FDA STAFF MANUAL GUIDES, VOLUME III - GENERAL ADMINISTRATION
INFORMATION RESOURCES MANAGEMENT
INFORMATION TECHNOLOGY MANAGEMENT
IT INVESTMENT MANAGEMENT
Effective Date: 08/23/2004
This Staff Manual Guide (SMG) establishes Agency IT governance policy to structure how FDA selects, controls and evaluates its information technology (IT) investments. The purpose of this policy is to establish and maintain a partnership, common understanding, quality framework, and decision structure between FDA's business and IT communities that will be followed throughout the life cycle of all IT investments. This partnership begins at the Executive level (i.e., Commissioner, Center Directors, CFO and CIO) with IT policies governing how IT investments are selected, controlled and evaluated. The partnership continues at the Program level (i.e., Center / Office) with IT processes guiding how the IT community can best support business; and extends to the Project level with IT processes and templates guiding what project artifacts are generated to ensure good management and legislative compliance.
This policy is issued to government and contractor staff supporting the Agency in order to establish and sustain a common understanding of how IT investments are to be managed throughout the organization. Reference the IT Project Management Policy for specific guidance on how FDA manages its IT investments at the project level.
The Clinger-Cohen Act (CCA) of 1996 was passed to compel Federal organizations to be fully accountable for economic and efficient management of IT and directed agencies to establish a Chief Information Officer (CIO) position specifically for that purpose.
To be in compliance with the CCA, the Agency requires that investments in IT be driven by FDA business needs / priorities and follow both Federal and Agency guidelines for Capital Planning and Investment Control (CPIC), Enterprise Architecture (EA) and Security. These guidelines are described in "Section 4 - Policy".
The word and term definitions to be used for all IT policy are provided in the FDA Master IT Glossary located on the Office of the CIO Intranet website.
It is the policy of the FDA to govern its IT investment management program in the following manner.
A. IT Portfolio Organization and Accountability
Standard information for all FDA IT Investments is collected and maintained in a single Agency level IT Investment Portfolio managed by the FDA CIO and used to support IT decision making, review board activities, OMB/HHS data calls and management reporting.
At the Program level, Centers and Offices are expected to collect and maintain detailed investment information as defined by the FDA IT Investment Management (ITIM) Lifecycle for each IT investment and be able to demonstrate sound IT management practices as required by the FDA Chief Information Officer (CIO). The level of detail needed to manage an investment should be commensurate with the size and complexity of the investment. Each Center / Office IT Director is responsible for the performance of their Center / Office IT portfolio (collection of IT investments) and the establishment and facilitation of a Center / Office level IT Investment Review Board (ITIRB) to perform required "select-control-evaluate" activities. These activities are described later in this policy. To ensure adequate attention to strategic IT management, Center / Office IT Directors are required to designate staff accountable for:
- Portfolio coordination purposes (i.e., investment review board activities, data calls, stage gate reviews, etc.);
- Enterprise architecture purposes (i.e., monitor EA program compliance, review board activities, technical standards, etc.); and
- Security purposes (i.e., monitor security program compliance, implement & maintain security plan & operations, etc.).
B. Classifying IT Investments
The FDA classifies all IT investments under one of three categories: Major Investments, Tactical Investments and Supporting Non-Major Investments.
Definitions used to define IT investment classification categories are determined by FDA IT management and comply with OMB and DHHS CPIC requirements.
Classification of an IT investment is initially recommended by the Center / Office IT Director and validated by FDA business leaders and the FDA CIO during ITIRB Select activities.
The FDA Investment Summary must be completed and updated periodically for all Major, Tactical and Supporting Non-Major Investments using the Agency's Portfolio Management Tool. All IT Investments must complete additional information as required by the OMB, HHS and FDA budget cycles.
C. IT Acquisition Approval:
The Center / Office IT Director must review and approve all IT acquisitions at any funding level (i.e., Requisitions, Requests for Information/Proposal/Quote, Cooperative Research and Development Agreements, etc.) for their respective Center / Office.
