ML18360A461

NRC Capital Planning and Investment Control Process - Version 2.1 2018
Issue date: 12/26/2018
From: NRC/OCIO/GEMSD/PIMB
To: Kube, Leah, OCIO/GEMSD, 415-0669



U.S. Nuclear Regulatory Commission
Capital Planning and Investment Control

Capital Planning and Investment Control
Office of the Chief Information Officer
Capital Planning and Investment Control Team
Version 2.1
2018

Revision History

DATE: 12/28/2015
VERSION: 1.0
SUMMARY OF CHANGES: Updated CPIC processes to include new requirements from FITARA and to reflect internal organizational changes. This document supersedes previous CPIC process documentation and supplements the Capital Planning and Investment Control Policy and Overview posted on the NRC IT Policy Archive at nrc.gov.
AUTHOR: Vickie Smith, OCIO/PMPD/IPMB. Approved by Darren Ash, CIO.
ADAMS Accession No. ML15260A904

DATE: 12/31/2017
VERSION: 2.0
SUMMARY OF CHANGES: Revised the Capital Planning and Investment Control (CPIC) process to include updates to information technology (IT) governance, a new Select phase, additional Chief Information Officer (CIO) roles and responsibilities in incremental development, various updates from the budget year 2019 IT budget/capital planning guidance, modifications to the CIO evaluation process, updates to the appendix, and other minor updates.
AUTHOR: Leah Kube, OCIO/GEMS/PIMB. Approved by Dave Nelson, CIO.
ADAMS Accession No. ML17349A083

DATE: 12/26/2018
VERSION: 2.1
SUMMARY OF CHANGES: Updated CPIC process to include edits of typographical errors, updates to the select process, updates to the evaluate process, and other minor updates.
AUTHOR: Leah Kube, OCIO/GEMS/PIMB. Approved by Dave Nelson, CIO.
ADAMS Accession No. ML18360A461

Table of Contents

Background
Purpose
The NRC's Information Technology/Information Management Governance
The NRC's Information Technology Investment Review Boards
The Information Technology/Information Management Portfolio Executive Council
The Information Technology/Information Management Board
Capital Planning and Investment Control
Select Process: Screen, Compare, and Choose
Preselect and Select Phases
Key Preselect and Select Phase Concepts
Roles and Responsibilities
Process Mechanisms
Preselect and Select Phase Artifacts
Process Diagram and Notation Summary
Preselect Phase Process Overview
Select Phase Process Overview
Business Case Development and Portfolio Selection Processes
Prioritization and Funding Processes
Reselection and Deselection Processes
Control Process versus Evaluate Process
Control Process: Monitor, Inform, and Correct
Major Information Technology Business Case Submissions
Major Information Technology Investment Monthly Reviews and Chief Information Officer Evaluations
Quarterly Investment and Portfolio Reviews
Major Information Technology Investment Control Reviews
Chief Information Officer TouchPoints
Evaluate Process: Learn, Recommend, and Adjust
Postimplementation Reviews
Operational Analysis
Appendix A: The U.S. Nuclear Regulatory Commission's Information Technology Portfolio Structure
Appendix B: Information Technology Budget Certification and Approval
Appendix C: Related Definitions


Background

Capital Planning and Investment Control (CPIC) for information technology (IT) investments refers to a decision-making process that ensures IT investments integrate strategic planning, budgeting, procurement, and management of IT in support of agency missions and business needs.[1] The Clinger-Cohen Act of 1996 (CCA) requires Federal agencies to use disciplined CPIC processes to acquire, use, maintain, and dispose of IT assets. Specifically, CCA mandates that an agency's CPIC processes (1) provide for the selection, control, and evaluation of agency IT investments, (2) integrate with the processes for budget, financial, and programmatic decisionmaking, (3) include minimum criteria for considering whether to undertake an IT investment, (4) identify IT investments that would result in shared benefits or costs for other Federal agencies or State or local governments, (5) provide the means for identifying quantifiable measurements for IT investment net benefits and risks, and (6) provide the means for senior management to obtain timely information on an investment's progress. To meet these requirements, CPIC relies on three distinct, yet interdependent, sets of processes: Select, Control, and Evaluate.

More recently, the Federal Information Technology Acquisition Reform Act (FITARA), enacted on December 19, 2014, established additional requirements. The Office of Management and Budget (OMB) issued guidance on implementing FITARA in Memorandum M-15-14, Management and Oversight of Federal Information Technology, dated June 10, 2015. FITARA builds upon CCA by empowering Federal Chief Information Officers (CIOs) with increased oversight for (1) budget planning, (2) governance structures, (3) portfolio risk management, (4) hiring practices within the IT offices, (5) data center consolidation planning and execution, and (6) reporting of progress and metrics to OMB. To build upon and strengthen the CPIC requirements of CCA, FITARA establishes the Common Baseline for IT Management, which defines the roles and responsibilities of the CIO and other senior agency officials while ensuring that the CIO retains accountability.

To further assist agencies with meeting the requirements in CCA and FITARA, OMB issues its annual IT Budget-Capital Planning Guidance as part of OMB Circular A-11, Preparation, Submission, and Execution of the Budget, and maintains its supplement, the Capital Programming Guide, to assist agencies with the implementation of CPIC processes. OMB Circular A-130, Managing Federal Information as a Strategic Resource, updated July 27, 2016, provides additional guidance. OMB updates these circulars based on current, relevant statutes and Executive orders. CCA, FITARA, and associated OMB guidance serve as the basis for CPIC policy, processes, and procedures at the U.S. Nuclear Regulatory Commission (NRC).

The NRC's CPIC policy set forth in Capital Planning and Investment Control Policy and Overview is available on the NRC IT Policy Archive at https://www.nrc.gov/.

[1] The Office of Management and Budget defined the CPIC process in the Integrated Data Collection Common Definitions (see 40 U.S.C. § 11302 for statutory requirements and CCA).

Purpose

This document describes the NRC's CPIC processes and explains how they support the NRC's IT/information management (IM) governance. The descriptions of the NRC's CPIC processes include the flow of inputs and outputs between the three distinct, yet interdependent, sets of CPIC processes: Select, Control, and Evaluate. Towards that end, this document supplements the Capital Planning and Investment Control Policy and Overview by describing associated tools, techniques, and artifacts. Individual step-by-step procedures used to implement the processes are working documents developed and maintained by the Capital Planners in the Office of the Chief Information Officer (OCIO).

The NRC's IT/IM Governance

The NRC's CPIC processes are critical to the management and oversight of the agency's IT/IM resources because they implement the means for providing quality information and recommendations to executive decisionmakers on IT investments for inclusion in the agency's IT portfolio. IT investment management comprises the NRC's CPIC and IT budget processes and is part of the agency's integrated IT/IM governance framework. The NRC's CPIC processes support the CIO's involvement in relevant governance boards and ensure that IT investments integrate and adhere to the framework's other disciplines: (1) strategic planning and enterprise architecture (EA), (2) project management methodology (PMM), and (3) information and records management quality principles.

The NRC's CPIC processes also ensure that IT investments are reviewed for compliance with internal cybersecurity standards set forth by the NRC's Information Security Directorate in OCIO and with external cybersecurity standards mandated by the National Institute of Standards and Technology and U.S. Department of Homeland Security throughout their life cycle.

The NRC's IT Investment Review Boards

The NRC uses various investment review boards to ensure that IT investments are reviewed at the appropriate levels of the organization. The review boards encompass strategic business planning (which occurs at the executive level), program-level systems planning (which occurs across program offices), and technical architecture review (which occurs within OCIO). These two review boards include the IT/IM Portfolio Executive Council (IPEC) and the IT/IM Board (ITB).

The IT/IM Portfolio Executive Council

The CIO serves as one of the cochairs on the IPEC along with the Chief Financial Officer (CFO). The IPEC is an executive-level IT governance body established to determine the NRC's strategic direction for IT/IM and to manage the agency's IT portfolio by setting current fiscal year (FY) priorities and determining the funding of IT investments that effectively integrate into the IT portfolio, as required by CCA, OMB Circular A-130, the Federal Information Security Management Act of 2002, and other Government requirements. This executive-level IT governance body has established roles, responsibilities, and processes consistent with those required by FITARA. In addition to the IPEC cochairs, voting members include the Chief Acquisition Officer, Chief Human Capital Officer, and Chief Information Security Officer (collectively referred to as the CXOs); directors of the major program offices; and a Regional Administrator to represent all NRC regional offices. The directors of the major program offices also serve as business line leads in budget formulation and execution and functional/business sponsors of IT investments. In these roles, the IPEC members provide insight into organizational funding needs and describe impacts on the mission if the required funding is not available. As directors of major programs and as CXOs, IPEC members can provide valuable input and advice on the many aspects of the NRC's mission and business needs.

Collaboratively, IPEC members provide an enterprise perspective on what is in the best interest of the agency and its mission. The IPEC has the following responsibilities:

  • Decide IT/IM direction, values, information security activities, and the agency's risk tolerance for IT activities to achieve strategic program objectives.
  • Approve major investments that will effectively integrate into the IT portfolio.
  • Ensure that the agency's capital plan supports the NRC's priorities.
  • Review the IT portfolio in the year of execution to address current FY priorities.
  • Oversee the execution of the portfolio by reviewing portfolio health on a quarterly basis against established direction, values, and risk tolerance.
  • Communicate IPEC discussion and decisions to other NRC boards and committees.

The Information Technology/Information Management Board

The CIO established the ITB as a management-level review board to review and recommend changes to the agency's IT portfolio based on the NRC's mission and business needs. The mission of the ITB is to align IT investments and technology standards with the NRC's strategic plan and architecture portfolio; provide resource, investment, and priority recommendations to the IPEC; and ensure that IT investments are made in accordance with the agency's directions set by the IPEC. The ITB reviews new proposals and current IT investments to ensure the following:

  • alignment with the IPEC priorities, the agency's strategic direction, and budget
  • ability to integrate into the NRC's IT architecture
  • conformance with technology standards
  • identification of potential risks to the NRC environment

The ITB leverages the expertise of subject matter experts (SMEs) for technical reviews. The NRC's CPIC processes and team also support and facilitate the ITB reviews. The Capital Planners work closely with the Integrated Program/Project Teams (IPTs) of existing investments to execute Control and Evaluate processes that inform ITB reviews. ITB reviews can result in minor corrective actions or in recommendations to the IPEC for matters warranting executive decision.

To support ITB reviews of new proposals, the Capital Planners facilitate SME reviews, the Preselect process, and the Select process based on input from office-level stakeholders. The Capital Planners will ensure that proper facilitation occurs throughout the entire IT governance process and that the most viable solution to meet the business need is considered for inclusion in the NRC's IT portfolio. As the secretariat of both the IPEC and the ITB, the Capital Planners facilitate the meetings of both boards and act as a channel for communicating information, recommendations, and decisions between boards and among stakeholders.

