ML22174A360

NRC Capital Planning and Investment Control Policy and Overview, Version 2.7 with Appendix A (Final Pages)

Issue date: 01/31/2022
From: Governance & Enterprise Management Services Division
To: Valencia S

U.S. Nuclear Regulatory Commission CPIC Policy

Capital Planning and Investment Control Policy and Overview

Office of the Chief Information Officer Capital Planning and Investment Control Team

Version 2.7 January 2022


Revision History

Date: 09/28/2015
Version: 1.0
Summary of Changes: Updated information technology (IT) Capital Planning and Investment Control (CPIC) policy to reflect the Federal Information Technology Acquisition Reform Act (FITARA) (December 2014) and associated Office of Management and Budget (OMB) requirements. Under FITARA, this policy is now publicly available. Agencywide Documents Access and Management System (ADAMS) Accession No. ML15247A497.
Author: Vickie Smith, OIS/PMPD/IPMB. Approved by Darren Ash, OEDO/DEDCM.

Date: 12/28/2015
Version: 1.1
Summary of Changes: Updated to reflect organizational changes effective November 1, 2015. ADAMS Accession No. ML15288A545.
Author: Vickie Smith, OCIO/PMPD/IPMB. Approved by Darren Ash, CIO.

Date: 10/21/2016
Version: 2.0
Summary of Changes: Updated significantly to reflect new policy requirements in the revised OMB Circular A-130, Managing Information as a Strategic Resource (July 2016); OMB Memorandum M-16-21, Federal Source Code Policy: Achieving Efficiency, Transparency, and Innovation through Reusable and Open-Source Software (August 2016); and OMB Category Management Policy for Common IT. ADAMS Accession No. ML16272A383.
Author: Vickie Smith, OCIO/PMPD/IPMB. Approved by David Nelson, CIO.

Date: 12/31/2017
Version: 2.1
Summary of Changes: Revised to clarify the Chief Information Officer's (CIO's) role in IT contracting and incremental development, make minor changes to definitions, update the major IT investment criteria, and make other minor updates. ADAMS Accession No. ML17346A193.
Author: Leah Kube, OCIO/GEMS/PIMB. Approved by David Nelson, CIO.

Date: 12/31/2018
Version: 2.2
Summary of Changes: Added and updated definitions; made other minor updates.
Author: Leah Kube, OCIO/GEMS/IPSMB. Approved by David Nelson, CIO.

Date: 12/31/2019
Version: 2.3
Summary of Changes: Added and updated definitions; made other minor editorial updates.
Author: Leah Kube, OCIO/GEMS/IPSMB. Approved by David Nelson, CIO.

Date: 4/28/2020
Version: 2.4
Summary of Changes: Updated IT CPIC policy to add CIO responsibilities according to Government Accountability Office report GAO-18-93, Critical Actions Needed to Address Shortcomings and Challenges in Implementing Responsibilities (August 2018). These were minor updates, and some of the responsibilities already existed in Version 2.3.
Author: Cathy Smith, OCIO/GEMS/IPSMB. Approved by David Nelson, CIO.

Date: 12/8/2020
Version: 2.5
Summary of Changes: Updated some formatting and definitions based on fiscal year 2021 guidance.
Author: Lance Breeden, Sandra Valencia, OCIO/GEMS/APIB. Approved by David Nelson, CIO.

Date: 1/31/2022
Version: 2.6
Summary of Changes: Updated some formatting and definitions based on fiscal year 2021 guidance.
Author: Jack Roscoe, Sandra Valencia, OCIO/GEMS/APIB. Approved by David Nelson, CIO.

Date: 6/21/2022
Version: 2.7
Summary of Changes: Add Appendix A.
Author: Lance Breeden, Sandra Valencia, OCIO/GEMS/APIB. Approved by David Nelson, CIO.

Note: The U.S. Nuclear Regulatory Commission maintains detailed processes and operating procedures in separate documents to support continuous refinement of the agency's maturing investment management. This document sets forth the CPIC policy and gives an overview of CPIC processes.


Contents

Background and Authorities ........ 1
Purpose ........ 2
Definitions ........ 3
Capital Planning and Investment Control Policy ........ 16
Planning, Programming, Budgeting, and Selecting ........ 16
Acquiring Information Technology and Services ........ 19
Information Technology Investment Design and Management ........ 21
Responsibilities ........ 23
Responsibilities of the Chairman ........ 23
Responsibilities of the Commission ........ 23
Responsibilities of the Executive Director for Operations ........ 23
Responsibilities of the Chief Information Officer ........ 23
Responsibilities of the Capital Planning and Investment Control Team ........ 25
Other Responsibilities ........ 26
Capital Planning and Investment Control Overview ........ 27
Select ........ 27
Control ........ 29
Evaluate ........ 29
Appendix A ........ 31


Background and Authorities

Capital planning and investment control (CPIC) for information technology (IT) investments refers to a decision-making process that ensures IT investments integrate strategic planning, budgeting, procurement, and management of IT in support of agency missions and business needs.1 The Clinger-Cohen Act of 1996 (CCA) (Public Law 104-106, formerly known as the IT Management Reform Act of 1996) requires Federal agencies to use disciplined CPIC processes to acquire, use, maintain, and dispose of IT assets. Although other laws (e.g., the Paperwork Reduction Acts of 1980 and 1995, Government Performance and Results Act of 1993 (GPRA), GPRA Modernization Act of 2010 (GPRAMA), and Federal Acquisition Streamlining Act of 1994) also require agencies to develop and implement a disciplined process to maximize the value of IT investments while balancing risks, the CCA went a step further by mandating a specific, more rigorous methodology for managing IT investments that integrates IT capital planning with other agency processes.

Specifically, the CCA mandates that agencies implement CPIC processes to do the following:

  • Provide for the selection, control, and evaluation of agency IT investments.
  • Integrate with the processes for budget, financial, and programmatic decision-making.
  • Include minimum criteria for whether to undertake an IT investment.
  • Identify IT investments that would result in sharing of benefits or costs with other Federal agencies or State or local governments.
  • Provide means for quantifying the net benefits and risks of IT investments.
  • Allow for senior management to obtain timely information on an investment's progress.

The Federal Information Technology Acquisition Reform Act (FITARA), enacted on December 19, 2014, established additional requirements. The Office of Management and Budget (OMB) issued guidance on implementing FITARA in Memorandum M-15-14, Management and Oversight of Federal Information Technology, dated June 10, 2015. FITARA strengthens the CCA by empowering Federal Chief Information Officers (CIOs) with increased oversight for (1) budget planning, (2) governance structures, (3) portfolio risk management, (4) hiring practices within IT offices, (5) data center consolidation planning and execution, and (6) reporting of progress and metrics to the OMB. Building on the CPIC requirements of the CCA, FITARA establishes the Common Baseline for IT Management, which defines the roles and responsibilities of the CIO and other senior agency officials while ensuring that the CIO retains accountability.

To assist agencies in meeting CCA and FITARA requirements, the OMB issues the document IT Budget-Capital Planning Guidance annually as part of OMB Circular A-11, Preparation, Submission, and Execution of the Budget, and maintains its supplement, the Capital Programming Guide, to help agencies implement CPIC processes and meet requirements for reporting to Congress. OMB Circular A-130, Managing Information as a Strategic Resource, dated July 27, 2016, provides additional guidance for implementing CPIC and FITARA requirements. The OMB updates these circulars based on current, relevant statutes and executive orders.

1 The Office of Management and Budget (OMB) provides this definition in the Integrated Data Collection Common Definitions. See 40 U.S.C. 11302 for statutory requirements.

NRC FITARA COMMON BASELINE IMPLEMENTATION PLAN 1

As part of FITARA, the OMB has also issued the category management policy in a series of memoranda, including the following:

  • OMB Memorandum M-16-02, Category Management Policy 15-1: Improving the Acquisition and Management of Common Information Technology: Laptops and Desktops, dated October 16, 2015
  • OMB Memorandum M-16-12, Category Management Policy 16-1: Improving the Acquisition and Management of Common Information Technology: Software Licensing, dated June 2, 2016
  • OMB Memorandum M-16-20, Category Management Policy 16-3: Improving the Acquisition and Management of Common Information Technology: Mobile Devices and Services, dated August 4, 2016

On August 8, 2016, the OMB also issued Memorandum M-16-21, Federal Source Code Policy: Achieving Efficiency, Transparency, and Innovation through Reusable and Open Source Software.

The CCA, FITARA, and associated OMB policy, circulars, and guidance serve as the basis for CPIC policy, processes, and procedures at the U.S. Nuclear Regulatory Commission (NRC).

Purpose

This document sets forth the NRC's CPIC policy. It establishes the business rules and guidelines for consistency and compliance in executing the NRC CPIC processes and procedures, including the procurement of IT assets. This document contains updates that reflect FITARA, OMB Circular A-130, the OMB's category management policy, and OMB Memorandum M-16-21 requirements; therefore, it supersedes all previous versions of the NRC's CPIC policy.

This document also gives a brief overview of the NRC CPIC processes. It is worth noting that CPIC processes and procedures are continuously evaluated and refined; therefore, the NRC maintains separate documents on the detailed processes and procedures. This allows for timely updates and implementation and is consistent with best practices. It also supports the NRC's goal of continuously maturing its IT investment management practices to achieve an IT portfolio that leverages IT for strategic outcomes in support of the NRC's mission.


