio Executive Council (IPEC) and the IT/IM Board (ITB).

The Information Technology/Information Management Portfolio Executive Council

The CIO and the Chief Financial Officer (CFO) serve as the cochairs of the IPEC. The IPEC is an executive-level IT governance body established to determine the NRC's strategic direction for IT/IM and to manage the agency's IT portfolio by setting priorities for the current fiscal year (FY) and determining the funding of IT investments that effectively integrate into the IT portfolio, as mandated by the CCA, OMB Circular A-130, the Federal Information Security Management Act of 2002, and other Government requirements. The IPEC has established roles, responsibilities, and processes consistent with those required by FITARA. In addition to the IPEC cochairs, voting members include the Chief Acquisition Officer, Chief Human Capital Officer, and Chief Information Security Officer (collectively referred to as the CXOs); the directors of the major program offices; and a Regional Administrator to represent all NRC regional offices. The directors of the major program offices also serve as business line leads in budget formulation and execution and as functional/business sponsors of IT investments. IPEC members are able to provide insight into organizational funding needs and describe how unavailability of funding would affect the agency's mission. They can also provide valuable input on the many aspects of the NRC's mission and business needs. Jointly, IPEC members provide an enterprise perspective on what is in the best interest of the agency and its mission. The IPEC has the following responsibilities:

  • Decide IT/IM direction, values, information security activities, and the agency's risk tolerance for IT activities to achieve strategic program objectives.
  • Approve major investments that will effectively integrate into the IT portfolio.
  • Ensure that the agency's capital plan supports the NRC's priorities.
  • Review the IT portfolio throughout the budget life cycle, such as budget formulation, including formulation of the Major, Unfunded, and Lower Priority lists, and budget execution, to address emergent fact-of-life priorities.
  • Oversee the execution of the portfolio by reviewing portfolio health on a quarterly basis against established direction, values, and risk tolerance.
  • Communicate IPEC discussion and decisions to other NRC boards and committees.

The Information Technology/Information Management Board

The CIO established the ITB as a management-level board to review and recommend changes to the NRC's IT portfolio based on the agency's mission and business needs. The mission of the ITB is to align IT investments and technology standards with the NRC's strategic plan and architecture portfolio; provide resource, investment, and priority recommendations to the IPEC; and ensure that IT investments are consistent with the agency's direction as set by the IPEC.

The ITB reviews new proposals and current IT investments to ensure the following:

  • alignment with IPEC priorities, the agency's strategic direction, and budget
  • ability to integrate into the NRC's IT architecture
  • conformance with technology standards
  • identification of potential risks to the NRC environment

The ITB employs subject-matter experts (SMEs) for technical reviews. The NRC's CPIC processes and team also support and facilitate ITB reviews. The Capital Planners work closely with the integrated program/project teams (IPTs) of existing investments to execute Control and Evaluate processes that inform ITB reviews. ITB reviews can result in minor corrective actions or in recommendations to the IPEC for matters warranting an executive decision.

To support ITB reviews of new proposals, the Capital Planners facilitate SME reviews, the Preselect process, and the Select process, based on input from office-level stakeholders. The Capital Planners ensure that proper facilitation occurs throughout the IT governance process and that the most viable solution to meet the business need is considered for inclusion in the NRC's IT portfolio. As the secretariat of both the IPEC and the ITB, the Capital Planners facilitate the meetings of both boards and act as a channel for communicating information, recommendations, and decisions between boards and among stakeholders.

Capital Planning and Investment Control

Recognizing that IT investment management is dynamic, the NRC continuously monitors and evaluates the investments in its IT portfolio to ensure that they effectively and efficiently support the agency's mission and strategic goals. The NRC's CPIC processes are designed to facilitate sound IT governance and the maturation of the agency's IT investment management.

The NRC's CPIC model, depicted in Figure 1, relies on three distinct, yet interdependent, sets of processes: Select, Control, and Evaluate. All three are applied concurrently to an IT investment once it becomes part of the NRC IT portfolio. After an investment's initial funding in the Select process, it repeatedly undergoes the Control and Evaluate processes for review and reselection until it is determined to have come to the end of its life, at which point it is decommissioned and removed from the portfolio.

Figure 1 Flow of data between CPIC processes

Select Process: Screen, Compare, and Choose

Preselect and Select Phases

The purpose of the Preselect and Select phases of the NRC's IT investment life cycle is to identify and prioritize requests for new or enhanced IT capabilities to support the NRC's mission and needs at acceptable levels of risk and cost. The key objectives of these phases include the following:

  • identifying and evaluating the efficacy of proposed IT investments in relation to the agency's mission and its strategic plans and priorities
  • assessing the risks and returns of each proposed new or enhanced IT capability before committing funds
  • validating the proposed investment's alignment with the agency's EA
  • selecting those IT investments that will best support the agency's mission needs

As Figure 2 illustrates, the Preselect and Select phases integrate with a wide range of organizational functions and processes designed to ensure that the agency uses its IT funding as effectively as possible.

Figure 2 Preselect and Select phase process integration summary

During the Preselect and Select phases, current and potential IT capabilities are assessed from business and technical perspectives to validate their efficacy and cost relative to potential alternatives. In conjunction with the activities of the Control and Evaluate phases, this assessment forms a critical pillar supporting the continuous evolution and optimization of the agency's IT portfolio.

Key Concepts of the Preselect and Select Phases

The following concepts are crucial to understanding and participating in the agency's Preselect and Select phase processes:

  • drivers for proposed additions to, enhancements of, or retirements from the IT portfolio
  • phase outcomes, including selection, reselection, and deselection of IT capabilities
  • portfolio selection versus funding prioritization

Drivers for Proposed Additions to, Enhancements of, or Retirements from the IT Portfolio

The following are some of the internal and external factors driving proposals for new or enhanced capabilities and retirement of existing capabilities:

  • changes in the agency's broader mission and support objectives
  • evolving business and technical strategies
  • changes or priority shifts in the agency's required mission capabilities
  • changes in statutory and regulatory requirements
  • new or updated Federal mandates
  • trends in the nuclear materials industry
  • evolution of vendor technologies and technical approaches that enable cost reductions, performance improvements, or innovation
  • sunsetting of vendor support for legacy systems or solutions

Because of these factors, the NRC needs to continually assess and review current and potential IT capabilities, select new IT investments, and analyze new technologies that may increase its efficiency or effectiveness.

Phase Outcomes: Selection, Reselection, and Deselection of IT Capabilities and Enhancements

The Select phase results in three primary outcomes for existing or proposed IT capabilities or enhancements:

(1) Selection is the approval of the addition of a new capability or an enhancement to an existing capability.

(2) Reselection is the approval of continued investment in and operation of an existing capability or an ongoing enhancement, which may include one or more proposals for desired additional enhancements.

(3) Deselection is the cancellation or decommissioning of an existing capability or an ongoing enhancement.

The agency's IT portfolio is modified to reflect the outcome for each investment considered in the Select phase, and funding is adjusted when appropriate.

Portfolio Selection versus Funding Prioritization

Selection or reselection of an IT capability or enhancement is only an initial step in the Select phase. The funding requirements of the agency's full IT portfolio generally exceed the funding available; therefore, the agency uses a prioritization process to rank the investments in the portfolio. This enables agency leadership to continuously align the NRC's IT capabilities with the agency's priorities.

Roles and Responsibilities

The Preselect and Select phases require a multidisciplinary team of functional roles across the agency's mission and corporate support organizations. Table 1 summarizes the primary functional roles associated with these phases.

Table 1 Primary Functional Roles of Multidisciplinary Team

ROLE: Agency IT Budget Lead
RESPONSIBILITY:
  • Supports the assignment and adjustment of funding to selected IT capabilities and enhancements within the IT budget, consistent with the agency's budget processes and CIO decisions.

ROLE: Business Sponsor
RESPONSIBILITY:
  • Serves as manager or executive leader to advocate for, and to authorize, proposed IT capabilities or enhancements for one or more organizational components.
  • For enterprise technologies, may be the CIO.

ROLE: Business Stakeholder
RESPONSIBILITY:
  • Uses agency IT capabilities to execute mission or corporate support functions and processes.
  • Identifies current or potential needs, issues, and opportunities that may be addressed by introducing IT capabilities or modifying existing capabilities.
  • Is directly or indirectly affected if a proposed IT investment is accepted and implemented.

ROLE: Service Owner
RESPONSIBILITY:
  • Helps evaluate whether a proposed IT capability or enhancement supports mission objectives without placing undue burden on the NRC staff in completing related tasks, or whether it is likely to yield the expected benefits.

ROLE: Capital Planner
RESPONSIBILITY:
  • Supports and oversees the end-to-end IT investment life-cycle phases, including selection, control, and evaluation of current and proposed IT capabilities or enhancements.
  • Maintains the IT portfolio to reflect the current and planned IT investments, systems, and services and their associated activities.
  • Facilitates external reporting to the OMB as required by Federal mandate.

