1.1.4 Agency IT Authorities – OMB Guidance

This section consists of language from OMB guidance that further demarcates, expands upon, or clarifies IT authorities assigned to agencies. This language directly or indirectly tasks the CIO with duties or responsibilities pertaining to IT leadership and accountability. See sections on OMB Memoranda and OMB Circulars for more information about these forms of OMB guidance. See sections on Office of Inspector General (OIG) and Government Accountability Office (GAO) to review how compliance with policies is measured.

Governance
In support of agency missions and business needs, and in coordination with program managers, agencies shall:

Define, implement, and maintain processes, standards, and policies applied to all information resources at the agency, in accordance with OMB guidance;
Require that the CIO, in coordination with appropriate governance boards, defines processes and policies in sufficient detail to address information resources appropriately. At a minimum, these processes and policies shall require that:
1. Investments and projects in development are evaluated to determine the applicability of agile development;
2. Open data standards are used to the maximum extent possible when implementing IT systems;
3. Appropriate measurements are used to evaluate the cost, schedule, and overall performance variances of IT projects across the portfolio leveraging processes such as IT investment management, enterprise architecture, and other agency IT or performance management processes; (Federal Acquisition Streamlining Act of 1994.)
4. There are agency-wide policies and procedures for conducting IT investment reviews, operational analyses, or other applicable performance reviews to evaluate IT resources, including projects in development and ongoing activities;
5. Data and information needs are met through agency-wide data governance policies that clearly establish the roles, responsibilities, and processes by which agency personnel manage information as an asset and the relationships among technology, data, agency programs, strategies, legal and regulatory requirements, and business objectives; and
6. Unsupported information systems and system components are phased out as rapidly as possible, and planning and budgeting activities for all IT systems and services incorporate migration planning and resourcing to accomplish this requirement;
Ensure that the CIO is a member of governance boards that inform decisions regarding IT resources to provide for early matching of appropriate information resources with program objectives. The CIO may designate, in consultation with other senior agency officials, other agency officials to act as their representative to fulfill aspects of this responsibility so long as the CIO retains accountability;
Require that information security and privacy be fully integrated into the system development process;
Conduct TechStat reviews, led by the CIO, or use other applicable performance measurements to evaluate the use of agency information resources. The CIO may recommend to the agency head the modification, pause, or termination of any acquisition, investment, or activity that includes a significant IT component based on the CIO’s evaluation, within the terms of the relevant contracts and applicable regulations;
Establish and maintain a process for the CIO to regularly engage with program managers to evaluate IT resources supporting each agency strategic objective. It shall be the CIO and program managers’ shared responsibility to ensure that legacy and ongoing IT investments are appropriately delivering customer value and meeting the business objectives of the agency and the programs that support the agency; and
Measure performance in accordance with the GPRA Modernization Act and OMB Circular A-11, Preparation, Submission, and Execution of the Budget. (OMB Circular A-130. Managing Information as a Strategic Resource. Policy. July 2016.)

Risk Management

Risk Identification
OMB Circular No. A-123 requires agencies to identify and assess risk as part of the agency’s risk profile. A critical component of developing the risk profile is the determination by management of those risks in which the application of formal internal control activities is the appropriate risk response. (OMB M-18-16. Appendix A to OMB Circular No. A-123, Management of Reporting and Data Integrity Risk M-18-16.June 2018.)

Materiality
Management has responsibility in determining risk to achieving reporting objectives and aligning the level of control activities to provide reasonable assurances over reporting. (Ibid.)

Governance
The responsibilities of managing risks are shared throughout the Agency from the highest levels of executive leadership to the service delivery staff executing Federal programs. (OMB M-16-17. Circular A-123. Management’s Responsibility for Enterprise Risk Management and Internal Control. July 2016.)