Definitions

The definitions in this section lay the foundation for, and build better understanding of, the CPIC policy and processes.

Adequate incremental development refers to the planned and actual delivery of new or modified technical functionality to users at least every 6 months during the development of software or services, which must be identified in OMB reports.

Agile software development is a software development approach under which requirements and solutions evolve through the collaborative effort of self-organizing and cross-functional teams and their customers or end users. It advocates adaptive planning, evolutionary development, early delivery, and continual improvement, and it encourages rapid and flexible response to change. The use of agile software development is expected, although it is no longer broken out in OMB guidance.

Alternatives analysis is a method for assessing the various options for meeting the performance objectives of an investment; it includes assessment of the return on investment of each option. The analysis is performed before the initial decision to implement a solution, and is updated periodically, as appropriate, to capture changes in the context for an investment decision. These terms refer to best practices outlined in the Capital Programming Guide in Section I.4, Alternatives to Capital Assets, and Section I.5.1, Evaluate Asset Options.

Note: Alternatives analysis shall be performed for investments with projects in the planning stage or the development, modernization, and enhancement (DME) stage, whereas strictly operational investments require operational analyses (OAs) until a decision is made to reevaluate them or to resume DME.

Baseline refers to the approved work breakdown structure, costs, schedule, and performance goals for a given investment. OMB Memorandum M-10-27, Information Technology Investment Baseline Management Policy, dated June 28, 2010, provides additional information on baselines and baseline management.

Benefit-cost analysis (BCA) refers to the recommended technique to use in a formal economic analysis of Government programs or projects. OMB Circular A-94, Guidelines and Discount Rates for Benefit-Cost Analysis of Federal Programs, contains guidance for performing a BCA.

Capital programming refers to an integrated process within an agency that focuses on the planning, budgeting, procurement, and management of the agency's portfolio of IT capital investments to achieve the agency's strategic goals and objectives with the lowest overall cost and least risk.

CIO evaluation refers to the CIO's best judgment of the current level of risk for an investment relative to its ability to accomplish its goals (40 U.S.C. 11315(c)(2)). The evaluation should be informed by (1) risk management, (2) requirements management, (3) contractor oversight, (4) historical performance, (5) human capital, and (6) other factors that the CIO deems important to forecasting future success. Each evaluation includes a narrative to explain the rating; this is particularly important when the rating has changed since the last evaluation.

CIO TouchPoints are direct one-on-one discussions between the NRC's CIO and the members of the integrated project team (IPT) for a major IT investment (including IT project managers, subject-matter experts (SMEs), business process owners, information system security officers, system owners, and others as appropriate), especially IT project managers executing projects under the investment.

Cloud computing refers to a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Cloud computing promotes availability. It comprises five essential characteristics (on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service), three service models (cloud software as a service (SaaS), cloud platform as a service (PaaS), and cloud infrastructure as a service (IaaS)), and four deployment models (private cloud, community cloud, public cloud, and hybrid cloud). Key enabling technologies include fast wide-area networks; powerful, inexpensive server computers; and high-performance virtualization for commodity hardware.

Cloud First policy refers to the OMB's Cloud First policy, also known as the Federal Cloud Computing Strategy, which was launched in December 2010. This policy is intended to accelerate the Government's realization of the value of cloud computing by requiring agencies to evaluate safe, secure cloud computing options before making any new investments.

Note: The Federal Cloud Computing Strategy requires agencies to do the following:

  • Evaluate their technology sourcing plans to include consideration and application of cloud computing solutions as part of the budget process.
  • Seek to optimize the use of cloud technologies in their IT portfolios to take full advantage of the benefits of cloud computing to maximize capacity utilization, improve IT flexibility and responsiveness, and minimize costs.
  • Default to cloud-based solutions when evaluating options for new IT deployments, if a secure, reliable, cost-effective cloud option exists.
  • Continually evaluate cloud computing solutions across their IT portfolios, regardless of investment type or life cycle stage.

Fulfilling this promise, the Administration has developed a new strategy to accelerate agency adoption of cloud-based solutions: Cloud Smart. The new strategy is founded on three key pillars of successful cloud adoption: security, procurement, and workforce. Collectively, these elements embody the interdisciplinary approach to IT modernization that the Federal enterprise needs in order to provide improved return on its investments, enhanced security, and higher quality services to the American people.

Commodity IT refers to a category of back-office IT services used by most, if not all, agencies (e.g., infrastructure and asset management, e-mail, hardware and software acquisition, and help desks). Commodity IT is related to the OMB's PortfolioStat initiative; it plays a key role in a CIO-led business approach to the delivery of IT infrastructure, enterprise IT, and administrative and business systems that encourages agencies to pool purchasing power across their entire organization, by both providing and using shared services instead of implementing independent services with similar functions. This approach aims to eliminate duplication, rationalize each agency's IT investments, and drive down costs.

There are three categories of Commodity IT:

  • enterprise IT: e-mail; collaboration tools; identity and access management; IT security (apart from identity and access management); and Web hosting, infrastructure, and content
  • IT infrastructure: desktop systems, mobile devices, mainframes and servers, and telecommunications
  • business systems: financial management, human resources management, grant-related Federal financial assistance, and grant-related transfer to State and local governments

Cost is defined in Statement of Federal Financial Accounting Concepts No. 1, Objectives of Federal Financial Reporting, dated September 2, 1993, as the monetary value of resources used. It is defined more specifically in Statement of Federal Financial Accounting Standards (SFFAS) No. 4, Managerial Cost Accounting Concepts and Standards, dated July 31, 1995, as the monetary value of resources used or sacrificed or liabilities incurred to achieve an objective, such as to acquire or produce a good or to perform an activity or service. Depending on the transaction, cost may be charged to operations immediately (i.e., recognized as an expense of the period), or it may be charged to an asset account for recognition as an expense of subsequent periods. In most contexts within SFFAS No. 7, Accounting for Revenue and Other Financing Sources and Concepts for Reconciling Budgetary and Financial Accounting, dated May 10, 1996, cost is used synonymously with expense.

Cost avoidance (as defined in OMB Circular A-131, Value Engineering, dated December 26, 2013) refers to an immediate action that will decrease costs in the future. An example of a cost avoidance action is an engineering improvement that increases the mean time between failures and thereby decreases operation and maintenance costs.

Cost savings (as defined in OMB Circular A-131) refers to the reduction in actual expenditures to achieve a specific objective.


Development, modernization, and enhancement (DME) refers to projects and activities that lead to new IT assets or systems, or that change or modify existing IT assets or systems, to substantively improve capability or performance, meet legislative or regulatory requirements, or fulfill agency leadership requests. A DME activity may occur at any time during a program's life cycle. Capital costs involved in DME may include costs of hardware and software development and acquisition; commercial off-the-shelf acquisition; Government labor; and contracted labor for planning, development, acquisition, system integration, and direct project management and overhead support.

Disposition cost refers to the cost of retiring a capital asset (generally a system or investment) once its useful life is over or a replacement asset has superseded it; disposition costs may be included in operational activities near the end of the asset's useful life.

Earned value management (EVM) refers to an integrated management system that coordinates the work scope, schedule, and cost goals of a program or contract and objectively measures progress toward these goals. EVM is a tool used by program managers to (1) quantify and measure program or contract performance, (2) provide an early warning system for deviation from a baseline, (3) mitigate risks associated with cost and schedule overruns, and (4) provide a means to forecast final cost and schedule outcomes. A description of the qualities and operating characteristics of an earned value management system (EVMS) appears in American National Standards Institute/Electronic Industries Alliance Standard 748-1998, Earned Value Management Systems, dated May 19, 1998. Additional information on EVM is available at https://www.acq.osd.mil/asda/ae/ada/ipm/index.html.

Note: For lower cost programs and projects for which the high cost of using EVM may be prohibitive, an alternative approach must be described under risks in the program or project plan, or in a separate risk management plan, as appropriate.

Enterprise architecture (EA) refers to an organization's documentation of the current and desired relationships among business and management processes and IT. An EA includes the rules, standards, and systems life cycle information to optimize and maintain the environment that the agency wishes to create and maintain through its IT portfolio. An EA must contain a strategy for the agency to maintain its current state, as well as a roadmap for transition to its target environment. An EA defines principles and goals and sets a direction for such issues as the promotion of interoperability, open systems, public access, end user satisfaction, and IT security.

Note: Although this document does not establish EA standards, the selection and evaluation criteria found within should align with, and be reflected in, the NRCs target EA and Enterprise Roadmap.

Enterprise Roadmap refers to a document that describes the business and technology plan for the entire organization using EA methods. The Enterprise Roadmap provides current views, future views, and transition plans at an appropriate level of detail for all IT investments, services, systems, and programs. It also contains an IT asset inventory using the Federal Enterprise Architecture reference models, as well as other attachments or appendices giving more information on Roadmap plans for CPIC, EA, shared services, and other planning products requested by the OMB.