ROLE: CIO
RESPONSIBILITY:
  • Works alongside agency leadership to define the strategic priorities for IT and to formalize assumptions about the EA and the availability of financial resources.
  • Serves as the primary approval authority on Select decisions and is accountable for the IT portfolio.

ROLE: Contract Specialist/Officer
RESPONSIBILITY:
  • Supports the planning or identification, or both, of acquisition channels using existing or planned contract vehicles.
  • Manages the acquisition processes in conjunction with selection and funding processes.
  • May also act as contracting officer for any resulting contracts.
  • Ensures that requested products and services are procured.

ROLE: Technical Review Team/Enterprise Architect
RESPONSIBILITY:
  • Helps evaluate whether a proposed capability or enhancement demonstrates a projected best value, by analyzing quantitative and qualitative benefits and costs and calculating whether the projected return on investment equals or exceeds that of alternative uses of available public resources.
  • Helps ensure that proposed capabilities and enhancements are consistent with applicable Federal and NRC enterprise and information architectures.
  • Evaluates whether proposed technologies or methods mitigate risks, for example, by avoiding or isolating custom-designed components to minimize the impact of their potential failure on the overall project.

ROLE: IT Program Manager/Lead
RESPONSIBILITY:
  • Manages the Intake process during the Preselect phase and supports activities in Select phase.
  • Acts as a critical liaison between the business organization and OCIO roles and services, supporting all aspects of the Select phase.
  • Develops or leads the development of key artifacts associated with the Preselect and Select phases.
  • Supports the presentation and discussion of current or proposed IT capabilities or enhancements from the perspective of functional and technical requirements and solutions.
  • Acts as office/system IT Budget Lead.

ROLE: Information and Records Management Analyst
RESPONSIBILITY:
  • Confirms whether proposed IT capabilities or enhancements adhere to records management requirements and standards.
  • Ensures that all required planning artifacts are made available for review and historical records.

ROLE: Information Security SME
RESPONSIBILITY:
  • Assesses whether proposed IT capabilities or enhancements adhere to computer security requirements and standards.
  • Ensures that all required planning artifacts are made available for review and historical records.

ROLE: ITB
RESPONSIBILITY:
  • Represents the broader agency perspective when contemplating specific IT proposals.
  • Reviews and provides input on the agency's proposed portfolio selections as a whole.

ROLE: IPEC
RESPONSIBILITY:
  • Provides executive-level engagement in the management and governance of the IT portfolio through collaboration with and feedback from the CIO.
  • Serves as the initial approval authority for the annual agency IT budget submission.

ROLE: Office IT Budget Lead
RESPONSIBILITY:
  • Manages an office's IT budget processes and acts as a key interface between office leadership and OCIO throughout the budget cycle.
  • Submits budget requests and adjustment requests related to an office's existing and planned IT capability requirements.
  • May be an office/functional IT PM/Lead.

ROLE: Technical SME
RESPONSIBILITY:
  • Provides solution-level input on the recommended configuration of IT assets, alignment of the proposed solution to technology and service standards, technical feasibility, and application of new or specialized technologies.
  • Advises the Enterprise Architect on proposed and approved changes to the technical architecture.
  • Technical subject-matter areas include, but are not limited to, network, data center, and cloud infrastructure; mobility; Web content; and information and communication technology accessibility (compliance with the Section 508 Amendment to the Rehabilitation Act of 1973).

The process diagrams shown across the Preselect and Select phases give the specific activities for each of these roles.

Process Mechanisms

The NRC uses several mechanisms, summarized in Table 2, to execute the steps of the Preselect and Select phase processes. These mechanisms are designed to facilitate and standardize the processes across the agency.

Table 2 Mechanism to Perform Identified Steps for Preselect and Select Phase Processes

MECHANISM: ADAMS
DESCRIPTION:
  • The Agencywide Documents Access and Management System (ADAMS) is the agency's repository and primary publication mechanism for official records.
  • Although the processes do not explicitly state this, all documents used across the Preselect and Select phases are filed in ADAMS once processed.

MECHANISM: E-mail
DESCRIPTION:
  • E-mail is used when the primary goal is to transmit information, and the mechanism for transmittal is through the agency's e-mail system.

MECHANISM: FEDPASS
DESCRIPTION:
  • FEDPASS is the agency's Web-based repository of IT portfolio information; it helps connect budget information to different dimensions of the portfolio.
  • FEDPASS is also used to automate certain IT governance-, portfolio-, and budget-related activities, providing forms for data capture, routing, tracking of approvals, and reporting.

MECHANISM: Microsoft Word and Excel
DESCRIPTION:
  • Microsoft Word and Excel are used for form or worksheet templates for populating, saving, and routing information through e-mail or uploading it to SharePoint.

MECHANISM: Meetings
DESCRIPTION:
  • Meetings are live or virtual discussions to convey information, collect feedback, or secure a decision.

MECHANISM: NRC System Inventory Control Database (NSICD)
DESCRIPTION:
  • The NSICD is the authoritative repository for the agency's inventory of systems, including system names, abbreviations, numbers, and descriptive information. All existing and planned systems must be recorded in the NSICD. System types include, but are not limited to, application, system/security boundary, and service.

MECHANISM: PMM 2.0
DESCRIPTION:
  • PMM 2.0 is an agency repository for IT project information that is used for planning and executing IT projects.

MECHANISM: Remedy
DESCRIPTION:
  • Remedy is the agency's ticket tracking system.
  • The NRC uses Remedy's workflow capabilities to track the Intake process during the Preselect phase and integrate it with Select phase and IT Purchasing processing.
  • The NRC uses Remedy's built-in workflows to track IT Purchasing across the agency so that the staff can monitor the status of its requests.

MECHANISM: SharePoint
DESCRIPTION:
  • SharePoint is a Web-based portal for capturing and transmitting information through Web forms or for uploading documents to a centralized site or repository.

MECHANISM: Strategic Acquisition System
DESCRIPTION:
  • The Strategic Acquisition System is the agency's centralized procurement system, used to execute acquisition and contract processes and manage their associated funding.

Preselect and Select Phase Artifacts The Preselect and Select phases create and use a wide range of artifacts, including work products, deliverables, and reports, to facilitate processes, establish formal records, and share information internally and externally. The following are the primary artifacts created during these phases:

  • Selection decisions are formal decisions to select, reselect, or deselect specific capabilities, resulting from the agency's governance and executive decision processes.
  • The Agency IT Portfolio Summary describes the agency's selection of IT capabilities and enhancements; it includes all IT-related investments, and it documents all changes to the NRC's IT portfolio structure or IT budget resulting from the addition or removal of any IT capabilities or enhancements.

Selection Decisions

During the Preselect and Select phases, several key decision points are captured and recorded, including the following:

  • the Business Sponsor's approval or denial to proceed with the development of a full business case based on an initial evaluation of a potential IT capability or enhancement
  • the CIO's approval or denial of the selection of a business case for a potential IT capability or enhancement
  • the CIO's approval or denial of the reselection into the portfolio, or deselection from the portfolio, of a current IT capability or enhancement

In addition to the key decision points, governance recommendations and business and technical analyses are captured to complete the decision record for each potential or current investment.

IT Portfolio Summary

The Agency IT Portfolio Summary provides a description, basic categorization, and budgetary information for all IT investments; it is used to budget for, and to track and report expenditures on, all agency IT resources, including full-time-equivalent (FTE) personnel. The Agency IT Portfolio Summary is an OMB-required CPIC document that the NRC submits with its overall budget. As well as providing a way for the NRC to request funding for, and report actual spending on, its IT investments, the Agency IT Portfolio Summary allows the NRC and the OMB to review trends and analyze both individual investments and the overall portfolio.

The updated guidance in Section 55 of OMB Circular A-11 specifies the information to be included in the Agency IT Portfolio Summary. The OMB's annual IT Budget - Capital Planning Guidance gives further details, listing the requirements and data to be reported for each investment in the Agency IT Portfolio Summary (formerly known as Exhibit 53).

The Agency IT Portfolio Summary covers all agency IT resource costs, as well as breakouts of certain costs as dictated by the OMB (e.g., summaries of the NRC's total provisioned IT spending and total infrastructure spending). For every submission, funding levels reported in the Agency IT Portfolio Summary must be consistent with program-level funding and agency summary funding tables, as provided to the OMB in the agency's overall Performance Budget submission.

The NRC submits the Agency IT Portfolio Summary and required spending summaries to the OMB twice in each FY. These documents include information and funding levels for all IT investments during the 3 years of the current budget cycle: (1) prior year (PY), (2) calendar year (CY), and (3) budget year (BY). The purpose of the first submission, in September of each year, is to make a preliminary budget request for the BY. The second submission, in January of each year, reflects changes based on OMB feedback (commonly referred to as passback) on the preliminary budget request; it also includes actual expenditures for the PY.