Capital Planning and Investment Control

The NRC recognizes that IT investment management is dynamic. As such, IT investments are selected and continuously monitored and evaluated to ensure that each IT investment in the NRC IT portfolio effectively and efficiently supports the agency's mission and strategic goals.

The NRC CPIC is designed to facilitate sound IT governance and the maturation of the agency's IT investment management. The NRC's CPIC model in Figure 1 relies on three distinct, yet interdependent, sets of processes: Select, Control, and Evaluate.

All three are applied concurrently to an IT investment once it becomes part of the NRC IT portfolio. After the IT investment's initial funding in the Select process, it goes through the Control and Evaluate processes for review and reselection until it is determined that the investment has come to the end of its life. Upon this determination, the investment is decommissioned and removed from the portfolio.

Figure 1 Flow of data between CPIC processes

Select Process: Screen, Compare, and Choose

Preselect and Select Phases

The purpose of the Preselect and Select phases of the NRC's IT investment life cycle is to identify and prioritize requests for new or enhanced IT capabilities that best support the NRC's mission and needs at an acceptable level of risk and cost. Throughout the activities encompassed by these phases, the key objectives include the following:

  • identifying and evaluating the efficacy of proposed IT investments relative to the agency's mission and its strategic plans and priorities
  • assessing the risks and returns of each proposed new or enhanced IT capability before committing funds
  • validating the proposed investment's alignment with the agency's EA
  • selecting those IT investments that will best support the agency's mission needs

Figure 2 illustrates that the Preselect and Select phases integrate with a wide range of organizational functions and processes designed to ensure the agency leverages its IT funding as effectively as possible.

Figure 2 Preselect and Select phase process integration summary

During the Preselect and Select phases, current and potential IT capabilities are evaluated from a business and technical perspective to validate their efficacy and cost relative to potential alternatives. This evaluation represents a critical pillar in conjunction with the agency's Control and Evaluate phase activities, which support the continuous evolution and optimization of the agency's IT portfolio.

Key Preselect and Select Phase Concepts

Understanding and participating in the agency's Preselect and Select phase processes requires an understanding of several important concepts, including the following:

  • the drivers for proposed additions, enhancements, or retirements to the IT portfolio
  • phase outcomes, including selection, reselection, and deselection of IT capabilities
  • portfolio selection versus funding prioritization

Drivers for Proposed Additions, Enhancements, or Retirements to the IT Portfolio

Proposals for new or enhanced capabilities, as well as retirement of existing capabilities, are driven by several internal and external factors, including the following:

  • changes in the agency's broader mission and support objectives
  • evolving business and technical strategies
  • changes in the agency's required mission capabilities or shifts in priorities
  • changes in the agency's statutory and regulatory requirements
  • new or updated Federal mandates
  • trends in the nuclear materials industry
  • the evolution of vendor technologies and technical approaches that enable cost reductions, performance improvements, or new opportunities for innovation
  • the sunsetting of vendor support for legacy systems or solutions

These factors create a continual requirement for assessment, review, and selection of current and potential IT capabilities, as well as ongoing analysis of new technologies that may increase the efficiency or effectiveness of the agency.

Phase Outcomes: Selection, Reselection, and Deselection of IT Capabilities and Enhancements

The Select phase results in three primary outcomes for an existing or proposed IT capability or enhancement:

(1) Selection is the approval or disapproval of the addition of a new IT capability or enhancement to an existing capability.

(2) Reselection is the approval or disapproval for the continued investment in and operation of an existing IT capability or ongoing enhancement, which may include one or more additional proposals for desired enhancements to fully realize the benefits of an IT capability.

(3) Deselection is the cancellation or decommissioning of a current capability or ongoing enhancement.

Based on the outcome for a given IT capability or enhancement, the agency's IT portfolio is modified to reflect the decision, and funding is adjusted when appropriate.

Portfolio Selection versus Funding Prioritization

Selection or reselection of an IT capability or enhancement represents only an initial step in the broader Select phase. The agency's IT portfolio and its respective funding requirements generally exceed the funding available; therefore, the agency leverages a prioritization process that facilitates the ranking of the NRC's investments within its IT portfolio. This prioritization view of the IT portfolio enables agency leadership to continuously align the NRC's ongoing IT capabilities with the agency's priorities.

Roles and Responsibilities

To function effectively, the Preselect and Select phases require a multidisciplinary team of functional roles that reside across the agency's mission and corporate support organizations.

Table 1 summarizes the primary functional roles associated with the agency's Preselect and Select phase processes.

Table 1 Primary Functional Roles of Multidisciplinary Team

ROLE / RESPONSIBILITY

Agency IT Budget Lead
  • Supports the assignment and adjustment of funding to selected IT capabilities and enhancements within the IT budget consistent with the agency's budget processes and CIO decisions.

Business Relationship Manager
  • Interfaces with one or more offices' business stakeholders and IT project managers (PMs)/Leads to help maximize the value of IT to the agency by working with a variety of business and technical SMEs to identify ways to better leverage existing IT capabilities or introduce new capabilities when appropriate.
  • Coordinates and facilitates the execution of enterprise processes by his or her assigned office(s), including the Preselect and Select processes, to ensure activities are executed efficiently and comply with associated policies.

Business Sponsor
  • Serves as manager or executive leader to advocate for, and to authorize, proposed IT capabilities or enhancements for one or more organizational components.
  • For enterprise technologies, the business sponsor may be the CIO.

Business Stakeholder
  • Uses agency IT capabilities to execute mission or corporate support functions and processes.
  • Identifies current or potential needs, issues, and opportunities that may be addressed through the introduction of new IT capabilities or changes to existing capabilities.
  • Is directly or indirectly impacted if a proposed IT investment is accepted and implemented.

Business SME
  • Helps evaluate whether the proposed IT capability or enhancement supports mission objectives without placing undue burden on the NRC staff in the completion of its related tasks or whether it will likely result in the expected benefits.

Capital Planner
  • Supports and provides oversight over the end-to-end IT investment life-cycle phases, including selection, control, and evaluation of current and proposed IT capabilities or enhancements.
  • Maintains the IT portfolio to reflect the current and planned IT investments, systems, and services and their associated activities.
  • Facilitates external reporting to OMB as required by Federal mandate.

CIO
  • Works alongside agency leadership to define the strategic priorities for IT and to formalize assumptions about the EA and the availability of financial resources.
  • Serves as the primary approval authority on Select decisions and is accountable for the IT portfolio.

Contract Specialist
  • Supports the planning or identification, or both, of acquisition channels using existing or planned contract vehicles.
  • Manages the acquisition processes in conjunction with selection and funding processes.
  • May also act in the capacity of contracting officer for any resulting contract(s).

Enterprise Architect
  • Helps evaluate whether the proposed capability or enhancement demonstrates a projected best value, based on an analysis of quantifiable and qualitative benefits and costs and projected return on investment, which is equal to or better than alternative uses of available public resources.
  • Helps ensure proposed capabilities and enhancements are consistent with applicable Federal and NRC enterprise and information architectures.
  • Evaluates whether the proposed technologies or methods mitigate risks by using measures such as avoiding or isolating custom-designed components to minimize the potential adverse consequences on the overall project.

IT PM/Program Manager/Lead
  • Acts as a critical liaison between the business organization and OCIO roles and services supporting the process across all aspects of the Select phase.
  • Develops or leads the development of key artifacts associated with the Preselect and Select phases.
  • Supports the presentation and discussion of the current or proposed IT capability or enhancement from a functional and technical requirements and solutions perspective.
  • Performs the role of office/system IT Budget Lead.

Information and Records Management Analyst
  • Confirms whether the proposed IT capability or enhancement adheres to records management requirements and standards.
  • Ensures that all required planning artifacts are made available for review and historical records.

Information Security SME
  • Assesses whether the proposed IT capability or enhancement adheres to computer security requirements and standards.
  • Ensures that all required planning artifacts are made available for review and historical records.

ITB
  • Represents the broader agency perspective when contemplating specific IT proposals under consideration.
  • Reviews and provides input to the agency's proposed portfolio selections as a whole.

IPEC
  • Provides executive-level engagement in the management and governance of the IT portfolio through collaboration and feedback with the CIO.
  • Serves as the initial approval authority for the annual agency IT budget submission.

Office IT Budget Lead
  • Manages an office's IT budget processes and acts as a key interface between office leadership and OCIO throughout the budget cycle.
  • Submits budget requests and requests for adjustment related to an office's existing and planned IT capability requirements.
  • An office/functional IT PM/Lead may perform the role.

Technical SME
  • Provides solution-level input on the recommended configuration of IT assets, alignment of the proposed solution to technology and service standards, technical feasibility, and application of new or specialized technologies.
  • Provides input to the Enterprise Architect on proposed and approved changes to the technical architecture.
  • Technical subject-matter areas include, but are not limited to, network, data center and cloud infrastructure, mobility, Web content, and information and communication technology accessibility (compliance with the Section 508 Amendment to the Rehabilitation Act of 1973).

The specific activities of each of these roles are noted within the process diagrams provided across the Preselect and Select phases.

Process Mechanisms

The NRC uses several mechanisms to execute the identified steps across the Preselect and Select phase processes. As summarized in Table 2, these mechanisms are designed to help facilitate and standardize the process across the agency.

Table 2 Mechanism Used To Perform the Identified Steps across the Preselect and Select Phase Processes

MECHANISM / DESCRIPTION

ADAMS
  • The Agencywide Documents Access and Management System (ADAMS) is the agency's repository for official records and represents the primary mechanism for publishing records to the public.
  • Although not explicitly represented in the processes, all documents used across the Preselect and Select phase processes are filed in ADAMS once processed.

E-mail
  • E-mail is designated when the primary activity is the transmittal of information and the mechanism for transmittal is through the agency's e-mail system.

FEDPASS
  • FEDPASS is the agency's Web-based repository of IT portfolio information that helps connect budget information to different dimensions of the portfolio.
  • FEDPASS is also used to automate certain IT governance-, portfolio-, and budget-related activities, providing forms for data capture, routing, tracking of approvals, and reporting.

Microsoft (MS) Word and Excel
  • MS Word and Excel represent form or worksheet templates for populating, saving, and routing information through e-mail or uploading it to SharePoint.

Meetings
  • Meetings represent a live or virtual discussion to convey information, collect feedback, or secure a decision.

