ADAMS Accession No. ML22021A897
Issue date: 01/21/2022
From: Governance & Enterprise Management Services Division
Person: Valencia S
Shared Package: ML22021A940
U.S. Nuclear Regulatory Commission CPIC Policy
Capital Planning and Investment Control Policy and Overview
Office of the Chief Information Officer Capital Planning and Investment Control Team
Version 2.6 January 2022
Revision History

Date | Version | Summary of Changes | Author
---|---|---|---
09/28/2015 | 1.0 | Updated information technology (IT) Capital Planning and Investment Control (CPIC) policy to reflect the Federal Information Technology Acquisition Reform Act (FITARA) (December 2014) and associated Office of Management and Budget (OMB) requirements. Under FITARA, this policy is now publicly available. Agencywide Documents Access and Management System (ADAMS) Accession No. ML15247A497. | Vickie Smith, OIS/PMPD/IPMB. Approved by Darren Ash, OEDO/DEDCM
12/28/2015 | 1.1 | Updated to reflect organizational changes effective November 1, 2015. ADAMS Accession No. ML15288A545. | Vickie Smith, OCIO/PMPD/IPMB. Approved by Darren Ash, CIO
10/21/2016 | 2.0 | Updated significantly to reflect new policy requirements in the revised OMB Circular A-130, Managing Information as a Strategic Resource (July 2016); OMB Memorandum M-16-21, Federal Source Code Policy: Achieving Efficiency, Transparency, and Innovation through Reusable and Open Source Software (August 2016); and OMB Category Management Policy for Common IT. ADAMS Accession No. ML16272A383. | Vickie Smith, OCIO/PMPD/IPMB. Approved by David Nelson, CIO
12/31/2017 | 2.1 | Revised to clarify the Chief Information Officer's (CIO's) role in IT contracting and incremental development, make minor changes to definitions, update the major IT investment criteria, and make other minor updates. ADAMS Accession No. ML17346A193. | Leah Kube, OCIO/GEMS/PIMB. Approved by David Nelson, CIO
12/31/2018 | 2.2 | Added and updated definitions; made other minor updates. | Leah Kube, OCIO/GEMS/IPSMB. Approved by David Nelson, CIO
12/31/2019 | 2.3 | Added and updated definitions; made other minor editorial updates. | Leah Kube, OCIO/GEMS/IPSMB. Approved by David Nelson, CIO
4/28/2020 | 2.4 | Updated IT CPIC policy to add CIO responsibilities according to Government Accountability Office report GAO-18-93, Critical Actions Needed to Address Shortcomings and Challenges in Implementing Responsibilities (August 2018). These were minor updates, and some of the responsibilities already existed in Version 2.3. | Cathy Smith, OCIO/GEMS/IPSMB. Approved by David Nelson, CIO
12/8/2020 | 2.5 | Updated some formatting and definitions based on fiscal year 2021 guidance. | Lance Breeden, Sandra Valencia, OCIO/GEMS/APIB. Approved by David Nelson, CIO
1/31/2022 | 2.6 | Updated some formatting and definitions based on fiscal year 2021 guidance. | Jack Roscoe, Sandra Valencia, OCIO/GEMS/APIB. Approved by David Nelson, CIO
Note: The U.S. Nuclear Regulatory Commission maintains detailed processes and operating procedures in separate documents to support continuous refinement of the agency's maturing investment management. This document sets forth the CPIC policy and gives an overview of CPIC processes.
Contents
- Background and Authorities (page 1)
- Purpose (page 2)
- Definitions (page 3)
- Capital Planning and Investment Control Policy (page 16)
  - Planning, Programming, Budgeting, and Selecting (page 16)
  - Acquiring Information Technology and Services (page 20)
  - Information Technology Investment Design and Management (page 21)
- Responsibilities (page 23)
- Capital Planning and Investment Control Overview (page 27)
  - Select (page 27)
  - Control (page 29)
  - Evaluate (page 30)
Background and Authorities
Capital planning and investment control (CPIC) for information technology (IT) investments refers to a decision-making process that ensures IT investments integrate strategic planning, budgeting, procurement, and management of IT in support of agency missions and business needs.[1] The Clinger-Cohen Act of 1996 (CCA) (Public Law 104-106, formerly known as the IT Management Reform Act of 1996) requires Federal agencies to use disciplined CPIC processes to acquire, use, maintain, and dispose of IT assets. Although other laws (e.g., the Paperwork Reduction Acts of 1980 and 1995, Government Performance and Results Act of 1993 (GPRA), GPRA Modernization Act of 2010 (GPRAMA), and Federal Acquisition Streamlining Act of 1994) also require agencies to develop and implement a disciplined process to maximize the value of IT investments while balancing risks, the CCA went a step further by mandating a specific, more rigorous methodology for managing IT investments that integrates IT capital planning with other agency processes.
Specifically, the CCA mandates that agencies implement CPIC processes to do the following:
- Provide for the selection, control, and evaluation of agency IT investments.
- Integrate with the processes for budget, financial, and programmatic decision-making.
- Include minimum criteria for whether to undertake an IT investment.
- Identify IT investments that would result in sharing of benefits or costs with other Federal agencies or State or local governments.
- Provide means for quantifying the net benefits and risks of IT investments.
- Allow for senior management to obtain timely information on an investment's progress.
The Federal Information Technology Acquisition Reform Act (FITARA), enacted on December 19, 2014, established additional requirements. The Office of Management and Budget (OMB) issued guidance on implementing FITARA in Memorandum M-15-14, Management and Oversight of Federal Information Technology, dated June 10, 2015. FITARA strengthens the CCA by empowering Federal Chief Information Officers (CIOs) with increased oversight for (1) budget planning, (2) governance structures, (3) portfolio risk management, (4) hiring practices within IT offices, (5) data center consolidation planning and execution, and (6) reporting of progress and metrics to the OMB. Building on the CPIC requirements of the CCA, FITARA establishes the Common Baseline for IT Management, which defines the roles and responsibilities of the CIO and other senior agency officials while ensuring that the CIO retains accountability.
To assist agencies in meeting CCA and FITARA requirements, the OMB issues the document IT Budget - Capital Planning Guidance annually as part of OMB Circular A-11, Preparation, Submission, and Execution of the Budget, and maintains its supplement, the Capital Programming Guide, to help agencies implement CPIC processes and meet requirements for reporting to Congress. OMB Circular A-130, Managing Information as a Strategic Resource, dated July 27, 2016, provides additional guidance for implementing CPIC and FITARA requirements. The OMB updates these circulars based on current, relevant statutes and executive orders.

[1] The Office of Management and Budget (OMB) provides this definition in the Integrated Data Collection Common Definitions. See 40 U.S.C. 11302 for statutory requirements.
As part of FITARA, the OMB has also issued the category management policy in a series of memoranda, including the following:
- OMB Memorandum M-16-02, Category Management Policy 15-1: Improving the Acquisition and Management of Common Information Technology: Laptops and Desktops, dated October 16, 2015
- OMB Memorandum M-16-12, Category Management Policy 16-1: Improving the Acquisition and Management of Common Information Technology: Software Licensing, dated June 2, 2016
- OMB Memorandum M-16-20, Category Management Policy 16-3: Improving the Acquisition and Management of Common Information Technology: Mobile Devices and Services, dated August 4, 2016
On August 8, 2016, the OMB also issued Memorandum M-16-21, Federal Source Code Policy: Achieving Efficiency, Transparency, and Innovation through Reusable and Open Source Software. The CCA, FITARA, and associated OMB policy, circulars, and guidance serve as the basis for CPIC policy, processes, and procedures at the U.S. Nuclear Regulatory Commission (NRC).
