FDA STAFF MANUAL GUIDES, VOLUME III - GENERAL ADMINISTRATION
INFORMATION RESOURCES MANAGEMENT
INFORMATION TECHNOLOGY ACQUISITIONS
AGENCY-WIDE POLICY FOR INFORMATION TECHNOLOGY PURCHASES
Transmittal Number 99-35 -- Date: 08/02/1999
Effective Date: 08/01/1999
|2. Authority Delegated|
|10. Effective Date|
The Chief Information Officer (CIO) is responsible for establishing a comprehensive Agency-level information technology (IT) policy consistent with the Clinger-Cohen Act of 1996 (CCA). This Staff Manual Guide (SMG) establishes the Agency-wide policy for information technology purchases.
The following officials are delegated the authority to approve requests for IT hardware (except computers); software; support services; and services costing $25,000 or less.
A. Centers: Center Directors
B. Office of Regulatory Affairs (ORA): Associate Commissioner for ORA
C. Non-Center Headquarters (NCHQ): Deputy Commissioners, Senior Associate Commissioners, Associate Commissioners, Office Directors, and Chief Counsel.
Delegated officials will continue to submit IT requisitions over $25,000 to the Office of the Chief Information Officer for approval in accordance with the conditions outlined under Section 6, POLICY.
These authorities may only be redelegated to a single individual who has overall Information Resources Management (IRM) responsibility. The CIO will be notified of any redelegations.
The CCA replaced the General Services Administration procurement authority established by the Brooks Act; streamlined the IT acquisition process by holding agencies directly accountable for management of IT resources; established new requirements for the IT planning process that emphasized the management of IT resources as a "capital investment"; and linked these IT planning activities to budget and performance measures. The Act reflects the importance that the management of IT resources plays in contributing to efficient government operations. In December 1996, the Office of Information Resources Management issued an interim acquisition policy that positioned the Agency to achieve efficiencies and savings by requiring consolidation of microcomputer purchases. A SMG was published in October 1997, which established policy in accordance with the new legislation (CCA). In response to an external Agency audit, the SMG was revised in April 1998 to reflect increased controls on use of the bankcard to acquire sensitive IT resources. This SMG is revised again to reflect another policy change regarding bankcard purchases.
Information technology as defined in the CCA means any equipment or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the Agency. The term "information technology@ includes computers, ancillary equipment, software, firmware and related resources.
A computer is a high-speed electronic device that processes, retrieves, and stores programmed information or data. This includes microcomputers (desktop and laptop) and servers.
Information Systems Architecture (ISA) provides a blueprint for development and implementation of an Agency-wide common computing environment. It sets forth the information management environment with an applications, hardware, and software infrastructure to provide a uniform capability to communicate and exchange information across platforms and organizations.
Specially designated personnel as defined by the Office of Facilities, Acquisitions, and Central Services (OFACS) are cardholders who are appointed by the Center/Office who have received specific training by the Personal Property Management Branch and the FDA Bankcard Program Coordinator.
Waiver, for purposes of this policy, is a request for an exception to the IT consolidated bulk purchase process and/or established ISA standards. The requests must include a justification, functional specifications, and quantity desired.
Year 2000 compliant means information technology that can accurately process date/time data (including, but not limited to, calculating, comparing, and sequencing) from, into, and between the twentieth and twenty-first centuries, and the years 1999 and 2000 and leap year calculations. Furthermore, Year 2000 compliant information technology, when used in combination with other information technology, shall accurately process date/time data if the other information technology properly exchanges date/time data with it.
It is the policy of FDA to develop, maintain, and facilitate the implementation of a sound and integrated IT architecture for the Agency and to manage technology. This policy implements measures that will better assure IT acquisition strategies pursued by the Agency are supported by sound business cases and are cost-effective investments. In addition, this policy assures that IT acquisitions comply with established and emerging ISA standards, and are Year 2000 compliant.