NRC System Inventory Control Database (NSICD)
  • The NSICD is the authoritative repository for the agency's inventory of systems, including system names, abbreviations, numbers, and descriptive information. All existing and planned systems must be recorded in the NSICD. System types include, but are not limited to, application, system/security boundary, and service.

PMM 2.0
  • PMM 2.0 is an agency repository for IT project information that is used for planning and executing IT projects.

SharePoint
  • SharePoint is a Web-based portal for capturing and transmitting information through Web forms or for uploading documents to a centralized site or repository.

Strategic Acquisition System (STAQS)
  • STAQS is the agency's centralized procurement system that is used to execute acquisition and contract processes and manage their associated funding.

Preselect and Select Phase Artifacts

The Preselect and Select phases create and use a wide range of artifacts, including work products, deliverables, and reports, to facilitate processes, establish formal records, and share information internally and externally. The primary artifacts created during these phases include the following:

  • Selection decisions are the formal decisional outcomes to select, reselect, or deselect specific capabilities established through the agency's governance and executive decision processes.
  • Agency IT Portfolio Summary is the agency's selection of IT capabilities and enhancements that includes all IT-related investments and documented changes to the NRC's IT portfolio structure or IT budget to reflect the addition or removal of one or more IT capabilities or enhancements.

Selection Decisions

The agency's Preselect and Select phase processes have several key decision points that are captured and recorded as potential and current IT capabilities and enhancements are reviewed, selected, reselected, and deselected, including the following:

  • the Business Sponsor's approval or denial to proceed with the development of a full business case based on an initial evaluation of a potential IT capability or enhancement
  • the CIO's approval or denial of the selection of a business case for a potential IT capability or enhancement
  • the CIO's approval or denial of a reselection or deselection of a current IT capability or enhancement into the IT portfolio

In addition to the key decision points, governance recommendations and business and technical analyses are captured to complete the decision record for each potential and ongoing IT investment.

IT Portfolio Summary

The Agency IT Portfolio Summary provides a description, basic categorization, and budgetary information for all IT investments and is used as a means for budgeting for, and tracking and reporting expenditures on, all agency IT resources, including full-time equivalent (FTE) personnel. The Agency IT Portfolio Summary is an OMB-required CPIC document that the NRC submits with its overall budget. In addition to providing a means for the NRC to request funding for, and report actual spending on, the agency's IT investments, the NRC and OMB use the Agency IT Portfolio Summary data for trending and analysis of individual investments and the overall portfolio.

The specific information provided in this artifact is driven by updated guidance in Section 55 of OMB Circular A-11, with specific details provided in the annual IT Budget–Capital Planning Guidance. This annual guidance lays out the requirements and data to be reported for each IT investment in the Agency IT Portfolio Summary (formerly known as Exhibit 53).

The Agency IT Portfolio Summary reflects all agency IT resource costs and any breakout of certain costs as dictated by OMB, such as a summary of the NRC's total provisioned IT spending and a summary of the NRC's total infrastructure spending. For every submission, funding levels reported in the Agency IT Portfolio Summary are consistent with program-level funding and agency summary funding tables, as provided to OMB in the agency's overall Performance Budget submission.

The NRC submits the Agency IT Portfolio Summary and required spending summaries to OMB twice during each FY. These include information and funding levels on all IT investments for the 3 years in the current budget cycle: (1) prior year (PY), (2) calendar year (CY), and (3) budget year (BY). The purpose of the first submission in September of each year is to make a preliminary budget request for the BY. The second submission in January of each year reflects changes based on OMB feedback (commonly referred to as passback) on the preliminary budget request and includes actual expenditures for the PY.

The NRC submits its Agency IT Portfolio Summary on the following schedule:

  • Last Week of August: draft Agency IT Portfolio Summary submission
  • Early September: Agency IT Portfolio Summary (including Provisioned IT Spending Summary and IT Infrastructure Spending Summary) submission
  • Early January: Final President's Budget Agency IT Portfolio Summary (including Provisioned IT Spending Summary and IT Infrastructure Spending Summary) submission

The NRC's Capital Planners are responsible for completing and submitting the Agency IT Portfolio Summary and spending summaries to OMB (with CIO concurrence) and for establishing and maintaining procedures for the Agency IT Portfolio Summary submissions. This requires close collaboration and coordination with the Office of the Chief Financial Officer (OCFO) to ensure the resulting deliverables align with the overall agency budget process and budget justification materials submitted to OMB by OCFO.

Process Diagram and Notation Summary

The Preselect and Select phases are segmented into individual processes, as summarized in the following sections. Figure 3 provides a key to assist in understanding the process diagrams within each section.

Figure 3 Process diagram key

The process diagrams in this document are intended to illustrate, at a high level, the processes that the NRC follows within the Preselect and Select phases. These processes are further supported by detailed procedures.

Preselect Phase Process Overview

The Preselect phase focuses on the discovery and initial evaluation of potential opportunities to apply IT within the agency to add business value and may or may not result in the development of a proposal for new or enhanced technologies. These processes also help to ensure that the NRC is performing appropriate due diligence related to initial documentation and communication of proposals intended to make changes to the IT portfolio.

As summarized in Figure 4, the Preselect phase may include a number of iterative discussions with a wide range of stakeholders to better define the requirements and identify, at a high level, potential technical capabilities and solution options that could satisfy the requirements.

Figure 4 Preselect phase process summary

With support from the agency's Enterprise Architect(s), business needs and potential technology opportunities are further elaborated to better define the basic IT capability or enhancement desired by the agency. One output of this Preselect phase is a recommendation to move forward with the development of a full business case for new or enhanced IT capabilities to initiate the Select phase processes.

Primary Sources for New IT Capabilities or Enhancements

Although the introduction and proposal of new or enhanced IT capabilities may arise from a wide range of sources, the primary sources include the following:

  • planning for the introduction of new enterprise and infrastructure capabilities
    Examples include opportunities to increase efficiency or improve service performance through infrastructure modernization, new security capabilities, or cross-cutting systems such as e-mail or document management.
  • mission or support office requirements for new capabilities to address current or anticipated business requirements
    Examples include changes to a system to address emerging regulatory needs or an enhancement to unify disparate corporate systems into one application.
  • ideas, requests, or feedback captured through customer outreach or service delivery that suggest a change to the system or service portfolio
    Examples include reviews of service ticket feedback that identifies a need for improved self-service capabilities or new requirements identified through a community of practice meetings.
  • technical refreshes or upgrades of hardware or software led by vendor-driven innovations or end-of-life support termination

Regardless of the source, the NRC requires that a business case accompany all recommended changes to the IT portfolio or to the approved architecture through the intake process. The business case should describe (in progressively elaborated detail) the intended value, recommended approach, expected cost, return on investment, and projected risks associated with the proposed change to the IT portfolio.

Preselect Phase Input Types

Proposals for new or enhanced IT capabilities may come in many forms, including potential reductions in or elimination of existing capabilities and changes in the methods and approaches used to deliver or manage IT services. Table 3 summarizes the various types of requests (inputs) that may ultimately initiate the Select phase processes.

Table 3 Request Types and Select Phase Processes

INPUT TYPES
  • New Systems or Solutions
  • Functional Enhancements to Existing Systems or Solutions
  • System or Solution Retirement/Decommissioning
  • Consolidation of Multiple Systems or Solutions
  • System or Solution Platform Migration
  • IT Asset Refreshes or Upgrades
  • New Services or Utilities
  • New or Revised Service Approaches or Methods
  • Termination of Existing Services
  • New or Revised Approaches to Maintenance or Warranties
  • Changes to Agency Data Types, Models, and Sources

Although frequently integral to their eventual delivery, new or revised acquisition or contracting approaches or vehicles are not considered IT capabilities and follow related, but separate, processes.

Preselect Phase Process

Figure 5 summarizes the Preselect process, which represents both a triage and screening process designed to identify, quickly evaluate, and promote for further planning the IT capability or enhancement ideas that represent the greatest value to the agency.

Figure 5 Needs identification and initial solution planning

For general IT users or stakeholders, the submission of an initial IT Needs Request form initiates internal discussions to evaluate or triage whether additional analysis and planning is warranted. If an agency IT PM/Lead initiates the need, he or she submits a New/Enhanced Capability Request form, which describes the general business justification for a new capability or enhancement. The request should provide a clear understanding of the current state, desired future state, and the initial approach recommendations or options for achieving the intended objectives.

One or more of the agency's Enterprise Architects reviews this initial request to ensure alignment with the NRC's mission and technology objectives and strategies. Additionally, during this phase, a wide range of business and technical stakeholders, including the following, may engage to help better define the requirements and potential solution alternatives:

  • executive stakeholders
  • external stakeholders
  • business process owners
  • project/program managers
  • business architects
  • system/solution owners
  • system/solution users
  • service owners
  • data architects
  • system/solution integrated team members
  • dependent or parent system/solution integrated team members
  • staff members
  • infrastructure service users
  • infrastructure service integrated team members
  • Enterprise Architects
  • security and privacy officers
  • policy SMEs

The type and number of roles involved in the Preselect process depend on the originator and the nature of the requirement. However, the agency's Enterprise Architect is responsible for ensuring that the appropriate individuals are engaged throughout the process.

Preselect Process Outcomes Summary

Based on the outcomes of initial reviews and discussions with the primary stakeholders, the Enterprise Architect will submit a recommendation to the CIO for the development of a full business case. If approved by the CIO, the request exits the Preselect phase and advances into the Select phase. At this time, the requesting business sponsor must sign off on the effort to proceed with the allocation of resources to develop a full business case.

Select Phase Process Overview

The agency segments the Select phase into three primary process groups:

(1) business case development and selection processes
(2) prioritization and funding processes
(3) reselection and deselection processes

As illustrated in Figure 6, these processes are interconnected and work in combination to continuously select, fund, and evolve the NRC's IT portfolio to best address the agency's ongoing mission and corporate support requirements.

Figure 6 Select phase process summary

The NRC's Select phase processes organize and integrate a range of business and technical functions and roles across the agency to help ensure that the IT portfolio is continuously optimized, appropriate due diligence is applied, and activities comply with agency and Federal standards and requirements.

Business Case Development and Portfolio Selection Processes

Following the approval to exit the Preselect phase, the agency executes three subprocesses for managing formal portfolio selection:

(1) business case development process
(2) business and technical review process
(3) executive decision process

The development of a business case for desired investments in IT capabilities represents an important planning step to help ensure that changes to the IT portfolio are fully documented, vetted, and approved before they are funded, implemented, and used. The business case also represents an important control to minimize nonauthorized investment or deployment of IT capabilities within the environment. The subsections below describe each process in more detail.

Business Case Development Process

The NRC's business case development process, as illustrated in Figure 7, encompasses a variety of planning steps focused on helping the agency's business and technical leadership fully articulate its requirements and proposed solution(s).