The NRC submits its Agency IT Portfolio Summary on the following expected schedule:

  • last week of August: submission of draft Agency IT Portfolio Summary
  • early September: submission of Agency IT Portfolio Summary (including Provisioned IT Spending Summary and IT Infrastructure Spending Summary)
  • early January: submission of Final President's Budget Agency IT Portfolio Summary (including Provisioned IT Spending Summary and IT Infrastructure Spending Summary)

The NRC's Capital Planners are responsible for completing the Agency IT Portfolio Summary and spending summaries and submitting them to the OMB (with CIO concurrence), and for establishing and maintaining procedures for the Agency IT Portfolio Summary submissions. This requires close coordination with the Office of the Chief Financial Officer (OCFO) to align the deliverables with the overall agency budget process and budget justification materials submitted to the OMB by OCFO.

Process Diagram Key

The Preselect and Select phases are segmented into individual processes, as summarized in the following sections. Figure 3 provides a key for the process diagrams in each section.

Figure 3 Process diagram key

The process diagrams illustrate, at a high level, the processes that the NRC follows within the Preselect and Select phases. These processes are supported by detailed procedures.

Preselect Phase Process Overview

The Preselect phase focuses on the discovery and initial evaluation of potential opportunities to apply IT within the agency to add business value; it may result in the development of proposals for new or enhanced technologies. The Preselect phase processes also help ensure that the NRC is performing due diligence in the initial documentation and communication of proposals to modify the IT portfolio.

As summarized in Figure 4, the Preselect phase may include iterative discussions with a wide range of stakeholders to define requirements and broadly identify potential capabilities or solutions that could satisfy the requirements.

Figure 4 Preselect phase process summary

With support from the agency's Technical Review (Intake) Team and Enterprise Architect(s), business needs and potential IT opportunities are elaborated to define the basic capability or enhancement desired by the agency. One output of the Preselect phase may be a recommendation to move forward with developing a full business case for new or enhanced IT capabilities, to initiate the Select phase processes.

Primary Sources for New IT Capabilities or Enhancements

Although the introduction and proposal of new or enhanced IT capabilities may arise from a wide range of sources, the primary sources are the following:

  • planning for the introduction of new enterprise and infrastructure capabilities
      - examples: opportunities to increase efficiency or improve service performance through infrastructure modernization, new security capabilities, or cross-cutting systems such as e-mail or document management
  • mission or support office requirements for new capabilities to address current or anticipated business requirements
      - examples: changes to a system to address emerging regulatory needs or an enhancement to unify disparate corporate systems into one application
  • ideas, requests, or feedback captured through customer outreach or service delivery that suggest a change in the system or service portfolio
      - examples: reviews of service ticket feedback that identify a need for improved self-service capabilities, or new requirements identified through community-of-practice meetings
  • technical refreshes or upgrades of hardware or software led by vendor-driven innovations or end-of-life support termination

Regardless of the source, the NRC requires that a business case accompany all recommended changes to the IT portfolio or to the approved architecture through the Intake process. The business case should describe (in progressively elaborated detail) the intended value, recommended approach, expected cost, return on investment, and projected risks associated with the proposed change to the IT portfolio.

Preselect Phase Input Types

Proposals for new or enhanced IT capabilities may come in many forms, including potential reductions in or elimination of existing capabilities, and changes in the methods and approaches used to deliver or manage IT services. Table 3 summarizes the various types of requests (inputs) that may ultimately initiate the Select phase processes.

Table 3 Request Types and Select Phase Processes

INPUT TYPES | PROCESSES
New Systems or Solutions | New Services or Utilities
Functional Enhancements to Existing Systems or Solutions | New or Revised Service Approaches or Methods
System or Solution Retirement/Decommissioning | Termination of Existing Services
Consolidation of Multiple Systems or Solutions | New or Revised Approaches to Maintenance or Warranties
System or Solution Platform Migration | Changes to Agency Data Types, Models, and Sources
IT Asset Refreshes or Upgrades |

Although frequently integral to the eventual delivery of IT capabilities, acquisition and contracting approaches and vehicles are not themselves considered IT capabilities; their selection and revision follow related, but separate, processes.

Preselect Phase Process

Figure 5 summarizes the Preselect process, which includes both triage and screening to identify, quickly evaluate, and promote for further planning the IT capability or enhancement ideas having the greatest value to the agency.

Note: This process is being revised.

Figure 5 Needs identification and initial solution planning

General IT users or stakeholders can request an IT capability or enhancement by submitting an Intake Request form, which initiates internal discussions of whether additional analysis and planning is warranted. An agency IT program manager (PM)/lead can initiate a request by submitting a New/Enhanced Capability Request form, which describes the business justification for the request. The form should clearly indicate the current state, desired future state, and initial recommendations or options for achieving the desired objectives. Submission of this form initiates the Intake process.

At least one of the agency's Enterprise Architects reviews the initial request to confirm alignment with the NRC's mission and technology objectives and strategies. Additionally, during this phase, a wide range of business and technical stakeholders may participate to help define the requirements and potential solutions. These include the following:

  • executive stakeholders
  • external stakeholders
  • service owners
  • project/program managers
  • business architects
  • system/solution owners
  • system/solution users
  • service owners
  • data architects
  • system/solution integrated team members
  • dependent or parent system/solution integrated team members
  • staff members
  • infrastructure service users
  • infrastructure service integrated team members
  • enterprise architects
  • security and privacy officers
  • OCIO Branch Chief Council

The roles involved in the Preselect process depend on the originator and the nature of the requirement. The agency's Enterprise Architect is responsible for ensuring that the appropriate individuals are engaged throughout the process.

Preselect Process Outcomes Summary

Based on the outcomes of initial reviews and discussions with the primary stakeholders, the Enterprise Architect submits a recommendation to the CIO as to whether to develop a full business case. If approved by the CIO, the request exits the Preselect phase and advances into the Select phase. At this time, the requesting business sponsor must sign off on the effort to proceed with the allocation of resources to develop a full business case.

Select Phase Process Overview

The agency segments the Select phase into three primary process groups:

(1) Group 1: business case development and selection processes
(2) Group 2: prioritization and funding processes
(3) Group 3: reselection and deselection processes

These processes are interconnected as illustrated in Figure 6.

Figure 6 Select phase process summary

The NRC's Select phase processes organize and integrate a range of business and technical functions and roles across the agency to help ensure that the IT portfolio is continuously optimized, due diligence is applied, and activities comply with agency and Federal standards and requirements.

Business Case Development and Portfolio Selection Processes

Following the approval to exit the Preselect phase, the agency executes three subprocesses for managing formal portfolio selection:

(1) the business case development process
(2) the business and technical review process
(3) the executive decision process

The development of a business case for desired investments in IT capabilities represents an important planning step to help ensure that changes to the IT portfolio are fully documented, vetted, and approved before they are funded, implemented, and used. The business case also serves as a control to minimize nonauthorized investment or deployment of IT capabilities within the environment. The subsections below describe each process in detail.

Business Case Development Process

The NRC's business case development process, as illustrated in Figure 7, encompasses several planning steps to help the agency's business and technical leadership articulate its requirements and proposed solution(s).

Figure 7 Business case development

Although the level of detail required for a business case depends on the scale, estimated cost, and expected impact of the investment, each business case is expected to include the following elements:

  • definition of the underlying business requirements
  • analysis of alternatives and their respective return on investment or net present value relative to the selected option
  • description of the proposed IT capability expected to address the business requirements
  • expected outcomes, benefits, or returns of the investment in the new or enhanced IT capability
  • identified business, technical, implementation, and operational risks
  • estimated life-cycle costs, including implementation, operation, retirement, and, if applicable, interim operation of legacy systems
  • planned approach for implementation and ongoing operation or delivery
  • general timing of the investment and realization of the expected benefits, inclusive of and compliant with incremental development mandates when appropriate (as described in the OMB's FY 2022 IT Budget - Capital Planning Guidance)

Additional information is available on business case development and its associated components.

Business and Technical Review Process

As illustrated in Figure 8, once a business case has been developed, it undergoes one or more technical, security, privacy, and records reviews to refine and finalize it before CIO review and approval.

Figure 8 Business and technical review

As previously noted in the section Roles and Responsibilities, the review is expected to verify whether the new capability or enhancement will do the following:

  • Adhere to internal and external policies and regulatory requirements.
  • Maintain an acceptable risk profile from the perspectives of security and privacy.
  • Adhere to, or further evolve, the agency's technical standards and approved technologies.
  • Deliver the expected benefits to its intended stakeholders.

The business case review process is also intended to validate and provide recommendations on the schedule, resource, and funding estimates so that approval is based on sound, experience-driven planning.

Executive Decision Process

After a business case undergoes the review process and any required updates, it is presented to the CIO (together with any recommendations or input resulting from the review process) for review and approval, as illustrated in Figure 9.

Figure 9 Executive decision process

Based on the proposed investment's potential impact, risk, or cost to the agency, the CIO may elect to present the business case to the IPEC for additional discussion and input before making a decision or conducting further review.

For proposed capabilities or enhancements that include development, the CIO will also confirm and certify the use of incremental development where appropriate, consistent with the OMB guidance current at the time of the review. The Capital Planners will record the CIO's certification in the agency's IT Portfolio Management System.

If the proposal requires, but does not leverage, incremental development, the CIO will request an update and resubmission of the business case consistent with the business case development process. The CIO may also request changes to the business case to address any other perceived weaknesses or opportunities for improvement, thus returning the business case to the development process.