Federal IT Dashboard (ITDB) refers to a Web site (https://viz.ogp-mgmt.fcs.gsa.gov/) where Federal agencies, industry, the general public, and other stakeholders can view details of the performance of Federal IT investments. The administration and Congress use the ITDB to inform budget and policy decisions. The ITDB is also known as IT Collect.

Financial management systems are systems necessary to support financial management. They include automated and manual processes, procedures, controls, data, hardware, software, and support personnel dedicated to the operation and maintenance of system functions. Examples of financial management systems include (1) core financial systems, (2) procurement systems, (3) loan systems, (4) grants systems, (5) payroll systems, (6) budget formulation systems, (7) billing systems, and (8) travel systems. OMB Circular A-127, Financial Management Systems, dated January 9, 2009, contains additional information and guidance.

Functional/business sponsor refers to the agency official responsible for a program or function supported or implemented by an investment (44 U.S.C. 3501(a)(4)). The sponsor is responsible for expressing the value of the investment, ensuring its successful implementation, and providing accurate and timely data to the agency CIO and the OMB. The sponsor may (or may not) be the same person as the business process owner or SME serving on the IPT. Each major and nonmajor IT investment must include the name and title of the functional or business sponsor.

Information and communication technology (ICT) refers to IT and other equipment, systems, technologies, or processes whose principal function is the creation, manipulation, storage, display, receipt, or transmission of electronic data and information, as well as to any associated content.

Examples of ICT include software applications, Web sites, videos, electronic documents, computers and peripheral equipment, information kiosks and transaction machines, telecommunications equipment, customer premises equipment, multifunction office machines, and digital signs.

Information Resource Management (IRM) Strategic Plan refers to a document that comprehensively addresses an agency's IRM. Agencies must develop and maintain their IRM Strategic Plans as required by 44 U.S.C. 3506(b)(2) and OMB Circular A-130. IRM Strategic Plans should support the Agency Strategic Plan required by OMB Circular A-11; describe how IRM activities support the agency's mission delivery area and program decisions; and ensure that IRM decisions are integrated with management support areas, including organizational planning, budget, procurement, financial management, and human resources management.

Information security refers to all functions pertaining to the protection of Federal information and information systems from unauthorized access, use, disclosure, disruption, modification, and destruction. It includes the development, implementation, and maintenance of security policies, procedures, and controls throughout the entire information life cycle. Information security activities should include those described in National Institute of Standards and Technology (NIST) Special Publication 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations, among which are (1) security awareness training (but not the technical infrastructure required for the delivery of training), (2) compliance reporting under the Federal Information Security Management Act, (3) development of a security policy, and (4) security audits and testing.


Note:

  • IT security should include systems that oversee agency IT needs.
  • IT security does not include IT costs related to identity or access management systems or solutions.
  • IT security does not include physical protection of an organization (e.g., guards, cameras, and facility protection).

Information system refers to a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, transmission, or dissemination of information, in accordance with defined procedures, whether automated or manual.

Information technology (IT) is defined as follows:

  • IT includes any services or equipment, or interconnected system(s) or subsystem(s) of equipment, that are used by an agency in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information.
  • Such services, equipment, or systems are considered used by an agency if either the agency uses them directly, or a contractor uses them under a contract with the agency that requires either full or significant use of them to perform a service or furnish a product.
  • IT includes computers; ancillary equipment (such as imaging peripherals and input, output, and storage devices necessary for security and surveillance); peripheral equipment designed to be controlled by the central processing unit of a computer; software; firmware; and related resources, procedures, and services (including provisioned services such as cloud computing and support services for any point of the equipment or service life cycle).
  • IT includes high-performance computing capabilities, including those that are not communal in nature.
  • IT does not include any equipment acquired by a contractor incidentally to a contract that does not require its use.

IT assets are any IT-related items (tangible or intangible) that have value to an organization, including, but not limited to, computing devices; IT systems, networks, and circuits; software (either installed or physical instances); virtual computing platforms (which are common in cloud and virtualized computing); related hardware (e.g., locks, cabinets, keyboards); and people and intellectual property (including software).

Note: Assets are the lowest level at which IT is planned, acquired, implemented, and operated. All IT hardware and software shall be associated with the comprising system or investment and tracked and monitored throughout its life cycle, in accordance with the NRC's IT asset management processes.

IT investment refers to the expenditure of IT resources to enable mission delivery and management support. An IT investment may include one or more projects for the DME or maintenance of either a single IT asset or a group of IT assets with related functionalities, or for the subsequent operation of the asset(s) in a production environment.

Note: All IT investments shall have a defined life cycle with start and end dates, with the end date representing the end of the currently estimated useful life of the investment, consistent with the investment's most recent alternatives analysis, if applicable. When an asset is essentially replaced by a new system or technology, the replacement shall be reported as a new, distinct investment, with its own defined life cycle information.

There are five types of IT investment:

(1) Funding transfer investment refers to the portion of funding a partner agency contributes to an investment managed by another agency. The description of the investment should indicate the unique investment identifier (UII) of the managing partner's investment.

Note: As a partner agency on multiple funding transfer investments (e.g., E-Gov, line-of-business (LoB), and shared services), the NRC shall budget for and report the funding provided to each managing agency on the Agency IT Portfolio Summary that it submits to the OMB. During the Select process, funding transfer investments shall be considered in the alternatives analysis. If a funding transfer investment is not selected, the agency must provide a business justification for the solution selected instead, which must be approved by the CIO and submitted to the OMB for approval.

(2) IT migration investment refers to the costs associated with a partner agency's migration to a shared service that are not captured by the managing partner. The description of the investment should indicate the UII of the managing partner's investment.

Note: The NRC shall plan, budget for, and report the IT cost of migrating to new investments or to funding transfer investments. When migrating to a funding transfer investment, the NRC shall report the cost as an IT migration investment in the Agency IT Portfolio Summary.

When migrating to a new investment that is not a funding transfer investment, the NRC shall report the cost as planning DME in the new investment's life cycle cost table.

(3) Major IT investment refers to an IT investment requiring special management attention because of its importance to the mission or function of the Government; significant program or policy implications; high executive visibility; high development, operating, or maintenance costs; unusual funding mechanism; or definition as major through the agency's CPIC process. Major IT investments include all major automated information systems (as defined in 10 U.S.C. 2445) and all major acquisitions (as defined in the Capital Programming Guide) that include information resources. The OMB may work with the agency to declare IT investments as major IT investments. Agencies must consult with assigned OMB desk officers and resource management offices to determine which investments are considered major.

(4) Nonmajor investment refers to any investment in the agency's IT portfolio that does not meet the definition of a major IT investment, funding transfer investment, or IT migration investment.

(5) Standard investment refers to an IT infrastructure investment that has been disaggregated into its discrete components, which are managed separately.

IT program managers and IT project managers are the personnel who lead the IPT for a given investment. In some cases, IT program or project managers can hold positions in other classification series; however, they must still meet the applicable Federal certification or IT program management experience requirements. Further definitions are available in the Office of Personnel Management's Job Family Standard for Administrative Work in the Information Technology Group (Series 2200 in the Federal Classification and Job Grading Systems).

IT resources include all of the following:

  • agency budgetary resources, personnel, equipment, facilities, and services that are primarily used in the management, operation, acquisition, disposition, or transformation of IT, or in other activity related to the IT life cycle
  • acquisitions or interagency agreements that include IT, and the services or equipment they provide

IT resources do not include grants to third parties that establish or support IT not operated directly by the Federal Government.

IT service refers to a means of delivering IT, together with any personnel or processes of value, to facilitate outcomes that customers want to achieve without the costs and risks of ownership.

Integrated project team (IPT) refers to a multidisciplinary team associated with an IT investment.

Each IPT is led by an IT program or project manager responsible and accountable for planning, budgeting, and procurement, as well as life cycle management to achieve the investment's cost, schedule, and performance goals. Team skills include budgetary, financial, capital planning, procurement, user, program, architecture, EVM, security, and other skills, as appropriate.

Note: For the OMB to approve the budget for a major IT investment, its IPT must include at least the following:

  • a qualified, fully dedicated IT program/project manager
  • a contracting specialist, if applicable
  • an IT specialist
  • an IT security specialist
  • a business process owner or SME

The IPT might also include the following:

  • an enterprise architect
  • an IT specialist with specific expertise in data, systems, or networks
  • a capital planner
  • a budget contact
  • a contracting officer's representative
  • an information system security officer
  • a performance specialist

Key members of the IPT should be co-located during the most critical junctures of the program, to the maximum extent possible. Agencies should establish individual performance goals for IPT members, to hold them accountable for both individual functional goals and the overall success of the program. The IPT should be defined in a program or an IPT charter.

Interagency acquisition refers to the use of the Federal Supply Schedules, a multiagency contract (i.e., a task order or delivery order contract established by one agency for use by multiple Government agencies to obtain supplies and services, consistent with the Economy Act, 31 U.S.C. 1535), or a Governmentwide acquisition contract (i.e., a task order or delivery order contract for IT established by one agency for Governmentwide use, operated by an executive agent, as designated by the OMB pursuant to CCA Section 11302(3)).

Life cycle costs are all costs, including Government full-time equivalents (FTEs), from the beginning of an investment until the end of its estimated useful life (or the composite estimated useful lifetimes of the assets within it), independent of the funding source (e.g., revolving fund, appropriated fund, working capital fund, trust fund). The Capital Programming Guide and OMB Circular A-131 contain more information about life cycle costs.