Figure 7 Business case development

Although the level of detail required for a business case may vary based on the scale, estimated cost, and expected impact of the investment, each business case is expected to include the following elements:

  • a definition of the underlying business requirements
  • an analysis of alternatives and their respective return on investment or net present value relative to the selected option
  • a description of the proposed IT capability expected to address the business requirements
  • expected outcomes, benefits, or returns of the investment in the new or enhanced IT capability
  • identified risks across business, technical, implementation, and operational dimensions
  • estimated life-cycle costs, including implementation, operation, retirement, and, if applicable, interim operation of legacy systems
  • the planned approach for implementation and ongoing operation or delivery
  • the general timing of the investment and realization of the expected benefits, inclusive of and compliant with incremental development mandates when appropriate

Additional information associated with business case development and its associated components is available.

Business and Technical Review Process

As illustrated in Figure 8, once a business case is finalized, it proceeds through one or more technical, security, privacy, and records reviews to help refine and finalize it before its review and approval by the CIO.

Figure 8 Business and technical review

As previously noted in the section, Roles and Responsibilities, the review is expected to validate whether the new capability or enhancement will do the following:

  • Adhere to a variety of internal and external policies and regulatory requirements.
  • Maintain an acceptable risk profile from security and privacy perspectives.
  • Adhere to, or further evolve, the agency's technical standards and approved technologies.
  • Deliver the expected benefits to its intended stakeholders.

The agency's business case review process is also intended to help validate and provide additional guidance and recommendations associated with the schedule, resource, and funding estimates to help ensure that approval is based on sound and experience-driven planning.

Executive Decision Process

After a business case proceeds through the review process and is updated as required, the business case and any associated recommendations and input resulting from the review process are presented to the CIO for review and approval, as illustrated in Figure 9.

Figure 9 Executive decision process

At the CIO's discretion, the CIO may elect to elevate the business case to the IPEC for additional discussion and input before making a decision or conducting further review based on the potential impact, risk, or cost to the agency of the proposed IT capability or enhancement.

For proposed capabilities or enhancements that include development, the CIO will also confirm and certify the appropriate use of an incremental development approach consistent with the current OMB guidance at the time of the review. The Capital Planner will record the CIO's certification in the agency's IT Portfolio Management System.

If the proposal requires, but does not leverage, incremental development, the CIO will request an update and resubmission of the business case consistent with the business case development process. The CIO may also request changes to the business case to address any other perceived weaknesses or opportunities for improvement, thus returning the business case to the development process.

Business Case Development and Portfolio Selection Outcomes Summary

The business case expands upon the Preselect phase's new capability request by describing the specific performance metrics, potential solution alternatives, projected life-cycle costs, estimated return on investment, risks, and assumptions. Evaluation, concurrence, and feedback from reviewers with functional expertise in EA, information security and privacy, infrastructure operations, accessibility, and information management are required to help ensure collective concurrence on the solution approach.

The review process is also used to identify (and document) any required exceptions to existing agency standards, assumptions surrounding solution implementation, and prerequisites or dependencies associated with the approach. If approved, the business case is provided a placeholder within the IT portfolio, at which time its future becomes subject to the decisions made during the appropriate funding process.

Prioritization and Funding Processes

As previously stated, selection of an IT capability or enhancement represents only an opportunity for funding but does not guarantee that funding will be available or approved. In addition to an examination of the relative value of a proposed effort, funding decisions are based on an individual office's and the agency's broader priorities. The result of these prioritizations, as they pertain to funding, is that some business cases may have to wait for additional or adjusted funding before proceeding.

Prioritization and funding decisions for selected business cases are made through four subprocesses:

(1) portfolio and funding prioritization process
(2) annual budget formulation process
(3) execution year realignment process
(4) execution year change request process

Although these processes represent broader agency functions, understanding their role in the Select phase is critical for understanding the agency's IT portfolio selection activities. The subsections below summarize each of these processes.

Portfolio and Funding Prioritization Process

To ensure that the NRC's strategic mission and IT priorities are met in accordance with their relative importance to agency mission functions, the NRC leverages an IT portfolio prioritization process to rank order the business cases that comprise the IT portfolio. As illustrated in Figure 10, this process is continuous and provides input to agency IT funding, strategic planning, and portfolio analysis.

Figure 10 IT portfolio prioritization

This process is facilitated by an analysis of the strategic alignment to agency objectives, alignment with IT/IM strategic goals, assessment of the risk to agency operations, and relative criticality (benefit) to agency operations, as summarized in Figure 11.

Figure 11 Portfolio prioritization approach

Throughout the year, as input to the various funding processes and as an element of the continual evaluation of the portfolio, the relative priorities of the items within the IT portfolio are reassessed through the IT portfolio prioritization process.

Funding Selected Capabilities: Annual Budget Formulation Process

Once a business case is approved, the newly approved IT capability, enhancement, or activity is available for funding through one or more funding processes, including the agency's annual budget formulation process. As summarized in Figure 12, during this period the agency and offices, including OCIO, may request funding for the approved items within the portfolio (internally described as budget items).

Figure 12 Funding request: annual budget formulation process

The annual budget formulation process is intended to define the required resources (FTE and contract dollars) for the operations, maintenance, development, modernization, and enhancement of IT capabilities during the agency's BY, which is typically two future periods (years) from the present period. For example, budgeting for FY 2020 is expected to take place during FY 2018.

When resources are required sooner, offices may request funding using the agency's execution year realignment process or execution year change request process, as described in the following sections. Additional detailed descriptions and guidance associated with the agency's budget formulation process are available.

Funding Selected Capabilities: Execution Year Realignment Process

The execution year realignment process is carried out as a means of right-sizing the resource needs related to funding requests for the upcoming FY. As illustrated in Figure 13, this process enables authorized IT stakeholders to reexamine and, where necessary, request adjustments based on changes to previously held expectations, requirements, needs, and assumptions in an effort to enable the optimal use of IT resources in the year of execution.

If new or additional funding is required, the agency's IT Budget Lead works with the CIO to reallocate excess funding identified in other areas. If unsuccessful, the request is placed on a funding shortfall list that captures the agency's selected, but unfunded, IT capabilities or initiatives. As the agency's OCFO makes new (not previously earmarked) funding available, the funding may be released for use on the selected IT capability or initiative, consistent with the agency's funding prioritization process previously summarized in the section, Portfolio and Funding Prioritization Process.

Figure 13 Execution year realignment process

At its core, this process represents an opportunity to identify potential shortfall allocation at the CIO's discretion. It is expected that, as the NRC moves into the execution year, it will possess improved and more accurate resource and funding estimates that may enable adjustments to the execution year's funding assignments. However, this process does not represent an opportunity to reintroduce proposals that have been subsequently denied for selection into the portfolio.

Funding Selected Capabilities: Execution Year Change Request Process

For selected IT capabilities and enhancements, the opportunity also exists to initiate or implement a selected capability or enhancement in the near term by requesting IT funding or adjustments to funding during the execution year, as illustrated in Figure 14.

Figure 14 Funding request: execution year changes

In some cases, an office may wish to shift funding from an existing activity to another to accelerate its delivery and the realization of its expected benefits. A fact-of-life change or more urgent requirements that emerge during the current year may necessitate office requests or excesses available for a shift in existing funding. An office may also request a shift of non-IT funding into the IT budget for a selected IT capability or enhancement. Regardless of the driver or request type, the CIO will review each request consistent with the previously described executive decision process.

This process and the budget formulation and realignment processes do not replace or bypass the requirement for offices to propose new IT capabilities or enhancements through the agency's Preselect and business case development and portfolio selection processes, which must occur before any associated funding decisions are made.

Prioritization and Funding Outcome Summary

The overarching purpose of the agency's prioritization and funding processes is to ensure that the agency directs its resources to meet its most critical IT requirements. To this end, the agency facilitates integrated funding processes to help ensure that it can effectively connect its available, but limited, IT resources to meet its business requirements across planning and execution of the IT portfolio. When funding is not available, proposed investments remain on a shortfall list and are eligible for funding as new funding is made available consistent with their priority relative to other unfunded, but selected, IT portfolio capabilities or enhancements.

Reselection and Deselection Processes

Throughout the year, selected IT capabilities and projects are reviewed and evaluated during the Control and Evaluate phases based on information collected through their operation or execution. As summarized in Figure 15, the agency uses this information to determine whether to reselect the capability or project for continued investment or deselect (terminate) the capability or project.

Figure 15 Reselection and deselection processes

Based on the results of the review and evaluation, delivery or management approaches may be adjusted to improve the expected results of the effort. In these cases, the capability is considered reselected for continued investment, and any suggested changes to delivery or management are communicated to the appropriate business and technical personnel.

In some cases, the evaluation may indicate that one or more enhancements to a capability are necessary to fully realize the investment's expected benefits. In these cases, the capability is considered reselected pending the approval of the enhancement(s) through the previously described business case development and portfolio selection processes. In other cases, the project may require only new or adjusted funding, which follows the previously described IT prioritization- and funding-related processes.

The agency may also examine and identify alternatives to an existing capability that potentially represent a better value to the agency from the perspective of cost, benefits, or risk. If identified and desired, a proposal for the replacement capability would proceed through the agency's Preselect and business case development processes, including any decommissioning requirements.

A capability or ongoing enhancement project under evaluation may also be selected for termination, resulting in a deselection of the IT capability or enhancement. In this case, additional termination planning and execution activities will be performed and will commonly rely on the effort's existing funding source(s) to perform closeout activities.

The reselection and deselection processes represent only those activities within the Select phase that relate to the Control and Evaluate phase processes and are not intended to encompass or describe all activities within those phases. This document provides additional information associated with the agency's Control and Evaluate phase processes in their corresponding sections.

Reselect and Deselect Outcomes Summary

The NRC's Control and Evaluate processes work in tandem to help the agency determine whether selected capabilities or enhancements will meet or continue to meet the following criteria for reselection and funding:

  • continues to, or is expected to once complete, meet the business needs and defined performance goals
  • can meet business needs and expected performance goals with enhancements or modifications and is more cost effective than replacing the investment (i.e., reselection with enhancements)
  • mitigates business, technical, security, privacy, delivery, and other risks effectively according to its current risk management activities
  • adheres to projected costs and expected benefits throughout the IT investment's life cycle

If an IT capability requires a change or enhancement to be reselected, the recommended change will follow the agency's business case development and portfolio selection processes.