Purpose
This document sets forth the NRC's CPIC policy. It establishes the business rules and guidelines for consistency and compliance in executing the NRC CPIC processes and procedures, including the procurement of IT assets. This document contains updates that reflect FITARA, OMB Circular A-130, the OMB's category management policy, and OMB Memorandum M-16-21 requirements; therefore, it supersedes all previous versions of the NRC's CPIC policy.
This document also gives a brief overview of the NRC CPIC processes. It is worth noting that CPIC processes and procedures are continuously evaluated and refined; therefore, the NRC maintains separate documents on the detailed processes and procedures. This allows for timely updates and implementation and is consistent with best practices. It also supports the NRC's goal of continuously maturing its IT investment management practices to achieve an IT portfolio that leverages IT for strategic outcomes in support of the NRC's mission.
Definitions
The definitions in this section lay the foundation for, and build better understanding of, the CPIC policy and processes.
Adequate incremental development refers to the planned and actual delivery of new or modified technical functionality to users at least every 6 months during the development of software or services, which must be identified in OMB reports.
Agile software development is a software development approach under which requirements and solutions evolve through the collaborative effort of self-organizing and cross-functional teams and their customers or end users. It advocates adaptive planning, evolutionary development, early delivery, and continual improvement, and it encourages rapid and flexible response to change. The use of agile software development is expected, although it is no longer broken out in OMB guidance.
Alternatives analysis is a method for assessing the various options for meeting the performance objectives of an investment; it includes assessment of the return on investment of each option. The analysis is performed before the initial decision to implement a solution, and is updated periodically, as appropriate, to capture changes in the context for an investment decision. These terms refer to best practices outlined in the Capital Programming Guide in Section I.4, Alternatives to Capital Assets, and Section I.5.1, Evaluate Asset Options.
Note: Alternatives analysis shall be performed for investments with projects in the planning stage or the development, modernization, and enhancement (DME) stage, whereas strictly operational investments require operational analyses (OAs) until a decision is made to reevaluate them or to resume DME.
Baseline refers to the approved work breakdown structure, costs, schedule, and performance goals for a given investment. OMB Memorandum M-10-27, Information Technology Investment Baseline Management Policy, dated June 28, 2010, provides additional information on baselines and baseline management.
Benefit-cost analysis (BCA) refers to the recommended technique to use in a formal economic analysis of Government programs or projects. OMB Circular A-94, Guidelines and Discount Rates for Benefit-Cost Analysis of Federal Programs, contains guidance for performing a BCA.
Capital programming refers to an integrated process within an agency that focuses on the planning, budgeting, procurement, and management of the agency's portfolio of IT capital investments to achieve the agency's strategic goals and objectives with the lowest overall cost and least risk.
CIO evaluation refers to the CIO's best judgment of the current level of risk for an investment relative to its ability to accomplish its goals (40 U.S.C. 11315(c)(2)). The evaluation should be informed by (1) risk management, (2) requirements management, (3) contractor oversight, (4) historical performance, (5) human capital, and (6) other factors that the CIO deems important to forecasting future success. Each evaluation includes a narrative to explain the rating; this is particularly important when the rating has changed since the last evaluation.
CIO TouchPoints are direct one-on-one discussions between the NRC's CIO and the members of the integrated project team (IPT) for a major IT investment (including IT project managers, subject-matter experts (SMEs), business process owners, information system security officers, system owners, and others as appropriate), especially IT project managers executing projects under the investment.
Cloud computing refers to a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Cloud computing promotes availability. It comprises five essential characteristics (on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service), three service models (cloud software as a service (SaaS), cloud platform as a service (PaaS), and cloud infrastructure as a service (IaaS)), and four deployment models (private cloud, community cloud, public cloud, and hybrid cloud). Key enabling technologies include fast wide-area networks; powerful, inexpensive server computers; and high-performance virtualization for commodity hardware.
Cloud First policy refers to the OMB's Cloud First policy, also known as the Federal Cloud Computing Strategy, which was launched in December 2010. This policy is intended to accelerate the Government's realization of the value of cloud computing by requiring agencies to evaluate safe, secure cloud computing options before making any new investments.
Note: The Federal Cloud Computing Strategy requires agencies to do the following:
- Evaluate their technology sourcing plans to include consideration and application of cloud computing solutions as part of the budget process.
- Seek to optimize the use of cloud technologies in their IT portfolios to take full advantage of the benefits of cloud computing to maximize capacity utilization, improve IT flexibility and responsiveness, and minimize costs.
- Default to cloud-based solutions when evaluating options for new IT deployments, if a secure, reliable, cost-effective cloud option exists.
- Continually evaluate cloud computing solutions across their IT portfolios, regardless of investment type or life cycle stage.
Fulfilling this promise, the Administration has developed a new strategy to accelerate agency adoption of cloud-based solutions: Cloud Smart. The new strategy is founded on three key pillars of successful cloud adoption: security, procurement, and workforce. Collectively, these elements embody the interdisciplinary approach to IT modernization that the Federal enterprise needs in order to provide improved return on its investments, enhanced security, and higher quality services to the American people.
Commodity IT refers to a category of back-office IT services used by most, if not all, agencies (e.g., infrastructure and asset management, e-mail, hardware and software acquisition, and help desks). Commodity IT is related to the OMB's PortfolioStat initiative; it plays a key role in a CIO-led business approach to the delivery of IT infrastructure, enterprise IT, and administrative and business systems that encourages agencies to pool purchasing power across their entire organization, by both providing and using shared services instead of implementing independent services with similar functions. This approach aims to eliminate duplication, rationalize each agency's IT investments, and drive down costs.
There are three categories of Commodity IT:
- enterprise IT: e-mail; collaboration tools; identity and access management; IT security (apart from identity and access management); and Web hosting, infrastructure, and content
- IT infrastructure: desktop systems, mobile devices, mainframes and servers, and telecommunications
- business systems: financial management, human resources management, grant-related Federal financial assistance, and grant-related transfer to State and local governments
Cost is defined in Statement of Federal Financial Accounting Concepts No. 1, Objectives of Federal Financial Reporting, dated September 2, 1993, as the monetary value of resources used. It is defined more specifically in Statement of Federal Financial Accounting Standards (SFFAS) No. 4, Managerial Cost Accounting Concepts and Standards, dated July 31, 1995, as the monetary value of resources used or sacrificed or liabilities incurred to achieve an objective, such as to acquire or produce a good or to perform an activity or service. Depending on the transaction, cost may be charged to operations immediately (i.e., recognized as an expense of the period), or it may be charged to an asset account for recognition as an expense of subsequent periods. In most contexts within SFFAS No. 7, Accounting for Revenue and Other Financing Sources and Concepts for Reconciling Budgetary and Financial Accounting, dated May 10, 1996, cost is used synonymously with expense.
Cost avoidance (as defined in OMB Circular A-131, Value Engineering, dated December 26, 2013) refers to an immediate action that will decrease costs in the future. An example of a cost avoidance action is an engineering improvement that increases the mean time between failures and thereby decreases operation and maintenance costs.
Cost savings (as defined in OMB Circular A-131) refers to the reduction in actual expenditures to achieve a specific objective.
Development, modernization, and enhancement (DME) refers to projects and activities that lead to new IT assets or systems, or that change or modify existing IT assets or systems, to substantively improve capability or performance, meet legislative or regulatory requirements, or fulfill agency leadership requests. A DME activity may occur at any time during a program's life cycle. Capital costs involved in DME may include costs of hardware and software development and acquisition; commercial off-the-shelf acquisition; Government labor; and contracted labor for planning, development, acquisition, system integration, and direct project management and overhead support.
Disposition cost refers to the cost of retiring a capital asset (generally a system or investment) once its useful life is over or a replacement asset has superseded it; disposition costs may be included in operational activities near the end of the asset's useful life.