Maintenance refers to the activity necessary to keep an asset functioning as designed during the operations and maintenance phase of an investment. Maintenance activities include, but are not limited to, operating system upgrades, technology refreshes, and security patch implementations. As defined in SFFAS No. 10, Accounting for Internal Use Software, dated October 9, 1998, maintenance excludes activities aimed at expanding an asset's capacity or otherwise upgrading it to serve needs different from or significantly greater than those originally intended. Such activities are considered DME.

Note: Maintenance activities of notable cost or duration with predetermined start and end dates should be managed as projects and reported in the project and activity tables in Section B of the Major IT Investment Update.

Managing partner refers to the lead agency that is responsible for coordinating the implementation of a funding transfer investment. The managing partner maintains an IT shared service, with approval from agency leadership for intra-agency services and from the OMB for interagency services. The managing partner organization, often referred to as the Program Management Office, develops, implements, and maintains financial and service models, as well as contracts with customers and suppliers, using strategic sourcing vehicles whenever practicable. The Program Management Office is responsible for the success of the IT shared service; it reports on its intra-agency shared service using the agency's own metrics, and on interagency LoBs using metrics developed by the Federal CIO Council's Shared Services Subcommittee. Managing partners are also responsible for maintaining contracts with customer agencies that allow the customer agency to terminate the contract if specified levels of service are not maintained.

Modular development refers to the approach of delivering investments, projects, or activities of a specified capability by progressively expanding on delivered capabilities until the full capability is realized. Investments may be decomposed into discrete projects, increments, or useful segments, each of which is undertaken to develop and implement products and capabilities that form part of the overall investment. The OMB's Contracting Guidance to Support Modular Development, dated June 14, 2012, provides more information.

Operational analysis (OA) refers to a method of examining the ongoing performance of an operating asset and measuring it against established cost, schedule, and performance goals. An OA is by nature less structured than the performance reporting methods applied to developmental projects. It should trigger considerations of how to better meet the investment's objectives, how to reduce costs, and whether the organization should continue performing a particular function. The Capital Programming Guide contains guidance on OAs. Best practices also appear in the Government Accountability Office (GAO) report GAO-13-87, Information Technology: Agencies Need to Strengthen Oversight of Billions of Dollars in Operations and Maintenance Investments, issued October 2012.

Operations refers to the day-to-day management of an asset while it is in a production environment, producing the same product or providing a repetitive service. Operations include, but are not limited to, activities in data centers, help desks, operational centers, telecommunication centers, and end-user support services.

Operations and maintenance refer to the expenses required to operate and maintain an IT asset that is operating in a production environment. It includes costs associated with operations, maintenance activities, and maintenance projects needed to sustain the asset at the current capability and performance levels. Specifically, it covers the costs of Federal and contracted labor, corrective hardware and software maintenance, voice and data communications maintenance and service, replacement of broken or obsolete IT equipment, overhead, business operations and commercial services, and asset disposal. It is also commonly referred to as steady state.

Partner (customer) agency refers to the agency in an inter- or intra-agency collaboration, such as an E-Gov, LoB initiative, or Federal shared service, that contracts with and pays a managing partner for an IT shared service. While the managing partner handles major contract issues and resolves escalation items with suppliers, the partner agency may need to interact with suppliers to handle day-to-day service issues. The partner agency usually provides resources (e.g., funding, FTEs) for the management, development, deployment, or maintenance of a common solution. The partner agency is also responsible for including the appropriate line items in its own IT Portfolio Summary budget submission to reflect the amount of its contribution to each of the initiatives for which it provides resources.

Planning refers to preparing, developing, or acquiring the information needed to design an asset; assessing the benefits, risks, and risk-adjusted costs of alternative solutions; and establishing realistic cost, schedule, and performance goals for the selected alternative, before either proceeding to full acquisition or terminating the project.

Note: Before the acquisition phase can begin, planning must progress to the point where the agency is ready to commit to specific goals for the completion of the acquisition. Information-gathering activities and tools to support planning may include the following:

  • market research on available solutions (see Federal Acquisition Regulation (FAR) Part 10, Market Research)
  • architectural drawings
  • engineering and design studies
  • prototypes

Planning may be general, for the overall investment, or it may be specific to a useful component. For investments developed or managed using an iterative or agile methodology, planning will occur throughout the entire acquisition, focusing on each iteration or sprint.

Post-implementation review (PIR) refers to an evaluation of how successfully the objectives of an investment or project were met and how effectively the project management practices kept it on track. A PIR can be conducted after the completion of a project or at the conclusion of the implementation phase of an investment. The Capital Programming Guide contains additional details on the PIR process.

Privacy impact assessment (PIA) refers to the process for examining the risks and ramifications of using IT to collect, maintain, and disseminate information in identifiable form from or about members of the public. PIAs are also used to identify and evaluate protections and alternative processes to mitigate the privacy impact of collecting such information. Consistent with OMB Memorandum M-03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, dated September 26, 2003, agencies must conduct and make publicly available PIAs for all new or significantly altered IT investments that administer information in identifiable form collected from or about members of the public.

Programming refers to an integrated process within an agency that focuses on the planning, budgeting, procurement, and management of a program to achieve the agency's strategic goals and objectives with the lowest overall cost and least risk.

Note: Any program that leverages IT to support its mission shall include the CIO in its programming to advise on and approve the IT aspects of the program.

Project refers to a temporary endeavor undertaken to provide a unique product or service. A project has a defined start and end point and specific objectives that, when attained, signify completion.

Projects can be undertaken for the DME, disposal, or maintenance of an IT asset. Projects are composed of activities.

Note: When reporting project status, to the maximum extent practicable, agencies should detail the characteristics of increments under modular contracting, as described in the CCA, and the characteristics of useful segments, as described in OMB Circular A-130.

Risk management refers to a systematic process of identifying, analyzing, and responding to risk. It includes maximizing the probability and consequences of positive events and minimizing the probability and consequences of adverse events. Risk management should be conducted throughout the entire life cycle of a program.

Risk management plan refers to a documented and approved plan, developed at the onset of an investment and maintained throughout, that specifies the investment's risk management process.

Shadow (hidden) IT refers to IT spending that is not fully transparent to the agency CIO, and to IT resources included in a program whose primary purpose is not IT related. An example would be a grants program in which a portion of the spending goes to equipment, systems, or services that provide IT capabilities for administering or delivering the grants.

Shared service refers to a service that one Federal organization provides to other Federal organizations that are outside the provider's organizational boundaries. Shared services may be intra-agency or interagency. There are three categories of shared services in the Federal Government:

(1) Common solutions: technology or contracts that can be used by more than one Federal agency. May be Government-to-Government or citizen-to-Government.

(2) Shared services: services consolidating routine or standard operations to a limited number of organizations. May use common solutions (technology or contracts) and share human resource expertise either within an agency or across agencies.

(3) Centralized services: services providing a single Governmentwide location for highly standardized activities, allowing organizations and users to benefit from consistent and uniform processes.

Note: Shared commodity IT and support services are considered to be IT; associated costs must be included and reported as part of the IT Portfolio Summary.

Shared service provider refers to the provider of a technical solution or service that supports the business of multiple agencies using a shared architecture. For multiagency services, this is the managing partner of the investment.

TechStat sessions are a tool for anticipating critical problems in an investment, turning around underperforming investments, or terminating investments if appropriate. Agencies report the outcomes of all TechStat sessions through the quarterly Integrated Data Collection (IDC) process.

Unique investment identifier (UII) refers to a persistent numeric code applied to an investment in an agency's IT portfolio that allows it to be identified and tracked across multiple fiscal years. The UII consists of a three-digit agency code linked with a unique nine-digit investment number generated by the agency. Some nine-digit numbers are reserved for the OMB to assign to funding transfer investments and may not be assigned by agencies.

Capital Planning and Investment Control Policy

All NRC IT resources shall be managed in accordance with Federal mandates, OMB requirements, and agency procedures. This policy establishes the business rules and guidelines for the management and oversight of IT resources, including FTEs, under all IT investments, except where it is stated that the rules apply only to major IT investments.

Planning, Programming, Budgeting, and Selecting

(1) All IT resources shall be planned, budgeted, executed, and reported under an approved IT investment in the NRC IT Portfolio Summary submitted to the OMB during the annual budget submissions.

(2) For each IT investment, descriptive and financial data (including data on the investment's performance and the expenditure of IT resources) must be developed and maintained to justify the budget request to the OMB and Congress.

(3) An IT investment shall be classified as a major IT investment if it meets one or more of the following OMB criteria:

  • importance to the mission or function of the Government
  • significant program or policy implications
  • high executive visibility
  • high development, operations, or maintenance costs, which the NRC defines as budget planning year costs of $10 million or more²
  • unusual funding mechanism
  • financial systems with annual cost and spending of $500,000 or more, as dictated by mandates and guidance on financial systems, such as OMB Circular A-127
  • definition as major by the NRC's CPIC process

All other NRC IT investments are considered nonmajor or standard investments, apart from funding transfer investments and IT migration investments. The NRC is a partner agency on a number of investments managed by other agencies. These investments are considered major IT investments of the managing agencies, and the NRC shall report contributions to the managing partners in the NRC IT Portfolio Summary.