Control Process versus Evaluate Process

As previously mentioned, CPIC comprises three distinct, yet interdependent, sets of processes that provide continuous management and oversight for individual investments and for the agency's IT portfolio as a whole. At any given time, CPIC processes are being simultaneously performed for four different FYs:

(1) the PY for which actuals must be reported
(2) the CY that is being executed
(3) the BY for which a budget request has been submitted
(4) the BY+1 for which the next budget request is being formulated

The main distinction between the Control and the Evaluate processes is that the primary objective of the Control process is to monitor and inform during the CY to quickly take corrective actions to prevent larger issues and ensure investment health. A midyear assessment of major investments in the form of a control review may provide information for certain Select process activities, such as a restacking or reprioritization; however, most outputs must inform Evaluate processes. The control processes gather data throughout each FY that serve as input to the evaluation of investments and support the evaluation of the overall portfolio. The Evaluate processes use the data to perform postimplementation reviews and operational analyses (OAs), which include the evaluation of factors such as trends over multiple years of an investment's life cycle, end-of-life planning, dependencies among investments, opportunities for innovation, and efficiencies. The findings and recommendations from postimplementation reviews and OAs serve as input to the select processes.

Table 4 illustrates the distinctions between the Control and Evaluate processes by FY.

Table 4 Control and Evaluate Process Distinctions FY CONTROL PROCESSES EVALUATE PROCESSES PY Gathers and records actuals (i.e., final costs, Analyzes data outputs from the Control schedule dates, and metrics results) to process and other sources to perform provide an input to Evaluate processes and to postimplementation reviews and annual OAs report to OMB for the prior FY CY Monitors investments (monthly or quarterly), Uses data from the Control process to keeps IT governance boards informed, and evaluate the current health of investments and takes minor corrective actions when identify investments in need of deeper necessary analysis or executive-level visibility Larger or more complex issues are escalated Performs a TechStat Accountability Session to the Evaluate process. (TechStat)2 on investments with issues that need executive direction and decisionmaking BY Helps gather and record data needed for Continuously evaluates changing business CPIC documents and submits artifacts to needs, agency priorities, and investment OMB health to inform the Select process and budget requests BY+1 Helps gather and record data needed for the Continuously evaluates changing business CPIC documents to be submitted to OMB needs, agency priorities, and investment health to inform the Select process and budget formulation Control Process: Monitor, Inform, and Correct The purpose of the Control process is to ensure that, as projects develop and investment expenditures are incurred, the investment and its associated projects and activities continue to meet mission or business needs at the expected levels of cost and risk. The key objectives are (1) to ensure that corrective actions are taken quickly to address any deficiencies in project or operational components and (2) to enable the NRC to adjust its objectives for an investment and appropriately modify expected outcomes if its mission or business needs have changed.

2 The NRC's TechStat Policy and Process Overview, Version 1.1, issued November 2015, is available through the NRC's IT Policy Archive at https://www.nrc.gov/public-involve/open/digital-government/policyarchive/.

The Control process is key to providing the data needed to monitor the status of project costs and schedules, the status of risks (including the plan of actions and milestones), and the performance of investments to inform decisions on changes to investments, projects, or the portfolio. The Control process encompasses various tools and techniques to monitor and report on the performance and risks associated with IT investments and includes the following:

  • major IT business case submissions
  • major IT investment monthly reviews and CIO evaluations
  • nonmajor investment quarterly reviews
  • major IT investments control reviews
  • CIO TouchPoints

Data and information collected during the monitoring of investments provide input to the evaluation of investments, support executive decisionmaking, and ensure compliance with OMB reporting requirements.

Capital Planners are responsible for executing all Control processes. One Capital Planner is designated as the CPIC Lead to serve as the SME on capital planning guidance, major IT business case requirements, Control processes and procedures, and Federal IT Dashboard (ITDB) submissions. The CPIC Lead ensures that Control processes and procedures are documented, implemented, enforced, updated, and continuously enhanced.

Major IT Business Case Submissions

Purpose

The Major IT Business Cases (formerly Exhibit 300As) and Major IT Business Case Details (formerly Exhibit 300Bs) are companion exhibits to the Agency IT Portfolio Summary. Together, the Major IT Business Cases and Major IT Business Case Details provide the budgetary and management information necessary for sound planning, management, and governance of major IT investments. Throughout the implementation of major IT investments, CPIC processes are to be continuously applied, and actual outputs, project schedules, expenditures, and operational performance are tracked against established baselines. The Major IT Business Cases and Major IT Business Case Details provide the budgetary and management information necessary for sound planning and management. They provide a means to monitor and report on the performance and risks associated with major IT investments and a baseline for identifying when immediate corrective actions may be needed.

Description

OMB provides guidance on planning, budgeting, procuring, and managing major IT investments in the OMB Circular A-11 supplement, Capital Programming Guide. In addition, OMB's annual IT Budget-Capital Planning Guidance provides specific requirements for the current budget cycle with detailed requirements for major IT investments to be followed during the CY. The Major IT Business Case must capture general investment data, IPT information, investment life-cycle costs, and acquisition data. The Major IT Business Case Details must capture projects and activities, project and operational risks, and operational performance metrics.

The full Major IT Business Cases and Major IT Business Case Details must be submitted twice a year as supplements to the Agency IT Portfolio Summary. In addition, updates to the Major IT Business Case Details must be submitted when new data become available or at least monthly, as described later in this document.

Through the annual Major IT Business Cases approval process, the CIO will certify that all software development projects use incremental development practices. The CIO may request additional artifacts from the IT PMs to ensure that the use of incremental development is adequate.

Inputs

Once OMB issues the annual IT Budget-Capital Planning Guidance, the Capital Planners provide the IT investment program manager and IT PMs with instructions for preparing and updating Major IT Business Cases and Major IT Business Case Details. For new major IT investments, the CIO-approved PMM business cases and budgetary decisions made by the IPEC become the main input for preparing the Major IT Business Cases and Major IT Business Case Details for submittal to OMB. For existing major IT investments, updates to the previous Major IT Business Cases and Major IT Business Case Details submitted to OMB will be based on CIO direction provided through the various Control and Evaluate processes (as described later in this document) and on budgetary decisions made by IPEC.

The Capital Planners give OCFO information needed for the IT table in the agency's budget justification materials and work with OCFO to keep informed of any budgetary changes resulting from decisions made by the Executive Director for Operations, the Chairman, and the Commission throughout the budget formulation process. The CIO is included in decisions that affect the IT budget to advise on potential impacts. After making any necessary changes to the Major IT Business Cases and Major IT Business Case Details based on the Commission-approved budget, the Capital Planners submit the final version to the CIO for final review and approval. Once the CIO approves the Major IT Business Cases and Major IT Business Case Details, the Capital Planners submit them to the ITDB.

OMB reviews the Major IT Business Case and Major IT Business Case Details and provides feedback to the NRC Capital Planners in December. At this time, the NRC also receives the OMB budget passback and revises the agency budget request for inclusion in the NRC Performance Budget (which OMB refers to as the President's Budget Request). The Capital Planners work with the IT investment program managers and IT PMs to address OMB's feedback and to update the Major IT Business Cases and Major IT Business Case Details to reflect the final budget funding levels for the President's Budget Request. The Capital Planners submit the final versions to the CIO for final review and approval. Once the CIO approves the Major IT Business Cases and Major IT Business Case Details, the Capital Planners submit them to the ITDB.

Deliverables and Timeline

The Major IT Business Cases and Major IT Business Case Details must be submitted for each major IT investment twice a year using the following schedule provided by OMB in its annual IT Budget-Capital Planning Guidance:

  • The Agency Budget Request for Major IT Business Cases and Major IT Business Details is due in mid-September.
  • The President's Budget Request for Major IT Business Cases and Major IT Business Details is due in early February.
  • The following initial/updated documents and artifacts must be submitted within 5 business days upon OMB request:

- risk management plan

- investment charter, including the IPT charter

- investment-level alternative analysis and benefit-cost analysis

- OAs (for operational or mixed life-cycle systems)

- post implementation review results (investment level or project specific)

- documentation of investment rebaseline management approval(s)

- acquisition strategy

- release plan with budget baseline

- product backlog

- sprint plan with backlog and burndown chart

Note that OMB may request additional supporting information from agencies as necessary.

Major IT Investment Monthly Reviews and Chief Information Officer Evaluations

Purpose

The major IT investment monthly reviews and CIO evaluations are performed to actively monitor and assess the health of the NRC's major IT investments throughout the year of execution. The key objectives are (1) to ensure that corrective actions are taken quickly to address any deficiencies in project or operational components and (2) to enable the NRC to adjust its objectives for an investment and appropriately modify expected outcomes if its mission or business needs have changed.

Description

The approved Major IT Business Cases and Major IT Business Case Details provide the baseline for monthly reviews and CIO evaluations. The major IT investments are carefully monitored on a monthly basis throughout the year of execution, with the focus on tracking progress on project cost and schedules, risk mitigation, and operational performance. This helps identify concerns early to allow the implementation of corrective actions and the mitigation of risks. It also provides a means for meeting reporting requirements. OMB requires the Major IT Business Case Details to be updated on the ITDB as new information becomes available or at least monthly. Even though only the full Major IT Business Cases must be submitted semiannually (during annual and passback submissions), updates to IPT contacts, life-cycle costs, and acquisition data should be made whenever new information becomes available and can be submitted during a monthly submission.

During the first week of each month, the Capital Planners perform monthly reviews of their assigned major IT investments to track and monitor progress, performance, and risk. The Capital Planners must review the Major IT Business Cases and Major IT Business Case Details and identify data that need to be updated, areas for improvement, and potential areas of concern (e.g., delays in project schedules, increases in cost, failure to meet performance metrics).

The following key areas should be reviewed and monitored:

  • any updates to the IPT
  • contract end dates
  • addition of new contracts
  • modifications to existing contracts
  • contract information alignment with the Federal Procurement Data System
  • project activity projected start date (evolving date)
  • project activity projected completion date (evolving date)
  • project activity projected total cost (evolving cost)
  • project activity actual start date (coming up, past due, or delayed)
  • project activity actual completion date (coming up, past due, or delayed)
  • project activity actual total cost (coming up, past due, or delayed)
  • operational/performance metrics actuals
  • operational/risk information

After this initial review, the Capital Planners provide an initial assessment and inquiries to the investment program managers and request responses and new or updated data within 3 business days of receiving monthly invoices. The invoices and the results of performance metrics are due to the investment program managers by the 15th of each month. Once the Capital Planners receive the new or updated data and responses to any inquiries, they enter the data into the portfolio management and submission tool, validate the data, run a comparison report, and submit the data to the ITDB. The Capital Planners will send the comparison report and a submission confirmation report to the CIO. In the e-mail, the Capital Planners are to highlight any significant changes; propose an updated rating and comment, if appropriate; and request approval to submit the updates to OMB. Once the CIO provides a final evaluation and approves the updates, the Capital Planners will finalize the data in the CPIC tool and submit the updates to the ITDB.