Risk Management Council
To provide governance for the risk management function, agencies may use a Risk Management Council (RMC) to oversee the establishment of the Agency’s risk profile, regular assessment of risk, and development of appropriate risk response. RMC structures will vary by Agency, and in some cases may be integrated with existing management structures. An effective RMC will include senior officials for program operations and mission-support functions to help ensure those risks are identified which have the most significant impact on the mission outcomes of the Agency. Should agencies choose to use an RMC, the RMC should be chaired by the Agency [COO] or a senior official with responsibility for the enterprise. In cabinet-level Agencies this is the Deputy Secretary. (Ibid.)

Risk Profile
Agencies must maintain a risk profile. The primary purpose of a risk profile is to provide a thoughtful analysis of the risks an Agency faces toward achieving its strategic objectives arising from its activities and operations, and to identify appropriate options for addressing significant risks. The risk profile must consider risks from a portfolio perspective and be approved by an Agency’s RMC or equivalent. (Ibid.)

Appropriate Content and Format
Agencies have discretion in terms of the appropriate content and format for their risk profiles; however, in general risk profiles should include the following seven components: (Ibid.)

Identification of Objectives
Identification of Risk
Inherent Risk Assessment
Current Risk Response
Residual Risk Assessment
Proposed Risk Response
Proposed Action Category

Risk Identification
The identification of risk is a continuous and ongoing process. Once initial risks are identified, it is important to re-examine risks on a regular basis to identify new risks or changes to existing risks. (Ibid.)

Risk Response
As part of developing the risk profile, management must determine those risks for which the appropriate response includes implementation of formal internal control activities as described in Section III of this guidance and which conform to the standards published by GAO in the Green Book. Identification of the existing management process that will be used to implement and monitor proposed actions. Those proposed actions that will be discussed with OMB as part of the annual Strategic Review must be identified, (OMB Circular A-11. Section 270, Performance and Strategic Reviews) as well as proposed actions to be considered during formulation of the President’s Budget. (OMB M-16-17. Circular A-123. Management’s Responsibility for Enterprise Risk Management and Internal Control. July 2016.)

Annual Reviews
After initial implementation, the agency’s risk profile must be discussed each year with OMB as a component of the summary of findings from the Agency strategic review and FedSTAT. (OMB Circular A-11. Section 270, Performance and Strategic Reviews.)

Risk Governance and Internal Control
Agencies must have a Senior Management Council (SMC) to assess and monitor deficiencies in internal control. This SMC may be a subset of the Risk Management Council; however, agencies have discretion in determining the appropriate structure. A Senior Management Council may include the [CFO], [Chief Human Capital Officer (CHCO)], [CIO], [CISO], [CAO], Senior Agency Official for Privacy, Designated Agency Ethics Official, and Performance Improvement Officer and the managers of other program offices, must be involved in identifying and ensuring correction of systemic material weaknesses relating to their respective programs. (OMB M-16-17. Circular A-123. Management’s Responsibility for Enterprise Risk Management and Internal Control. July 2016.)

Internal Control Sources of Information
The Agency’s assessment of internal control may be documented using a variety of information sources to include: (Ibid.)

Management reviews and annual evaluations and reports related to information technology, information security, and information resources pursuant to the Federal Information Security Modernization Act of 2014 and OMB Circular No. A-130, Responsibilities for Protecting Federal Information Resources;
Outputs of governance mechanisms for information technology resources published by the Agency, pursuant to the “CIO Authorities” described in the Federal Information Technology Acquisition Reform Act (FITARA).

Enterprise Risk Management (ERM) Requirements
All executive agencies are required by OMB Circular No. A-123 to integrate ERM processes and internal controls and are required to include consideration of internal controls over reporting [ICOR] in their annual assurance statement. This update aligns ICOR with existing OMB Circular No. A123 ERM efforts. This framework for internal controls over reporting may be phased in over several years as the agency’s ERM process matures. As an agency’s ERM process matures, the agency risk profile may begin to identify and link some enterprise risks with formal internal controls. As this integration occurs, management must include consideration of these controls in the OMB Circular No. A-123 assurance process. (OMB M-18-16. Appendix A to OMB Circular No. A-123, Management of Reporting and Data Integrity Risk M-18-16.June 2018.)