(4) During the planning, programming, and budgeting processes, all IT resources shall be identified and separated from non-IT resources to allow visibility to the CIO and the IT/Information Management (IM) Portfolio Executive Council (IPEC). Budgeting for IT resources in all programs (not just programs that are primarily IT-oriented) shall follow the IT budget guidance issued by the Office of the Chief Information Officer (OCIO) and shall take place in tandem with the overall agency budget formulation process issued by the Office of the Chief Financial Officer (CFO). The budgeting process includes defining the level of detail at which IT resources are budgeted and, in consultation with the Chief Acquisition Officer (CAO), defining processes to track planned versus actual expenditures for all transactions that include IT resources. The Chairman is regularly briefed on the status of IT investments and activities.

² The OMB establishes the criteria for a major IT investment but allows agencies to establish the dollar threshold.

(5) As a co-chair of the IPEC, the CIO shall advise on and approve the IT aspects of all programs. In the case of major IT investments, more extensive involvement shall occur through monthly updates, CIO evaluations, and CIO TouchPoints.

(6) The IT budget formulation process and the annual agency IT Portfolio Summary submission process shall ensure that the budget justification materials in the NRC's initial budget submission receive the appropriate CIO approvals and certifications and include the corresponding affirmation statements, as listed in OMB Circulars A-130 and A-11.

(7) The CIO and CFO shall define and, as the co-chairs of the IPEC, shall oversee the process by which the CIO, CFO, CAO, and Chief Human Capital Officer (CHCO) work with program leadership to plan an overall IT portfolio that efficiently and effectively leverages IT to further program and business objectives aligned to the agency's Strategic Plan.

(8) An IT investment's justification, cost, schedule, measurement indicators, and other management and technical artifacts shall describe the discrete and unique set of IT products and services it encompasses and how they contribute to the NRC mission or mission support functions. For all major IT investments, the agency shall document and report all of the above to the OMB (when requested).³

(9) Major IT investments shall adhere to the principles established by the OMB in Appendix 6, Principles of Budgeting for Capital Asset Acquisitions, to the Capital Programming Guide.

(10) No two IT investments shall serve the same purpose or deliver the same discrete and unique set of products or services. If duplicative investments are identified, an alternatives analysis shall be performed, and a plan developed to eliminate the duplication and associated cost.

(11) When two or more IT investments deliver products or services through the same IT component (i.e., system or platform), the set of products or services delivered through that component by each investment shall be discrete and unique and clearly distinguishable from the products and services delivered by the other investments through the same component.

In addition, there must be a consistent, reliable means of determining an equitable cost of the shared platform for each investment, to ensure accurate planning, budgeting, and reporting of the total cost of ownership of each investment.

(12) All IT investments shall have a defined life cycle with start and end dates, with the end date representing the end of the currently estimated useful life of the investment, consistent with the investment's most recent alternatives analysis, if applicable. When an asset is essentially replaced by a new system or technology, the replacement shall be reported as a new, distinct investment, with its own defined life cycle information.

³ NRC CPIC procedures for Major IT Business Cases are based on the OMB's annual IT Budget-Capital Planning Guidance issued as part of OMB Circular A-11.

(13) Information security, privacy, records management, public transparency, and supply chain security issues must be considered for all resource planning and management activities throughout a system's development life cycle.

(14) All major IT investments shall have a committed IPT comprising the required minimum membership (as noted in the definition of IPT) and program charter. All IT projects shall have an IPT, project charter, project management plan, and schedule.

(15) Alternatives analysis shall be performed for investments with projects in the planning or DME stages. The alternatives analysis shall include both Government-provided (internal, interagency, and intra-agency) and commercially available options, as well as cloud solutions, where applicable.

(16) The alternatives analysis for a new investment shall include the Three-Step Software Solutions Analysis described in OMB Memorandum M-16-21, which addresses Federal source code policy.

(17) To strengthen understanding of the requirements for an IT service, qualitative and quantitative research methods shall be used to determine the goals, needs, and behaviors of current and prospective managers and users of the service.

(18) All acquisition planning shall adhere to the planning provisions in FAR Subpart 7.1, Acquisition Plans, and FAR Part 10.

(19) Planning for IT acquisitions shall substantiate the NRC's commitment to achieving specific goals through the completion of each acquisition. Planning activities and results shall be documented, and final plans approved before the acquisition phase begins. For investments developed or managed using an iterative or agile methodology, proper planning for each iteration or sprint shall be conducted throughout the life of the investment.

(20) All IT hardware and software shall be planned, acquired, deployed, managed, and disposed of under IT investments in the NRC's IT Portfolio Summary and in accordance with the NRC's IT asset life cycle management processes and procedures.

(21) In analyzing and prioritizing IT investments for selection into the agency IT portfolio, all decisions to select (acquire or develop) an information system technology or service shall be merit-based and shall consider factors including, but not limited to, the following:

  • alignment to the NRC's Strategic Plan
  • ability to meet operational or mission requirements
  • conformance to the current and target EA and alignment to the Enterprise Roadmap
  • total life cycle costs of ownership and ability to sustain such costs
  • performance
  • security risks
  • interoperability
  • privacy
  • accessibility
  • ability to be shared or reused
  • resources required to switch vendors to avoid being locked in
  • availability of high-quality support at a reasonable cost

(22) The decision to improve, enhance, or modernize an existing IT investment or to develop a new IT investment shall be based on an alternatives analysis that covers both Government-provided (internal, interagency, and intra-agency, where applicable) and commercially available options, from which the option offering the best value to the Government shall be selected.

(23) Preference shall be given to using available and suitable Federal information systems, technologies, or shared services or information-processing facilities, or to acquiring open-source or commercially available off-the-shelf software or technologies, over developing or acquiring custom or duplicative solutions.

(24) Decisions to acquire custom or duplicative solutions must be justified by their overall life cycle cost-effectiveness or their ability to meet specific high-priority mission or operational requirements.

(25) The security levels of information systems shall be commensurate with the risk that may result from unauthorized access, use, disclosure, disruption, modification, or destruction of the information they contain, consistent with NIST standards and guidelines.

Acquiring Information Technology and Services

When acquiring IT and IT services, the NRC shall adhere to the following:

  • all relevant Federal mandates, such as 41 U.S.C. 2308, Modular Contracting for Information Technology
  • OMB policy, including but not limited to the category management policies for improving the acquisition and management of common IT, such as the following:

- laptops and desktops (OMB Memorandum M-16-02)

- software licensing (OMB Memorandum M-16-12)

- mobile devices and services (OMB Memorandum M-16-20)

NRC FITARA COMMON BASELINE IMPLEMENTATION PLAN 19

U.S. Nuclear Regulatory Commission CPIC Policy

  • the FAR, including the planning provisions in Subpart 7.1 and Part 10 to be implemented before an acquisition

During the acquisition process, all of the above must be referenced and applied as appropriate. This includes, but is not limited to, the following policy guidelines:

(1) Develop a thorough benefit-cost analysis of all procurement requirements based on market research, including an alternative analysis.

(2) Effectively use competition, analyze risks (including supply chain risks) associated with potential contractors and the products and services they provide, and allocate risk responsibility between the Government and the contractor.

(3) Conduct definitive technical, cost, and risk analyses of alternative design implementations, considering, for example, the full life cycle costs of IT products and services, which include but are not limited to planning, analysis, design, implementation, sustainment, maintenance, recompetition, and retraining costs, scaled to the size and complexity of individual requirements.

(4) When developing planned information systems, consider existing Federal contract solutions or shared services available from within the same agency, from other agencies, or from the private sector, to avoid duplicative investments.

(5) Initiate development of new information systems or of custom solutions to improve existing information systems only when no existing private-sector or Government source can efficiently meet the need, taking into account long-term sustainment and maintenance.

(6) Structure acquisitions for major IT investments into useful segments, each of narrow scope and brief duration, to reduce risk, promote flexibility and interoperability, increase accountability, and better match mission need with current technology and market conditions.

(7) To the extent practicable, award modular contracts for IT, including orders for increments or useful segments of work, no more than 180 days after issuing the solicitation. If an award cannot be made within 180 days, consider canceling the solicitation. The IT acquired should be delivered no more than 18 months after the solicitation was issued.

(8) Align IT procurement requirements with the agency's strategic goals.

(9) Promote innovation in IT procurements; in particular, conduct market research to maximize the use of innovative ideas.

(10) Include requirements for security, privacy, accessibility, records management, and other relevant considerations in solicitations.

(11) Ensure that the CIO reviews and approves all acquisition strategies, plans, and requirements (as described in FAR Part 7, Acquisition Planning) and all interagency agreements (such as those used to support purchases through another agency) that involve IT. These approvals shall consider the following factors:

  • alignment with mission and program objectives in coordination with program leadership
  • appropriateness with respect to the mission and business objectives supported by the NRC's IRM Strategic Plan
  • inclusion of innovative solutions
  • appropriateness of contract type for IT-related resources
  • appropriateness of IT-related portions of statement of needs or statement of work
  • ability to deliver functionality in short increments
  • inclusion of Governmentwide IT requirements, such as information security
  • opportunities to migrate from and retire end-of-life software and systems

(12) Consistent with the FAR, include in contracts for custom s oftware development provisions that reaffirm the right to reuse the software throughout the Fe deral Government.