The CIO evaluations are updated as new information becomes available or at least quarterly.

The CIO evaluation criteria are a set of CIO-approved questions that cover risk management, requirements management, contracts, performance management, human capital, other areas (e.g., EA, CPIC, records management), and cybersecurity. During the last month of each FY quarter, the Capital Planners will schedule a meeting with IT PMs to discuss the CIO evaluation questions. Additionally, the Capital Planners will reach out to cybersecurity, EA, CPIC, and records management SMEs to discuss their respective focus area questions within the CIO evaluation process. All responses are entered in the CPIC tool, and each focus area is given a rating. The CPIC tool automatically provides a suggested rating for each investment, and a variance report is produced. All findings and proposed ratings are presented to the CIO the first month of each FY quarter. Upon CIO approval of the CIO evaluations, the Capital Planners will submit the investment-level ratings and comments to the ITDB.

Inputs

The IPTs (primarily the IT PMs) are responsible for providing the most current information about the investment, including, but not limited to, current data on the following:

  • IPT members
  • contracts
  • projects
  • activities
  • operational/performance metrics
  • operational risks
  • corrective actions
  • action items (i.e., ITB, IPEC, or TechStat action items)

The IPTs and IT PMs are also responsible for responding to any specific questions from the Capital Planners in a timely manner.

Additional input can also come from the CIO as a result of his or her review of the reports, such as an adjusted CIO evaluation.

Deliverables and Timeline

The major IT investment monthly reviews provide the following deliverables:

  • Updates to the Major IT Business Cases should be made and submitted when new information becomes available or at least monthly.
  • CIO evaluations should be updated and submitted when new information becomes available or at least quarterly.

The NRC TechStat Policy in the NRC IT Policy Archive gives more information about how CIO evaluations can trigger and inform TechStat reviews.

Quarterly Investment and Portfolio Reviews

Purpose

This process allows the CIO to see planned expenditures for IT investments at the contract and task order levels and at all levels of the NRC's budget structure throughout the year of execution.

Description

Quarterly reports are generated using authoritative data from the following systems:

  • The Spend Plan module within the NRC's Budget Formulation System (BFS) tracks contract costs and projected funding needs based on planned spending combined with financial and contract information. The Spend Plan is a centralized, standardized tool that increases efficiency in budget execution planning and management.
  • The Financial Accounting and Integrated Management Information System (FAIMIS) is the NRC's core financial accounting system and the authoritative source for budget execution and fees for reimbursable work. FAIMIS also supports accounting for assets, liabilities, fund balances, revenues, and expenses in accordance with Federal standards.
  • The Human Resources Management System supports the submission, approval, and adjustment of employees' hours and the management of time, attendance, leave, and payroll processing.

OCFO requires contracting officer's representatives (CORs) in all offices to update their spending plans for active contracts on a quarterly basis for the upcoming 12 months. During FY 2015, the OCIO CPIC and IT budget staff, with OCFO support, piloted a process to compare spend plans, aggregated at office or product levels, or both, to the enacted budget to identify significant anomalies. Identified discrepancies were communicated to the responsible ITB representative, who was then tasked to work with the COR(s) to validate and explain the anomaly using contract-level and task-order-level reports. ITB representatives were asked to assess whether the anomaly was a short- or long-term deviation and determine whether the discrepancy resulted in projected excess funds that could be reallocated to other agency priorities or represented an unfunded need that could be met by rebalancing the IT portfolio or reallocating other non-IT agency resources. The collective findings of the ITB representatives were then presented to the CIO, CFO, and IPEC to facilitate FY 2015 rebalancing decisions. In FY 2016, the CIO refined and formalized the process to facilitate a repeatable, quarterly review of the execution of the IT budget; excess funds and unfunded needs were presented to the IPEC to facilitate rebalancing decisions, as appropriate. As implemented in FY 2017, these quarterly reviews provide visibility into all investments (major and nonmajor) and the overall health of the IT portfolio.

Inputs

Quarterly investment and portfolio reviews are developed using the following inputs:

  • BFS spend plan reports
  • summary- and detail-level forward funding information and comparisons of IT budgets against actual expenditures generated using the FAIMIS Financial Analysis Reporting Suite
  • OCIO approvals and explanations about reallocations and emergent needs affecting the IT portfolio
  • reports from the BFS or Human Resources Management System, or both, that capture FTE budgets and actual utilization during the year of execution
  • input from ITB representatives and CORs on identified anomalies

Deliverables and Timeline

As implemented in FY 2017, the quarterly investment and portfolio review process yields the following deliverables on a quarterly basis:

  • summary- and detail-level reports to facilitate rebalancing decisions to accommodate the assessment of emergent needs and reallocation requests during the subsequent quarter
  • documented explanations and decisions about discrepancies or anomalies identified during the quarterly review and assessed by both the ITB and IPEC

OCIO conducts this review and presents the findings and recommendations to the IPEC on a quarterly basis.

The NRC TechStat Policy in the NRC IT Policy Archive gives more information about how quarterly investment and portfolio reviews can trigger and inform TechStat reviews.

Major IT Investment Control Reviews

Purpose

Control reviews are used to identify and address issues early. As a result of these reviews, the ITB can issue minor corrective actions to IPTs or make recommendations to the IPEC on matters warranting an executive decision. The ITB can also assign action items, as appropriate (e.g., an action to update documentation or respond to requests for additional information).

Results from control reviews are used as input to the annual OA and can be used to inform CY budget reprioritization and reallocations.

Description

During each year of execution, the Capital Planners are required to conduct a thorough review of all major IT investments based on data sources such as monthly reviews, any postimplementation reviews, and any findings from the annual OA performed on the PY data.

This review is to be done in collaboration with the respective IPTs with the full engagement of any IT PMs who are executing and managing projects within the investment. Together, they present the control review findings to the ITB. The control reviews help identify and address issues early and monitor and identify issues with performance, risk mitigation, cost and schedule, and current contracting plans or strategies. Although the focus is on the execution of any current projects and the associated cost, schedule, and milestones and the current burn rate for operations and maintenance, it is also important to present any significant findings from the previous year's OA and any postimplementation reviews of functionality implemented during the previous or current FY.

Once all of the data have been compiled and analyzed, all significant findings will be presented to the ITB to increase the transparency of major IT investments; ensure that all ITB members are made aware of the findings; provide a collaborative and open forum to discuss successes, risks, budgetary issues, and corrective actions; and implement governance over IT investments.

The Capital Planner compiles and edits all significant findings with input from, and in conjunction with, the appropriate investment program managers. Subsequently, the Capital Planner facilitates the compilation of the data, and the IT PMs present the data to the ITB.

Inputs

The deliverables from the following processes provide inputs into the control reviews:

  • major IT investment monthly reviews and CIO evaluations
  • post implementation reviews
  • OA

Additional sources of information include the following:

  • current risk logs and progress on the plan of actions and milestones
  • customer satisfaction surveys, if applicable

Deliverables and Timeline

The major IT investment control reviews before the ITB will occur during the second and third quarter of each FY. Ideally, holding these reviews early enough in the FY to take corrective actions, if needed, would support improved CY execution and the next business case updates that take place annually with the release of OMB's BY guidance in the June/July timeframe.

CIO TouchPoints

Purpose

CIO TouchPoints keep the CIO well informed and provide the opportunity for early mitigation or corrective actions, as appropriate. These discussions support risk categorization and CIO evaluations of major IT investments, as required by FITARA. CIO TouchPoints also provide an additional opportunity for the CIO to maintain involvement in major programs and to influence future planning and set the direction of the IT portion of major programs.

Description

CIO TouchPoints are direct one-on-one discussions between the NRC's CIO and a major IT investment's IPT, especially IT PMs executing projects under the investment. Each CIO TouchPoint is a 30-minute session that provides the opportunity for open, candid discussion on items such as the status of milestones and deliverables, changes in cost and schedule, open risks, major accomplishments, investment challenges, future planning (CY, BY, and BY+1), and changes in business needs or acquisition strategies. At a minimum, the CIO will hold one CIO TouchPoint session per year with each major IT investment. Additional CIO TouchPoints may be scheduled at the CIO's discretion.

Inputs

The basis or starting point for these discussions will be the authoritative data captured in the CPIC tool, especially as contained in the current Major IT Business Cases, Major IT Business Case Details, CIO evaluations, and OA and the most current version of the investment's required artifacts. The CIO provides the Capital Planner with the main interest or topics of discussion for each investment, as appropriate.

Deliverables and Timeline

The CIO holds one CIO TouchPoint per year for each major investment; however, he or she can request additional TouchPoints for any investment (major or nonmajor) at any time. CIO TouchPoints are scheduled around factors such as the timing of major milestones, deliverables, and corrective actions.

Evaluate Process: Learn, Recommend, and Adjust

The purpose of the Evaluate processes is to compare actual versus expected benefits and costs of IT investments and projects to assess return on investment, customer satisfaction, and value to the NRC in meeting its mission and business needs. The key objectives are as follows:

  • Assess the capacity of a project or investment to meet performance expectations within cost and schedule thresholds and in compliance with IT policies.
  • Identify any needed changes or modifications to an investment (including associated projects or activities).
  • Update IT investment management policies, processes, and procedures based on lessons learned.

The Evaluate processes are used to analyze IT investment data to support the decisionmaking required to maximize the value of IT investments and the maturation of the IT portfolio and IT management practices. This entails performing annual OAs, postimplementation reviews, and TechStats as needed (the NRC TechStat Policy and Process Overview in the NRC IT Policy Archive has more information on TechStats). Although each one helps inform the selection, reselection, and deselection of projects and investments within the IT portfolio, the OA is paramount. The NRC has based its OA on the requirements in Section III, Management In-Use, of the Capital Programming Guide. It provides a periodic, structured assessment of the cost, performance, and risk trends over time to help determine when cost and risk associated with an investment are no longer reasonable and outweigh the value received from the investment.

Capital Planners are responsible for executing all Evaluate processes and facilitating the select processes. One investment analyst is designated as the CPIC Lead. The CPIC Lead serves as the SME on relevant Federal mandates, Executive Orders, OMB guidance, and agency policy and ensures that Evaluate processes and procedures are documented, implemented, enforced, updated, and continuously enhanced. The CPIC Lead serves as the SME on Select criteria and ensures that the Select processes and procedures are documented, implemented, enforced, updated, and continuously enhanced.

Post Implementation Reviews

Purpose

The post implementation review is used to evaluate stakeholder and customer/user satisfaction with the end product, mission/program impact, and technical capability and to provide decisionmakers with lessons learned to assist them in improving investment management and decisionmaking processes.