Business Case Development and Portfolio Selection Outcomes Summary

The business case expands upon the Preselect phase's new capability request by describing the performance metrics, potential alternatives, projected life-cycle costs, estimated return on investment, risks, and assumptions of the proposed IT capability or enhancement. Evaluation, concurrence, and feedback from reviewers with functional expertise in EA, information security and privacy, infrastructure operations, accessibility, and IM are required to help ensure collective concurrence on the solution approach.

The review process is also used to identify and document any required exceptions to existing agency standards, assumptions about solution implementation, and prerequisites or dependencies of the solution. If approved, the business case is assigned a placeholder within the IT portfolio, and its future will be decided during the appropriate funding process.

Prioritization and Funding Processes

As previously stated, selection of an IT capability or enhancement means only an opportunity for funding; it does not guarantee that funding will be available or approved. Funding decisions are based not only on the relative value of a proposed investment, but also on the broader priorities of the agency and individual offices. Thus, some business cases may have to wait for additional or adjusted funding before proceeding.

Prioritization and funding decisions for selected business cases are made through three subprocesses:

(1) the portfolio and funding prioritization process
(2) the annual budget formulation process
(3) the execution year realignment/reallocation process

Although these subprocesses represent broader agency functions, they play a critical role in the Select phase as part of the agency's IT portfolio selection activities. The subsections below summarize each subprocess.

Portfolio and Funding Prioritization Process

To ensure that its IT investments are funded in accordance with their relative importance to agency mission functions, the NRC uses an IT portfolio prioritization process and the IT Roadmap to rank the business cases in the portfolio. As illustrated in Figure 10, this process is continuous and informs agency IT funding, strategic planning, and portfolio analysis.

Figure 10 IT portfolio prioritization

Prioritization is based on analyses of each investment's alignment with agency objectives and IT/IM strategic goals, the risks it would pose to agency operations, and its relative criticality (benefit) to agency operations, as summarized in Figure 11.

Figure 11 Portfolio prioritization approach

Throughout the year, as input to funding processes and as part of the continual evaluation of the IT portfolio, the relative priorities of the items in the portfolio are reassessed through the IT portfolio prioritization process.

Funding Selected Capabilities: Annual Budget Formulation Process

Once a business case is approved, the newly approved IT capability, enhancement, or activity is available for funding through one or more funding processes, including the agency's annual budget formulation process. As summarized in Figure 12, during this period, the agency and offices, including OCIO, may request funding for the approved items in the portfolio (internally described as budget items).

Figure 12 Funding request: annual budget formulation process

The annual budget formulation process defines the required resources (FTE and contract dollars) for the operations, maintenance, development, modernization, and enhancement of IT capabilities during the agency's BY, which is typically two future periods (years) from the present period. For example, budgeting for FY 2021 was expected to occur in FY 2019.

Funding Selected Capabilities: Execution Year Realignment/Reallocation Process

When resources are required sooner, offices may request an execution year realignment or reallocation. The execution year realignment/reallocation process is a way to right-size the resource needs while funding emergent fact-of-life requests in the current FY. As illustrated in Figure 13, this process enables authorized IT stakeholders and Service Area Manager to reexamine the portfolio and, where necessary, request adjustments based on changes to funding requirements and agency priorities, to enable the optimal use of IT resources in the year of execution.

The office first reviews its budget for the current FY to determine whether it has funding that can be reallocated. If not, then the office can request a reallocation from the IT Product Line during the OCFO Resource Review/Commission Shortfall Process. Finally, if funding within the Product Line is not available, the office can request a realignment or reallocation from its mission/program funds. If the funding requirement, also known as a shortfall, is $500,000 or more, the IT Product Line may prioritize the shortfall for Commission approval as part of the OCFO Resource Review Process.

Once the Commission approves the list of requests and the OCFO releases available funding, the funding may be used on the selected IT capabilities or initiatives, consistent with the funding prioritization process described earlier. Whether the funding is reallocated within the IT Product Line or between products across the agency, the CIO approves the change in funding with the IT Product Line. The CIO is responsible for formulating and executing funding decisions to support the agency's IT investments.

Figure 13 Execution year reallocation process

At its core, this process provides an opportunity to identify potential available funds to cover shortfall reallocation at the CIO's discretion. It is expected that, as the NRC moves into the execution year, it will possess more accurate resource and funding need estimates, also known as spend plans, enabling adjustments to the execution year's funding assignments. However, this process is not an opportunity to reintroduce proposals that have been previously rejected or deselected from the portfolio.

Figure 14 Funding request: execution year changes

The budget formulation and realignment processes do not replace or bypass the requirement for offices to propose new IT capabilities or enhancements through the agency's Preselect and business case development and portfolio selection processes, which must occur before any funding decisions are made.

Prioritization and Funding Outcome Summary

The overarching purpose of the prioritization and funding processes is to ensure that the agency directs its resources to meet its most critical IT requirements. To this end, the agency uses integrated funding processes to connect its available, but limited, IT resources to its business requirements across planning and execution of the IT portfolio. Investments that have been selected for the portfolio but cannot be funded remain on a shortfall list and are eligible for funding as new resources become available, consistent with their relative priority.

Reselection and Deselection Processes

Throughout the year, selected IT capabilities and projects are reviewed and evaluated during the Control and Evaluate phases based on information collected through their operation or execution. As summarized in Figure 15, the agency uses this information to determine whether to reselect the capability or project for continued investment or deselect (terminate) it.

Figure 15 Reselection and deselection processes

Based on review and evaluation results, the agency may adjust delivery or management approaches to improve the expected results of the capability or project. In these cases, the capability or project is considered reselected for continued investment, and any suggested changes to delivery or management are communicated to the appropriate business and technical personnel.

In some cases, the evaluation may indicate that a capability or project requires one or more enhancements to fully realize its expected benefits. In these cases, the capability or project is considered reselected pending the approval of the enhancement(s) through the previously described business case development and portfolio selection processes. In other cases, the capability or project may require only new or adjusted funding, which follows the previously described prioritization and funding processes.

The agency may also examine alternatives to an existing capability that might represent a better value from the perspective of cost, benefits, or risk. If a desired alternative is identified, a proposal for the alternative (including any decommissioning requirements) would undergo the Preselect and business case development processes.

A capability or project under evaluation may also be selected for termination, resulting in its deselection. In this case, termination planning and execution activities will be performed, usually funded by the existing funding source(s) for the capability or project.

The reselection and deselection processes represent only those activities within the Select phase that are related to the Control and Evaluate phase processes; they are not intended to encompass all Control and Evaluate activities. The sections on the Control and Evaluate processes below give full descriptions of those phases.

Reselect and Deselect Outcomes Summary

The Control and Evaluate processes jointly help the agency determine whether selected capabilities or enhancements meet or will continue to meet the following criteria for reselection and funding:

  • The capability or enhancement continues to meet business needs and defined performance goals, or it is expected to do so once complete.
  • For reselection with enhancements, the investment will meet business needs and expected performance goals with enhancements or modifications, and these are more cost-effective than replacing the investment.
  • Current risk management activities effectively mitigate business, technical, security, privacy, delivery, and other risks.
  • The investment adheres to projected costs and expected benefits throughout its life cycle.

If an IT capability requires a change or enhancement to be reselected, the proposal for the change will undergo the agency's business case development and portfolio selection processes.

Control Process versus Evaluate Process

As previously mentioned, CPIC comprises three distinct, yet interdependent, sets of processes that provide continuous management and oversight of individual investments and of the agency's IT portfolio. At any given time, CPIC processes are being simultaneously performed for four distinct FYs:

(1) the PY, for which actuals must be reported
(2) the CY, which is being executed
(3) the BY, for which a budget request has been submitted
(4) BY+1, for which the next budget request is being formulated

The main difference between the Control and Evaluate processes is that the former is mainly intended to monitor and inform during the CY, to allow for quick corrective actions that will prevent larger issues and ensure investment health. A midyear control review of major investments may provide input for certain Select process activities, such as restacking or reprioritization; however, most outputs inform Evaluate processes. The Control processes gather data throughout each FY that serve as input for the evaluation of investments and support the evaluation of the overall portfolio. The Evaluate processes use the data to perform postimplementation reviews (PIRs) and operational analyses (OAs), which include the evaluation of factors such as trends over multiple years of an investment's life cycle, end-of-life planning, dependencies among investments, opportunities for innovation, and efficiencies. The results of PIRs and OAs serve as input to the Select processes.

Table 4 lists the distinctions between the Control and Evaluate processes by FY.