(13) Enter all acquired IT hardware and software into the NRCs IT asset inventory and management tools.

Information Technology Investment Design and Management

The NRC shall, to the extent practicable and financially responsible, implement the following requirements:

(1) Information systems and processes shall support and maximize interoperability and access to information, where appropriate, by using documented, scalable, and continuously available application programming interfaces and open machine-readable formats.

(2) Information systems and technologies must facilitate interoperability, application portability, and scalability across networks of heterogeneous hardware, software, and communications platforms.

(3) When ICT is developed, procured, maintained, or used, it must be in compliance with Title 36 of the Code of Federal Regulations 1194.1, Standards for Section 508 of the Rehabilitation Act.


(4) In designing, developing, integrating, or implementing IT solutions, the practices and architecture must conform to the NRC IT/IM Technical Standards.

(5) All information life cycle processes and stages, including the design, development, implementation, and decommissioning processes for information systems, must fully incorporate electronic records management (ERM) functions, policies, and retention and disposition requirements or have electronic recordkeeping mitigation strategies in place.

Laws and regulations under the National Archives and Records Administration (NARA) require agencies to manage information throughout the life cycle regardless of the media.

This applies particularly to Internet resources, including storage solutions and cloud-based services such as software as a service, platform as a service, and infrastructure as a service.

(6) A PIA and security impact assessment must be performed up front, and the appropriate security planned, budgeted, and built in at the start of the project.

(7) IT investments shall use an EVMS and Integrated Baseline Review, when appropriate, as required by FAR Subpart 34.2, Earned Value Management System. When an EVMS is required, agencies must have a documented process for accepting a contractor's EVMS.

When an EVMS is not required, a baseline validation process must be implemented as part of an overall investment risk management strategy consistent with OMB guidance.

(8) All IT development projects shall appropriately implement incremental development and modular approaches, as defined in the OMB's Contracting Guidance to Support Modular Development.

(9) Maintenance activities of notable cost or duration with predetermined start and end dates should be managed as projects. In the case of major IT investments, the project and activity tables in Section B of the Major IT Investment Update shall track, monitor, and report the cost and schedule.

(10) For operational investments, OAs shall be performed until a decision is made to reevaluate the investment or to resume DME.

(11) All applicable decisions about system and service investments shall be reflected in new or updated entries (e.g., system, service, application) in the NRC information system inventory, as required by statute (44 U.S.C. Chapter 35, Coordination of Federal Information Policy, among others) and OMB policy.


Responsibilities

Responsibilities of the Chairman

Review the IT budget request included in the overall agency budget recommended by the Executive Director for Operations (EDO) and the CFO and submit final recommendations to the Commission.

Responsibilities of the Commission

Review and approve the agency's IT budget request as part of the overall agency budget.

Responsibilities of the Executive Director for Operations

(1) Serve as the Chief Operating Officer and, as such, supervise the activities of the Assistant for Operations, who serves as the Performance Improvement Officer, in accordance with the GPRAMA.

(2) Ensure that the NRC's planning and budgeting process for IT investments is consistent and integrated with the agency's overall planning, budgeting, and performance management (PBPM) process.

(3) Ensure that program office and IT officials participate in the PBPM process for IT investments throughout their life cycle.

(4) Ensure that statutory responsibilities for IT investments and their oversight are appropriately assigned to the agency's CIO.

(5) Together with the CFO, review and approve the selections and budget for the annual IT investment portfolio recommended by the IPEC and submit recommendations to the Chairman.

(6) Assign the CIO to be the Designated Approving Authority formally responsible for approving the operation of an IT system at an acceptable level of risk based on an agreed-on set of implemented security controls, in accordance with the Federal Information Security Management Act and NIST guidelines.

Responsibilities of the Chief Information Officer

Please refer to Appendix A - Nuclear Regulatory Commission Chief Information Officer (CIO) Assignment Plan and Responsibilities.

(1) Assist and act for the EDO in executing the EDO's responsibility for IT infrastructure, application development, project management, IM services, and information system security oversight.


(2) Oversee, guide, and coordinate with the Deputy CIO and the Chief Information Security Officer.

(3) Develop and implement an agencywide framework of policies, processes, and procedures for IT investment management, strategic planning and EA, information and records management, and information security. This framework should support the NRC's mission, conform to Federal statutes and regulations and to OMB and GAO guidance, and be consistent with the NRC's overall PBPM programs.

(4) Co-chair the IPEC with the CFO, set the agenda for and facilitate meetings to achieve the IPEC's goals and objectives, and approve revisions to its charter, as needed.

(5) As co-chair of the IPEC, jointly with the CFO, define the level of detail with which IT resources are described distinctly from other resources throughout the planning, programming, and budgeting stages. The level of detail provides transparency for the IT budget and serves as the primary input for the IT CPIC documents submitted to the OMB with the agency's overall budget.

(6) Review and approve the major IT portion of the budget request; the CFO shall affirm this CIO approval in the NRC's budget justification materials.

(7) Review and collaborate with program leadership on planned IT support for major program objectives and significant increases and decreases in IT resources.

(8) Jointly with the CFO, affirm that the IT portfolio contains appropriate estimates of all IT resources included in the IT budget request.

(9) Jointly with the CFO and the IPEC, provide an executive IT investment review function as required by the OMB, make decisions on the IT portfolio, and recommend the IT budget to the EDO for consideration in the NRC's overall budget.

(10) Establish other executive and technical review or advisory bodies, as necessary, to involve business and technical SMEs in IT investment planning and management oversight; ensure agencywide coordination; and fulfill CPIC requirements for IT investments, strategic planning and EA, security, and information and records management policies, as stated in the Capital Programming Guide and OMB Circular A-130.

(11) Jointly with the CFO and CAO, define agencywide policy for the level of detail of planned expenditure reporting for all transactions that include IT resources.

(12) As a member of the Strategic Sourcing Group, review and approve all acquisitions over $1 million, and provide oversight to ensure that all acquisition strategies and plans that involve IT apply adequate incremental development principles, use appropriate contract types, contain appropriate statements of work for the IT portions, support the mission and business objectives in the IT strategic plan, and align mission and program objectives (in consultation with program leadership).

(13) Review and approve all new IT purchases, regardless of dollar value.


(14) Recommend to the Commission any movement of funds for IT resources that requires congressional notification.

(15) Jointly with the CHCO, develop a set of competency requirements for IT and IT acquisition staff (including IT and IT acquisition leadership positions), and develop and maintain a current workforce planning process so that the agency can anticipate and respond to changing mission requirements, maintain workforce skills in a rapidly developing IT environment, and recruit and retain the IT talent needed to accomplish its mission.

Continually assess the existing IT workforce to identify deficiencies and provide such assessments to the Chairman as part of the annual Human Capital Commission Briefing.

(16) Formally assume responsibility for operating major systems and networks at acceptable risk levels; evaluating the mission, business case, and budgetary needs for NRC systems in view of their security risks; and permitting or denying operations or use based on security risk.

(17) Provide an annual report on the NRC Cybersecurity Program, the NRC Privacy Program, and the findings of the NRC Inspector General's review of these programs, signed by the Chairman.

(18) Oversee the NRC Cybersecurity Program, which provides a quarterly report on the information security responsibilities of all senior agency officials, using a cybersecurity performance metric based on five major criteria: (1) computer security awareness training, (2) role-based training, (3) continuous monitoring, (4) cybersecurity incidents, and (5) phishing.

(19) As part of regular CIO evaluations, perform risk reviews covering three major areas: (1) managing active risks, (2) maintaining risk logs and actively managing risk mitigation strategies, and (3) identifying and managing risk triggers.

(20) As part of the CIO evaluations, review investments that meet the criteria for a TechStat. A TechStat is required for any high-risk investment that remains red or at risk for 3 consecutive months or more.

(21) Jointly with the CAO, share acquisition and procurement responsibilities. The CIO reviews all IT-related cost estimates and ensures that all acquisition strategies and plans that involve IT apply adequate incremental development principles.

Responsibilities of the Capital Planning and Investment Control Team

(1) Facilitate IT SME reviews for policy compliance, security, IT project management, and infrastructure impact, and consolidate SME recommendations for the IPEC.

(2) Facilitate IT investment reviews (e.g., Control Reviews, TechStats, CIO TouchPoints) with the CIO and appropriate IT governance boards.

(3) Coordinate with the Enterprise Architect to verify mapping between the NRC's EA and the Federal EA, and to ensure that investments align with the NRC's Strategic Plan, IT/IM Strategic Plan, and Enterprise Roadmap.


(4) Coordinate with the NRC's Program and Project Management Team to establish project control gates and to ensure that project management standards and best practices are implemented throughout the life cycle of each IT investment.

(5) Coordinate with other functional areas of OCIO on security-related requirements to support the development and review of IT business cases and project plans and the monitoring and evaluation of IT investments throughout their life cycle.

(6) Help IT investment owners understand and comply with the CPIC process and related OMB requirements, including preparation of the NRC's IT Portfolio Summary and Major IT Business Case submissions.