The FDA CIO (or Deputy CIO) must review and approve all IT acquisitions at funding levels greater than $25,000 (i.e., Requisitions, Requests for Information/Proposal/Quote, Cooperative Research and Development Agreements, etc.) for their respective Center / Office.
D. Governance Bodies (IT Review Boards):
The Agency requires that all IT investments be selected, controlled and evaluated by an ITIRB at either the Agency or Center/Office level. The Agency ITIRB / CIO is responsible for reviewing major and crosscutting investments, validating the results of Center / Office level ITIRB activities against Agency goals and priorities, and adjusting the overall Agency IT Portfolio accordingly. Investments not reviewed at the Agency level must be reviewed by the appropriate Center / Office level ITIRB. All ITIRB meetings are conducted at least quarterly to address appropriate "Select-Control-Evaluate" activities. All ITIRB activities and decisions at the Center / Office level must be formally documented and reported to the CIO on a periodic basis.
E. Select Review Process (Portfolio Prioritization and Approval):
The FDA IT Investment Management (ITIM) Select Process is used to annually select all IT investments (new development, steady state and mixed lifecycle) that comprise the overall FDA IT portfolio and supporting sub-portfolios for each Center or Office.
Center/Office Level Select Activities
Center/Office Select Activities are conducted by each Agency component (e.g., Center, ORA and OC) and result in a prioritized portfolio of IT investments with budget estimates for each IT investment to be sponsored by the Center or Office. Specifically, Center / Office IT Directors are required to partner with executive and business leaders to schedule, facilitate and formally document program level ITIRB activities that select and prioritize their IT investments. Center / Office prioritization should focus on unique business needs for the Center / Office level and also identify major and crosscutting IT investments for potential consolidation at the Agency level. Typically, Center / Office Select Activities begin annually in March with documented results provided to the CIO by the end of April.
Agency Level Select Activities
Agency Select Activities are conducted once Center / Office level ITIRB activities have concluded and been reported to the CIO. The Agency's IT portfolio management staff under the CIO compiles the documented Center / Office Select results, conducts appropriate Enterprise Architecture Review Board (EARB) assessment of major and crosscutting IT investments (as necessary), validates overall ITIRB results with the CIO and Center / Office IT Directors, and assists the CIO in presenting the prioritized Agency IT portfolio to the FDA ITIRB for final validation and approval. Unresolved IT issues requiring business action are referred to the appropriate business area or governance body for resolution. Typically, Agency Select activities begin annually in April with documented results provided to the Agency ITIRB by the middle of June.
F. Control Review Process (Monitoring Investment Performance):
The FDA ITIM Control Process is used to monitor the progress of IT investments that include new development or mixed lifecycle activities that comprise the overall FDA IT Portfolio and supporting sub-portfolios for each Center or Office.
Center / Office Level Control Activities
Center/Office IT Directors are required to conduct quarterly Control reviews on all development and mixed lifecycle IT investments in their Center / Office Portfolio. Control review emphasis should focus on cost, schedule and performance of the investment with the results captured in the Agency IT Portfolio Management and Enterprise Architecture tools, as appropriate. Corrective actions/issues can be escalated to the CIO at the discretion of the Center/Office IT Director. All Program level Control review activities must be formally documented and provided to the FDA CIO and Business Sponsor on a quarterly basis.
Agency Level Control Activities
The FDA CIO will conduct quarterly Control reviews on all major and crosscutting investments undergoing new development or mixed lifecycle activities. Control review emphasis should focus on cost, schedule and performance of the investment with the review results captured in the Agency IT Portfolio Management and Enterprise Architecture tools, as appropriate. Agency Control reviews will include assessment by global CIO areas including: Enterprise Architecture, Security, Investment Management and IT Shared Services. Corrective actions/issues can be escalated to the Agency ITIRB at the discretion of the CIO. All Agency level Control review activities must be formally documented and provided to the Agency ITIRB, Business Sponsor and IT Project Manager on a quarterly basis.
G. Evaluate Review Process (Assessing the Existing Portfolio):
The FDA ITIM Evaluate Process is used to evaluate whether steady state IT investments should continue to reside in the overall FDA IT Portfolio and supporting sub-portfolios for the Centers or Offices.