Table 4 Control and Evaluate Process Distinctions

FY | CONTROL PROCESSES | EVALUATE PROCESSES
PY | Gather and record actuals (i.e., final costs, schedule dates, and metrics results) as input for Evaluate processes and report to the OMB. | Analyze data outputs from the Control process and other sources to perform PIRs and annual OAs for the prior FY.
CY | Monitor investments (monthly or quarterly), keep IT governance boards informed, and take minor corrective actions when necessary. Larger or more complex issues are escalated to the Evaluate process. | Use Control process data to evaluate current investment health and identify investments in need of deeper analysis or executive-level visibility. Perform a TechStat Accountability Session (TechStat) [3] on investments issues needing executive direction and decisionmaking.
BY | Help gather and record data needed for CPIC documents, and submit artifacts to the OMB. | Continuously evaluate changing business needs, agency priorities, and investment health to inform the Select process and budget requests.
BY+1 | Help gather and record data needed for the CPIC documents to be submitted to the OMB. | Continuously evaluate changing business needs, agency priorities, and investment health to inform the Select process and budget formulation.

Control Process: Monitor, Inform, and Correct

The purpose of the Control process is to ensure that, as projects develop and expenditures are made, each investment and its associated projects and activities continue to meet mission or business needs at the expected cost and risk levels. The key objectives are (1) to ensure quick corrective action to address any deficiencies in project or operational components, and (2) to enable the NRC to adjust investment objectives and modify expected outcomes if its mission or business needs have changed.

[3] The NRC's TechStat Policy and Process Overview, Version 1.1, issued November 2015, is available through the NRC's IT Policy Archive at https://www.nrc.gov/public-involve/open/digital-government/policyarchive/.

The Control process provides the data needed to monitor project costs and schedules, risks (including the plan of actions and milestones), and investment performance, to inform decisions on changes to investments, projects, or the portfolio. The tools and techniques used in the Control process include the following:

  • major IT business case submissions
  • major IT investment monthly reviews and CIO evaluations
  • nonmajor investment quarterly reviews
  • major IT investment control reviews
  • CIO TouchPoints

Data and information collected during the monitoring of investments provide input for investment evaluation, support executive decisionmaking, and ensure compliance with OMB reporting requirements.

Capital Planners are responsible for executing all Control processes. One Capital Planner, designated as the CPIC Lead, serves as the SME on capital planning guidance, major IT business case requirements, Control processes and procedures, and Federal IT Dashboard (ITDB) submissions. The CPIC Lead ensures that Control processes and procedures are documented, implemented, enforced, updated, and continuously enhanced.

Major Information Technology Investment and Standard Investment Monthly Reviews

Purpose

The major IT investment monthly reviews are performed to actively monitor NRC's major IT investments throughout the year of execution. The key objective is to ensure quick corrective action to address any deficiencies in project or operational components.

Description

The approved Major IT Business Cases, Major IT Business Case Details, and Standard Investment Reports provide the baseline for monthly reviews. The major IT investments and standard investments are monitored monthly throughout the year of execution, with the focus on tracking progress on project costs and schedules, risk mitigation, and operational performance.

This helps identify concerns early to allow for corrective action and risk mitigation. It also helps the agency meet reporting requirements. The OMB requires the Major IT Business Case Details and Standard Investment Reports to be updated on the ITDB as new information becomes available or at least monthly. Although the full Major IT Business Cases and Standard Investment Reports need only be submitted semiannually (during annual and passback submissions), IPT contacts and acquisition data should be updated whenever new information becomes available and can be submitted during a monthly submission.

In the first week of each month, the Capital Planners perform monthly reviews of their assigned major IT investments and standard investments to track and monitor progress, performance, and risk. The Capital Planners must review the Major IT Business Case Details and Standard Investment Reports and identify data that need to be updated, areas for improvement, and potential areas of concern (e.g., schedule delays, cost increases, failure to meet performance metrics).

The following key areas should be reviewed and monitored:

  • updates to the IPT
  • contract end dates
  • addition of new contracts
  • modifications to existing contracts
  • contract information alignment with the Federal Procurement Data System
  • project activity projected start date (evolving date)
  • project activity projected completion date (evolving date)
  • project activity projected total cost (evolving cost)
  • project activity actual start date (coming up, past due, or delayed)
  • project activity actual completion date (coming up, past due, or delayed)
  • project activity actual total cost (coming up, past due, or delayed)

After this initial review, the Capital Planners provide an initial assessment and inquiries to the investment project/program managers and request responses and new or updated data within 3 business days of receiving monthly invoices. The invoices and the results of performance metrics are due to the investment program managers by the 15th of each month. Once the Capital Planners receive the new or updated data and responses to any inquiries, they enter the data into the IT portfolio management and submission tool, validate the data, and run a comparison report. They send the detailed report and a submission confirmation report by e-mail to the CIO, highlighting any significant changes and requesting approval to submit the updates to the OMB. Once the CIO provides a final evaluation and approves the updates, the Capital Planners finalize the data in the CPIC tool and submit the updates to the ITDB.

Inputs

The IPTs (primarily the IT PMs) are responsible for providing up-to-date information about the investment, including, but not limited to, current data on the following:

  • IPT members
  • contracts
  • projects
  • activities
  • operational/performance metrics
  • operational/project risks
  • corrective actions
  • action items (i.e., ITB, IPEC, or TechStat action items)
  • Systems Inventory List

The IPTs and IT PMs are also responsible for responding promptly to any specific questions from the Capital Planners.

Deliverables and Timeline

Updates to the Major IT Business Cases and Standard Investment Reports should be made and submitted when new information becomes available or at least monthly.

Major Information Technology Investment and Standard Investment Chief Information Officer Evaluations

Purpose

The major IT investment and standard investment CIO evaluations are performed to actively monitor and assess investment health throughout the year of execution. The key objectives are (1) to ensure quick corrective action to address any deficiencies in project or operational components, and (2) to enable the NRC to adjust investment objectives and modify expected outcomes if its mission or business needs have changed.

Description

The approved Major IT Business Cases, Major IT Business Case Details, and Standard Investment Reports provide the baseline for CIO evaluations. The major IT investments and standard investments that had a previous CIO evaluation rating of 2 or lower are carefully monitored on a quarterly basis throughout the year of execution, with the focus on tracking risk management, requirements management, contractor oversight, performance management, human capital management, cybersecurity risks, and certain other areas.

The CIO evaluations are updated as new information becomes available, or at least quarterly for major IT investments and at least semiannually for standard investments. The CIO evaluation criteria are a set of CIO-approved questions that cover risk management, requirements management, contracts, performance management, human capital, cybersecurity, and other areas (e.g., EA, CPIC, records management). During the last month of each FY quarter, the Capital Planners meet with IT PMs to discuss the CIO evaluation questions. The Capital Planners also reach out to cybersecurity, EA, CPIC, and records management SMEs to discuss the CIO evaluation questions in their respective focus areas. All responses are entered in the CPIC tool, and each focus area is given a rating. The CPIC tool automatically provides a suggested rating for each investment and produces a variance report. All findings and proposed ratings are presented to the CIO the first month of each FY quarter. Upon CIO approval of the evaluations, the Capital Planners submit the investment-level ratings and comments to the ITDB.

Inputs

The IPTs (primarily the IT PMs) are responsible for providing up-to-date information about the investment, including, but not limited to, current data on the following:

  • risk management
  • requirements management
  • contractor oversight
  • performance management
  • human capital
  • cybersecurity
  • other areas (CPIC, EA, Records Officer)

The IPTs and IT PMs are also responsible for responding in a timely manner to any specific questions from the Capital Planners.

The CIO may provide additional input, such as an adjusted CIO evaluation, after reviewing the reports.

Deliverables and Timeline

CIO evaluations should be updated and submitted when new information becomes available or at least quarterly. The NRC TechStat Policy in the NRC IT Policy Archive gives more information about how CIO evaluations can trigger and inform TechStat reviews.

Quarterly Investment and Portfolio Reviews

Purpose

This process allows the CIO to see planned expenditures for IT investments at the contract and task-order levels and at all levels of the NRC's budget structure throughout the year of execution.

Description

Quarterly reports are generated using authoritative data from the following systems:

  • The Spend Plan module within the NRC's Budget Formulation System (BFS) tracks contract costs and projected funding needs based on planned spending combined with financial and contract information. The Spend Plan is a centralized, standardized tool that increases efficiency in budget execution planning and management.
  • The Financial Accounting and Integrated Management Information System (FAIMIS) is the NRC's core financial accounting system and the authoritative source for budget execution and fees for reimbursable work. FAIMIS also supports accounting for assets, liabilities, fund balances, revenues, and expenses in accordance with Federal standards.
  • The Human Resources Management System supports the submission, approval, and adjustment of employees' hours and the management of time, attendance, leave, and payroll processing.

OCFO requires contracting officer's representatives (CORs) in all offices to update their spending plans for active contracts on a quarterly basis for the upcoming 12 months.

Inputs

Quarterly investment and portfolio reviews are developed using the following inputs:

  • BFS spend plan reports
  • summary and detail-level forward funding information and comparisons of IT budgets against actual expenditures, generated using the FAIMIS Financial Analysis Reporting Suite
  • OCIO approvals and explanations for reallocations and emergent needs affecting the IT portfolio
  • reports from the BFS and/or the Human Resources Management System on FTE budgets and actual utilization during the year of execution
  • input from ITB representatives and contracting officer's representatives on identified anomalies

Deliverables and Timeline

As implemented in FY 2017, the quarterly investment and portfolio review process yields the following deliverables on a quarterly basis:
  • summary and detail-level reports to facilitate rebalancing decisions to accommodate emergent needs and reallocation requests in the subsequent quarter
  • documented explanations and decisions about discrepancies or anomalies identified during the quarterly review and assessed by both the ITB and the IPEC

OCIO conducts this review and presents the findings and recommendations to the IPEC on a quarterly basis.