Earned value management (EVM) refers to an integrated management system that coordinates the work scope, schedule, and cost goals of a program or contract and objectively measures progress toward these goals. EVM is a tool used by program managers to (1) quantify and measure program or contract performance, (2) provide an early warning system for deviation from a baseline, (3) mitigate risks associated with cost and schedule overruns, and (4) provide a means to forecast final cost and schedule outcomes. A description of the qualities and operating characteristics of an earned value management system (EVMS) appears in American National Standards Institute/Electronic Industries Alliance Standard 748-1998, Earned Value Management Systems, dated May 19, 1998. Additional information on EVM is available at https://www.acq.osd.mil/asda/ae/ada/ipm/index.html.
Note: For lower cost programs and projects for which the high cost of using EVM may be prohibitive, an alternative approach must be described under risks in the program or project plan, or in a separate risk management plan, as appropriate.
Enterprise architecture (EA) refers to an organization's documentation of the current and desired relationships among business and management processes and IT. An EA includes the rules, standards, and systems life cycle information to optimize and maintain the environment that the agency wishes to create and maintain through its IT portfolio. An EA must contain a strategy for the agency to maintain its current state, as well as a roadmap for transition to its target environment. An EA defines principles and goals and sets a direction for such issues as the promotion of interoperability, open systems, public access, end user satisfaction, and IT security.
Note: Although this document does not establish EA standards, the selection and evaluation criteria found within should align with, and be reflected in, the NRC's target EA and Enterprise Roadmap.
Enterprise Roadmap refers to a document that describes the business and technology plan for the entire organization using EA methods. The Enterprise Roadmap provides current views, future views, and transition plans at an appropriate level of detail for all IT investments, services, systems, and programs. It also contains an IT asset inventory using the Federal Enterprise Architecture reference models, as well as other attachments or appendices giving more information on Roadmap plans for CPIC, EA, shared services, and other planning products requested by the OMB.
Federal IT Dashboard (ITDB) refers to a Web site (https://viz.ogp-mgmt.fcs.gsa.gov/) where Federal agencies, industry, the general public, and other stakeholders can view details of the performance of Federal IT investments. The administration and Congress use the ITDB to inform budget and policy decisions. The ITDB is also known as IT Collect.
Financial management systems are systems necessary to support financial management. They include automated and manual processes, procedures, controls, data, hardware, software, and support personnel dedicated to the operation and maintenance of system functions. Examples of financial management systems include (1) core financial systems, (2) procurement systems, (3) loan systems, (4) grants systems, (5) payroll systems, (6) budget formulation systems, (7) billing systems, and (8) travel systems. OMB Circular A-127, Financial Management Systems, dated January 9, 2009, contains additional information and guidance.
Functional/business sponsor refers to the agency official responsible for a program or function supported or implemented by an investment (44 U.S.C. 3501(a)(4)). The sponsor is responsible for expressing the value of the investment, ensuring its successful implementation, and providing accurate and timely data to the agency CIO and the OMB. The sponsor may (or may not) be the same person as the business process owner or SME serving on the IPT. Each major and nonmajor IT investment must include the name and title of the functional or business sponsor.
Information and communication technology (ICT) refers to IT and other equipment, systems, technologies, or processes whose principal function is the creation, manipulation, storage, display, receipt, or transmission of electronic data and information, as well as to any associated content. Examples of ICT include software applications, Web sites, videos, electronic documents, computers and peripheral equipment, information kiosks and transaction machines, telecommunications equipment, customer premises equipment, multifunction office machines, and digital signs.
Information Resource Management (IRM) Strategic Plan refers to a document that comprehensively addresses an agency's IRM. Agencies must develop and maintain their IRM Strategic Plans as required by 44 U.S.C. 3506(b)(2) and OMB Circular A-130. IRM Strategic Plans should support the Agency Strategic Plan required by OMB Circular A-11; describe how IRM activities support the agency's mission delivery area and program decisions; and ensure that IRM decisions are integrated with management support areas, including organizational planning, budget, procurement, financial management, and human resources management.
Information security refers to all functions pertaining to the protection of Federal information and information systems from unauthorized access, use, disclosure, disruption, modification, and destruction. It includes the development, implementation, and maintenance of security policies, procedures, and controls throughout the entire information life cycle. Information security activities should include those described in National Institute of Standards and Technology (NIST) Special Publication 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations, among which are (1) security awareness training (but not the technical infrastructure required for the delivery of training), (2) compliance reporting under the Federal Information Security Management Act, (3) development of a security policy, and (4) security audits and testing.
Note:
- IT security does not include IT costs related to identity or access management systems or solutions.
- IT security does not include physical protection of an organization (e.g., guards, cameras, and facility protection).
Information system refers to a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, transmission, or dissemination of information, in accordance with defined procedures, whether automated or manual.
Information technology (IT) is defined as follows:
- IT includes any services or equipment, or interconnected system(s) or subsystem(s) of equipment, that are used by an agency in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information.
- Such services, equipment, or systems are considered used by an agency if either the agency uses them directly, or a contractor uses them under a contract with the agency that requires either full or significant use of them to perform a service or furnish a product.
- IT includes computers; ancillary equipment (such as imaging peripherals and input, output, and storage devices necessary for security and surveillance); peripheral equipment designed to be controlled by the central processing unit of a computer; software; firmware; and related resources, procedures, and services (including provisioned services such as cloud computing and support services for any point of the equipment or service life cycle).
- IT includes high-performance computing capabilities, including those that are not communal in nature.
- IT does not include any equipment acquired by a contractor incidentally to a contract that does not require its use.
IT assets are any IT-related items (tangible or intangible) that have value to an organization, including, but not limited to, computing devices; IT systems, networks, and circuits; software (either installed or physical instances); virtual computing platforms (which are common in cloud and virtualized computing); related hardware (e.g., locks, cabinets, keyboards); and people and intellectual property (including software).
Note: Assets are the lowest level at which IT is planned, acquired, implemented, and operated.
All IT hardware and software shall be associated with the comprising system or investment and tracked and monitored throughout its life cycle, in accordance with the NRC's IT asset management processes.
IT investment refers to the expenditure of IT resources to enable mission delivery and management support. An IT investment may include one or more projects for the DME or maintenance of either a single IT asset or a group of IT assets with related functionalities, or for the subsequent operation of the asset(s) in a production environment.
Note: All IT investments shall have a defined life cycle with start and end dates, with the end date representing the end of the currently estimated useful life of the investment, consistent with the investment's most recent alternatives analysis, if applicable. When an asset is essentially replaced by a new system or technology, the replacement shall be reported as a new, distinct investment, with its own defined life cycle information.
There are five types of IT investment:
(1) Funding transfer investment refers to the portion of funding a partner agency contributes to an investment managed by another agency. The description of the investment should indicate the unique investment identifier (UII) of the managing partner's investment.
Note: As a partner agency on multiple funding transfer investments (e.g., E-Gov, line-of-business (LoB), and shared services), the NRC shall budget for and report the funding provided to each managing agency on the Agency IT Portfolio Summary that it submits to the OMB. During the Select process, funding transfer investments shall be considered in the alternatives analysis. If a funding transfer investment is not selected, the agency must provide a business justification for the solution selected instead, which must be approved by the CIO and submitted to the OMB for approval.
(2) IT migration investment refers to the costs associated with a partner agency's migration to a shared service that are not captured by the managing partner. The description of the investment should indicate the UII of the managing partner's investment.
Note: The NRC shall plan, budget for, and report the IT cost of migrating to new investments or to funding transfer investments. When migrating to a funding transfer investment, the NRC shall report the cost as an IT migration investment in the Agency IT Portfolio Summary. When migrating to a new investment that is not a funding transfer investment, the NRC shall report the cost as planning DME in the new investment's life cycle cost table.
(3) Major IT investment refers to an IT investment requiring special management attention because of its importance to the mission or function of the Government; significant program or policy implications; high executive visibility; high development, operating, or maintenance costs; unusual funding mechanism; or definition as major through the agency's CPIC process. Major IT investments include all major automated information systems (as defined in 10 U.S.C. 2445) and all major acquisitions (as defined in the Capital Programming Guide) that include information resources. The OMB may work with the agency to declare IT investments as major IT investments. Agencies must consult with assigned OMB desk officers and resource management offices to determine which investments are considered major.