A. The acquisition policy for computers is outlined below.
1. The Agency will consolidate computer acquisitions with the exception of those computers integrated with laboratory equipment. See section 6.b, Laboratory Equipment. This includes microcomputers (desktops and laptops) and servers. An IT bulk purchase process will be made available to generally provide increased efficiencies and savings across the Agency.
2. Any quantity of:
a. microcomputers may be acquired through the Agency-wide IT bulk purchase process without the Office of Chief Information Officer authorization.
b. servers may be acquired through the Agency-wide IT bulk purchase process as long as they are consistent with the ISA baseline network architecture and deployed in accordance with the established network configuration standards.
3. The Office of Chief Information Officer retains the authority to approve all microcomputers and servers acquired outside the IT bulk purchase process, except as noted in Section 6.b, Laboratory Equipment.
4. Computer acquisitions will be consistent with established and emerging ISA standards, and will be Year 2000 compliant, regardless of procurement vehicle or dollar amount, except as noted in Section 6.b, Laboratory Equipment.
B. Laboratory Equipment. Delegated officials may authorize the acquisition of computers which are integrated with laboratory equipment and operated outside of the FDA network in a stand-alone mode. Such computers are exempt from compliance with ISA standards, but shall comply with Year 2000 requirements. The Office of Chief Information Officer shall be notified of these acquisitions.
C. The following policy statements relate to the acquisition of other IT resources (e.g., non-computers).
1. ISA Standards. Refer to the ISA Phase 1 Baseline Infrastructure to identify the established and emerging ISA standards which are discussed below.
The Office of Chief Information Officer retains the authority to approve the acquisition of exceptions to the established ISA standards for IT resources unless circumstances apply as stated in the following paragraph. Exceptions must be justified and submitted to the Office of Chief Information Officer for review and approval (see Section 8, WAIVERS).
Delegated officials may authorize the acquisition of exceptions to the established ISA standards for IT resources only for emergency needs or for those that are threats to the public health. The Office of Chief Information Officer will be notified of these acquisitions.
2. Emerging ISA Standards. Delegated officials may authorize the acquisition of IT resources for exceptions to emerging ISA standards. Emerging standards are those standards which are not yet established but are intended to be established. The Office of Chief Information Officer will be notified of these acquisitions.
3. Non-ISA Standard Resources. Delegated officials have the authority to approve the acquisition of non-ISA standard IT resources, if an ISA standard has not been established or not intended to be established.
D. International Merchant Purchase Authorization Card (IMPAC). The IMPAC (bankcard) may be used to purchase IT resources at the discretion/approval of the delegated official as noted below:
Only purchasing agents and specially designated personnel are allowed to use the IMPAC (bankcard) to purchase sensitive/accountable IT property, including computers and printers, in accordance with OFACS policy and under the following circumstances:
- From the IT bulk purchase process. After receiving prior approval for IMPAC use from the delegated official.
- Outside the IT bulk purchase process.
- When specifications identified in a waiver request are approved by the Office of the Chief Information Officer as conforming to an ISA standard, the waiver may then be used by the major organizational component (Center; NCHQ Office; ORA) to acquire up to ten microcomputers per month (see Section 8, WAIVERS).
- If the waiver was granted based on any other criteria (e.g., non-standard unique business need), the number of computers purchased must be limited to the quantity approved by the Office of the Chief Information Officer as identified in the waiver.
- Use of the IMPAC for printers must also be in accordance with Center/Office specific procurement policy.
Note: Use of bankcards must comply with the IMPAC policy published by OFACS; specifically, all sensitive/accountable property inventory requirements must be followed, and, requisitions must adhere to established approval processes. In addition, the purchase price of the IT resource must also be within the threshold of the cardholder's authority.
3. All cardholders may use the bankcard for operations and maintenance purchases to replace existing malfunctioning components or to upgrade existing components; e.g., memory chips, power supply or mother boards.
4. All cardholders may use the bankcard to purchase circuit boards, modems, etc., for special needs when time and logistics make it cost prohibitive to do otherwise, but such purchases should be limited to small quantities (1-3).
Note: Use of the IMPAC for non-sensitive/non-accountable IT resources must also be in accordance with Center/Office specific procurement policy.