Description

The post implementation review is an IT investment project evaluation tool. The post implementation review is conducted once a system, service, or new functionality has been operational for 6 to 12 months. The post implementation review is designed to achieve the following objectives:

  • Validate estimated project benefits and costs.
  • Evaluate stakeholder and customer/user satisfaction with the end product, mission/program impact, and technical capability.
  • Determine whether additional actions, modifications, or enhancements are needed.
  • Document effective management practices for broader use.

To maximize the value of the post implementation review process and minimize oversight costs, post implementation reviews are only required for projects within major IT investments.

However, the CPIC team and the IT governance boards will reserve the right to initiate a post implementation review on projects within nonmajor investments to assess lessons learned or identify areas of concern.

Section III of the Capital Programming Guide contains more information on post implementation reviews.

Inputs

Each post implementation review will contain business case data that provide an overview of the project to be evaluated. The CPIC staff and EA SMEs will interview the IT PMs to complete the post implementation review, which includes five assessment areas:

(1) internal business
(2) customer/user satisfaction
(3) strategic impact and effectiveness
(4) lessons learned and innovation
(5) process improvement

The PM should provide any lessons learned or best practices that can be applied to other projects. These lessons learned should be communicated throughout the investment portfolio as a method of knowledge sharing. They should also be shared with executive management to highlight and assist in enforcing the use of best practices. Lessons learned should be communicated using the following methods:

  • communications to all IT PMs, IPTs, and PMM
  • PM community of practice
  • ITB meetings
  • updated policy/process documentation
  • training

The CPIC tool will house the lessons learned from post implementation review for future reference by project teams.

Deliverables and Timeline

The Capital Planners will use the data from the assessments to determine whether there are areas of critical concern that require additional action. The Capital Planners will make recommendations as to which areas should be addressed and, where appropriate, recommend specific actions to be taken. All findings and recommendations will be discussed with the IT PM and IPT to gain alignment and agreement on the next steps.

Once an action plan has been defined, the Capital Planners and IT PM will take the following actions:

  • The IT PM will communicate this action plan to the investment owner for his or her awareness.
  • Through the facilitation of the Capital Planners, the IT PM will present findings, recommendations, and action plans to the CIO, IPEC, or ITB as needed.
  • The Capital Planners will track all post implementation review action plans.
  • The IT PM and Capital Planners will incorporate lessons learned into the appropriate business processes.

Operational Analysis

Purpose

The OA examines the ongoing performance of an operating component under an IT investment and measures that performance against established cost, schedule, and performance goals.

The purpose is to determine how the investment's objectives could be better met, how costs could be reduced, and whether the agency should continue performing a certain function.

Description

During the requirements, design, development, test, and implementation phases of an investment's life cycle, great emphasis is often placed on meeting the budget, scope, and schedule to ensure the desired functionality is delivered on time and according to requirements; however, these costs are only a fraction of the asset's total life-cycle costs. Ownership costs, such as operations and maintenance, including service contracts and disposition, can easily consume as much as 80 percent of the total life-cycle costs. For this reason, the periodic, structured assessment of the cost, performance, and risk trends over time is essential to minimizing costs in the operational life of the asset.

The OA is conducted annually to evaluate the cost of continued maintenance support, manage risk, assess technology opportunities, determine an investment's continued effectiveness in supporting mission and stakeholder requirements, identify gaps and determine whether enhancements should be made, and consider potential retirement or replacement. The results of this analysis are used to provide recommendations on the asset's continued use, modification, or termination/replacement.

In accordance with the requirements in Section III of the Capital Programming Guide, the OA must report performance in four areas:

(1) Customer satisfaction measures performance in terms of the extent to which the investment supports customer processes as designed. The focus is on how well the investment delivers the services it was funded to deliver (i.e., effectiveness) and considers stakeholder perception on whether the costs associated with providing the service are as low as they could be for the customer. Customer satisfaction data are typically collected in surveys and measured using both quantitative and qualitative metrics.

(2) Strategic and business results measure the investment's impact on the performance of the NRC. These results provide a measure of how well the investment is meeting business needs, whether it is contributing to the achievement of the NRC's strategic goals, and whether it continues to align with the NRC's strategic direction. Strategic and business results should be unique to an operational domain. For example, performance metrics associated with paying vendor invoices are relevant to the finance operational domain. On the other hand, performance metrics associated with processing and managing grant applications are relevant to a research-oriented operational domain.

Strategic and business result metrics must be designed to measure the investment's contribution to mission processes, independent of other aspects of the process such as the individual competencies of the people performing the process.

(3) Financial performance measures and compares current cost-related performance with the preestablished cost baseline. It also includes efficiency measures such as tracking actual costs of work performed against budgeted costs. Although financial performance is typically reported as a quantitative measure, the investment should also be subjected to regular reviews for cost effectiveness and efficiency.

(4) Innovation, when reviewed, provides an opportunity to conduct a qualitative analysis of the investment's performance in terms of the three previously mentioned areas: (1) customer satisfaction, (2) strategic and business results, and (3) financial performance. It should demonstrate the extent to which the project team is tracking emerging technologies and performing ongoing analyses of alternatives for achieving the same or better customer results and strategic goals at better cost, performance, and risk levels than the current solution. This qualitative assessment should also demonstrate the investment's ability to meet emerging requirements and support long-term strategic objectives given its engagement with strategic planning activities and its technical architecture.

Section III of the Capital Programming Guide contains more information on OAs.

Inputs

In addition to the Major IT Business Cases and Major IT Business Case Details, all the data collected and outputs of the Control processes are used to perform the OA. For example, the analysis uses the outcomes of an investment's control review, CIO TouchPoint, CIO evaluations, and the monitoring of the progress of any assigned corrective actions. In addition, the results of any customer surveys and interviews would be a valuable input to the OA.

Deliverables and Timeline

During the first quarter of each FY, the Capital Planners will work with customer service, Enterprise Architects, OCIO financial management SMEs, and the appropriate IPT members to conduct the OA based on all the information collected and the investment's performance during the FY that just ended, in addition to past operational data. The OA must look at the entire operational history and any trends.

Once the OA has been completed, the Capital Planners will do the following:

  • In collaboration with customer service, EA, and financial management SMEs, present the findings, analysis, and recommendations of the OA to the ITB and the CIO.
  • Ensure that any corrective actions and action items are recorded and tracked.

Appendix A: The U.S. Nuclear Regulatory Commission's Information Technology Portfolio Structure

The terms defined below explain how the information technology (IT) portfolio is organized and structured. Part refers to the section of the Agency IT Portfolio Summary where agencies are to list investments according to their purpose. The Office of Management and Budget (OMB) requires agencies to report investments individually within the following parts:

  • Part 1: IT Investments for Mission Delivery
  • Part 2: IT Investments for Mission Support
  • Part 3: IT Investments for IT Infrastructure, IT Security, and IT Management

Program area refers to the mission delivery and management support areas within an agency. The U.S. Nuclear Regulatory Commission (NRC) has four program areas: (1) Nuclear Reactor Safety, (2) Nuclear Materials and Waste Safety, (3) Financial Management, and (4) Corporate Support.

IT investment refers to the expenditure of IT resources to enable core functions and processes that support the agency's mission and operational business requirements. An IT investment may include one or more projects for the development, modernization, enhancement, or maintenance of a single IT asset or group of IT assets with related functionality and the subsequent operation of the asset(s) in a production environment. All investments should have a defined life cycle with start and end dates. The end date should represent the end of the currently estimated useful life of the investment based on its assets' most current alternative analyses or the results of the investment's most current OA summarizing the operational performance of its assets and the investment's ability to deliver required functionality. There are five different types of investments:

(1) Major IT investment refers to an IT investment in Part 1 or Part 2 of the IT portfolio that requires special management attention because of its importance to the mission or function to the Government; significant program or policy implications; high executive visibility; high development, operating, or maintenance costs; unusual funding mechanism; or definition as major by the agency's Chief Information Officer (CIO) or the Capital Planning and Investment Control process. A Major IT Business Case must be submitted for each major IT investment in an agency's IT portfolio to provide detailed justification for the associated IT budget request in the Agency IT Portfolio Summary and to provide supplemental data for monitoring the investment's performance and risk throughout the calendar year execution. Major IT investments are continuously monitored, and updates are provided to the CIO and OMB on a monthly basis.

(2) Funding transfer investment refers to the portion of funding a partner agency provides to fund contributions to another investment managed by another agency. The NRC is a partner agency to a number of shared services (e.g., e-Gov initiatives, line of business solutions) that other agencies operate and maintain. Each managing partner lists the shared services as a major IT investment in Part 1 or Part 2, as appropriate, on its Agency IT Portfolio Summary. The NRC reports funding contributions to the managing partner by including its portion of the funding on the NRC's Agency IT Portfolio Summary in Part 1 or Part 2, as appropriate.

(3) IT migration investment refers to the migration costs associated with systems in a shared service partner agency that the managing partner does not capture during the partner agency's migration to the shared service. The investment's life cycle is for the duration of the migration. Once the migration is complete, the investment is retired, and the partner agency begins reporting the funding contributions to the managing partner of the shared service as a funding transfer investment described above.

(4) Nonmajor IT investment refers to any IT investment in Part 1 or Part 2 of the agency's IT portfolio that does not meet the definition of a major IT investment, funding transfer investment, or IT migration investment.

(5) Standard IT investment refers to a Part 3 investment that has been disaggregated to its discrete components and managed separately. Standard investments draw clear delineation between the types of IT investments that every agency needs to deliver the same basic IT services upon which the entire agency's mission and business capabilities depend. The standard investments across the Government are application, data center and cloud, delivery, end user, IT management, IT security and compliance, network, platform, and output.

(Note that each investment is assigned a unique investment identifier for tracking, budgeting, and reporting purposes, both internally to the CIO and Information Technology/Information Management Portfolio Executive Council and externally to OMB.)

Component refers to any IT-related items (tangible or intangible) that have value to an organization, including, but not limited to, an IT system, service, function, network/circuit, hardware, software (either an installed instance or a physical instance), virtual computing platform (common in cloud and virtualized computing), or related hardware (e.g., cables, racks, servers). It also refers to people and intellectual property. Components have associated budget items, the lowest level at which IT is planned, acquired, implemented, and operated. Budgeting at this level provides the IT cost transparency required by the CIO, Chief Financial Officer (CFO), and Information Technology/Information Management Portfolio Executive Council for decisionmaking and for compliance with multiple relevant authorities. Appendix A, Legal Regulatory Authorities, provides a complete list of legal regulatory authorities.