(4) Nonmajor investment refers to any investment in the agency's IT portfolio that does not meet the definition of a major IT investment, funding transfer investment, or IT migration investment.
(5) Standard investment refers to an IT infrastructure investment that has disaggregated to its discrete components, which are managed separately.
IT program managers and IT project managers are the personnel who lead the IPT for a given investment. In some cases, IT program or project managers can hold positions in other classification series; however, they must still meet the applicable Federal certification or IT program management experience requirements. Further definitions are available in the Office of Personnel Management's Job Family Standard for Administrative Work in the Information Technology Group (Series 2200 in the Federal Classification and Job Grading Systems).
IT resources include all of the following:
- agency budgetary resources, personnel, equipment, facilities, and services that are primarily used in the management, operation, acquisition, disposition, or transformation of IT, or in other activity related to the IT life cycle
- acquisitions or interagency agreements that include IT, and the services or equipment they provide
IT resources do not include grants to third parties that establish or support IT not operated directly by the Federal Government.
IT service refers to a means of delivering IT, together with any personnel or processes of value, to facilitate outcomes that customers want to achieve without the costs and risks of ownership.
Integrated project team (IPT) refers to a multidisciplinary team associated with an IT investment. Each IPT is led by an IT program or project manager responsible and accountable for planning, budgeting, and procurement, as well as life cycle management to achieve the investment's cost, schedule, and performance goals. Team skills include budgetary, financial, capital planning, procurement, user, program, architecture, EVM, security, and other skills, as appropriate.
Note: For the OMB to approve the budget for a major IT investment, its IPT must include at least the following:
- a qualified, fully dedicated IT program/project manager
- a contracting specialist, if applicable
- an IT specialist
- an IT security specialist
- a business process owner or SME
The IPT might also include the following:
- an enterprise architect
- an IT specialist with specific expertise in data, systems, or networks
- a capital planner
- a budget contact
- a contracting officer's representative
- an information system security officer
- a performance specialist
Key members of the IPT should be co-located during the most critical junctures of the program, to the maximum extent possible. Agencies should establish individual performance goals for IPT members, to hold them accountable for both individual functional goals and the overall success of the program. The IPT should be defined in a program or an IPT charter.
Interagency acquisition refers to the use of the Federal Supply Schedules, a multiagency contract (i.e., a task order or delivery order contract established by one agency for use by multiple Government agencies to obtain supplies and services, consistent with the Economy Act, 31 U.S.C. 1535), or a Governmentwide acquisition contract (i.e., a task order or delivery order contract for IT established by one agency for Governmentwide use, operated by an executive agent, as designated by the OMB pursuant to CCA Section 11302(3)).
Life cycle costs are all costs, including Government full-time equivalents (FTEs), from the beginning of an investment until the end of its estimated useful life (or the composite estimated useful lifetimes of the assets within it), independent of the funding source (e.g., revolving fund, appropriated fund, working capital fund, trust fund). The Capital Programming Guide and OMB Circular A-131 contain more information about life cycle costs.
Maintenance refers to the activity necessary to keep an asset functioning as designed during the operations and maintenance phase of an investment. Maintenance activities include, but are not limited to, operating system upgrades, technology refreshes, and security patch implementations. As defined in SFFAS No. 10, Accounting for Internal Use Software, dated October 9, 1998, maintenance excludes activities aimed at expanding an asset's capacity or otherwise upgrading it to serve needs different from or significantly greater than those originally intended. Such activities are considered DME.
Note: Maintenance activities of notable cost or duration with predetermined start and end dates should be managed as projects and reported in the project and activity tables in Section B of the Major IT Investment Update.
Managing partner refers to the lead agency that is responsible for coordinating the implementation of a funding transfer investment. The managing partner maintains an IT shared service, with approval from agency leadership for intra-agency services and from the OMB for interagency services. The managing partner organization, often referred to as the Program Management Office, develops, implements, and maintains financial and service models, as well as contracts with customers and suppliers, using strategic sourcing vehicles whenever practicable. The Program Management Office is responsible for the success of the IT shared service; it reports on its intra-agency shared service using the agency's own metrics, and on interagency LoBs using metrics developed by the Federal CIO Council's Shared Services Subcommittee. Managing partners are also responsible for maintaining contracts with customer agencies that allow the customer agency to terminate the contract if specified levels of service are not maintained.
Modular development refers to the approach of delivering investments, projects, or activities of a specified capability by progressively expanding on delivered capabilities until the full capability is realized. Investments may be decomposed into discrete projects, increments, or useful segments, each of which is undertaken to develop and implement products and capabilities that form part of the overall investment. The OMB's Contracting Guidance to Support Modular Development, dated June 14, 2012, provides more information.
Operational analysis (OA) refers to a method of examining the ongoing performance of an operating asset and measuring it against established cost, schedule, and performance goals.
An OA is by nature less structured than the performance reporting methods applied to developmental projects. It should trigger considerations of how to better meet the investment's objectives, how to reduce costs, and whether the organization should continue performing a particular function. The Capital Programming Guide contains guidance on OAs. Best practices also appear in the Government Accountability Office (GAO) report GAO-13-87, Information Technology: Agencies Need to Strengthen Oversight of Billions of Dollars in Operations and Maintenance Investments, issued October 2012.
Operations refers to the day-to-day management of an asset while it is in a production environment, producing the same product or providing a repetitive service. Operations include, but are not limited to, activities in data centers, help desks, operational centers, telecommunication centers, and end-user support services.
Operations and maintenance refer to the expenses required to operate and maintain an IT asset that is operating in a production environment. It includes costs associated with operations, maintenance activities, and maintenance projects needed to sustain the asset at the current capability and performance levels. Specifically, it covers the costs of Federal and contracted labor, corrective hardware and software maintenance, voice and data communications maintenance and service, replacement of broken or obsolete IT equipment, overhead, business operations and commercial services, and asset disposal. It is also commonly referred to as steady state.
Partner (customer) agency refers to the agency in an inter- or intra-agency collaboration, such as an E-Gov, LoB initiative, or Federal shared service, that contracts with and pays a managing partner for an IT shared service. While the managing partner handles major contract issues and resolves escalation items with suppliers, the partner agency may need to interact with suppliers to handle day-to-day service issues. The partner agency usually provides resources (e.g., funding, FTEs) for the management, development, deployment, or maintenance of a common solution. The partner agency is also responsible for including the appropriate line items in its own IT Portfolio Summary budget submission to reflect the amount of its contribution to each of the initiatives for which it provides resources.
Planning refers to preparing, developing, or acquiring the information needed to design an asset; assessing the benefits, risks, and risk-adjusted costs of alternative solutions; and establishing realistic cost, schedule, and performance goals for the selected alternative, before either proceeding to full acquisition or terminating the project.
Note: Before the acquisition phase can begin, planning must progress to the point where the agency is ready to commit to specific goals for the completion of the acquisition.
Information-gathering activities and tools to support planning may include the following:
- market research on available solutions (see Federal Acquisition Regulation (FAR) Part 10, Market Research)
- architectural drawings
- engineering and design studies
- prototypes
Planning may be general, for the overall investment, or it may be specific to a useful component. For investments developed or managed using an iterative or agile methodology, planning will occur throughout the entire acquisition, focusing on each iteration or sprint.
Post-implementation review (PIR) refers to an evaluation of how successfully the objectives of an investment or project were met and how effectively the project management practices kept it on track. A PIR can be conducted after the completion of a project or at the conclusion of the implementation phase of an investment. The Capital Programming Guide contains additional details on the PIR process.