COVID-19 and Mission Delivery
In response to the national emergency for COVID-19, agencies are directed to use the breadth of available technology capabilities to fulfill service gaps and deliver mission outcomes. The [Harnessing Technology to Support Mission Continuity] “frequently asked questions” are intended to provide additional guidance and further assist the IT workforce as it addresses impacts due to COVID-19. Additional technology related questions should be directed to the Office of the Federal CIO at OFCIO@omb.eop.gov. OMB will continue to provide updates and additional information as needed to support the resiliency of agency missions. (OMB M-20-19. Harnessing Technology to Support Mission Continuity. March 2020.)

Program Management
Program Management Improvement Accountability Act (PMIAA) Implementing Strategy 1 - Coordinated Governance: Overview of Organizational Changes
The PMIAA [established] a new governance structure and function at agencies for advancing the practice of [program/project management (P/PM)] across the Federal Government. This section provides guidance to agencies by describing how agency COOs should integrate P/PM as a component of the agencies’ broader management capabilities, providing the role and responsibilities of the PMIO, and defining the functions and composition of the PMPC.

Roles and Functions of the Program Management Improvement Officer (PMIO)
Improvements in program management should lead to improved program performance and effectiveness that advance progress towards the achievement of agency strategic goals and objectives. In order to enhance and coordinate the practice and application of program management at agencies, PMIOs will: (OMB M-18-19. Improving the Management of Federal Programs and Projects through Implementing the Program Management Improvement Accountability Act (PMIAA). Appendix 2. June 2018.)

Collaborate with and support CIOs to ensure IT programs and projects have trained and qualified program and project managers with the appropriate qualifications per the approved Federal IT PM Guidance Matrix and to enforce FITARA, OMB Memorandum M-04-19, and OMB Memorandum M-10-27 policy for IT programs.

Implementing Acquisition Portfolio Reviews: Acquisition Program Management
Several laws, regulations, and policies have provided direction for acquisition program management, including provisions in the Federal Acquisition Streamlining Act (FASA), the Clinger-Cohen Act, OMB’s Capital Programming Guide, and Part 34 of the Federal Acquisition Regulation (FAR). Agencies have developed detailed policies and procedures to implement these requirements, but too often, this guidance has not been reflected adequately in agency governance structures and protocols.

Identifying IT Programs vs. Non-IT Programs
Reviews of major acquisitions supporting IT programs shall build on portfolio reviews conducted pursuant to FITARA, 44 U.S.C. § 11319. Programs shall be considered IT programs if the investment scope is primarily information technology as defined in FAR Subpart 2.1. Programs with embedded systems or small IT components shall be considered non-IT, but collaboration with CIOs is expected for any significant components of the investment that involve IT. (Ibid, Appendix 5.)

Portfolio Management

Integrated Data Collection (IDC)
[OMB established] an Integrated Data Collection channel for agencies to report structured information. Agencies will use this channel to report agency progress in meeting IT strategic goals, objectives and metrics as well as cost savings and avoidances resulting from IT management actions. This data includes information previously reported by agencies as well as data which agencies [should have reported] by May 15, 2013 and then update every three months thereafter. Subsequent updates will be on the last day of August, November, and February of subsequent fiscal years. Appendix B provides more detail on this Integrated Data Collection and a link to reporting instructions and guidance for the May 15, 2013 deadline. This Integrated Data Collection will draw on information previously reported under PortfolioStat, the FDCCI, the Federal Digital Government Strategy, quarterly Federal Information Security Management Act metrics, the Federal IT Dashboard, and selected human resource, financial management, and procurement information requested by OMB. ( OMB M-13-09. Fiscal Year 2013 PortfolioStat Guidance: Strengthening Federal IT Portfolio Management. March 2013.)

PortfolioStat Sessions
In support of this review process, Agency [COO], on an annual basis, shall be required to lead an agency-wide IT portfolio review within their respective organization (PortfolioStat). A PortfolioStat session is a face-to-face, evidence-based review (e.g., including data on commodity IT investments, potential duplications, investments that do not appear to be well aligned to agency missions or business functions, etc.) of an agency’s IT portfolio.