(Note that each IT component is assigned a component identifier to assist with internal tracking, budgeting, and reporting activities and to facilitate the necessary rollup to meet OMB tracking and reporting requirements.)

Budget item (formerly referred to as activity) refers to planned and approved expenses, projects, and full-time equivalent personnel allocations that constitute the costs and resources associated with a given IT component. Funding for budget items is categorized as either operations and maintenance (O&M) or development, modernization, and enhancement (DME) as follows:

  • O&M refers to the expenses required to operate and maintain an IT asset that is operating in a production environment. O&M includes costs associated with operations, maintenance activities, and maintenance projects needed to sustain the IT asset at the current capability and performance levels. It includes Federal and contracted labor costs, corrective hardware and software maintenance, voice and data communications maintenance and service, replacement of broken or obsolete IT equipment, overhead costs, and costs for the disposal of an asset. O&M is also commonly referred to as steady state.
  • DME refers to projects and activities leading to new IT assets, as well as projects and activities that change or modify existing IT assets to substantively improve capability or performance, implement legislative or regulatory requirements, or implement an agency's executive leadership decision. A DME activity may occur at any time during a program's life cycle. As part of DME, capital costs can include hardware, software development and acquisition costs, commercial off-the-shelf acquisition costs; Government labor costs; and contracted labor costs for planning, development, acquisition, system integration, and direct project management and overhead support.

Starting in fiscal year 2018, the NRC will also break investment costs into IT towers and IT cost pools at the budget item level to ensure that the CIO has the visibility needed during budget execution and to collect data that will better inform strategic planning, decisionmaking, and future budget formulation:

  • IT towers are a set of defined IT categories that provides a means for categorizing the total cost for an IT investment into standard IT costs (i.e., common to all agencies). The categories are Application, Compute, Data Center, Delivery, End User, IT Management, IT Security and Compliance, Network, Output, and Storage. Breaking the total cost of each investment into these categories provides a CIO view or technical view of the IT costs associated with an investment. This view can be used to explain or justify the expenditure by tying the cost directly to the mission and business capabilities being supported. The IT towers are based on the technology business management taxonomy. Appendix B, Technology Business Management IT Cost Pools and IT Tower Definitions, provides the IT tower definitions.

  • IT cost pools are a standard set of IT costs associated with each investment that provides a CFO view or financial view that can be mapped to the general ledger. Like the CIO view, the CFO view provides a direct line of sight between IT costs and the mission and business capabilities being supported. It is intended to provide the ability to determine the cost per user by program area. The standardized IT cost pools are External Labor, Facilities and Power, Hardware, Internal Labor, Internal Services, Outside Services, Software, Telecom, and Other. The IT cost pools are based on the technology business management taxonomy. Appendix B provides the IT cost pool definitions.

(Note that numerous budget items are associated with the IT portfolio; therefore, this document does not list them. The agency's capital planning and portfolio management tool provides budget items associated with each component under every investment.)

Appendix B: Information Technology Budget Certification and Approval

Once investments and projects are selected for inclusion in the information technology (IT) portfolio, IT resources must be included in the budget. As the secretariat for the IT governance boards, the Capital Planners are responsible for ensuring that selected investments, components, and projects are incorporated in the IT budget formulation process for funding. In addition, the Federal Information Technology Acquisition Reform Act (FITARA) requires that the Capital Planners facilitate the certification and approval of the IT budget. The IT budget staff within the Office of the Chief Information Officer work closely with a liaison from the Office of the Chief Financial Officer to ensure proper timing and alignment with the overall budget formulation process and to develop IT and information management budget instructions. The initial analysis and prioritization allows proper timing for the IT governance boards to begin their reviews, recommendations, and approvals of the IT budget for inclusion in the overall agency budget.

Once the Commission approves the final IT budget, the IT budget staff provides the resultant IT budget request to the Capital Planners for use in finalizing the IT Capital Planning and Investment Control documents. The Capital Planners will enter the data into the IT portfolio management and submission tool to update the Agency IT Portfolio Summary and Major IT Business Cases and work with the Office of the Chief Financial Officer to ensure that the IT table and IT statements are included in the U.S. Nuclear Regulatory Commission's (NRC's) overall Performance Budget submission to the Office of Management and Budget (OMB), as required by FITARA and described in the Common Baseline for IT Management established by FITARA; Section 51.3 of OMB Circular A-11, Preparation, Submission, and Execution of the Budget; and the OMB IT Budget - Capital Planning Guidance. The agency's budget justification materials in the initial budget submission to OMB must include the following affirmation statements:

  • The NRC's Chief Information Officer (CIO) affirms that he or she has reviewed and approved the major IT investments portion of the budget request.
  • The NRC's Chief Financial Officer and CIO affirm that the agency's CIO had a significant role in reviewing planned IT support for major program objectives and significant increases and decreases in IT resources.
  • The NRC's Chief Financial Officer and CIO affirm that the IT portfolio includes appropriate estimates of all IT resources included in the budget request.
  • The CIO's current common baseline rating for Element D, Item D1, CIO Reviews and Approves Major IT Investment Portion of Budget Request, is fully implemented.

The NRC has developed and implemented its plan to ensure that the necessary processes and procedures are in place to fulfill these common baseline FITARA responsibilities.

  • The CIO can certify the use of modular approaches or incremental development practices, or both, for contracts and projects associated with the major IT investment portion of the NRC's IT budget request.

Appendix C: Related Definitions

The Office of Management and Budget (OMB) definitions listed below are useful for understanding Capital Planning and Investment Control processes. The current version of Integrated Data Collection Common Definitions, posted on MAX.gov, provides a complete list of related OMB definitions.

Adequate Incremental Development means that planned and actual delivery of new or modified technical functionality to users occurs at least every 6 months during the development of software or services.

Capital Programming refers to an integrated process within an agency that focuses on the planning, budgeting, procurement, and management of the agency's portfolio of capital investments to achieve the agency's strategic goals and objectives with the lowest overall cost and risk.

Cost Avoidance means an action taken in the immediate timeframe that will decrease costs in the future. For example, an engineering improvement that increases the mean time between failures and thereby decreases operation and maintenance costs is a cost avoidance action (as defined in OMB Circular A-131, Value Engineering, dated December 26, 2013).

Cost Savings refers to the reduction in actual expenditures to achieve a specific objective (as defined in OMB Circular A-131).

Digital Services means the software and related technology that the Federal Government provides for the public to access a service of the Federal Government or the software and technology that is custom built on behalf of the Federal Government to directly support the delivery of a service of the Federal Government to the public.

Information Life Cycle means the stages through which information passes, which is typically characterized as creation or collection, processing, dissemination, use, storage, and disposition (including destruction and deletion).

Information Management means the planning, budgeting, manipulating, controlling, and processing of information throughout the information life cycle.

Information Resources means information and related resources, such as personnel, equipment, funds, and information technology (IT) (44 U.S.C. § 3502).

Information System refers to a discrete set of IT, data, and related resources (such as personnel, hardware, software, and associated IT services) organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information, in accordance with defined procedures, whether automated or manual (see OMB Circular A-130, Managing Federal Information as a Strategic Resource, dated July 27, 2016, and 44 U.S.C. § 3502).

Information System Life Cycle means all phases in the useful life of an information system, including planning, acquiring, operating, maintaining, and disposing/decommissioning.

Information Technology (IT) is defined as follows:

  • IT includes any services or equipment, or interconnected system(s) or subsystem(s) of equipment, that are used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the agency, where such services or equipment are "used by an agency" if used by the agency directly or if used by a contractor under a contract with the agency that requires either use of the services or equipment or requires use of the services or equipment to a significant extent in the performance of a service or the furnishing of a product.
  • IT includes computers; ancillary equipment, including imaging peripherals, input, output, and storage devices necessary for security and surveillance; peripheral equipment designed to be controlled by the central processing unit of a computer; software; firmware and similar procedures; services, including provisioned services such as cloud computing and support services that support any point of the life cycle of the equipment or service; and related resources.
  • IT includes high-performance computing capabilities, including capabilities that are not commodity in nature.
  • IT does not include any equipment that is acquired by a contractor incidental to a contract that does not require use of the equipment.

IT Asset refers to any IT-related items (tangible or intangible) that have value to an organization, including, but not limited to, a computing device; IT system; IT network; IT circuit; software (both an installed instance and a physical instance); virtual computing platform (common in cloud and virtualized computing); related hardware (e.g., locks, cabinets, keyboards); and people and intellectual property, including software. Assets are the lowest level at which IT is planned, acquired, implemented, and operated.

IT Investment refers to the expenditure of IT resources to address mission delivery and management support. An IT investment may include a project or projects for the development, modernization, enhancement, or maintenance of a single IT asset or group of IT assets with related functionality and the subsequent operation of those assets in a production environment.

All IT investments should have a defined life cycle with start and end dates, with the end date representing the end of the currently estimated useful life of the investment, consistent with the investment's most current alternatives analysis, if applicable. When an asset is essentially replaced by a new system or technology, the replacement should be reported as a new, distinct investment, with its own defined life-cycle information.

IT Resources are defined as (1) all agency budgetary resources, personnel, equipment, facilities, or services that are primarily used in the management, operation, acquisition, disposition, and transformation or other activity related to the life cycle of IT and (2) acquisitions or interagency agreements that include IT and the services or equipment provided by such acquisitions or interagency agreements. IT resources do not include grants to third parties that establish or support IT that the Federal Government does not directly operate.

IT System refers to a discrete set of information resources organized for the collection, processing, maintenance, transmission, and dissemination of information, in accordance with defined procedures, whether automated or manual.

Interagency Agreement means, for the purposes of this document, a written agreement entered into between two Federal agencies that specifies the goods to be furnished or tasks to be accomplished by one agency (the servicing agency) in support of another agency (the requesting agency), including assisted acquisitions as described in OMB's guidance in Improving the Management and Use of Interagency Acquisitions, dated June 6, 2008, and other cases described in Part 17, Special Contracting Methods, of the Federal Acquisition Regulation.

Major IT Investment means an IT investment in Part 1 and Part 2 of the IT portfolio that requires special management attention because of its importance to the mission or function to the Government; significant program or policy implications; high executive visibility; high development, operating, or maintenance costs; unusual funding mechanism; or definition as major by the agency's Capital Planning and Investment Control process. Agencies should also include all major automated information systems as defined in 10 U.S.C. § 2445 and all major acquisitions as defined in the OMB Circular A-11 supplement, Capital Programming Guide, which includes information resources. OMB may work with the agency to declare IT investments as major IT investments. Agencies must consult with assigned OMB desk officers and resource management offices on which investments are considered major. Investments that are not considered major are nonmajor.