Privacy impact assessment (PIA) refers to the process for examining the risks and ramifications of using IT to collect, maintain, and disseminate information in identifiable form from or about members of the public. PIAs are also used to identify and evaluate protections and alternative processes to mitigate the privacy impact of collecting such information.
Consistent with OMB Memorandum M-03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, dated September 26, 2003, agencies must conduct and make publicly available PIAs for all new or significantly altered IT investments that administer information in identifiable form collected from or about members of the public.
Programming refers to an integrated process within an agency that focuses on the planning, budgeting, procurement, and management of a program to achieve the agency's strategic goals and objectives with the lowest overall cost and least risk.
Note: Any program that leverages IT to support its mission shall include the CIO in its programming to advise on and approve the IT aspects of the program.
Project refers to a temporary endeavor undertaken to provide a unique product or service. A project has a defined start and end point and specific objectives that, when attained, signify completion. Projects can be undertaken for the DME, disposal, or maintenance of an IT asset.
Projects are composed of activities.
Note: When reporting project status, to the maximum extent practicable, agencies should detail the characteristics of increments under modular contracting, as described in the CCA, and the characteristics of useful segments, as described in OMB Circular A-130.
Risk management refers to a systematic process of identifying, analyzing, and responding to risk. It includes maximizing the probability and consequences of positive events and minimizing the probability and consequences of adverse events. Risk management should be conducted throughout the entire life cycle of a program.
Risk management plan refers to a documented and approved plan, developed at the onset of an investment and maintained throughout, that specifies the investment's risk management process.
Shadow (hidden) IT refers to IT spending that is not fully transparent to the agency CIO, and to IT resources included in a program whose primary purpose is not IT related. An example would be a grants program in which a portion of the spending goes to equipment, systems, or services that provide IT capabilities for administering or delivering the grants.
Shared service refers to a service that one Federal organization provides to other Federal organizations that are outside the provider's organizational boundaries. Shared services may be intra-agency or interagency. There are three categories of shared services in the Federal Government:
(1) Common solutions: technology or contracts that can be used by more than one Federal agency. May be Government-to-Government or citizen-to-Government.
(2) Shared services: services consolidating routine or standard operations to a limited number of organizations. May use common solutions (technology or contracts) and share human resource expertise either within an agency or across agencies.
(3) Centralized services: services providing a single Governmentwide location for highly standardized activities, allowing organizations and users to benefit from consistent and uniform processes.
Note: Shared commodity IT and support services are considered to be IT; associated costs must be included and reported as part of the IT Portfolio Summary.
Shared service provider refers to the provider of a technical solution or service that supports the business of multiple agencies using a shared architecture. For multiagency services, this is the managing partner of the investment.
TechStat sessions are a tool for anticipating critical problems in an investment, turning around underperforming investments, or terminating investments if appropriate. Agencies report the outcomes of all TechStat sessions through the quarterly Integrated Data Collection (IDC) process.
Unique investment identifier (UII) refers to a persistent numeric code applied to an investment in an agency's IT portfolio that allows it to be identified and tracked across multiple fiscal years.
The UII consists of a three-digit agency code linked with a unique nine-digit investment number generated by the agency. Some nine-digit numbers are reserved for the OMB to assign to funding transfer investments and may not be assigned by agencies.
Capital Planning and Investment Control Policy
All NRC IT resources shall be managed in accordance with Federal mandates, OMB requirements, and agency procedures. This policy establishes the business rules and guidelines for the management and oversight of IT resources, including FTEs, under all IT investments, except where it is stated that the rules apply only to major IT investments.
Planning, Programming, Budgeting, and Selecting
(1) All IT resources shall be planned, budgeted, executed, and reported under an approved IT investment in the NRC IT Portfolio Summary submitted to the OMB during the annual budget submissions.
(2) For each IT investment, descriptive and financial data (including data on the investment's performance and the expenditure of IT resources) must be developed and maintained to justify the budget request to the OMB and Congress.
(3) An IT investment shall be classified as a major IT investment if it meets one or more of the following OMB criteria:
- importance to the mission or function of the Government
- significant program or policy implications
- high executive visibility
- high development, operations, or maintenance costs, which the NRC defines as budget planning year costs of $10 million or more²
- unusual funding mechanism
- financial systems with annual cost and spending of $500,000 or more, as dictated by mandates and guidance on financial systems, such as OMB Circular A-127
- definition as major by the NRC's CPIC process
All other NRC IT investments are considered nonmajor or standard investments, apart from funding transfer investments and IT migration investments. The NRC is a partner agency on a number of investments managed by other agencies. These investments are considered major IT investments of the managing agencies, and the NRC shall report contributions to the managing partners in the NRC IT Portfolio Summary.
(4) During the planning, programming, and budgeting processes, all IT resources shall be identified and separated from non-IT resources to allow visibility to the CIO and the IT/Information Management (IM) Portfolio Executive Council (IPEC). Budgeting for IT resources in all programs (not just programs that are primarily IT-oriented) shall follow the IT budget guidance issued by the Office of the Chief Information Officer (OCIO) and shall take place in tandem with the overall agency budget formulation process issued by the Office of the Chief Financial Officer (CFO). The budgeting process includes defining the level of detail at which IT resources are budgeted and, in consultation with the Chief Acquisition Officer (CAO), defining processes to track planned versus actual expenditures for all transactions that include IT resources. The Chairman is regularly briefed on the status of IT investments and activities.
² The OMB establishes the criteria for a major IT investment but allows agencies to establish the dollar threshold.
(5) As a co-chair of the IPEC, the CIO shall advise on and approve the IT aspects of all programs. In the case of major IT investments, more extensive involvement shall occur through monthly updates, CIO evaluations, and CIO TouchPoints.
(6) The IT budget formulation process and the annual agency IT Portfolio Summary submission process shall ensure that the budget justification materials in the NRC's initial budget submission receive the appropriate CIO approvals and certifications and include the corresponding affirmation statements, as listed in OMB Circulars A-130 and A-11.
(7) The CIO and CFO shall define and, as the co-chairs of the IPEC, shall oversee the process by which the CIO, CFO, CAO, and Chief Human Capital Officer (CHCO) work with program leadership to plan an overall IT portfolio that efficiently and effectively leverages IT to further program and business objectives aligned to the agency's Strategic Plan.
(8) An IT investment's justification, cost, schedule, measurement indicators, and other management and technical artifacts shall describe the discrete and unique set of IT products and services it encompasses and how they contribute to the NRC mission or mission support functions. For all major IT investments, the agency shall document and report all of the above to the OMB (when requested).³
(9) Major IT investments shall adhere to the principles established by the OMB in Appendix 6, Principles of Budgeting for Capital Asset Acquisitions, to the Capital Programming Guide.
(10) No two IT investments shall serve the same purpose or deliver the same discrete and unique set of products or services. If duplicative investments are identified, an alternatives analysis shall be performed, and a plan developed to eliminate the duplication and associated cost.
(11) When two or more IT investments deliver products or services through the same IT component (i.e., system or platform), the set of products or services delivered through that component by each investment shall be discrete and unique and clearly distinguishable from the products and services delivered by the other investments through the same component. In addition, there must be a consistent, reliable means of determining an equitable cost of the shared platform for each investment, to ensure accurate planning, budgeting, and reporting of the total cost of ownership of each investment.
³ NRC CPIC procedures for Major IT Business Cases are based on the OMB's annual IT Budget–Capital Planning Guidance issued as part of OMB Circular A-11.
(12) All IT investments shall have a defined life cycle with start and end dates, with the end date representing the end of the currently estimated useful life of the investment, consistent with the investment's most recent alternatives analysis, if applicable. When an asset is essentially replaced by a new system or technology, the replacement shall be reported as a new, distinct investment, with its own defined life cycle information.
(13) Information security, privacy, records management, public transparency, and supply chain security issues must be considered for all resource planning and management activities throughout a system's development life cycle.