CIOs, CFOs, and CAOs must support the PortfolioStat process by providing the necessary data and analysis, attending the PortfolioStat meeting, and support all decisions made through the process. This is necessary so that the portfolio-wide review results in concrete actions to maximize the investment in mission and support IT, consolidate the acquisition and management of commodity IT, reduce duplication, and eliminate waste.

To support this process, OMB is requiring that each agency take the following actions: (OMB M-12-10. Implementing PortfolioStat. March 2012.)

Designate Lead for Initiative
Complete a High-Level IT Portfolio Survey
Establish a Commodity IT Investment Baseline
Submit a Draft Plan to Consolidate Commodity IT
Hold PortfolioStat Session
Submit a Final Plan to Consolidate Commodity IT
Migrate at Least Two Duplicative Commodities IT Services
Document Lessons Learned

Agency PortfolioStat Conduct
PortfolioStat is a data-driven tool that agencies use to assess the current maturity of their IT portfolio management processes and select PortfolioStat action items to strengthen their IT portfolio. Covered agencies shall hold PortfolioStat sessions on a quarterly basis with OMB, the agency CIO, and other attendees. (These sessions were previously annual and required the attendance of the agency deputy secretary, see OMB M-12-10. March 2012, OMB M-13-09. March 2013, OMB M-14-08. June 2015.)

Data Management

Code Inventories and Discovery Inventories
Code Inventories and Discovery Inventories are a means of discovering information such as the functionality and location of potentially reusable or releasable custom-developed code. Within 120 days of the publication date of [the Federal Source Code Policy], each agency [should have updated]—and thereafter keep up to date—its inventory of agency information resources to include an enterprise code inventory that lists custom-developed code for or by the agency after the publication of this policy. Each agency’s inventory will be reflected on Code.gov. The inventory will indicate whether the code is available for Federal reuse, is available publicly as OSS, or cannot be made available due to a specific exception listed in this policy. Agencies shall fill out this information based on a metadata schema that OMB will provide on Code.gov. (OMB M-16-21. Federal Source Code Policy: Achieving Efficiency, Transparency, and Innovation through Reusable and Open Source Software. August 2016.)

Open Source Software Policy
As appropriate, Senior Agency Officials should also work with the agency’s public affairs staff, open government staff, web manager or digital strategist, program owners, and other leadership to properly identify, publish, and collaborate with communities on their Open Source Software (OSS) projects. (Ibid.) Each agency’s CIO—in consultation with the agency’s CAO—shall develop an agency-wide policy that addresses the requirements of this document. For example, the policy should address how the agency will ensure that an appropriate alternatives analysis has been conducted before considering the acquisition of an existing commercial solution or a custom-developed solution. In accordance with OMB guidance, these policies will be posted publicly. Moreover, within 90 days of the publication date of this policy, each agency’s CIO office [should have corrected or amended] any policies that are inconsistent with the requirements of this document, including the correction of policies that automatically treat OSS as noncommercial software. (Ibid.)

Open Data Policy
The Clinger-Cohen Act of 1996 assigns agency CIOs statutory responsibility for promoting the effective and efficient design and operation of all major Information Resources Management (IRM) processes within their agency. Accordingly, agency heads must ensure that CIOs are positioned with the responsibility and authority to implement the requirements of the Open Data Policy Memorandum in coordination with the agency’s [CAO], [CFO], Chief Technology Officer, Senior Agency Official for Geospatial Information, Senior Agency Official for Privacy (SAOP), [CISO], [Senior Agency Official for Records Management (SAORM)], and Chief Freedom of Information Act (FOIA) Officer. The CIO should also work with the agency’s public affairs staff, open government staff, web manager or digital strategist, program owners and other leadership, as applicable. (OMB M-13-13. Open Data Policy-Managing Information as an Asset. May 2013.)