The NRC TechStat Policy in the NRC IT Policy Archive gives more information about how quarterly investment and portfolio reviews can trigger and inform TechStat reviews.

Major Information Technology Investment Control Reviews

Purpose

Control reviews are used to identify and address issues early. As a result of these reviews, the ITB can issue minor corrective actions to IPTs or make recommendations to the IPEC on matters warranting an executive decision. The ITB can also assign action items, as appropriate (e.g., an action to update documentation or respond to requests for additional information).

Control review results are used as input to the annual OA and may inform CY budget reprioritization and reallocations.

Description

During each year of execution, the Capital Planners are required to conduct a thorough review of all major IT investments based on data sources such as monthly reviews, any PIRs, and any findings from the annual OA performed on the PY data. This review is to be done in collaboration with the respective IPTs, with the full engagement of any IT PMs who are executing and managing projects within the investment. Together, the Capital Planners, IPTs, and IT PMs present the control review findings to the ITB. The control reviews help the agency monitor, identify, and promptly address issues with performance, risk mitigation, costs and schedules, and current contracting plans or strategies. Although the focus is on the execution of current projects and their costs, schedules, and milestones, as well as the current burn rate for operations and maintenance, it is also important to present any significant findings from the previous year's OA and any PIRs of functionalities implemented during the previous or current FY.

Once all the data have been compiled and analyzed, any significant findings are presented to the ITB to increase transparency on major IT investments; inform all ITB members of the findings; provide a collaborative and open forum to discuss successes, risks, budgetary issues, and corrective actions; and implement governance over IT investments. The Capital Planner compiles and edits all significant findings with input from, and in conjunction with, the appropriate investment program managers. Subsequently, the Capital Planner helps compile the data, and the IT PMs present the data to the ITB.

Inputs

The deliverables from the following processes provide inputs into the control reviews:

  • major IT investment monthly reviews and CIO evaluations
  • OAs

Additional sources of information include the following:

  • current risk logs and progress on the plan of actions and milestones
  • customer satisfaction surveys, if applicable

Deliverables and Timeline

The major IT investment control reviews occur during the second and third quarters of each FY.

Ideally, these reviews should take place early enough in the FY to leave time for corrective actions, if needed. This would improve CY execution and support the annual business case updates that take place upon the release of the OMB's BY guidance around June or July.

CIO TouchPoints

Purpose

CIO TouchPoints keep the CIO well-informed and enable early mitigation or corrective actions when needed. These discussions support risk categorization and CIO evaluations of major IT investments, as required by FITARA. CIO TouchPoints are also another way for the CIO to maintain involvement in major programs and to influence planning and set the direction of the IT portion of major programs.

Description

CIO TouchPoints are one-on-one discussions between the NRC's CIO and the IPTs for major IT investments, especially IT PMs executing projects under the investments. Each CIO TouchPoint is a 60-minute session for open, candid discussion of items such as the status of milestones and deliverables, changes in cost and schedule, open risks, major accomplishments, investment challenges, future planning (CY, BY, and BY+1), and changes in business needs or acquisition strategies. The CIO will hold at least one CIO TouchPoint session per year for each major IT investment. More CIO TouchPoints may be scheduled at the CIO's discretion.

Inputs

The basis or starting point for these discussions is the authoritative data captured in the CPIC tool, especially as contained in the current Major IT Business Cases, Major IT Business Case Details, CIO Evaluations, and OA, as well as the latest version of the investment's required artifacts. The CIO informs the Capital Planner of the main topics of discussion for each investment, as appropriate.

Deliverables and Timeline

The CIO holds one CIO TouchPoint per year for each major investment and can request additional TouchPoints for any investment (major or nonmajor) at any time. CIO TouchPoints are scheduled around factors such as the timing of major milestones, deliverables, and corrective actions.

Evaluate Process: Learn, Recommend, and Adjust

The purpose of the Evaluate process is to compare actual versus expected benefits and costs of IT investments and projects to assess return on investment, customer satisfaction, and value to the NRC in meeting its mission and business needs. The key objectives are as follows:

  • Assess the capacity of a project or investment to meet performance expectations within cost and schedule limits and in compliance with IT policies.
  • Identify any modifications needed on an investment (or on its associated projects or activities).
  • Update IT investment management policies, processes, and procedures based on lessons learned.

The Evaluate processes are used to analyze investment data to support the decisionmaking required to maximize the value of IT investments and the maturation of the IT portfolio and IT management practices. This entails performing annual OAs, PIRs, and TechStats as needed (the NRC TechStat Policy in the NRC IT Policy Archive has more information on TechStats).

Although all of these activities inform the selection, reselection, and deselection of projects and investments within the IT portfolio, the OA is paramount. The NRC has based its OA on the requirements in Section III, Management In-Use, of the Capital Programming Guide. The OA allows for a periodic, structured assessment of cost, performance, and risk trends over time to help determine when the cost and risk of an investment outweigh the value it provides.

The Capital Planners are responsible for executing all Evaluate processes and facilitating the Select processes. One investment analyst, designated as the CPIC Lead, serves as the SME on relevant Federal mandates, Executive orders, OMB guidance, and agency policy and ensures that Evaluate processes and procedures are documented, implemented, enforced, updated, and continuously enhanced. The CPIC Lead also serves as the SME on Select criteria and ensures that the Select processes and procedures are documented, implemented, enforced, updated, and continuously enhanced.

Post-implementation Reviews

Purpose

The PIR is used to evaluate stakeholder and customer/user satisfaction with the end product, mission/program impact, and technical capability and to provide lessons learned that can help decisionmakers improve investment management and decisionmaking processes.

Description

The PIR is a tool for evaluating IT investment projects. It is conducted once a system, service, or new functionality has been operational for 6 to 12 months. The PIR is designed to achieve the following objectives:

  • Validate estimated project benefits and costs.
  • Evaluate stakeholder and customer/user satisfaction with the end product, mission/program impact, and technical capability.
  • Determine whether additional actions, modifications, or enhancements are needed.
  • Document effective management practices for broader use.

To maximize their value and minimize oversight costs, PIRs are required only for projects within major IT investments. However, the CPIC team and the IT governance boards reserve the right to initiate PIRs on projects within nonmajor investments to assess lessons learned or identify areas of concern.

Section III of the Capital Programming Guide contains more information on PIRs.

Inputs

Each PIR uses business case data that provide an overview of the project to be evaluated. The CPIC staff and EA SMEs interview the IT PMs to complete the PIR, which includes five assessment areas:

(1) internal business
(2) customer/user satisfaction
(3) strategic impact and effectiveness
(4) lessons learned and innovation
(5) process improvement

The PM should provide any lessons learned or best practices that could be applied to other projects. These lessons learned should be communicated throughout the investment portfolio as a form of knowledge sharing. They should also be shared with executive management to highlight and help enforce the use of best practices. Lessons learned should be communicated through the following channels:

  • communications to all IT PMs, IPTs, and PMM 2.0
  • PM community of practice
  • ITB meetings
  • updated policy/process documentation
  • training

The CPIC tool will house the lessons learned from the PIR for future reference by project teams.

Deliverables and Timeline

The Capital Planners use the assessment data to identify any areas of critical concern that require additional action. They recommend which areas should be addressed and, where appropriate, what specific actions should be taken. To gain alignment and agree on the next steps, they discuss all findings and recommendations with the IT PM and IPT.

After defining an action plan, the Capital Planners and IT PM take the following actions:

  • The IT PM communicates the action plan to the investment owner for his or her awareness.
  • Assisted by the Capital Planners, the IT PM presents findings, recommendations, and action plans to the CIO, IPEC, or ITB as needed.
  • The Capital Planners track all PIR action plans.
  • The IT PM and Capital Planners incorporate lessons learned into the appropriate business processes.

Operational Analysis

Purpose

The OA examines the ongoing performance of an operating component under an IT investment and measures it against established cost, schedule, and performance goals. The purpose is to identify ways to better meet the investment's objectives and reduce costs, and to determine whether the agency should continue with the component in question.

Description

During the requirements, design, development, test, and implementation phases of the investment life cycle, great emphasis is often placed on meeting the budget, scope, and schedule to ensure that the desired functionality is delivered on time and fulfills requirements; however, these costs are only a fraction of the asset's total life-cycle costs. Ownership costs, such as costs of operations and maintenance (including service contracts and disposition), can easily be up to 80 percent of the total life-cycle costs. Therefore, to minimize lifetime costs, periodic, structured assessments of cost, performance, and risk trends over time are essential.