(7) Work with IPTs and IT program and project managers for each major investment to update Major IT Business Cases and ensure complete and timely submission of updates to the OMB.

(8) Serve as a single point of contact for NRC inquiries about IT governance and CPIC processes and procedures.

(9) Coordinate input for the annual IT planning and budgeting guidance.

(10) Maintain an inventory of the agency's capitalized IT investments (i.e., Major IT Business Cases), and provide the current list to the Office of the Chief Financial Officer for inclusion in the NRC's budget justification materials.

(11) Provide input to educational outreach activities and training related to CCA, FITARA, and OMB requirements, and present training to IPTs and IT project managers on the CPIC portfolio and investment management and submission tool, OMB reporting requirements, and the NRC's IT governance.

(12) Establish requirements and criteria for selecting investments for the NRC's IT portfolio.

(13) Define and implement processes and procedures to monitor and evaluate IT investments throughout their life cycle.

(14) Serve as the secretariat for the IPEC, scheduling meetings, developing agendas, coordinating briefings and reviews, taking minutes to document decisions and action items, and tracking action items to completion.

Other Responsibilities

Current charters fully describe and maintain the responsibilities of the IPEC, acquisition review boards, and IPTs. NRC Management Directive 2.8, Integrated Information Technology/Information Management (IT/IM) Governance Framework, dated February 24, 2016, describes the responsibilities of the Enterprise Architect and the project management function. The NRC Information Technology Asset Management Policy, issued December 2016, describes the responsibilities of the hardware asset manager and software manager.


The NRC uses NUREG-1908, Information Technology/Information Management Strategic Plan, to outline and refine internal processes, focusing on three key components: to empower, protect, and serve. Across both the public and the private sector, there is increased focus on using technology to create transparency and efficiency and to improve the customer experience, both internally and externally. OCIO has completed a benchmark of the IT/IM Strategic Plan, and the NRC is in alignment with industry standards in both the private and the public sector.

As of November 2019, the NRC has met the requirements established by Congress in 2014, which include a special provision to the GAO to annually review agencies' data center inventories and strategies. The GAO's objectives were to (1) evaluate agencies' progress and plans for data center closures and cost savings, (2) assess agencies' progress against the OMB's data center optimization targets, and (3) identify effective agency practices for achieving data center closures, cost savings, and optimization targets. The GAO attained these objectives, presenting the results in GAO-16-323, Data Center Optimization: Agencies Making Progress, but Planned Savings Goals Need to Be Established, dated March 4, 2016, and GAO-19-241, Data Center Optimization: Additional Agency Actions Needed to Meet OMB Goals, dated April 11, 2019. The NRC has met all requirements for maintaining an inventory and consolidating and optimizing data centers, as posted in the OMB IT Dashboard.

Capital Planning and Investment Control Overview

The NRC CPIC is critical to the management and oversight of the agency's IT resources. It provides a mechanism for delivering high-quality information and recommendations to executive decisionmakers on investments to be included in the IT portfolio.

Recognizing that IT investment management is dynamic, the NRC selects and continuously monitors and evaluates the investments in its IT portfolio to ensure that they effectively and efficiently support the agency's mission and strategic goals. The NRC's CPIC processes are designed to facilitate sound IT governance and the maturation of the NRC's IT investment management. The CPIC model relies on three distinct, yet interdependent, sets of processes: (1) Select, (2) Control, and (3) Evaluate. An investment can be active concurrently in multiple CPIC processes. After an investment is initially selected and funded, it repeatedly undergoes the Control and Evaluate processes for review and reselection until it is determined to have come to the end of its useful life, at which point it is decommissioned and removed from the IT portfolio.

Select

The purpose of the Select process is to identify the IT investments, projects, and activities that best support the NRC mission and current business needs at acceptable risk levels and as cost-effectively as possible. The key objectives are to analyze the risks and returns of each investment or project before committing funds, and to select or reselect those investments and projects that will best support mission needs.

The Select process and procedures capture IT investments and their supporting projects and resources for consideration in the overall IT portfolio. Investments considered include both new proposals and current investments being evaluated for reselection, either as-is or with enhancements. Investments being decommissioned also remain in the portfolio until they have been completely removed from the production environment and require no further funding. Investments are captured, categorized, analyzed, prioritized, and either selected, rejected, or placed on a lower priority or nonfunded list.

New IT investments proposed and selected for funding shall meet the following criteria:

  • Support the NRC's core or priority mission functions.
  • Fill a performance or capability gap in achieving the NRC's strategic goals and objectives, yielding the maximum benefits at the lowest life cycle cost among viable alternatives.
  • Support a function that no alternative private-sector or Government source can more efficiently support.
  • Support work processes that have been simplified or otherwise redesigned to reduce costs, improve effectiveness, and make maximum use of commercial off-the-shelf technology.
  • Demonstrate a projected best value, based on an analysis of quantifiable and qualitative benefits and costs and projected return on investment, that clearly equals or exceeds that of any alternative uses of available public resources.

Benefits contributing to best value may include improved mission performance in accordance with GPRA measures; reduced cost; increased quality, speed, or flexibility; and increased customer or employee satisfaction.

IT investment costs shall be adjusted for such risk factors as the investment's technical complexity, the organization's management capacity, the likelihood of cost overruns, and the consequences of under- or non-performance.

  • Be consistent with applicable Federal and NRC enterprise and information architectures.
  • Reduce risk by employing measures such as avoiding or isolating custom-designed components so that their failure would have minimal adverse effects on the overall project; using fully tested pilots, simulations, or prototype implementations before beginning production; establishing clear measures and accountability for project progress; and securing substantial stakeholder involvement and buy-in throughout the project.
  • Be implemented in phased, successive segments, modules, sprints, or other useful units as narrow in scope and brief in duration as practicable, each solving a specific part of an overall mission problem and delivering a measurable net benefit independent of future segments or modules.
  • Adhere to the standards in the NRC's Project Management Methodology 2.0, including the use of required artifacts.
  • Adhere to security standards, including the use of required artifacts.
  • Employ an acquisition strategy that allocates risk between the Government and contractors, effectively uses competition, ties contract payments to accomplishments, and takes maximum advantage of commercial technology.

Annually, the NRC shall review and evaluate all existing IT investments, based on data collected through the Control process and procedures and analyzed in the Evaluate process and procedures, to determine whether each investment meets the following criteria for reselection and funding:

  • The investment continues to meet business needs and expected performance goals.
  • Business needs and expected performance goals can be met more cost-effectively by maintaining, enhancing, or modifying the investment than by replacing it.
  • The investment's current risk management plan and risk log show effective risk mitigation, including the management and closing of cybersecurity risks identified through continuous monitoring as listed on the investment's plan of actions and milestones.
  • The investment adheres to projected costs and expected benefits throughout its life cycle.

Control

The purpose of the Control process is to ensure that, as projects develop and expenditures are made, each investment and its associated projects and activities continue to meet mission or business needs at the expected cost and risk levels. The key objectives are (1) to ensure quick corrective action to address any deficiencies in project or operational components, and (2) to enable the NRC to adjust investment objectives and modify expected outcomes if its mission or business needs have changed.

The Control process and procedures encompass various tools and techniques for monitoring and reporting on the performance of IT investments and the risks associated with them. These are key to obtaining high-quality data on the status of project costs and schedules, risks (including plans of actions and milestones), and investment performance, to inform decisions on changes to investments, projects, or the portfolio. The Control process and procedures include the annual updates and submissions of services, ledgers, and financial data; major IT investment monthly reviews and CIO evaluations; quarterly portfolio reviews; major IT investment control reviews; and CIO TouchPoints. Data and information collected from the monitoring of investments provide input for the evaluation of investments and support OMB reporting requirements.

Evaluate

The purpose of the Evaluate process is to compare actual versus expected benefits and costs of IT investments and projects to assess return on investment, customer satisfaction, and value to the NRC in meeting its mission and business needs. The key objectives are as follows:


  • Assess the capacity of a project or investment to meet performance expectations within cost and schedule limits and in compliance with IT policies.
  • Identify any modifications needed on an investment (or on its associated projects or activities).
  • Update IT investment management policies, processes, and procedures based on lessons learned.

The Evaluate process and procedures are used to analyze IT investment data to support the decision-making required to maximize the value of IT investments and the maturation of the IT portfolio and IT management practices. This entails performing annual OAs, PIRs, and TechStats, as needed. Although all of these activities inform the selection, reselection, and deselection of projects and investments within the IT portfolio, the OA is paramount. The NRC has based its OA process on the requirements in Section III, Management In-Use, of the Capital Programming Guide.

The OA allows for a periodic, structured assessment of cost, performance, and risk trends over time to help determine when the cost and risk of an investment outweigh the value it provides.


Appendix A

Nuclear Regulatory Commission Chief Information Officer (CIO) Assignment Plan and Responsibilities

The following CIO Assignment Plan details decisions about certain IT resources included in the Common Baseline that the CIO delegates to other agency officials, as well as evidence that the CIO retains accountability in these areas. The CIO, through the Office of Chief Financial Officer, provides financial information to the Chairman and Commission. The CIO provides both the Chairman and the EDO the status of IT investments and the agency's IT Portfolio and activities on a regular basis. The CIO is responsible for the NRC IT Portfolio financial data. As OCIO receives inquiries from the Commission about the agency IT budget, the CIO responds to this request. The CIO also participates in decision-making meetings on the budget sent to the Chairman from the EDO.