(14) All major IT investments shall have a committed IPT comprising the required minimum membership (as noted in the definition of IPT) and program charter. All IT projects shall have an IPT, project charter, project management plan, and schedule.
(15) Alternatives analysis shall be performed for investments with projects in the planning or DME stages. The alternatives analysis shall include both Government-provided (internal, interagency, and intra-agency) and commercially available options, as well as cloud solutions, where applicable.
(16) The alternatives analysis for a new investment shall include the Three-Step Software Solutions Analysis described in OMB Memorandum M-16-21, which addresses Federal source code policy.
(17) To strengthen understanding of the requirements for an IT service, qualitative and quantitative research methods shall be used to determine the goals, needs, and behaviors of current and prospective managers and users of the service.
(18) All acquisition planning shall adhere to the planning provisions in FAR Subpart 7.1, Acquisition Plans, and FAR Part 10.
(19) Planning for IT acquisitions shall substantiate the NRC's commitment to achieving specific goals through the completion of each acquisition. Planning activities and results shall be documented, and final plans approved before the acquisition phase begins. For investments developed or managed using an iterative or agile methodology, proper planning for each iteration or sprint shall be conducted throughout the life of the investment.
(20) All IT hardware and software shall be planned, acquired, deployed, managed, and disposed of under IT investments in the NRC's IT Portfolio Summary and in accordance with the NRC's IT asset life cycle management processes and procedures.
(21) In analyzing and prioritizing IT investments for selection into the agency IT portfolio, all decisions to select (acquire or develop) an information system technology or service shall be merit-based and shall consider factors including, but not limited to, the following:
- alignment to the NRC's Strategic Plan
- ability to meet operational or mission requirements
- conformance to the current and target EA and alignment to the Enterprise Roadmap
- total life cycle costs of ownership and ability to sustain such costs
- performance
- security risks
- interoperability
- privacy
- accessibility
- ability to be shared or reused
- resources required to switch vendors to avoid being locked in
- availability of high-quality support at a reasonable cost
(22) The decision to improve, enhance, or modernize an existing IT investment or to develop a new IT investment shall be based on an alternatives analysis that covers both Government-provided (internal, interagency, and intra-agency, where applicable) and commercially available options, from which the option offering the best value to the Government shall be selected.
(23) Preference shall be given to using available and suitable Federal information systems, technologies, or shared services or information-processing facilities, or to acquiring open-source or commercially available off-the-shelf software or technologies, over developing or acquiring custom or duplicative solutions.
(24) Decisions to acquire custom or duplicative solutions must be justified by their overall life cycle cost-effectiveness or their ability to meet specific high-priority mission or operational requirements.
(25) The security levels of information systems shall be commensurate with the risk that may result from unauthorized access, use, disclosure, disruption, modification, or destruction of the information they contain, consistent with NIST standards and guidelines.
Acquiring Information Technology and Services
When acquiring IT and IT services, the NRC shall adhere to the following:
- all relevant Federal mandates, such as 41 U.S.C. 2308, Modular Contracting for Information Technology
- OMB policy, including but not limited to the category management policies for improving the acquisition and management of common IT, such as the following:
- laptops and desktops (OMB Memorandum M-16-02)
- software licensing (OMB Memorandum M-16-12)
- mobile devices and services (OMB Memorandum M-16-20)
- the FAR, including the planning provisions in Subpart 7.1 and Part 10 to be implemented before an acquisition
- NRC Management Directive 11.1, NRC Acquisition of Supplies and Services, dated May 9, 2014
During the acquisition process, all of the above must be referenced and applied as appropriate. This includes, but is not limited to, the following policy guidelines:
(1) Develop a thorough benefit-cost analysis of all procurement requirements based on market research, including an alternative analysis.
(2) Effectively use competition, analyze risks (including supply chain risks) associated with potential contractors and the products and services they provide, and allocate risk responsibility between the Government and the contractor.
(3) Conduct definitive technical, cost, and risk analyses of alternative design implementations, considering, for example, the full life cycle costs of IT products and services, which include but are not limited to planning, analysis, design, implementation, sustainment, maintenance, recompetition, and retraining costs, scaled to the size and complexity of individual requirements.
(4) When developing planned information systems, consider existing Federal contract solutions or shared services available from within the same agency, from other agencies, or from the private sector, to avoid duplicative investments.
(5) Initiate development of new information systems or of custom solutions to improve existing information systems only when no existing private-sector or Government source can efficiently meet the need, taking into account long-term sustainment and maintenance.
(6) Structure acquisitions for major IT investments into useful segments, each of narrow scope and brief duration, to reduce risk, promote flexibility and interoperability, increase accountability, and better match mission need with current technology and market conditions.
(7) To the extent practicable, award modular contracts for IT, including orders for increments or useful segments of work, no more than 180 days after issuing the solicitation. If an award cannot be made within 180 days, consider canceling the solicitation. The IT acquired should be delivered no more than 18 months after the solicitation was issued.
(8) Align IT procurement requirements with the agency's strategic goals.
(9) Promote innovation in IT procurements; in particular, conduct market research to maximize the use of innovative ideas.
(10) Include requirements for security, privacy, accessibility, records management, and other relevant considerations in solicitations.
(11) Ensure that the CIO reviews and approves all acquisition strategies, plans, and requirements (as described in FAR Part 7, Acquisition Planning) and all interagency agreements (such as those used to support purchases through another agency) that involve IT. These approvals shall consider the following factors:
- alignment with mission and program objectives in coordination with program leadership
- appropriateness with respect to the mission and business objectives supported by the NRC's IRM Strategic Plan
- inclusion of innovative solutions
- appropriateness of contract type for IT-related resources
- appropriateness of IT-related portions of statement of needs or statement of work
- ability to deliver functionality in short increments
- inclusion of Governmentwide IT requirements, such as information security
- opportunities to migrate from and retire end-of-life software and systems
(12) Consistent with the FAR, include in contracts for custom software development provisions that reaffirm the right to reuse the software throughout the Federal Government.
(13) Enter all acquired IT hardware and software into the NRC's IT asset inventory and management tools.
Information Technology Investment Design and Management
The NRC shall, to the extent practicable and financially responsible, implement the following requirements:
(1) Information systems and processes shall support and maximize interoperability and access to information, where appropriate, by using documented, scalable, and continuously available application programming interfaces and open machine-readable formats.
(2) Information systems and technologies must facilitate interoperability, application portability, and scalability across networks of heterogeneous hardware, software, and communications platforms.
(3) When ICT is developed, procured, maintained, or used, it must be in compliance with Title 36 of the Code of Federal Regulations 1194.1, Standards for Section 508 of the Rehabilitation Act.
(4) In designing, developing, integrating, or implementing IT solutions, the practices and architecture must conform to the NRC IT/IM Technical Standards.
(5) All information life cycle processes and stages, including the design, development, implementation, and decommissioning processes for information systems, must fully incorporate electronic records management (ERM) functions, policies, and retention and disposition requirements or have electronic recordkeeping mitigation strategies in place.
Laws and regulations under the National Archives and Records Administration (NARA) require agencies to manage information throughout the lifecycle regardless of the media. This applies particularly to Internet resources, including storage solutions and cloud-based services such as software as a service, platform as a service, and infrastructure as a service.
(6) A PIA and security impact assessment must be performed up front, and the appropriate security planned, budgeted, and built in at the start of the project.
(7) IT investments shall use an EVMS and Integrated Baseline Review, when appropriate, as required by FAR Subpart 34.2, Earned Value Management System. When an EVMS is required, agencies must have a documented process for accepting a contractor's EVMS. When an EVMS is not required, a baseline validation process must be implemented as part of an overall investment risk management strategy consistent with OMB guidance.
(8) All IT development projects shall appropriately implement incremental development and modular approaches, as defined in the OMBs Contracting Guidance to Support Modular Development.