The OA is conducted annually to evaluate the cost of continued maintenance support, manage risk, assess technology opportunities, measure an investment's continued effectiveness in supporting mission and stakeholder requirements, identify gaps and any necessary enhancements, and consider potential retirement or replacement. OA results are used to provide recommendations on the asset's continued use, modification, or termination/replacement.

In accordance with the requirements in Section III of the Capital Programming Guide, the OA must report performance in four areas:

(1) Customer satisfaction is measured by the extent to which the investment supports customer processes as designed. The focus is on how well the investment delivers the services it was funded to deliver (i.e., its effectiveness) and considers stakeholder perception of whether the costs are as low as they could be for the customer. Customer satisfaction data are typically collected in surveys, using both quantitative and qualitative metrics.

(2) Strategic and business results measure the investment's impact on the NRC's performance. They indicate how well the investment is meeting business needs, whether it is contributing to the achievement of the NRC's strategic goals, and whether it continues to align with the NRC's strategic direction. Strategic and business results should be unique to an operational domain. For example, performance metrics for paying vendor invoices are relevant to the operational domain of finance, while performance metrics for processing and managing grant applications are relevant to research-oriented operational domains. Strategic and business result metrics must be designed to measure the investment's contribution to mission processes, independent of other aspects of performance, such as the competence of the people performing the work.

(3) Financial performance is measured by comparing the investment's current performance to the preestablished cost baseline. The analysis should include efficiency measures such as tracking actual costs of work performed against budgeted costs.

Although financial performance is typically reported as a quantitative measure, the investment should also undergo regular reviews for cost effectiveness and efficiency.

(4) Innovation is measured qualitatively by the extent to which the project team is tracking emerging technologies and analyzing possible ways to achieve the same or better results at lower cost and risk than the current solution. In reporting on innovation, the OA should also demonstrate that the investment's technical architecture and its connection to strategic planning activities will allow it to meet emerging requirements and support long-term strategic objectives.

Section III of the Capital Programming Guide contains more information on OAs.

Inputs

In addition to the Major IT Business Cases and Major IT Business Case Details, the OA uses all the data collected in the Control processes, as well as the Control process outputs. For example, it uses control review outcomes, CIO TouchPoint results, CIO evaluations, and the monitoring of the progress of any assigned corrective actions. The results of any customer surveys and interviews are also valuable input for the OA.

Deliverables and Timeline

In the first quarter of each FY, the Capital Planners work with customer service, Enterprise Architects, OCIO financial management SMEs, and the appropriate IPT members to conduct the OA. The OA covers all the information collected in the previous FY and the investment's performance during that time, in addition to past operational data. The OA must examine the entire operational history and account for any trends.

After completing the OA, the Capital Planners do the following:

  • In collaboration with customer service, Enterprise Architects, and financial management SMEs, present the OA findings, analysis, and recommendations to the ITB and the CIO.
  • Ensure that any corrective actions and action items are recorded and tracked.

Appendix A: The U.S. Nuclear Regulatory Commission's Information Technology Portfolio Structure

The terms defined below explain how the information technology (IT) portfolio is organized and structured. The Office of Management and Budget (OMB) requires agencies to report investments individually in the Agency IT Portfolio Summary, organized into the following parts according to their purpose:

  • Part 1: IT Investments for Mission Delivery
  • Part 2: IT Investments for Mission Support
  • Part 3: IT Investments for IT Infrastructure, IT Security, and IT Management

Program areas are the mission delivery and management support areas within an agency. The U.S. Nuclear Regulatory Commission (NRC) has four program areas: (1) Nuclear Reactor Safety, (2) Nuclear Materials and Waste Safety, (3) Financial Management, and (4) Corporate Support.

IT investment refers to the expenditure of IT resources to enable core functions and processes that support the agency's mission and operational business requirements. An IT investment may include one or more projects for the development, modernization, enhancement, or maintenance of either a single IT asset or a group of IT assets with related functionalities, or for the subsequent operation of the asset(s) in a production environment. All investments should have a defined life cycle with start and end dates. The end date should represent the end of the currently estimated useful life of the investment, based on either the most recent alternatives analyses of its assets or the most recent operational analysis of the investment, which summarizes the asset's operational performance and the investment's ability to deliver the required functionality. There are five types of IT investment:

(1) Major IT investment refers to an investment in Part 1 or Part 2 of the IT portfolio that requires special management attention because of its importance to the mission or function of the Government; significant program or policy implications; high executive visibility; high development, operating, or maintenance costs; unusual funding mechanism; or definition as major by the agency's Chief Information Officer (CIO) or through the Capital Planning and Investment Control process. A Major IT Business Case must be submitted for each major IT investment in the agency's portfolio, to provide a detailed justification for the associated budget request in the Agency IT Portfolio Summary and to provide supplemental data for monitoring the investment's performance and risk throughout the calendar year of execution. Major IT investments are continuously monitored, with monthly updates provided to the CIO and the OMB.

(2) Funding transfer investment refers to the portion of funding a partner agency contributes to an investment managed by another agency. The NRC is a partner agency on several shared services (e.g., e-Gov initiatives, line-of-business solutions) that other agencies operate and maintain. Each managing partner lists the shared services as a major IT investment in Part 1 or Part 2, as appropriate, of its Agency IT Portfolio Summary. The NRC reports its funding contributions to the managing partner in Part 1 or Part 2 of the NRC's Agency IT Portfolio Summary, as appropriate.

(3) IT migration investment refers to the costs associated with a partner agency's migration to a shared service that are not captured by the managing partner. The investment's life cycle comprises the duration of the migration. Once the migration is complete, the investment is retired, and the partner agency begins reporting its funding contributions to the managing partner as a funding transfer investment.

(4) Nonmajor IT investment refers to any investment in Part 1 or Part 2 of the IT portfolio that does not meet the definition of a major IT investment, funding transfer investment, or IT migration investment.

(5) Standard IT investment refers to a Part 3 investment that has been disaggregated to its discrete components, which are managed separately. Standard investments clearly delineate the types of investments that every agency needs to deliver the basic IT services upon which its mission and business capabilities depend. The standard investments across the Government are application, data center and cloud, delivery, end user, IT management, IT security and compliance, network, platform, and output.

Each investment is assigned a unique investment identifier for the purposes of tracking, budgeting, and reporting, both internally to the CIO and the IT/Information Management Portfolio Executive Council (IPEC) and externally to the OMB.

Components are any IT-related items (tangible or intangible) that have value to an organization, including, but not limited to, IT systems, services, functions, networks/circuits, hardware, software (either installed or physical instances), virtual computing platforms (which are common in cloud and virtualized computing), and related hardware (e.g., cables, racks, servers). The term component may also refer to people and intellectual property. Components are associated with budget items and are the lowest level at which IT is planned, acquired, implemented, and operated. Budgeting at this level provides the IT cost transparency required by the CIO, Chief Financial Officer (CFO), and IPEC for decisionmaking and for compliance with multiple authorities.

Each component is assigned a component identifier to enable internal tracking, budgeting, and reporting and to facilitate the necessary rollup to meet OMB tracking and reporting requirements.

Budget items (formerly called activities) are planned and approved expenses, projects, and full-time-equivalent personnel allocations that constitute the costs and resources associated with a given IT component. Budget items are categorized as either operations and maintenance (O&M) or development, modernization, and enhancement (DME), defined as follows:

  • O&M refers to the expenses required to operate and maintain an IT asset that is operating in a production environment. O&M includes costs associated with operations, maintenance activities, and maintenance projects needed to sustain the asset at the current capability and performance levels. Specifically, it covers the costs of Federal and contracted labor, corrective hardware and software maintenance, voice and data communications maintenance and service, replacement of broken or obsolete IT equipment, overhead, and asset disposal. O&M is also commonly referred to as steady state.

  • DME refers to projects and activities that lead to new IT assets, or that change or modify existing IT assets, to substantively improve capability or performance, meet legislative or regulatory requirements, or implement decisions of the agency's executive leadership. A DME activity may occur at any time during a program's life cycle. Capital costs involved in DME may include costs of hardware and software development and acquisition; commercial off-the-shelf acquisition; Government labor; and contracted labor for planning, development, acquisition, system integration, and direct project management and overhead support.

Starting in fiscal year 2018, the NRC began breaking investment costs into IT towers and IT cost pools at the budget item level so that the CIO would have better visibility during budget execution and data collection to inform strategic planning, decisionmaking, and future budget formulation. These terms are defined as follows:

  • IT towers are a set of categories used to break down the total cost of an investment into standard IT costs (common to all agencies). The categories are Application, Compute, Data Center, Delivery, End User, IT Management, IT Security and Compliance, Network, Output, and Storage. These categories provide a CIO view or technical view of the investment costs, which can be used to explain or justify expenditures by tying them directly to the mission and business capabilities they support. The IT towers are based on the technology business management taxonomy.
  • IT cost pools are a standard set of IT costs associated with each investment; they provide a CFO view or financial view that can be mapped to the general ledger. Like the CIO view, the CFO view directly links IT costs to the mission and business capabilities they support. The CFO view enables analysts to determine the cost per user by program area. The IT cost pools are External Labor, Facilities and Power, Hardware, Internal Labor, Internal Services, Outside Services, Software, Telecom, and Other. The IT cost pools are based on the technology business management taxonomy.