Assignment of Information Technology and Information Management (IT/IM) Responsibilities delegating listed authorities to the CIO or equivalent lead official at the NRC.

The assignment plan is presented by FITARA section. Each entry gives the Assignment Plan, followed by the Evidence that the CIO retains accountability.

FITARA section B: CIO role in pre-budget submission for programs that include IT and overall portfolio
Assignment Plan: The CIO assigns responsibility for developing proposed IT planning, programming, and budgeting artifacts to the Division of Resource Management and Administration (DRMA), who coordinates with the Office of the Chief Financial Officer (OCFO), Program Offices, including CXOs. This group is comprised of budget, contract, acquisition, program management and HR. Each agency office ensures the accuracy of the information being reported, after which the CIO performs a final review.
Evidence that the CIO retains accountability: The CIO approves IT planning, programming, and budget artifacts before they are submitted to OMB. The CIO approves artifacts based on Investment attestation of accuracy of reporting. OMB budget submissions will include information technology resource statements that affirm the CIO's review and approval of IT investments in the budget request, as well as changes to IT programs and resources.


FITARA section C: CIO role in planning program management
Assignment Plan: The CIO engages in program management through senior level management meetings including NRC Office Director meetings, Budget Formulation Process meetings, and Quarterly Program Review meetings. The CIO leads agency annual, quarterly and monthly IT portfolio reviews as part of the CPIC Performance process.
Evidence that the CIO retains accountability: The CIO approves planning and project management artifacts before they are submitted to OMB or implemented. The CIO approves artifacts based on Investment attestation of accuracy of reporting through OCIO and agencywide clearance processes.

FITARA section D: CIO reviews and approves the major IT investment portion of budget request
Assignment Plan: The CIO, with the support of Office Directors, approves the IT investments and budget request prior to the budget submission. The CIO assigns the responsibility for the accuracy of IT investments and financials information reported in the agency's budget request to each office, but always performs a final review.
Evidence that the CIO retains accountability: The CIO approves planning, programming, and budget artifacts before they are submitted to OMB or implemented. The CIO approves the artifacts based on office attestation of accuracy of all agency level Reporting for the Agency IT Portfolio.


FITARA section E: Ongoing CIO engagement with program managers
Assignment Plan: The CIO assigns responsibility for Capital Planning and Investment Control (CPIC) performance reporting to the NRC IT investment Integrated Project Team (IPT). The CIO assigns responsibility for ensuring the accuracy of reported information as well as participating in regular portfolio and investment level reviews.
Evidence that the CIO retains accountability: The CIO maintains accountability through the NRC IT governance structure and CPIC process. Additionally, the CIO maintains accountability through quarterly CIO evaluations which involve a review of risks, projects, costs, schedules, IT requirements, enterprise architecture and human capital.

FITARA section F: Visibility of IT planned expenditure reporting to CIO
Assignment Plan: The CIO has visibility into the IT planned expenditures prior to the execution year. Every new or follow-up acquisition is reviewed and approved by the CIO. Throughout the FY, the CIO reviews all execution year changes and must review any changes that occur across cost centers or BL PL Ps.
Evidence that the CIO retains accountability: The CIO approves IT planned expenditure data. The data is reconciled in the NRC Agency Portfolio System, FEDPASS, and Capital Planning and Investment Control Performance Reporting.

In regard to IT/IM Budget Guidance, the NRC has enhanced its budget execution process and procedures to better align budget formulation and budget execution, as well as provide improved visibility to all stakeholders. In FY 2020, OCFO implemented a new module within its Budget Formulation System (BFS) to capture the budget execution information. This new module, the Commitment Planning Module (CPM), is designed to track and document budget execution, and explain reallocations against formulated resources, while ensuring that appropriate plans are formulated prior to commitments. At the start of a fiscal year, Allowance Holders create Baseline contract/task order level commitment (execution) plans which align with the latest budget estimate. By aligning detail level contract plans against budgeted resources, CPM facilitates an early identification of resources for reallocation. With the additional goal of enhancing the CIO's visibility on budget execution, OCIO leveraged CPM to require CIO approvals for baseline commitment plans, as well as changes and reallocation requests on IT resources. The CIO approves reallocations throughout the year based on the OCIO reallocation approval guidance procedures. The agency has also implemented the consolidation of IT hardware and software purchases, as well as requiring offices to submit IT hardware and software purchases for enterprise architecture review.


FITARA section G: CIO defines IT processes and policies
Assignment Plan: The CIO assigns responsibility for defining development processes, milestones, review, and overall policies for project management and reporting for IT resources at the investment level to the Integration Program/Project Team. The IPTs then coordinate with their respective leadership and CXOs. These elements must remain in full compliance with NRC development processes, milestones, review gates, and overall policies for project management and reporting for IT resources as defined by the CIO.
Evidence that the CIO retains accountability: The CIO issues agencywide guidance that defines development processes, milestones, review gates, and overall policies for project management and reporting for IT resources. Investments must fully comply with this guidance when developing investment level processes, milestones, review gates, and overall policies for project management and reporting for IT resources.

OCIO posts agencywide IT policies and processes to the NRC intranet.

https://www.nrc.gov/public-involve/open/digital-government/policyarchive/index.html


FITARA section | Assignment Plan | Evidence that the CIO retains accountability

FITARA section H: CIO role on program governance boards

Assignment Plan: The CIO and CFO co-chair the IPEC governance board and provide oversight for investment level IT governance bodies to voting members. Each NRC Office has a voting member and a back-up represented in the IPEC. IPEC is an executive management body established to determine U.S. Nuclear Regulatory Commission (NRC) Information Technology/Information Management (IT/IM) strategic direction and to manage its IT/IM portfolio by setting current fiscal year priorities and determining the funding of IT/IM investments that effectively integrate into the IT/IM portfolio, as required by the Clinger-Cohen Act, the Office of Management and Budget (OMB) Circular A-130, the Federal Information Security Management Act of 2002 (FISMA), and other Government requirements.

Evidence that the CIO retains accountability: IPEC decides IT/IM direction, values, information security activities, and establishes the agency's risk tolerance for IT activities to achieve strategic program objectives; approves major investments that will effectively integrate into the IT/IM Portfolio; ensures the Agency's Capital Plan supports NRC's priorities; reviews the IT/IM Portfolio in the year of execution to address current fiscal year priorities; oversees the execution of the portfolio by reviewing the portfolio health on a quarterly basis against established direction, values and risk tolerance; and communicates IPEC discussion and decisions to other NRC boards and/or committees. Each investment reports regularly to the CIO on its full IT governance structure and investment status.

FITARA section I: Shared acquisition and procurement responsibilities

Assignment Plan: The CIO shares IT acquisition and procurement responsibilities with the Office of Administration (ADM), which is responsible for the execution of all acquisition and procurement activities.

Evidence that the CIO retains accountability: IT Budget Execution Guidance, MD 4.8, Budget Execution; NRC Acquisition of Supplies and Services, MD 11.1; Memorandum of Understanding Between Office of Administration, Office of the Chief Financial Officers and Regions; Capital Planning and Investment Control Processes.

The Office of the CIO and ADM have worked collaboratively to: define processes to ensure that the adequate use of incremental development is applied to IT acquisitions; develop formal procedures and training tutorials for the CORs and contractors to use in the execution and maintenance of various contracts or task orders; and provide the CIO with a weekly report that lists all requisitions received by the Acquisition team.

FITARA section J: CIO role in recommending modification, termination or pause of IT

Assignment Plan: The CIO establishes thresholds for mandatory agency and investment level TechStat reviews as well as mandatory criteria for modification, termination, or pause of IT unless specifically exempted by the CIO. The CIO assigns investment level actions to CPIC and Enterprise Architecture, as well as the responsibility for auditing and ensuring the accuracy of all information reported to the agency for the CIO.

Evidence that the CIO retains accountability: The CIO establishes thresholds for mandatory agency and investment level TechStat reviews as well as mandatory criteria for modification, termination, or pause of IT unless specifically exempted by the CIO, as stated in the TechStat Policy and the Capital Planning and Investment Control Processes: https://www.nrc.gov/public-involve/open/digital-government/policyarchive/index.html


FITARA section K: CIO review and approval of acquisition strategy and acquisition plan

Assignment Plan: The CIO reviews and approves the acquisition strategy and acquisition plan prior to contract award and ensures complete and accurate information in the OMB Submission.

Evidence that the CIO retains accountability: IT Budget Execution Guidance, MD 4.8, Budget Execution; NRC Acquisition of Supplies and Services, MD 11.1; Memorandum of Understanding Between Office of Administration, Office of the Chief Financial Officers and Regions; Strategic Sourcing Group Charter.

In response to the GAO request that the NRC provide supporting documentary evidence that acquisition office officials review acquisitions to ensure that IT is properly identified, NRC issued Acquisition Instruction (AI) #2018-01, Identifying IT Related Acquisitions, on June 25, 2018. As this AI has been shared with NRC program offices and regions, NRC is fully compliant with FITARA Section K-Acquisition.