(9) Maintenance activities of notable cost or duration with pre determined start and end dates should be managed as projects. In the case of major IT in vestments, the project and activity tables in Section B of the Major IT Investment Upd ate shall track, monitor, and report the cost and schedule.
(10) For operational investments, OAs shall be performed until a decision is made to reevaluate the investment or to resume DME.
(11) All applicable decisions about system and service investments shall be reflected in new or updated entries (e.g., system, service, application) in the NRC information system inventory, as required by statute (44 U.S.C. Chapter 35, Coordination of Federal Information Policy, among others) and OMB policy.
Responsibilities
Responsibilities of the Chairman
Review the IT budget request included in the overall agency budget recommended by the Executive Director for Operations (EDO) and the CFO and submit final recommendations to the Commission.
Responsibilities of the Commission
Review and approve the agency's IT budget request as part of the overall agency budget.
Responsibilities of the Executive Director for Operations
(1) Serve as the Chief Operating Officer and, as such, supervise the activities of the Assistant for Operations, who serves as the Performance Improvement Officer, in accordance with the GPRAMA.
(2) Ensure that the NRC's planning and budgeting process for IT investments is consistent and integrated with the agency's overall planning, budgeting, and performance management (PBPM) process.
(3) Ensure that program office and IT officials participate in the PBPM process for IT investments throughout their life cycle.
(4) Ensure that statutory responsibilities for IT investments and their oversight are appropriately assigned to the agency's CIO.
(5) Together with the CFO, review and approve the selections and budget for the annual IT investment portfolio recommended by the IPEC and submit recommendations to the Chairman.
(6) Assign the CIO to be the Designated Approving Authority formally responsible for approving the operation of an IT system at an acceptable level of risk based on an agreed-on set of implemented security controls, in accordance with the Federal Information Security Management Act and NIST guidelines.
Responsibilities of the Chief Information Officer
(1) Assist and act for the EDO in executing the EDO's responsibility for IT infrastructure, application development, project management, IM services, and information system security oversight.
(2) Oversee, guide, and coordinate with the Deputy CIO and the Chief Information Security Officer.
(3) Develop and implement an agencywide framework of policies, processes, and procedures for IT investment management, strategic planning and EA, information and records management, and information security. This framework should support the NRC's mission, conform to Federal statutes and regulations and to OMB and GAO guidance, and be consistent with the NRC's overall PBPM programs.
(4) Co-chair the IPEC with the CFO, set the agenda for and facilitate meetings to achieve the IPEC's goals and objectives, and approve revisions to its charter, as needed.
(5) As co-chair of the IPEC, jointly with the CFO, define the level of detail with which IT resources are described distinctly from other resources throughout the planning, programming, and budgeting stages. The level of detail provides transparency for the IT budget and serves as the primary input for the IT CPIC documents submitted to the OMB with the agency's overall budget.
(6) Review and approve the major IT portion of the budget request; the CFO shall affirm this CIO approval in the NRC's budget justification materials.
(7) Review and collaborate with program leadership on planned IT support for major program objectives and significant increases and decreases in IT resources.
(8) Jointly with the CFO, affirm that the IT portfolio contains appropriate estimates of all IT resources included in the IT budget request.
(9) Jointly with the CFO and the IPEC, provide an executive IT investment review function as required by the OMB, make decisions on the IT portfolio, and recommend the IT budget to the EDO for consideration in the NRC's overall budget.
(10) Establish other executive and technical review or advisory bodies, as necessary, to involve business and technical SMEs in IT investment planning and management oversight; ensure agencywide coordination; and fulfill CPIC requirements for IT investments, strategic planning and EA, security, and information and records management policies, as stated in the Capital Programming Guide and OMB Circular A-130.
(11) Jointly with the CFO and CAO, define agencywide policy for the level of detail of planned expenditure reporting for all transactions that include IT resources.
(12) As a member of the Strategic Sourcing Group, review and approve all acquisitions over $1 million, and provide oversight to ensure that all acquisition strategies and plans that involve IT apply adequate incremental development principles, use appropriate contract types, contain appropriate statements of work for the IT portions, support the mission and business objectives in the IT strategic plan, and align mission and program objectives (in consultation with program leadership).
(13) Review and approve all new IT purchases, regardless of dollar value.
(14) Recommend to the Commission any movement of funds for IT resources that requires congressional notification.
(15) Jointly with the CHCO, develop a set of competency requirements for IT and IT acquisition staff (including IT and IT acquisition leadership positions), and develop and maintain a current workforce planning process so that the agency can anticipate and respond to changing mission requirements, maintain workforce skills in a rapidly developing IT environment, and recruit and retain the IT talent needed to accomplish its mission. Continually assess the existing IT workforce to identify deficiencies and provide such assessments to the Chairman as part of the annual Human Capital Commission Briefing.
(16) Formally assume responsibility for operating major systems and networks at acceptable risk levels; evaluating the mission, business case, and budgetary needs for NRC systems in view of their security risks; and permitting or denying operations or use based on security risk.
(17) Provide an annual report on the NRC Cybersecurity Program, the NRC Privacy Program, and the findings of the NRC Inspector General's review of these programs, signed by the Chairman.
(18) Oversee the NRC Cybersecurity Program, which provides a quarterly report on the information security responsibilities of all senior agency officials, using a cybersecurity performance metric based on five major criteria: (1) computer security awareness training, (2) role-based training, (3) continuous monitoring, (4) cybersecurity incidents, and (5) phishing.
(19) As part of regular CIO evaluations, perform risk reviews covering three major areas: (1) managing active risks, (2) maintaining risk logs and actively managing risk mitigation strategies, and (3) identifying and managing risk triggers.
(20) As part of the CIO evaluations, review investments that meet the criteria for a TechStat. A TechStat is required for any high-risk investment that remains red or at risk for 3 consecutive months or more.
(21) Jointly with the CAO, share acquisition and procurement responsibilities. The CIO reviews all IT-related cost estimates and ensures that all acquisition strategies and plans that involve IT apply adequate incremental development principles.
Responsibilities of the Capital Planning and Investment Control Team
(1) Facilitate IT SME reviews for policy compliance, security, IT project management, and infrastructure impact, and consolidate SME recommendations for the IPEC.
(2) Facilitate IT investment reviews (e.g., Control Reviews, TechStats, CIO TouchPoints) with the CIO and appropriate IT governance boards.
(3) Coordinate with the Enterprise Architect to verify mapping between the NRC's EA and the Federal EA, and to ensure that investments align with the NRC's Strategic Plan, IT/IM Strategic Plan, and Enterprise Roadmap.
(4) Coordinate with the NRC's Program and Project Management Team to establish project control gates and to ensure that project management standards and best practices are implemented throughout the life cycle of each IT investment.
(5) Coordinate with other functional areas of OCIO on security-related requirements to support the development and review of IT business cases and project plans and the monitoring and evaluation of IT investments throughout their life cycle.
(6) Help IT investment owners understand and comply with the CPIC process and related OMB requirements, including preparation of the NRC's IT Portfolio Summary and Major IT Business Case submissions.
(7) Work with IPTs and IT program and project managers for each major investment to update Major IT Business Cases and ensure complete and timely submission of updates to the OMB.
(8) Serve as a single point of contact for NRC inquiries about IT governance and CPIC processes and procedures.
(9) Coordinate input for the annual IT planning and budgeting guidance.
(10) Maintain an inventory of the agency's capitalized IT investments (i.e., Major IT Business Cases), and provide the current list to the Office of the Chief Financial Officer for inclusion in the NRC's budget justification materials.
(11) Provide input to educational outreach activities and training related to CCA, FITARA, and OMB requirements, and present training to IPTs and IT project managers on the CPIC portfolio and investment management and submission tool, OMB reporting requirements, and the NRC's IT governance.
(12) Establish requirements and criteria for selecting investments for the NRC's IT portfolio.