Center / Office Level Evaluate Activities
Center/Office IT Directors are required to conduct annual Evaluate reviews on all steady state IT investments for their Center / Office. Evaluate review emphasis should focus on whether the investment should be planned for disposition or replacement by a new or existing IT investment with review results captured in the Agency IT Portfolio Management and Enterprise Architecture tools. Corrective actions/issues can be escalated to the CIO at the discretion of the Center/Office IT Director. All Program level Evaluate activities must be formally documented and provided to the FDA CIO and Business Sponsor on an annual basis. Typically, Center / Office Evaluate activities take place annually in August with documented results provided to the FDA CIO by the end of September.
Agency Level Evaluate Activities
The FDA CIO will conduct annual Evaluate reviews on all major and crosscutting steady state investments using information captured in the Agency IT Portfolio Management and Enterprise Architecture tools with emphasis on whether the investment should be planned for disposition or replacement by a new or existing IT investment. Agency reviews will include formal assessment by global IT areas including: Enterprise Architecture, Security, Investment Management and IT Shared Services. Corrective actions/issues can be escalated to the Agency ITIRB at the discretion of the CIO. All Agency level Evaluate activities must be formally documented and provided to the Business Sponsor, Agency ITIRB, and HHS on an annual basis. Typically, Agency Evaluate activities take place annually in August with documented results provided to the FDA CIO by the end of October.
To meet the requirements of the CCA and OMB Circular A-11 guidance, the FDA requires a strong partnership between business (i.e., programs) and IT. In order to accomplish this, both business and IT must be involved throughout an investment's lifecycle and have a common understanding of their responsibilities. The responsibilities for all roles and governance bodies are the following:
Agency Information Technology Investment Review Board (ITIRB). The Agency ITIRB is responsible for validating the results of the ITIM select-control-evaluate processes at the Agency and Center / Office levels, approving that the overall IT Portfolio aligns with strategic goals / priorities, authorizing resources for major and cross-cutting investments, and resolving IT issues escalated from FDA Programs or the CIO. The FDA Commissioner or Deputy Commissioner chairs the Agency ITIRB. ITIRB membership is comprised of FDA senior decision-makers including: Center Directors/Deputy Directors, Associate Commissioner for Regulatory Affairs, Chief Financial Officer (CFO), and the Chief Information Officer (CIO). Agency representatives from enterprise architecture, portfolio management, security, and financial management organizations serve as advisors. The Management Council serves as the FDA Agency level ITIRB.
Center / Office Information Technology Investment Review Board (ITIRB). The Center / Office ITIRB performs the same duties as the Agency level entity on investments specific to the Center or Office. Center / Office ITIRBs are chaired by the Center / Office Director and comprised of senior decision makers from each business/program and the Center / Office IT Director. The Center / Office Portfolio Coordinator, Enterprise Architect, Information System Security Officer and a representative from the program's budget organization serve as advisors.
Chief Information Officer (CIO). The CIO is the highest ranking IT official at the FDA. The CIO provides advice and other assistance to the Commissioner and other senior management to ensure that IT is acquired efficiently and effectively and information resources are managed in a manner that implements the policies and procedures of the Clinger-Cohen Act. To this end, the CIO is the formal leader of FDA's IT organization (including Center/Office IT Directors and their staffs and IT Shared Services). It is the responsibility of the CIO and the Agency IT organization to develop, maintain, and facilitate the implementation of a sound and integrated IT architecture, as well as to promote the effective and efficient design and operation of information resources management processes including Enterprise Architecture, Security, Capital Planning and Investment Control.
The effective date of this guide is August 23, 2004.
Document History -- SMG 3210.2, IT Investment Management
| STATUS (I, R, C) | DATE APPROVED | LOCATION OF CHANGE HISTORY | CONTACT | APPROVING OFFICIAL |
|---|---|---|---|---|
| Initial | 03/31/2005 | N/a | Strategy and Planning Staff, OCIO, HFA-83 | Rod Bond, Director |