(Note that many budget items are associated with the IT portfolio; therefore, this document does not list them. The agency's capital planning and portfolio management tool provides the budget items associated with each component under every investment.)

Appendix B: Information Technology Budget Certification and Approval

Once investments and projects are selected for inclusion in the information technology (IT) portfolio, IT resources must be entered in the U.S. Nuclear Regulatory Commission's (NRC's) budget. As the secretariat for the IT governance boards, the Capital Planners are responsible for ensuring that the selected investments, components, and projects are incorporated in the IT budget formulation process for funding. In addition, the Federal Information Technology Acquisition Reform Act (FITARA) requires that the Capital Planners facilitate the certification and approval of the IT budget. The IT budget staff within the Office of the Chief Information Officer work closely with a liaison from the Office of the Chief Financial Officer to ensure proper timing and alignment with the overall budget formulation process and to develop IT and information management budget instructions. The initial analysis and prioritization are timed to allow the IT governance boards to perform their reviews, recommendations, and approvals of the IT budget for inclusion in the overall agency budget.

Once the Commission approves the final IT budget, the IT budget staff submits the resulting IT budget request to the Capital Planners for use in finalizing the IT Capital Planning and Investment Control documents. The Capital Planners enter the data into the IT portfolio management and submission tool to update the Agency IT Portfolio Summary and Major IT Business Cases. They also work with the Office of the Chief Financial Officer to ensure that the IT table and IT statements are included in the NRC's overall Performance Budget submission to the Office of Management and Budget (OMB), as required by FITARA and described in the Common Baseline for IT Management established by FITARA; in Section 51.3 of OMB Circular A-11, Preparation, Submission, and Execution of the Budget; and in the OMB's IT Budget - Capital Planning Guidance. The budget justification materials in the agency's initial budget submission to the OMB must include the following affirmation statements:

  • The NRC's Chief Information Officer (CIO) affirms that he or she has reviewed and approved the major IT investments portion of the budget request.
  • The NRC's Chief Financial Officer and CIO affirm that the agency's CIO had a significant role in reviewing planned IT support for major program objectives and significant increases and decreases in IT resources.
  • The NRC's Chief Financial Officer and CIO affirm that the IT portfolio includes appropriate estimates of all IT resources included in the budget request.
  • The CIO's current common baseline rating for Element D, Item D1, CIO Reviews and Approves Major IT Investment Portion of Budget Request, is fully implemented. The NRC has developed and implemented its plan to ensure that the necessary processes and procedures are in place to fulfill these common baseline FITARA responsibilities.
  • The CIO can certify the use of modular approaches or incremental development practices, or both, for contracts and projects associated with the major IT investment portion of the NRC's IT budget request.

Appendix C: Related Definitions

The Office of Management and Budget (OMB) definitions listed below are useful for understanding Capital Planning and Investment Control processes. The current version of Integrated Data Collection Common Definitions, posted on MAX.gov, provides a complete list of related OMB definitions.

Adequate incremental development refers to the planned and actual delivery of new or modified technical functionality to users at least every 6 months during the development of software or services.

Capital programming refers to an integrated process within an agency that focuses on the planning, budgeting, procurement, and management of the agency's portfolio of capital investments to achieve the agency's strategic goals and objectives with the lowest overall cost and risk.

Cost avoidance (as defined in OMB Circular A-131, Value Engineering, dated December 26, 2013) refers to an immediate action that will decrease costs in the future. An example of a cost avoidance action is an engineering improvement that increases the mean time between failures and thereby decreases operation and maintenance costs.

Cost savings (as defined in OMB Circular A-131) refers to a reduction in actual expenditures to achieve a specific objective.

Digital services refers to software or related technology that the Federal Government provides so that the public can access certain Federal Government services, or to software or technology that is custom-built on behalf of the Federal Government to directly support the delivery of a Federal Government service to the public.

Information life cycle refers to the stages through which information passes. The information life cycle typically comprises creation or collection, processing, dissemination, use, storage, and disposition (including destruction and deletion).

Information management is the planning, budgeting, manipulating, controlling, and processing of information throughout the information life cycle.

Information resources refers to information and related resources, such as personnel, equipment, funds, and information technology (IT) (44 U.S.C. 3502).

Information system refers to a discrete set of IT, data, and related resources (such as personnel, hardware, software, and associated IT services) organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information, in accordance with defined procedures, whether automated or manual (see OMB Circular A-130, Managing Information as a Strategic Resource, dated July 27, 2016, and 44 U.S.C. 3502).

Information system life cycle refers to all phases in the useful life of an information system, including planning, acquisition, operation, maintenance, and disposition/decommissioning.

Information technology (IT) is defined as follows:

  • IT includes any services or equipment, or interconnected system(s) or subsystem(s) of equipment, that are used by an agency in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. Such services, equipment, or systems are considered used by an agency if either the agency uses them directly, or a contractor uses them under a contract with the agency that requires either full or significant use of them to perform a service or furnish a product.
  • IT includes computers; ancillary equipment (such as imaging peripherals and input, output, and storage devices necessary for security and surveillance); peripheral equipment designed to be controlled by the central processing unit of a computer; software; firmware; and related resources, procedures, and services (including provisioned services such as cloud computing and support services for any point of the equipment or service life cycle).
  • IT includes high-performance computing capabilities, including those that are not communal in nature.
  • IT does not include any equipment acquired by a contractor incidentally to a contract that does not require its use.

IT assets are any IT-related items (tangible or intangible) that have value to an organization, including, but not limited to, computing devices; IT systems, networks, and circuits; software (either installed or physical instances); virtual computing platforms (which are common in cloud and virtualized computing); related hardware (e.g., locks, cabinets, keyboards); and people and intellectual property, including software. Assets are the lowest level at which IT is planned, acquired, implemented, and operated.

IT investment refers to the expenditure of IT resources to enable mission delivery and management support. An IT investment may include one or more projects for the development, modernization, enhancement, or maintenance of either a single IT asset or a group of IT assets with related functionalities, or for the subsequent operation of the asset(s) in a production environment. All IT investments should have a defined life cycle with start and end dates, with the end date representing the end of the currently estimated useful life of the investment, consistent with the investment's most recent alternatives analysis, if applicable. When an asset is essentially replaced by a new system or technology, the replacement should be reported as a new, distinct investment, with its own defined life-cycle information.

IT resources include (1) all agency budgetary resources, personnel, equipment, facilities, and services that are primarily used in the management, operation, acquisition, disposition, or transformation of IT, or in other activity in the information life cycle, and (2) acquisitions or interagency agreements that include IT, and the services or equipment they provide. IT resources do not include grants to third parties that establish or support IT that the Federal Government does not directly operate.

IT system refers to a discrete set of information resources organized for the collection, processing, maintenance, transmission, and dissemination of information, in accordance with defined procedures, whether automated or manual.

Interagency agreement, for the purposes of this document, refers to a written agreement between two Federal agencies that specifies goods to be furnished or tasks to be accomplished by one agency (the servicing agency) in support of another agency (the requesting agency).

Interagency agreements include assisted acquisitions as described in the OMB's guidance in Improving the Management and Use of Interagency Acquisitions, dated June 6, 2008, and other cases described in Part 17, Special Contracting Methods, of the Federal Acquisition Regulation.

Major IT investment refers to an IT investment in Part 1 or Part 2 of the IT portfolio that requires special management attention because of its importance to the mission or function of the Government; significant program or policy implications; high executive visibility; high development, operating, or maintenance costs; unusual funding mechanism; or definition as major through the agency's Capital Planning and Investment Control process. Major IT investments include all major automated information systems (as defined in 10 U.S.C. 2445) and all major acquisitions (as defined in the OMB's Capital Programming Guide, a supplement to the annual OMB Circular A-11, Preparation, Submission, and Execution of the Budget) that include information resources. The OMB may work with the agency to declare IT investments as major IT investments. Agencies must consult with assigned OMB desk officers and resource management offices to determine which investments are considered major. Investments that are not considered major are called nonmajor.

Appendix D: Index of Figures and Tables

Figures

Figure 1 Flow of data between CPIC processes
Figure 2 Preselect and Select phase process integration summary
Figure 3 Process diagram key
Figure 4 Preselect phase process summary
Figure 5 Needs identification and initial solution planning
Figure 6 Select phase process summary
Figure 7 Business case development
Figure 8 Business and technical review
Figure 9 Executive decision process
Figure 10 IT portfolio prioritization
Figure 11 Portfolio prioritization approach
Figure 12 Funding request: annual budget formulation process
Figure 13 Execution year realignment/reallocation process
Figure 14 Funding request: execution year changes
Figure 15 Reselection and deselection processes

Tables

Table 1 Primary Functional Roles of Multidisciplinary Team
Table 2 Mechanism to Perform Identified Steps for Preselect and Select Phase Processes
Table 3 Request Types and Select Phase Processes
Table 4 Control and Evaluate Process Distinctions