(13) Define and implement processes and procedures to monitor and evaluate IT investments throughout their life cycle.
(14) Serve as the secretariat for the IPEC, scheduling meetings, developing agendas, coordinating briefings and reviews, taking minutes to document decisions and action items, and tracking action items to completion.
Other Responsibilities
Current charters fully describe and maintain the responsibilities of the IPEC, acquisition review boards, and IPTs. NRC Management Directive 2.8, Integrated Information Technology/Information Management (IT/IM) Governance Framework, dated February 24, 2016, describes the responsibilities of the Enterprise Architect and the project management function. The NRC Information Technology Asset Management Policy, issued December 2016, describes the responsibilities of the hardware asset manager and software manager.
The NRC uses NUREG-1908, Information Technology/Information Management Strategic Plan, to outline and refine internal processes, focusing on three key components: to empower, protect, and serve. Across both the public and the private sector, there is increased focus on using technology to create transparency and efficiency and to improve the customer experience, both internally and externally. OCIO has completed a benchmark of the IT/IM Strategic Plan, and the NRC is in alignment with industry standards in both the private and the public sector.
As of November 2019, the NRC has met the requirements established by Congress in 2014, which include a special provision for the GAO to annually review agencies' data center inventories and strategies. The GAO's objectives were to (1) evaluate agencies' progress and plans for data center closures and cost savings, (2) assess agencies' progress against the OMB's data center optimization targets, and (3) identify effective agency practices for achieving data center closures, cost savings, and optimization targets. The GAO attained these objectives, presenting the results in GAO-16-323, Data Center Optimization: Agencies Making Progress, but Planned Savings Goals Need to Be Established, dated March 4, 2016, and GAO-19-241, Data Center Optimization: Additional Agency Actions Needed to Meet OMB Goals, dated April 11, 2019. The NRC has met all requirements for maintaining an inventory and consolidating and optimizing data centers, as posted in the OMB IT Dashboard.
Capital Planning and Investment Control Overview
The NRC CPIC is critical to the management and oversight of the agency's IT resources. It provides a mechanism for delivering high-quality information and recommendations to executive decisionmakers on investments to be included in the IT portfolio.
Recognizing that IT investment management is dynamic, the NRC selects and continuously monitors and evaluates the investments in its IT portfolio to ensure that they effectively and efficiently support the agency's mission and strategic goals. The NRC's CPIC processes are designed to facilitate sound IT governance and the maturation of the NRC's IT investment management. The CPIC model relies on three distinct, yet interdependent, sets of processes: (1) Select, (2) Control, and (3) Evaluate. An investment can be active concurrently in multiple CPIC processes. After an investment is initially selected and funded, it repeatedly undergoes the Control and Evaluate processes for review and reselection until it is determined to have come to the end of its useful life, at which point it is decommissioned and removed from the IT portfolio.
Select
The purpose of the Select process is to identify the IT investments, projects, and activities that best support the NRC mission and current business needs at acceptable risk levels and as cost-effectively as possible. The key objectives are to analyze the risks and returns of each investment or project before committing funds, and to select or reselect those investments and projects that will best support mission needs.
The Select process and procedures capture IT investments and their supporting projects and resources for consideration in the overall IT portfolio. Investments considered include both new proposals and current investments being evaluated for reselection, either as-is or with enhancements. Investments being decommissioned also remain in the portfolio until they have been completely removed from the production environment and require no further funding.
Investments are captured, categorized, analyzed, prioritized, and either selected, rejected, or placed on a lower priority or nonfunded list.
New IT investments proposed and selected for funding shall meet the following criteria:
- Support the NRC's core or priority mission functions.
- Fill a performance or capability gap in achieving the NRC's strategic goals and objectives, yielding the maximum benefits at the lowest life cycle cost among viable alternatives.
- Support a function that no alternative private-sector or Government source can more efficiently support.
- Support work processes that have been simplified or otherwise redesigned to reduce costs, improve effectiveness, and make maximum use of commercial off-the-shelf technology.
- Demonstrate a projected best value, based on an analysis of quantifiable and qualitative benefits and costs and projected return on investment, that clearly equals or exceeds that of any alternative uses of available public resources.
  Benefits contributing to best value may include improved mission performance in accordance with GPRA measures; reduced cost; increased quality, speed, or flexibility; and increased customer or employee satisfaction.
  IT investment costs shall be adjusted for such risk factors as the investment's technical complexity, the organization's management capacity, the likelihood of cost overruns, and the consequences of under- or non-performance.
- Be consistent with applicable Federal and NRC enterprise and information architectures.
- Reduce risk by employing measures such as avoiding or isolating custom-designed components so that their failure would have minimal adverse effects on the overall project; using fully tested pilots, simulations, or prototype implementations before beginning production; establishing clear measures and accountability for project progress; and securing substantial stakeholder involvement and buy-in throughout the project.
- Be implemented in phased, successive segments, modules, sprints, or other useful units as narrow in scope and brief in duration as practicable, each solving a specific part of an overall mission problem and delivering a measurable net benefit independent of future segments or modules.
- Adhere to the standards in the NRC's Project Management Methodology 2.0, including the use of required artifacts.
- Adhere to security standards, including the use of required artifacts.
- Employ an acquisition strategy that allocates risk between the Government and contractors, effectively uses competition, ties contract payments to accomplishments, and takes maximum advantage of commercial technology.
Annually, the NRC shall review and evaluate all existing IT investments, based on data collected through the Control process and procedures and analyzed in the Evaluate process and procedures, to determine whether each investment meets the following criteria for reselection and funding:
- The investment continues to meet business needs and expected performance goals.
- Business needs and expected performance goals can be met more cost-effectively by maintaining, enhancing, or modifying the investment than by replacing it.
- The investment's current risk management plan and risk log show effective risk mitigation, including the management and closing of cybersecurity risks identified through continuous monitoring as listed on the investment's plan of actions and milestones.
- The investment adheres to projected costs and expected benefits throughout its life cycle.
Control
The purpose of the Control process is to ensure that, as projects develop and expenditures are made, each investment and its associated projects and activities continue to meet mission or business needs at the expected cost and risk levels. The key objectives are (1) to ensure quick corrective action to address any deficiencies in project or operational components, and (2) to enable the NRC to adjust investment objectives and modify expected outcomes if its mission or business needs have changed.
The Control process and procedures encompass various tools and techniques for monitoring and reporting on the performance of IT investments and the risks associated with them. These are key to obtaining high-quality data on the status of project costs and schedules, risks (including plans of actions and milestones), and investment performance, to inform decisions on changes to investments, projects, or the portfolio. The Control process and procedures include the annual updates and submissions of services, ledgers, and financial data; major IT investment monthly reviews and CIO evaluations; quarterly portfolio reviews; major IT investment control reviews; and CIO TouchPoints. Data and information collected from the monitoring of investments provide input for the evaluation of investments and support OMB reporting requirements.
Evaluate
The purpose of the Evaluate process is to compare actual versus expected benefits and costs of IT investments and projects to assess return on investment, customer satisfaction, and value to the NRC in meeting its mission and business needs. The key objectives are as follows:
- Assess the capacity of a project or investment to meet performance expectations within cost and schedule limits and in compliance with IT policies.
- Identify any modifications needed on an investment (or on its associated projects or activities).
- Update IT investment management policies, processes, and procedures based on lessons learned.
The Evaluate process and procedures are used to analyze IT investment data to support the decision-making required to maximize the value of IT investments and the maturation of the IT portfolio and IT management practices. This entails performing annual OAs, PIRs, and TechStats, as needed. Although all of these activities inform the selection, reselection, and deselection of projects and investments within the IT portfolio, the OA is paramount. The NRC has based its OA process on the requirements in Section III, Management In-Use, of the Capital Programming Guide. The OA allows for a periodic, structured assessment of cost, performance, and risk trends over time to help determine when the cost and risk of an investment outweigh the value it provides.