A. OFFICE OF THE CHIEF INFORMATION OFFICER. The Office of Chief Information Officer is responsible for: 1) facilitating the consolidation of computer requirements/ specifications, 2) assuring that a vehicle is available for consolidated purchases, 3) approving exceptions to the consolidated acquisitions, and 4) assuring that computers are acquired in accordance with the ISA standards and are Year 2000 compliant.
B. MAJOR ORGANIZATION COOMPONENTS (Centers, ORA and NCHQ). The FDA delegated officials are responsible for assuring that these authorities are exercised in accordance with all applicable IT acquisition regulations and policies
C. TECHNICAL WORKING GROUP. Delegated officials will appoint a representative(s) to the Technical Working Group (TWG) which will meet quarterly, or as required by the IRM Council. The TWG will identify the consolidated microcomputer and server requirements for the Agency. The Center/Office representative(s) to the TWG will develop specifications and identify quantities of microcomputers and servers according to its requirements and in compliance with the ISA standards.
A. Computer Acquisitions. Occasionally, it may be necessary to acquire a computer (e.g., server) that is not consistent with ISA standards or Year 2000 compliant. These exceptions must be individually justified and submitted to the Office of Chief Information Officer for review and approval. Exceptions will be based on merit of the business case presented.
B. Consolidated Microcomputer Acquisitions. Occasionally, it may be necessary to acquire microcomputers from a different source than the consolidated bulk purchase process. These exceptions must be individually justified and submitted to the Office of Chief Information Officer for review and approval. Exceptions will be based on four criteria: 1) Availability of Discounted Purchase Price: Purchases can be made substantially below the discounted prices obtained for bulk purchases; 2) Time Factor: Impact of delaying the purchase of the product will severely and adversely impact the program operations; 3) Quantity Purchases: Bulk purchases are unlikely due to the uniqueness of the product and/or the probability of having multiple similar requests is deemed to be minimal; or 4) Technical Considerations: Distinct configuration requirements that would not normally be available through the IT bulk purchase process may be necessary for scientific and/or specialized needs.
The procedures are outlined below:
1. The delegated official will send an e-mail message or hard copy request to the Office of Chief Information Officer. A statement must be included indicating whether or not the waiver request is an emergency. The e-mail should be sent to the "OCIO, ACQUIS" mailbox address, created specifically to receive the waiver requests (key "OCIO"). The hard copy address is "HFA-80."
ORA Field. The ORA field personnel will send the waiver request via e-mail to ORA's headquarters IRM official, who will review and forward the e-mail request to the "OCIO" mailbox. A statement must be included indicating whether or not the waiver request is an emergency.
2. The requests must include the following items based on the criteria in Section 8.b, Consolidated Microcomputer Acquisitions.
a. Business case and/or technical justification
b. Functional specifications
c. Quantity of microcomputers needed and cost (by major component and total cost)
3. Upon review and approval of the request, the Office of Chief Information Officer will notify the delegated official by e-mail.
4. In the event the waiver is not approved, the Office of Chief Information Officer will notify the delegated official by e-mail of this decision and will convey an explanation outlining the basis for the denial.
5. The delegated official will include a copy of the waiver approval with the HHS Form 393 Requisition and forward to OFACS. The delegated official will also include with the requisition the names of three manufacturers which can supply comparable, acceptable equipment; or, if only one manufacturer's specific make and model is acceptable, provide a sole source justification.
ORA Field. The HHS Form 393 Requisition should be sent (along with a copy of the waiver approval) to the appropriate regional procurement official, with a copy to the ORA headquarters IRM official.
Please Note: If a microcomputer is intended to be purchased with the IMPAC (bankcard), the waiver must be provided to the Center/Office purchasing agent or specially designated personnel (see Section 6.d. IMPAC).
6. The Office of Chief Information Officer will process the waiver request within 48 hours during the business week, i.e., Monday through Friday. In an emergency situation, the request will be processed within 24 hours.
This supersedes Staff Manual Guide FDA 3240.1, with the effective date of April 1, 1998.
August 1, 1999.