
DOC Instructions on Completing Exhibit 300's

February 14, 2006

Instructions for Completing the OMB Exhibit 300,
Capital Asset Plan and Business Case

What is the purpose of these instructions?

Which IT investments require an Exhibit 300?

What is the purpose of the Exhibit 300?

What is the schedule for updating and submitting an Exhibit 300?

Is the Exhibit 300 Information used in any other OMB Exhibits?

Who is responsible for developing the Exhibit 300?

What is OMB’s basis for determining if an investment is at risk?

Do Infrastructure, Office Automation and Telecommunications (I/OA/T) investments require an Exhibit 300?

Do Enterprise Architecture (EA) investments need an Exhibit 300?

Where do I enter the Exhibit 300 information?

On what should an Exhibit 300 for an operational system focus?

May an Exhibit 300 be publicly released?

Part I. Title and Screening (Yes/No) Questions

Part I. Summary of Spending for Project Stages Table and Life Cycle Budget and Financing Table

I.A. Investment Description

I.B. Justification

I.C. Performance Goals and Measures

I.D. Project Management

I.E. Alternatives Analysis

I.F. Risk Inventory

I.G. Acquisition Strategy

I.H. Project and Funding Plan

Part II. Additional Business Case Criteria for Information Technology

Section II.A. Enterprise Architecture

Section II.B Security and Privacy

What if I have additional questions regarding the Exhibit 300 or eCPIC?

What is the purpose of these instructions?

These instructions complement and reinforce the Office of Management and Budget’s (OMB) guidance on developing the Exhibit 300, Capital Asset Plan and Business Case, in support of funding for major information technology (IT) investments as contained in OMB Circular A-11, Part 7. In addition these instructions address custom fields added by the Department to the Exhibit 300 primarily to populate and verify the Exhibit 53 and other required reports.

Which IT investments require an Exhibit 300?

An Exhibit 300 must be developed for major investments. A major investment is a system or investment that requires special management attention because it:

    • Was defined as a major project in the previous fiscal year

    • Is a financial system costing more than $500,000 in any one fiscal year

    • Has high executive visibility

    • Has significant program or policy implications

    • Has been determined to be major by OMB or Commerce’s Capital Planning and Investment Control process

Any investments that are not major are referred to as “non-major.”

What is the purpose of the Exhibit 300?

The Exhibit 300 business case is a high-level summary of the investment’s current justification and management plans, including a project plan, benefit-cost analysis, alternatives analysis, acquisition plan, risk management plan, human resources management plan, enterprise architecture and IT Security plan. In the case of IT investments that are proposed or underway, this information is used by the operating unit, the Department’s Capital Investment Technology Review Board (CITRB), and OMB to determine if investment funding should be recommended or continued. For investments that are now steady state, the Exhibit 300 is used to review the investment’s current status and assess how well the investment is accomplishing its goals. In addition, the Exhibit 300 is required when requesting a delegation of procurement authority from the CIO through the CITRB or the Acquisition Review Board to proceed with a large contract.

What is the schedule for updating and submitting an Exhibit 300?

The Exhibit 300 information in Commerce’s on-line electronic Capital Planning and Investment Control system (eCPIC) should be kept up to date. The operating units are expected to review and approve the Exhibit 300 before it is submitted to the Commerce Information Technology Review Board (CITRB), Acquisition Review Board (ARB) or the Department Office of the CIO as part of the budget review process. At a minimum, all Exhibit 300s are reviewed by the Department in August for submission to OMB in early September as part of the Department budget request. Following the OMB Passback in late November, updated Exhibit 300s are reviewed by the Department for submission to OMB in early January in support of the President’s Budget to Congress.

Is the Exhibit 300 Information used in any other OMB Exhibits?

Yes, eCPIC extracts data from the major and non-major Exhibit 300s to produce the Exhibit 53 IT Investment Portfolio report, which lists all IT funding broken out by major activity. Each OU may generate an Exhibit 53 that contains only data from the OU. Exhibit 53s for the whole Department are submitted in September and January to OMB. The information in the Exhibit 300 and Exhibit 53 is also used to verify the data in the Exhibit 52 for financial systems and the Federal Information Security Management Act (FISMA) report on security expenditures for IT systems.

Who is responsible for developing the Exhibit 300?

Developing an investment business case and summarizing the results in an Exhibit 300 are the responsibility of the Project Manager and the operating unit CIO. Following completion of the project or its main goals, the Exhibit 300 will be the foundation for any post-implementation review.

What is OMB’s basis for determining if an investment is at risk?

The basis for OMB’s rating is the Exhibit 300 scoring criteria explicitly defined in OMB Circular A-11 Section 300. Currently, business cases receiving an overall score of less than 31 or score 3 or less in IT Security are placed on OMB’s Watch List and may not be recommended for funding.

Do Infrastructure, Office Automation and Telecommunications (I/OA/T) investments require an Exhibit 300?

I/OA/T are defined by OMB as “… all IT investments that support common user systems, communications, and computing infrastructure. These investments usually involve multiple mission areas and might include general LAN/WAN, desktops, data centers, cross-cutting issues such as shared IT security initiatives, and telecommunications.”

The Department produces a single Exhibit 300 covering all I/OA/T investments. This business case, which appears in Part 2 of the Department’s Exhibit 53, IT Portfolio Funding, consolidates all of the operating units’ I/OA/T investments not directly associated with a specific programmatic goal. Each operating unit must submit this information to the Consolidated Infrastructure Team (CIT) Project Manager so that a single Exhibit 300 can be created. The specific information requested will be defined in the IT Budget Call.

Do Enterprise Architecture (EA) investments need an Exhibit 300?

Starting with the 2007 budget cycle each agency’s EA investments are reported separately as non-major investments.

Where do I enter the Exhibit 300 information?

All Exhibit 300 Business Cases, as well as information on non-major systems, are entered into eCPIC. This on-line system, accessible throughout the Department, collects and stores the Exhibit 300s and automatically generates the Exhibit 53. In completing the Exhibit 300, answer all the questions. If an answer isn’t yet known, state the reason and/or date or milestone when the information will be available.

On what should an Exhibit 300 for an operational system focus?

An operational system’s Exhibit 300 should demonstrate that the investment undergoes operational analysis to ensure that it is meeting its cost, schedule and performance goals. As part of the operational analysis the Exhibit 300 should reflect the results of an “E-Government Strategy” review to analyze and identify smarter, more cost effective methods for achieving the desired goal. For further information see the Department’s Operational Analysis and Performance Reporting guidance.

May an Exhibit 300 be publicly released?

Exhibit 300s submitted to the Department and OMB during the budget process are considered pre-decisional pending their approval by OMB and inclusion in the President’s Budget, and may not be publicly released per OMB Memoranda 01-17 and 01-21. Exhibit 300s that are publicly released in response to a Freedom of Information Act (FOIA) request or at the initiation of the operating unit must be redacted to remove security, procurement-sensitive, or other non-public information. This redaction may also include out-year funding and alternative analyses that impact a current or proposed acquisition contract. Responses to all FOIA requests must be coordinated with your operating unit FOIA officer.

Part I. Title and Screening (Yes/No) Questions

How do I answer the "Has this project been reviewed by...(CFO, Project Manager, Investment Board, Procurement Executive ... )" questions if no review has occurred yet?

Generally a "No" answer to these and most other yes/no questions will cause OMB's IT investment reviewers to recommend no funding for that investment. All major Department of Commerce IT investment initiatives are reviewed by the Commerce Information Technology Review Board (CITRB) when they are first proposed. This Board includes the CFO and the Procurement Executive.

What is the basis for creating a unique ID number for an investment?

Section 53 of OMB Circular A-11 defines the unique ID (UID) code associated with each investment as summarized below.

For the sample UID 006-00-02-13-01-3201-24-118-062, the fields are:

    • First 3 digits - Department code, “006” for Commerce

    • Fourth and fifth digits - Operating unit code, “03” is used to identify Department-wide investments such as Commerce Business Systems

    • Sixth and seventh digits - Portion of the Exhibit 53, i.e., Infrastructure/ Office Automation/Telecommunications “02,” Mission Area Systems “01,” Enterprise Architecture and Planning “03,” Grants Management “04”

    • Eighth and ninth digits – A Mission Area that is selected from an automated pick list. Some Mission Areas are defined by operating units, other mission areas such as “01” for Financial systems are Department-wide categories. Contact the eCPIC system administrator if your operating unit wants to add a mission area.

    • Tenth and eleventh digits – Indicates the type of investment. “01” is for a major investment, a non-major is “02,” “03” represents an IT investment that is part of a larger asset with an existing business case, and “04” identifies a major IT investment for which another agency has the lead management and reporting responsibility.

    • Twelfth through fifteenth digits – A unique 4 digit project code. Each operating unit has been assigned a number range. Per the listing below “3201” identifies this as a NOAA investment.

    o PMA E-Gov – 0001 through 0050

    o Dept-wide – 0051 through 0299

    o OS, OGC – 0300 through 0599

    o OIG – 0600 through 0699

    o ESA and BEA – 5000 through 5499

    o BIS – 5500 through 5999

    o Census – 4000 through 4999

    o EDA – 6000 through 6499

    o ITA – 6500 through 6999

    o MBDA – 0900 through 0999

    o NOAA – 3000 through 3999

    o NIST, TA/OTP – 7000 through 7299

    o NTIA – 7300 through 7499

    o NTIS – 2000 through 2199

    o PTO – 8000 through 8999

    • Sixteenth and seventeenth digits – Specifies the kind of investment or year it was first reported. An E-Government initiative endorsed by the President's Management Council (PMC) or an individual agency's participation in a PMC E-Government initiative is identified by a “24.”

    • Eighteenth, nineteenth, and twentieth digits - Maps to the primary Business Area and Line of Business from the Federal Enterprise Architecture Business Reference Model (FEA BRM) as follows:

    o 1XX: Primary mapping to the Services for Citizen layer

      § Investments that map to Services for Citizens must also show a Mode of Delivery mapping in the BRM table in the Exhibit 300.

    o 2XX: The Mode of Delivery may NOT be used as a primary mapping layer

    o 3XX: Primary mapping to the Support Delivery of Services layer

    o 4XX: Primary mapping to the Management of Government Resources layer

The Business Reference Model lists and defines each of the business lines and their sub-functions.

    • Twenty-first, Twenty-second, and Twenty-third digits - Identify the primary Sub-Function within the FEA BRM Line of Business that this IT investment supports.
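To check an entry against the UID layout above before it goes into eCPIC, here is an added example (not code from the DOC instructions or from eCPIC): a small Python parser that uses the field positions, code meanings and project-code ranges listed above, and rejects a Mode of Delivery (2XX) primary mapping. The function and field names are my own.

```python
import re

# Added example, not DOC code: field names and helper names are my own; the
# layout, code meanings and project-code ranges come from the instructions.
UID_RE = re.compile(
    r"^(\d{3})-(\d{2})-(\d{2})-(\d{2})-(\d{2})-(\d{4})-(\d{2})-(\d{3})-(\d{3})$"
)
FIELDS = ("department", "operating_unit", "exhibit_53_portion", "mission_area",
          "investment_type", "project_code", "kind_or_year",
          "brm_line_of_business", "brm_sub_function")

EXHIBIT_53_PORTIONS = {"01": "Mission Area Systems",
                       "02": "Infrastructure/Office Automation/Telecommunications",
                       "03": "Enterprise Architecture and Planning",
                       "04": "Grants Management"}
INVESTMENT_TYPES = {"01": "major",
                    "02": "non-major",
                    "03": "part of a larger asset with an existing business case",
                    "04": "major IT investment led and reported by another agency"}
BRM_LAYERS = {"1": "Services for Citizens", "2": "Mode of Delivery",
              "3": "Support Delivery of Services",
              "4": "Management of Government Resources"}
# Inclusive 4-digit project-code ranges assigned to Commerce operating units.
PROJECT_CODE_RANGES = [
    (1, 50, "PMA E-Gov"), (51, 299, "Dept-wide"), (300, 599, "OS, OGC"),
    (600, 699, "OIG"), (900, 999, "MBDA"), (2000, 2199, "NTIS"),
    (3000, 3999, "NOAA"), (4000, 4999, "Census"), (5000, 5499, "ESA and BEA"),
    (5500, 5999, "BIS"), (6000, 6499, "EDA"), (6500, 6999, "ITA"),
    (7000, 7299, "NIST, TA/OTP"), (7300, 7499, "NTIA"), (8000, 8999, "PTO"),
]


def project_code_owner(code: str) -> str:
    """Operating unit whose assigned range contains the 4-digit project code."""
    n = int(code)
    for low, high, name in PROJECT_CODE_RANGES:
        if low <= n <= high:
            return name
    return "unassigned"


def parse_uid(uid: str) -> dict:
    """Split a 23-digit UID into named fields, rejecting values the
    instructions do not allow."""
    m = UID_RE.match(uid.strip())
    if not m:
        raise ValueError(f"UID must use the 3-2-2-2-2-4-2-3-3 digit layout: {uid!r}")
    f = dict(zip(FIELDS, m.groups()))
    if f["department"] != "006":
        raise ValueError(f"not a Commerce UID (department {f['department']})")
    if f["exhibit_53_portion"] not in EXHIBIT_53_PORTIONS:
        raise ValueError(f"unknown Exhibit 53 portion {f['exhibit_53_portion']}")
    if f["investment_type"] not in INVESTMENT_TYPES:
        raise ValueError(f"unknown investment type {f['investment_type']}")
    if f["brm_line_of_business"][0] == "2":
        raise ValueError("Mode of Delivery (2XX) may not be the primary BRM mapping")
    if f["brm_line_of_business"][0] not in BRM_LAYERS:
        raise ValueError(f"unknown BRM layer in {f['brm_line_of_business']}")
    return f


def describe_uid(uid: str) -> dict:
    """Readable breakdown of a UID, e.g. for checking an entry before it goes
    into eCPIC or the Exhibit 53."""
    f = parse_uid(uid)
    layer = f["brm_line_of_business"][0]
    return {
        "operating_unit_code": f["operating_unit"],
        "exhibit_53_portion": EXHIBIT_53_PORTIONS[f["exhibit_53_portion"]],
        "mission_area": f["mission_area"],
        "investment_type": INVESTMENT_TYPES[f["investment_type"]],
        "project_code": f["project_code"],
        "project_code_owner": project_code_owner(f["project_code"]),
        # "24" marks a PMC-endorsed E-Government initiative; other values are
        # left uninterpreted here.
        "pmc_egov_initiative": f["kind_or_year"] == "24",
        "brm_layer": BRM_LAYERS[layer],
        # Services-for-Citizens investments must also show a Mode of Delivery
        # mapping in the Exhibit 300's BRM table.
        "needs_mode_of_delivery_mapping": layer == "1",
        "brm_sub_function": f["brm_sub_function"],
    }


if __name__ == "__main__":
    for key, value in describe_uid("006-00-02-13-01-3201-24-118-062").items():
        print(f"{key}: {value}")
```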

Can an Exhibit 300's funding be split into multiple Exhibit 53 investment or mission areas?

No, OMB requires that each Exhibit 300 have a unique user ID that refers to only one investment on Exhibit 53. If an investment falls into two or more mission areas, keep all the funding under the most important mission area for that investment.

What does “Program Number and Name” mean?

Commerce does not use program numbers. Program name represents the lowest level in the budget submission document that funds this investment. Write the operating unit’s account name, activity or line office and, if applicable, sub-activity, and line item. Ask your budget office for clarification.

When is an investment a "mixed life cycle" type?

If budget year funding is provided for more than one of the project stages (Planning, Acquisition, and Maintenance) then it is "mixed." Steady State is synonymous with the Maintenance stage shown in the Summary of Spending table.

When is an investment considered development, modernization and enhancement (DME), not steady state?

Steady State investment is for routine maintenance, helpdesk support and refreshment of completed systems. Any significant activity required to substantially increase the investment’s capability and capacity, especially when it is needed by a specific time, qualifies as a development effort. From a project management perspective, if an activity has risks that are distinct from the steady state effort then it is a development project.

When is an investment considered fully funded?

According to OMB guidance all projects are supposed to be fully funded. The key criterion distinguishing fully funded from incrementally funded is whether the funding is sufficient to provide a useful end product. Some examples of fully funded projects are ones where funding completes the planning stage or where funding is sufficient to develop an application that collects, generates, or distributes useful data.

How do I know if the investment is covered by GPEA?

If you are uncertain whether your investment is included under the Government Paperwork Elimination Act (GPEA) provisions regarding information collection from the public, contact your operating unit's GPEA Coordinator or Diana Hynek at dhynek@doc.gov.

How do I know if the investment needs a Privacy Impact Assessment and what does it involve?

Privacy Impact Assessments (PIA) are conducted to ensure adequate protection as required under the Privacy Act. The Office of the Chief Information Officer is responsible for developing IT privacy policy and guidance concerning when a Privacy Impact Assessment (PIA) is required. An operating unit must conduct a PIA for any Commerce IT system that collects and maintains personally identifiable information (name, address, social security number) from the public. The PIA results in a statement that identifies ways to enhance privacy protections in information systems and to ensure that they are adequate. This statement guides system owners and developers in assessing privacy through the early stages of development when requirements are being analyzed and decisions made about data use and system design. To create the PIA statement you must gather data and analyze privacy issues relating to the system and identify and resolve privacy risks. Operating units may conduct discretionary PIAs as they deem necessary for sensitive information other than personally identifiable information. Examples of PIAs may be found at the IRS and PTO websites.

How do I know if the investment has been reviewed as part of FISMA?

All IT systems and IT security programs must be self-assessed annually. See section 6.3.1 of the IT Security Program Policy and Minimum Implementation Standards, as well as section II.B.2.C below for details.

How do I identify the appropriate Homeland Security category for the investment?

Check yes to the Homeland Security designation only if the investment has been included in OMB’s Homeland Security (HS) Database Crosscut or has been nominated for inclusion in the HS database by the Department. Select only the category under which the investment is identified in the HS database.

How do I determine if an investment is National Critical, Mission Critical, or a Business Essential service?

Systems are National Critical where the mission served, or the information that the system processes, affects the security of critical national infrastructures or key national assets. Systems are designated as national critical only by the DOC Critical Information Assurance Officer (CIAO) – who is the DOC CIO. Through the CITRB process, new national critical systems are identified. These systems normally carry a high sensitivity for at least one of three security elements: confidentiality (e.g., unauthorized disclosure could result in loss of life); integrity (e.g., unauthorized modification or inaccurate data such as severe weather warnings could result in loss of life); or availability (e.g., service interruptions cannot exceed 72 hours without significant impact on the national economy).

Mission critical systems are associated with an agency’s mission-specific or agency-specific activities and often vary from agency to agency. These systems also support services to citizens and business partners through various delivery functions such as e-commerce transactions, statistical information calculation and disclosure, and decennial census required by law. Business Essential systems support internal activities common to most agencies, and are associated with support services and internal management of agency resources. NIST FIPS 199, Standards for Security Categorization of Federal Information and Information Systems provides more information for categorizing information and information systems.

What/where are the Performance Assessment Rating Tool recommendations?

Over the next few years OMB plans to review all governmental agency programs using the Program Assessment Rating Tool (PART) comprising assessment criteria on program performance and management. These assessments often identify specific IT weaknesses or organizational weaknesses that might have an IT solution. Every year OMB will evaluate whether progress has been made towards addressing the previously published PART recommendations. See the PART recommendations, which are part of the President's Budget.

How is the Financial Percentage used?

The financial percentage field in the eCPIC Exhibit 300 is used to generate a financial systems cost estimate. This is aggregated by operating unit and compared and reconciled against the Inventory of Financial Systems and the Exhibit 52 (Summary of Financial Systems). Coordinate with your operating unit's financial systems reporting office when calculating this percentage to ensure consistency between the Exhibit 300, Exhibit 53 and Exhibit 52.

How do I calculate the percent funding for IT Security?

Estimate the full cost of maintaining the IT investment's confidentiality, integrity, and availability. This cost should include an appropriate share of centrally funded security activities such as awareness training, intrusion detection, incident response, and security certification and accreditation if these are not otherwise reported on the Exhibit 53. Also include the estimated value of security requirements that are embedded in programs, functions, or applications. Be sure to enter a non-zero value, as a zero percent response will indicate that the system is not secure.

The same value, e.g., 2%, for all investments is not acceptable. Each investment must be evaluated independently. The IT security percentage reported for each investment is used to calculate the total IT security budget for each operating unit. Coordinate with your unit's IT Security Office to ensure that this calculation agrees with the IT Security funding data each operating unit transmits in its September FISMA report.

Part I. Summary of Spending for Project Stages Table (SOS) and Life Cycle Budget and Financing Table

What distinguishes the Planning and Acquisition Stages from the Maintenance Stage?

The Planning and Acquisition stages in the Summary of Spending table (SOS) are the same as Development/modernization/enhancement (DME) on the Exhibit 53, while the Maintenance stage is the same as Steady State. OMB Exhibit 53 guidance defines planning and acquisition as "changes or modifications to existing systems that improve capability or performance, [and] changes mandated by Congress or agency leadership...". Prototype funding must be reported in the Acquisition stage. Include under the Maintenance stage funding for operating and maintaining the system at its current capability and performance level. This encompasses the cost of corrective action and replacement of broken equipment. Major functional enhancements, modernization or replacement of a portion of an operational system are included under the planning and/or acquisition stages.

What is the difference between budgetary resources and outlays?

Budgetary resources represent how much money you are allowed to spend based on the budget authority provided (or requested) in the Appropriations Act, including any limits placed on the use of reimbursable funding. Normally the budgetary resources amount in the Summary of Spending table matches the annual budget request. Budgetary resources can also include direct appropriations, working capital funds, and revolving funds. Outlays, also called disbursements, represent payment of obligations, and are expected to closely match the section I.H. Actuals and planned outyear spending. Major investments often plan on outlay rates of 35% per year. As a result, the final year or two of an investment may have $0 budgetary resources but significant outlays. Check with your budget office to derive the appropriate outlay rate and verify the prior year disbursement amount.

Should FTE funding be included in each Project Stage?

Yes, the FTE total displayed at the bottom of the Spending for Project Stages table should equal the FTE amount included in each of the three stages above.

Should funds received from or provided to other federal agencies be reported?

To avoid double counting across government, funds received from another federal agency towards a Commerce IT investment are not entered in the Summary of Spending table. Funding received from other agencies should be identified in the Investment Description, section I.A. Also, non-governmental funding may be identified in the funding sources table under the account heading “reimbursable funding.” If such funding is included in the (Section H) Spend Plan then it must be separately identified and the funding source properly identified in the column “funding agency.” A recommended alternative for tracking funding from other agencies is to attach a comprehensive spend plan/actuals spreadsheet onto the investment’s eCPIC folder.

IT funding DOC sends to another agency must be reported under that investment’s name in Commerce’s Exhibit 53. If the recipient agency is the managing partner of the investment then it and not DOC maintains the Exhibit 300. For the investment's unique identifier use the 4 digit UID and Business Reference Model codes provided by the lead agency. Entering "04" in the 10th and 11th digits of the project's UID identifies it as funding provided to another agency.

What if an investment is funded from multiple appropriation accounts?

Use the pick list in eCPIC Exhibit 300, Part I, Life Cycle Budget and Financing table to identify each appropriation account’s name and number. Then enter the funding amount from each appropriation. The annual total and grand total from this table must match the budgetary resources annual and grand totals on the Summary of Project Spending table. If an appropriation account cannot be found on the eCPIC list, call the eCPIC Help Desk. Note that all tables in eCPIC record figures in thousands of dollars. Summary of Spending totals are automatically converted to millions of dollars upon export to the Exhibit 53. Internal reimbursements should only be accounted in a single investment’s budget, either the giver or the receiver. Reimbursements that are included in the receiving investment’s budget should be accounted for in a separate funding source line that clearly identifies where the funds originate. If reimbursable funds are included in the SOS table then they also need to be included in the other Exhibit 300 sections such as the spend plan, and EVM calculations.

What if funding comes from more than one budget line?

Identify in the Initiative Summary Sheet form in eCPIC the funding coming from each budget line (account, sub activity, line item, program) supporting this investment. Save this Initiative Summary Sheet in eCPIC under the investment's resource library.

Should there be a direct linkage between the Summary of Project Spending amounts and the figures shown in I.E.3., the financial table for the selected alternative, and I.H., project and fund plan?

Yes, the linkage between the figures in all three tables should be clear. This linkage is made clearer by formatting the financial tables in Section E and H using the stages (Planning, Development, and Maintenance) displayed in the Summary of Project Spending table.

I.A. Investment Description

What sort of description is appropriate?

Provide a short summary of what the investment is, what it has achieved or will achieve, and where it is in the Capital Planning and Investment Control (CPIC) process, for example, “reviewed and approved by the NOAA IT Review Board and Commerce IT Review Board.” If the investment is related to a larger E-Government or Line of Business initiative, describe how this investment supports the larger effort.

Should the description focus on the technical solution or the investment's purpose?

The Exhibit 300 is a business case, not a technical solutions document. Focus on what problem this investment solves and how the solution is linked to measurable outcomes. The intended audience is people whose familiarity with the program/function is largely limited to this description.

What goes under the Assumption section?

Describe what resources need to be available or what activities need to be accomplished that are outside the scope of this investment in order to achieve this investment's goals. This is also the best place to provide background information for other sections that don't allow free form text, for example, assumptions behind information in the performance measure, alternatives analysis, or project schedule sections.

What is appropriate supporting documentation?

Support your business case by citing third party studies or market research that identify the need and/or verify the appropriateness of the proposed solution. Where possible, provide dates when the documentation was completed. Refer to industry benchmarks where appropriate. Many DOC operating units subscribe to benchmarking services.

I.B. Justification

What is the President's Management Agenda (PMA) as cited in OMB's scoring criteria?

The PMA priorities are strategic management of human capital, competitive sourcing, improving financial performance, expanded electronic government (E-government), and budget and performance integration. Identify, with supporting details, the one PMA priority that the investment best supports (most IT investments are tied to the e-government PMA strategy). Where applicable include any current or planned collaboration with other agencies and organizations in and outside of the Federal Government to reinforce that the investment meets OMB's e-government criteria. See PMA for detailed information.

What qualifies as a multi-agency initiative?

Describe any financial or significant non-financial resources contributed by other non-Commerce agencies. If there are such contributions then you must specify the nature of the partnering arrangement with the contributing agencies.

What's an appropriate response to the reengineering question?

Business process reengineering should always occur before a process is automated. A negative response would suggest a serious weakness in the project plan.

I.C. Performance Goals and Measures

When should Table 2 be used?

All goals for FY 2006 and onward should be entered in the Performance Reference Model (PRM) Table 2. Use performance measures that are part of the Annual Performance Plan or that can be tied directly to those measures.

What if the only tangible achievements are historical?

Focus the business case on the value of future achievements, not past gains from already sunk costs.

How many measures are needed during the project life cycle?

Starting the year the project is completed a minimum of one performance goal per year is required in each of the four areas of the Federal Enterprise Architecture's (FEA) Performance Reference Model (PRM), which cover outcomes, outputs, and inputs. Strive to identify performance measures that have a clear connection ("line of sight") to each other and to your operating unit’s annual performance goals. See below and the latest PRM for details and examples.

During planning and development select performance measures that certify or demonstrate the impact of completed phases, for example, “incremental production increases,” “IT security certification and/or accreditation for a system or sub-system,” or “completed documentation of use cases.” However, do not repeat what is entered in the Section I.H Project and Funding Plan tables.

Do performance measures need to be customer focused?

Yes, at least some of the performance measures should explicitly address who the customers are and how the investment will benefit them. This is especially important for projects in the operations and maintenance stage where a crucial question is whether customers are receiving the benefits they expect from the system.

What are the Measurement Areas and Measurement Categories cited in Table 2?

Table 2, which should be used for all new investments, requires the identification of the measurement area and category for each performance measure. The PRM identifies four measurement areas and several groupings within each area that describe the attribute or characteristic measured as follows:

    • Mission and Business Results - Outcome measure tied to level 1 (Services for Citizens) and 3 (Management of Government Resources and Support Delivery of Services) of the FEA Business Reference Model. The measurement categories are services provided, support for services, management of resources, and financial

    • Customer Results - Outcome measure tied to level 1 and 3 of the FEA Business Reference Model. Measurement categories: satisfaction, service coverage, quality, timeliness

    • Processes and Activities - Output measure that defines the direct effect of daily activities and broader processes. Aligned with level 2 (Mode of Delivery) of the FEA Business Reference Model. Measurement categories: financial, productivity and efficiency, cycle time, quality

    • Technology - Inputs, key enablers measured through their contribution to outputs. Measurement categories: financial, quality and efficiency, information and data, reliability and availability, user satisfaction

What is meant by baseline and should it remain constant?

A baseline is a specific quantitative or qualitative measure that existed or was established before the investment began and thus does not change over time. For example a baseline storm warning lead time of 12 minutes would be compared against the proposed performance targets for years 3, 4, and 5, to assess the net benefit from this investment.

What is meant by performance improvement goal?

Describe the performance target in narrative terms, for example, "Improve Tornado Warning Lead Times." Then, under planned performance metric, translate the goal into a measurable amount, e.g., 7 minutes for 2005 and 8 minutes by 2007.

I.D. Project Management

Do the Project Manager, Contract Officer, and Project Sponsor need to be different people?

Yes; each position must be held by a different person.

What information should we provide besides names?

Specify the Project Manager’s experience and training including project management certification. State the certification level of the project as well as the certification level of the Project Manager.

What skills should be represented on the Integrated Project Team?

An Integrated Project Team (IPT) should be composed of a qualified project manager, necessary personnel from the user community as well as budget, accounting, procurement, value management, and other functions as appropriate for the stage and complexity of the project.

Does the Project Manager need to be working full time on that investment?

Yes, the Project Manager needs to be devoted full time to each proposed investment. Having one person as project manager of more than one major investment is an unacceptable project risk, as good management practices, supported by OMB, state that one person cannot provide sufficient monitoring and control of multiple investments.

How does a Project Manager become validated as qualified?

Each Project Manager is required to enter their experience and other qualifications into a standard Commerce resume format that is found in the eCPIC application’s Resource Library. Send this to your operating unit CPIC representative for submission to the Department’s CIO Office. The Department will review the information and validate whether the qualifications are appropriate for the size and complexity of the investment that is being managed. The eCPIC Resource Library contains a matrix table comparing the assessment of a project’s size and complexity (on a 1 to 3 scale) with the qualifications needed by a project manager (also on a 1 to 3 scale).

Why do I need to provide the Project Manager’s Qualifications status?

The project manager’s qualification status field feeds the Exhibit 53. All project managers should be evaluated or undergoing evaluation to meet the OMB qualifications for a PM. This field may be left blank for investments in the Enterprise Architecture part of the Exhibit 53.

What if the Project Manager doesn't have project management certification?

If the Project Manager doesn't have certification, describe what training she/he will receive to achieve that goal. Identify and initiate project management teams, sponsors, and project management training now if you haven't yet done so, so you can answer affirmatively to all the questions in this section.

I.E. Alternatives Analysis

What if there are more than three alternatives?

More than three alternatives can be listed, but only three will go to OMB. In the Alternatives Analysis table’s “Send to OMB” column, mark True next to the alternatives to be submitted to OMB. Examples of alternatives include buy it, outsource it, or build it yourself. Other possible alternatives are incrementally improve or totally rebuild. Meld and summarize choices to show at least three distinct alternatives. For operational systems, focus on future-oriented alternatives such as collaboration with other agencies, or transforming the current process by adopting e-business technologies such as XML, Java, or .NET.

How often does the alternatives analysis need to be updated?

It should be updated approximately every three years to account for new technological solutions and changes in the operational environment, or whenever a major shift in system strategy is proposed.

Does the alternative analysis need to account for risk?

Yes, among other criteria, qualitative risk needs to be considered along with a projected net, risk-adjusted return on investment for each project stage (planning, development and maintenance).

What is included in the Life Cycle Cost table?

The Life Cycle costs should include costs for all investment phases: design, acquisition, and operations and maintenance. To minimize confusion, include all costs already incurred and displayed in the Summary of Spending table. See below for instructions on defining cost elements.

What are cost elements and should they be organized by project stage?

Cost elements are the major cost categories of an investment, for example government personnel, vendor services, vendor personnel, hardware/equipment, software, inter-agency services, and supplies/other. As defined in OMB Circular A-11, these cost elements are separated into project phases, and the cost of risk must be accounted for either as an explicit entry or contained within other cost elements.

Do the amounts in the Life Cycle Costs table need to match the summary of spending table?

Yes. The expectation is that if the alternatives analysis is properly done then the annual estimated costs for the selected alternative should be very similar to the totals in the Summary of Project Spending table.

What is needed besides the financial comparison in choosing among alternatives?

Incorporate issues such as risk, mission contribution, security, and timeliness in addition to financial criteria. The business case is more easily understood when the benefits and non-financial factors are grouped by the alternative strategy they're associated with.

Is a cost-benefit spreadsheet template available?

Yes, a spreadsheet template is in the eCPIC Resource Library under the folder entitled Cost Benefit/EVA. Use benchmarks and market studies to identify the cost of alternatives.

Which cost/benefits are included?

Do not include sunk costs (costs incurred before the investment is scheduled to begin that cannot be recovered). Do calculate costs that would be avoided if this investment were approved. Note that the "alternative" of leaving an existing system in place may still have significant direct costs for system maintenance, repair, parts replacement, and technical support, as well as potentially substantial indirect costs in terms of foregone mission opportunities.

Do costs and benefits need to be discounted?

Yes. The discount factors for investments of various time spans are published in OMB Circular A-94 and updated periodically.

Which Return on Investment (ROI) measure should I use?

There are numerous ROI formulas that are used to evaluate investments, such as ROI %, net present value (NPV), payback period, and internal rate of return (IRR). Use the ROI that makes the most sense for your operating unit's time horizon and investment criteria. Smaller, shorter-term investments are often measured by their payback period, while the ROI % or net present value is usually applied in measuring the benefit of higher-cost, long-term investments (ROI % is [(discounted benefits - discounted costs) / discounted costs] x 100%). A positive ROI, NPV, payback, and IRR will occur only if the project’s financial benefits exceed its costs, so generally these measures won't provide useful information unless societal benefits are included in the financial table prepared for the selected alternative (Table I.E.3).
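As an added worked example (not part of the DOC instructions or the eCPIC spreadsheet template), the Python code below computes the four measures named above for one alternative from a constructed six-year cost and benefit stream. The cash flows and the 3% discount rate are illustrative assumptions; the discount factors actually used must come from OMB Circular A-94 as the text says. The ROI % formula is the one given in the text; NPV, payback period and IRR follow their standard definitions, with IRR found by bisection on the NPV.

```python
"""Added example (not from the DOC instructions or eCPIC): discounted cost/benefit
measures for comparing alternatives. Cash flows and the 3% rate are constructed
assumptions; real discount factors come from OMB Circular A-94."""
from typing import Dict, Optional, Sequence

# Constructed six-year stream; index = year from investment start (year 0 is undiscounted).
SAMPLE_COSTS = [500.0, 100.0, 100.0, 100.0, 100.0, 100.0]
SAMPLE_BENEFITS = [0.0, 200.0, 250.0, 300.0, 300.0, 300.0]
ASSUMED_RATE = 0.03  # illustration only; not an A-94 rate


def present_value(flows: Sequence[float], rate: float) -> float:
    """Sum of the flows discounted to year 0: flow_t / (1 + rate)^t."""
    return sum(f / (1.0 + rate) ** t for t, f in enumerate(flows))


def net_present_value(costs: Sequence[float], benefits: Sequence[float], rate: float) -> float:
    """NPV = discounted benefits - discounted costs."""
    return present_value(benefits, rate) - present_value(costs, rate)


def roi_percent(costs: Sequence[float], benefits: Sequence[float], rate: float) -> float:
    """ROI % = [(discounted benefits - discounted costs) / discounted costs] x 100, as the text defines it."""
    discounted_costs = present_value(costs, rate)
    return (present_value(benefits, rate) - discounted_costs) / discounted_costs * 100.0


def payback_period(costs: Sequence[float], benefits: Sequence[float]) -> Optional[int]:
    """First year in which cumulative (undiscounted) net benefit is non-negative; None if never."""
    cumulative = 0.0
    for year, (c, b) in enumerate(zip(costs, benefits)):
        cumulative += b - c
        if cumulative >= 0.0:
            return year
    return None


def internal_rate_of_return(costs: Sequence[float], benefits: Sequence[float],
                            lo: float = -0.99, hi: float = 10.0, tol: float = 1e-10) -> Optional[float]:
    """Rate at which NPV is zero, found by bisection. Assumes a conventional stream
    (costs first, benefits later) so NPV falls as the rate rises; None if no sign change."""
    def npv(r: float) -> float:
        return net_present_value(costs, benefits, r)
    if npv(lo) * npv(hi) > 0.0:
        return None
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if npv(mid) > 0.0:
            lo = mid  # NPV still positive: the rate must be higher
        else:
            hi = mid
    return (lo + hi) / 2.0


def compare_measures(costs: Sequence[float], benefits: Sequence[float], rate: float) -> Dict[str, Optional[float]]:
    """All four measures for one alternative, so reviewers can see which one fits the time horizon."""
    return {
        "npv": net_present_value(costs, benefits, rate),
        "roi_percent": roi_percent(costs, benefits, rate),
        "payback_year": payback_period(costs, benefits),
        "irr": internal_rate_of_return(costs, benefits),
    }


if __name__ == "__main__":
    for name, value in compare_measures(SAMPLE_COSTS, SAMPLE_BENEFITS, ASSUMED_RATE).items():
        print(f"{name:13}: {value}")
```

For the constructed stream the payback year (4) is the measure a short-horizon reviewer would look at, while the NPV and ROI % show whether the discounted benefits over the full life cycle exceed the discounted costs; the IRR is the rate at which they would just break even.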

I.F. Risk Inventory

What is the goal of the risk inventory?

Use the risk inventory to identify all key project risks and describe how they will be mitigated. It should summarize the findings of a more detailed Risk Management Plan. In listing mitigation measures, include technical solutions and cite the modular design strategies that will be used. Depending on the specific project, a modular approach helps reduce several risks, including technical obsolescence, lack of interoperability with other investments, risk of creating a monopoly for future procurements, and overall technical risk.

How is the question “identify my highest risks and mitigation strategies” different from what is requested in the risk inventory?

The risk inventory structure is not always ideal for identifying the most likely risks. Only the top few risks, those that have high potential to affect cost and/or schedule, should be discussed here.

What risk assessment factors need to be addressed?

Separately address each of the 19 risk areas/factors listed in the Exhibit 300 instructions, and document updates to your risk management plan as the investment cycle proceeds.

How should the risk management inventory align with other sections of Exhibit 300?

The Project Manager should be able to cross-walk from each item on the risk management table to the risk-adjusted costs displayed for each investment stage in the selected alternative's analysis table and in the project and funding plan table. Also, there should be a direct correlation between the risks and mitigations identified in the risk management plan and the cost and schedule variances identified in the spend plan.

What is an example of an acceptable Risk Inventory and assessment?

Use the table below as a guide to identify risks facing the investment in each of the 19 risk categories.

I.F. Risk Inventory and Assessment (All Assets)

| Date Identified | Area of Risk | Description | Probability of Occurrence | Strategy for Mitigation | Current Status |
|---|---|---|---|---|---|
| 01/24/2003 | 1 - Schedule | Delays in acquisition process. | Basic | Project schedule agreed to by upper management, constantly overseen by team. | In place. |
| 01/24/2003 | 2 - Initial Costs | Funding shortfalls | Basic | Management participation in Project Agreement. | In place. |
| 01/24/2003 | 3 - Life-Cycle Costs | Costs may exceed original estimates | Basic | Fixed price contracting with explicit deliverables. | In place. |
| 09/01/2002 | 4 - Technical Obsolescence | Aging system(s) will be unable to provide utilities at reasonable cost compared to newer technology | Basic | Periodic refreshment when technological advances provide cost-effective alternatives | In place. |
| 09/01/2002 | 5 - Feasibility | System(s) will be unable to provide necessary utility due to technical limitations | Basic | Continued market research to ensure workability of chosen solution. Performance-based contracts with options to allow flexible hardware/software acquisitions | In place. |
| 09/01/2002 | 6 - Reliability of Systems | System downtime reduces available computational cycles | Basic | Performance-based contracts with reliability specified as a deliverable. | In place. |
| 09/01/2002 | 7 - Dependencies and Interoperability Between This and Other Investments | System or its products will be unable to interact with other extant systems | Basic | Contract language to specify all interfaces. Utilize industry/community standards | In place. |
| 09/01/2002 | 8 - Surety (Asset Protection) Considerations | Loss of system productivity due to accident, abuse, or malicious intent | Basic | Personnel screening; limited physical access; activity restrictions in computer areas; fire/smoke alarms, suppression. | In place. |
| 09/01/1999 | 9 - Risk of Creating a Monopoly For Future Procurements | Continued selection of one vendor stifles competition | Basic | Full and open competition with stringent performance-based criteria | In place. |
| 09/01/2002 | 10 - Capability of Agency to Manage the Investment | Inadequate resources to monitor system, contract performance | Basic | Dedicated COTR; ongoing reviews of progress & assessment of options; management resources to address reporting requirements; implementation of services contract | In place. |
| 09/01/2002 | 11 - Overall Risk of Investment Failure | System fails to provide required capabilities. | Basic | Performance-based, fixed price contracts with explicit deliverables; investigation of vendor past performance; flexibility in selecting vendors; project management oversight | In place. |
| 03/01/2003 | 12 - Organizational and Change Management | Potential rejection by operating unit personnel; possible discontinuance due to personnel loss. | Basic | Educate operating unit personnel as to benefits of system and importance to organizational success. Develop and maintain policies and procedures for project planning and change management. | In place. |
| 09/01/2002 | 13 - Business | Possible vendor default or contract non-performance. | Basic | Use of integrator instead of hardware vendor as prime contractor. Performance-based deliverables. Option period in contracts to allow switch to alternate vendor | In place. |
| 09/01/2002 | 14 - Data/Info | Data loss | Basic | Extensive system back-ups, off-site data storage. | In place. |
| 09/01/2002 | 15 - Technology | Acquisition of inappropriate hardware/software solution. | Basic | Extensive benchmarking to simulate real workload to be run on new platform to ensure best solution | In place. |
| 09/01/2002 | 16 - Strategic | Community acceptance of adopted framework | Basic | Participation in multi-agency modeling efforts. Support for outside users. | In place. |
| 03/01/2003 | 17 - Security | Compromise of sensitive enterprise customer and staff data or lack of system confidentiality, integrity, or availability. | Medium | Full-time IT Security Officer, firewalls, strong IT security program, and simplified COTS architecture. | In place. |
| 09/01/2002 | 18 - Privacy | Unauthorized person(s) could access systems and personal information | Basic | Education of personnel as to privacy requirements; firewall; challenge/response token cards. On-going assessments. | In place. |
| 09/01/2002 | 19 - Project Resources | Reduction in funding | Basic | Structure acquisitions on the availability of funds on a year-by-year basis; continued education of management on system performance and value. | In place. |


Does the Risk Management Inventory need to be kept current?

Yes, the inventory includes risk mitigation targets and activities. The current table reflects whether or when these milestones are achieved and what new risk measures are needed as the project reaches later stages of development.

I.G. Acquisition Strategy

What if the investment involves multiple contracts or task orders?

In answering the acquisition questions, explicitly address each major task order or contract associated with the investment. A critical component of the acquisition strategy is incorporating performance-based contracting.

Does any other information need to be provided to supplement the Exhibit 300 for a Delegation of Procurement Authority (DPA) review?

Yes, supplementary information is required to support the Exhibit 300 when seeking DPA approval from the Department. This supplementary information is defined in a Department of Commerce document called "Attachment A" to the Exhibit 300.

Is use of commercial off the shelf software (COTS) products a requirement?

All IT investments should use COTS whenever possible. Detailed justification must be provided in response to questions 5, 5A, and 5B if COTS products are not used or are used and significantly modified.

Do the proposed acquisitions need to be performance-based?

An investment that doesn't use performance-based acquisitions will score no higher than 3 for the acquisition criteria. The Department's Office of Acquisition Management offers training for IT Project Managers to help them develop performance-based acquisition plans.

I.H. Project and Funding Plan

Can I name eCPIC as my Earned Value Management System (EVMS)?

This section captures a high level summary of an EVMS process. eCPIC is not a substitute for developing an earned value management process appropriate for your project's scale. The eCPIC Resource library contains an EVM template that can be used by Project Managers to help capture and track planned and actual cost and schedule information, as well as produce the required EVM graph.

How do I know whether the business practices I'm using qualify as an EVMS under the ANSI/EIA Standard 748?

Software can help support an EVMS but does not constitute an EVMS. ANSI/EIA Standard 748 describes the practices to be followed in employing an Earned Value Management System (EVMS). Each operating unit is responsible for ensuring that its own processes and procedures as well as those of contractors, continue to satisfy the EVMS Standard (and to verify that those processes and procedures are being followed appropriately). This EVMS verification is commonly called “surveillance.” An excellent model for establishing and maintaining an EVMS surveillance process is the National Defense Industrial Association (NDIA) Program Management Systems Committee’s “Surveillance Guide.”

Is an explanation needed if the Project Baseline is changed?

Yes. Under the earned value management system question enter the explanation for why the investment is being re-baselined.

What is meant by original baseline (Table I.H.2)?

Original baseline is the first OMB-approved project baseline. Normally this is kept unchanged throughout the project life cycle. Table I.H.3 is needed only if there are major changes proposed to the original baseline, such as receiving much less funding than expected or having originally accounted for only a few of the years of a multi-year investment. In that case, provide a proposed change as soon as it is confirmed, along with an explanation, to the operating unit and departmental CPIC coordinators. If OMB approves the change, enter the corrected plan in I.H.3 for the OMB Request phase and then make this the original baseline in the January Passback phase. Changes proposed in table I.H.3 are entered into table I.H.4.

What level of detail should be provided in the funding plan?

The funding or spend plan should correspond to the third level of the investment’s work breakdown structure and account for all spending included in the Summary of Spending by Project Stages table, i.e., cover the full investment life cycle. Break out spending by stage (planning, development/acquisition, operations and maintenance) and by contract wherever possible. This simplifies the project manager's identification of variances and ability to take corrective action. Limit sub-milestone durations to a single fiscal year or less. Include multiple functional milestones or sub-milestones each year for at least CY, BY, and BY+1. To facilitate this, eCPIC allows the import of MS Project plans. Also, eCPIC allows creation of sub-milestones several levels down while automatically aggregating the cost and schedule totals to the highest level.

How does the Exhibit 300 spend plan relate to the integrated baseline established in your EVMS?

The Exhibit 300 spend plan should be a high level summary sufficient to allow reviewers to determine if the investment is on schedule and within cost. Usually the Exhibit 300 milestones (which can accommodate sub-milestones) correspond to Level 3 of the investment's Work Breakdown Structure.

Do projects in the Operations and Maintenance (O&M) stage need an EVMS?

No, the performance of projects in steady state or O&M is measured through the use of operational analyses. See the Operational Analysis guidance for more details. However, to ensure that the spend plan accounts for all investment funding, include the annual O&M total as separate rows in the Original Baseline and in the Plan versus Actual table.

What if the investment project is on schedule but the EVMS funding amounts are different than the budgeted amount?

An EVMS tracks expenditures based on accruals, which are usually closer to outlays than they are to Budgetary Resources. Still, total project funding for the current stage shown in the Proposed or OMB Approved Baseline tables must match the Budgetary Resources total shown on the Summary of Spending table.

How does eCPIC calculate earned value?

eCPIC earned value calculations are based on the plan data in the OMB Approved Baseline and Actuals table compared to the actuals through the “As of Date”, which you must manually enter. The “As of date” field appears immediately after the plan vs. actual variance table. The resulting calculations are only accurate if the funding period for the "actuals" matches the funding period shown on the spend plan.

Can the EVMS statistics be entered manually?

Yes, the EVMS statistics can be calculated by an external system and then entered into eCPIC. If you do so, you must answer the question “If the EVM data provided below has been gathered from or provided by an outside system identify which fields are hand entered and where the data came from.” The eCPIC resource library includes an EVMS file with applicable statistical formulae. If you choose not to use eCPIC automatic calculations, attach a spreadsheet containing your work to the investment's resource library in eCPIC.

How often should EVMS data be calculated and updated?

To be considered compliant with ANSI/EIA Standard 748-A, EVMS data must be calculated at least monthly. The Spend Plan and EVMS data in eCPIC is expected to match the quarterly EVM report sent to the Department. When recalculating the EVMS data the user must enter the new ‘As of Date’. The user must also update the OMB Approved Baseline and Actuals table with the latest ‘Actuals’. Click on “Calculate” at the bottom of the EVMS table to have eCPIC recalculate the EVMS statistics. Click “Save” to commit the new data to the database.

Is the externally generated EVMS graph stored in eCPIC?

An EVMS graph must be plotted monthly for every investment in the planning and acquisition stage. Whenever the Exhibit 300 is to be submitted to the Department, attach the latest EVMS graph to eCPIC in the investment's resource library.

Does the Agency Head need to approve program continuation if the cost, schedule or performance variance is 10% or greater (see H.4.G)?

If the negative variance is 10% or greater a “Yes” answer is required to the “Corrective Actions/Continuance” question in order for OMB to give the investment any further consideration. In explaining cost or schedule variances address any changes to the spend plan baseline and associate all variances with specific risks and mitigation strategies cited in the risk management section.

Part II. Additional Business Case Criteria for Information Technology

For operational systems all questions in Part II must be answered with a focus on an E-Gov strategy review, a comprehensive review that identifies smarter and more cost effective methods for delivering the performance.

Section II.A. Enterprise Architecture

Have all the Federal Enterprise Architecture Reference Models been issued?

The Business Reference Model, the Service Component Reference Model, the Technical Reference Model and the Performance Reference Model and a Data Reference Model have all been issued.

Is this investment identified in your agency's enterprise architecture? If not, why?

Each investment should be a product of comparing the current architecture with the target architecture and developing a gap analysis. The intent of the investment should be to bridge one or more of the gaps identified. If the investment is driven by new legislative mandates, then the architecture may not have been updated to reflect the changes, but should be.

Regardless of how the Architecture is documented, the initiative should be clearly identifiable in the Target Architecture.

Explain how this investment conforms to your departmental (entire agency) enterprise architecture?

Indicate specifically how the investment conforms to the DOC EA. This can be done by showing use of common infrastructure components, adherence to the DOC Technical Reference Model (cite specific items), consolidation of duplicative business processes, and/or increasing access to shared data, for example. Additionally, the initiative should be identified in the Gap Analysis of your Enterprise Architecture (EA). The investment should comply with the architecture principles of each architecture view, and the technical solution must be in full compliance with the DOC and operating unit Technical Reference Model.

What if there was no reengineering done as part of the investment?

Any investment that provides new or altered capabilities by definition changes the way business is conducted. After all, if there is no change, then why is the action being done? The only case where there will rarely be reengineering is for technology refreshment or for a purely hardware upgrade. A full process review and redesign should always precede a decision on whether or how to make an IT investment to improve the process.

How do you identify the Lines of Business and add new Sub-Functions within the Federal Enterprise Architecture Business Reference Model that will be supported by this initiative?

The Federal Enterprise Architecture Business Reference Model version 2 is designed to categorize all activities of the Federal Government into well-defined lines of business. These lines of business are based on function and not organization. Each line of business is subdivided into additional categories to delineate sub-functions within the primary line of business. If the primary mapping of the investment is to the “Services for Citizens” business area there must also be a secondary mapping to the “Mode of Delivery” business area in this table. See the FEA Guidance for additional information. In BY 2007 only 3 secondary mappings may be sent to OMB in this table.

To add a new sub-function to Table II.A.1, select a Business Area, then select a Line of Business, then select a Sub-Function pausing between each selection while the system refreshes the list of choices, and click ‘ADD’. If you wish to edit or delete a row on the table, click on the EDIT link to the extreme right of the row you wish to edit. This will pull the selected row’s data into the select boxes. Make adjustments as needed and either click UPDATE to submit the change to the table or DELETE to delete the row from the table.

Was this investment approved through the Enterprise Architecture (EA) Review committee at your agency?

Cite the review conducted within your operating unit or the review conducted by the Commerce IT Review Board (CITRB). All major investments are reviewed by the CITRB.

What are the implications for the agency business architecture?

Every new IT investment should impact the business architecture, changing it for the better. It would be difficult to defend the need for that investment if it had no such impact. Indicate what changes to organization, business processes, etc. are engendered by this initiative.

II.A.2 Data

What types of data will be used in this investment project?

A project may often use several different types of data, such as financial, statistical, and geospatial.

Does the data needed for this investment project already exist at the Federal, State, or Local level? If so, what are your plans to gain access to that data?

Where possible, existing data should be used at the source, not replicated and used locally. Access to the data may require interfaces to existing systems, which involve not only the technical solutions but also all security and privacy considerations.

Are there legal reasons why this data cannot be transferred? If so, what are they and did you address them in the barriers and risk sections above?

Legal reasons typically include privacy and security concerns that are specifically documented either by law, regulation, or directives from the White House or OMB.

What is spatial data and OMB Circular A-16?

Spatial data refers to data used to generate maps of various types as well as support geographical information systems. OMB Circular A-16 requires that such systems adhere to adopted standards (see information quality below) to maintain the accessibility of the data and allow exchange of the data with other systems.

Does the Department have information quality guidelines?

Yes. See Commerce's Information Quality Guidelines for ensuring and maximizing the quality, objectivity, utility, and integrity of disseminated information.

II.A.3 Application and Technology

What should be included in discussing the investment's relationship to the application and technology layers of the EA?

This discussion should include the number and types of servers and the operating system to be used, the software products used to deploy the application (indicate if it is a COTS or custom developed application), as well as the network infrastructure used to deploy the application. The discussion must also include the type of system architecture used (client/server, Web based, n-tier, host based, etc.), how the end users access the application, and all interfaces to other systems, internal and external.

Are all of the hardware, applications, and infrastructure requirements for this investment included in the EA Technical Reference Model?

The Technical Reference Model (TRM) and associated Standards Profile describe in detail the requirements for the various software, hardware, and telecommunications components of the EA. To be compliant with the TRM, a product must at least meet the requirements of all applicable standards, otherwise it is not an "approved" product.

How is SRM data entered into eCPIC?

To add a new row to the Service Component Reference Model Table from the existing SRM, step through the drop down menus for Service Domain, Service Type, and Service Component, making a selection from each menu and waiting for the screen to refresh after each selection. Once you have made three selections, click on SUBMIT to add the row to the table. If you wish to edit a row on the table, click on the EDIT link to the extreme right of the row you wish to edit. If you wish to delete a row from the table, click on the EDIT link to the extreme right of the row you wish to delete then click on the DELETE button at the bottom of the select boxes.

How do I Customize a Service Component in the SRM?

To add a custom Service Component to the SRM table, follow the above steps but leave the Select a Service Component drop down menu blank. Click on the radio button next to YES for a New Component and add the title and description of the new Service Component in the New Component Description box below. Click on Submit to add the new service component to the table. Repeat this in every investment that uses the custom service component.

How do I map the TRM with the SRM?

OMB has requested that all TRM entries be mapped to the SRM. A new column has been added to the TRM table that maps the row back to the SRM. To enter the mapping, EDIT the row, select the appropriate SRM mapping from the drop down list at the bottom of the entry field, then click UPDATE.

Section II.B Security and Privacy

How important is it to fully answer all these questions?

Any IT investment rated 3 or less in the security area will be put on OMB's watch list and as a result may not be recommended for funding.

What information should be addressed in Section II.B of the Exhibit 300?

Describe the system security controls in familiar terms, preferably the terms used in NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems. Address both overarching security and security specific to the investment (i.e., system/application). This guidance describes security in terms of three control classes (Management, Operational, and Technical) that comprise the 17 control families (see NIST Special Publication 800-53, section 3.2.1, page 6). Provide accurate and consistent descriptions of the security controls associated with an investment. For example, if there are multiple systems associated with the investment, state this to avoid confusion. If different systems associated with the same investment are in different system life cycle phases, identify which phase each is in and use the correct verb tense to describe the security controls in place or planned.

II.B.1: Explain how security is provided and funded for the investment project.

Briefly describe the key security controls, either by the overall control areas (Management Controls, Operational Controls, and Technical Controls) or by selecting key controls from the list of 17 control families cited above. Select elements that are not discussed in section II.B.2. For example, under Management Controls, describe the process for periodic review of security controls (control family 2) and how security is considered in the project's life cycle (control family 3). Under Operational Controls, describe the process for physical and environmental protection (control family 6), configuration management (control family 8), and contingency planning (control family 7). For Technical Controls, describe how identification and authentication provides security (control family 14). When discussing controls, describe the use of secure configuration standards/settings, configuration management, and patch management as they pertain to the investment. Also state whether a life cycle methodology was followed for the system and that it covers IT security considerations throughout the system’s life cycle. In addition, the Exhibit 300 should indicate that a Configuration Management Plan has been documented for the system. Adopting secure configuration standards, documenting them in the system security plan, maintaining them throughout the life cycle by effective configuration and patch management processes, and testing their continued effectiveness is key to ensuring that an adequate level of security is retained.

II.B.1.A: FISMA requires that Project Managers integrate funding for the investment's IT security controls into the life cycle cost of all IT investments. This funding must be adequate to certify and accredit the system, to mitigate IT security weaknesses identified during operations through annual self-assessments, and to support the required monitoring of controls during the investment's operational life. Identify the total dollar amount spent on IT security for this investment in the budget year.

II.B.2 and sub-questions A through F:

Provide clear and descriptive responses to each question. OMB has placed on its watch list investments that failed to provide a recent date or an adequate explanation for these questions.

II.B.2.A: An up-to-date security plan is one that was revised after the last significant system change or within three years of the current date, whichever is more recent. If a plan (or plans) exists, provide the plan approval date and state whether the plan complies with the requirements of OMB and NIST guidance, namely OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources, and NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems. If an up-to-date, compliant plan (or plans) does not exist, explain why and provide the target completion date.

II.B.2.B: For the certification and accreditation (C&A) methodology, OMB requires conformance with NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems. If multiple C&A packages are associated with one investment, document the C&A status of each system, including the Commerce System ID number and corresponding system name. Specify the title of the program official serving as the Authorizing Official (AO) for each system. If full certification and accreditation has not been completed (for example, for new systems under development), or if any system is operating under an interim authority to operate, explain why and provide the target C&A completion date.

Select the appropriate status from the eCPIC C&A status field to feed information to the Exhibit 53. This field may be left blank only for investments in the Enterprise Architecture (Part 3) section of the Exhibit 53. If a score of 00 or 25 is entered, provide a justification (such as the system or sub-system being in the development stage of the life cycle) in section II.B.2.B.

II.B.2.C: Describe whether the Office of the Inspector General, the Government Accountability Office (GAO), or the DOC Compliance Review Program has audited the investment project. Such audits examine and test the effectiveness and adequacy of management, operational, and technical controls in accordance with GAO's Federal Information System Controls Audit Manual and other assessment best practices. Also describe all internal self-assessments performed (e.g., the required quarterly vulnerability scans and the annual NIST Special Publication 800-26 self-assessment checklist). State the date of the most recent review(s). If the system(s) was/were certified and accredited within the past year, state the extent to which management, operational, and technical controls were tested during the certification effort(s).

II.B.2.D: State whether system users have completed training in general IT security concepts within the past twelve months, as well as system-specific security training if the investment pertains to a specific software application. Describe the nature of the IT security training provided (e.g., Web-based training, read-and-sign agreements, warning banners at system logon) and its frequency. DOC requires general IT security training at entry on duty and annual refresher training thereafter. System-specific training and updates of user agreements are conducted at the determination of the system owner. Describe any user manuals developed and distributed to system users, and specify whether training includes briefing users on the system rules of behavior and the consequences of non-compliance.

II.B.2.E: DOC recommends a three-pronged response for "incident handling" that addresses prevention, detection, and correction/resumption:

    • First, describe the implementation of specific operational and technical controls that prevent and detect intrusions into the investment's computing environment, and how such detections are handled. Begin by stating that security is a priority and that controls have therefore been strengthened, implemented, or planned to reduce the opportunity for intrusion (cite one or two examples).

    • Next, describe the detection capabilities in terms of established policies and procedures (provide dates issued and topics covered), use of audit logs (describe the key events captured and the frequency of review), and technical devices (type of intrusion detection sensors installed and frequency of monitoring). Add that incidents are reported to the DOC Computer Incident Response Team (DOC-CIRT), or to an operating unit-specific CIRT as appropriate, which in turn reports incidents to the United States Computer Emergency Readiness Team (US-CERT).

    • Conclude by describing the procedures in place to recover from minor and major interruptions in service or loss of data after an incident has been detected, isolated, and terminated, as well as the frequency with which the recovery plan is tested.

II.B.2.F: If contract services are included in system support and acquisition planning is described in section I.G of the Exhibit 300, DOC requires application of Procurement Memorandum 2003-09 and the Commerce Acquisition Regulation (CAR) clauses issued by that memorandum. In addition, DOC requires application of the CAR clauses stated in Commerce Acquisition Manual (CAM) section 1337.70, Security Processing Requirements for On-Site Service Contracts, and the related CAM Notice 00-02. These provide facility access criteria and contract language for IT service contracts. DOC also recommends use of National Institute of Standards and Technology (NIST) Special Publication 800-64, Security Considerations in the Information System Development Life Cycle, which provides additional guidance on security considerations during the acquisition process. DOC requires that contractor operations be reviewed annually for compliance with IT security requirements using the methodology in NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems. State that these clauses are incorporated in all IT service acquisitions associated with this investment. Also state that the program manager ensures that the Contracting Officer's Representative (COR), in consultation with the IT Security Office, uses the NIST Special Publication 800-26 methodology to review contractor compliance with DOC IT security requirements.

II.B.3: State whether the investment project permits public access. If it does, describe the operational and technical controls in place to protect privacy (also see the earlier Q&A on "Privacy Impact Assessment"). Discuss whether the criteria in OMB Memorandum M-04-04 apply to the investment and, if so, state that an e-authentication risk assessment has been performed. The results of that assessment (i.e., the e-authentication assurance level and the associated controls consistent with NIST Special Publication 800-63) must be mentioned. This discussion may also address compliance with FIPS encryption standards (i.e., compliant algorithms and modes of operation).

II.B.4: State whether the investment project collects, uses, processes, transmits, or stores personal information. If so, state the reason and describe the policies and procedures in place to ensure the proper handling of personal information.

II.B.5: Answer "Yes" to the PIA question only if the investment is required to submit a PIA under OMB criteria and a PIA has been submitted. All other investments should answer this question "No".

What if I need more help in preparing Section II.B of the Exhibit 300?

Consult with the system and IT security professionals knowledgeable about your specific project. In addition, your IT Security Officer and the DOC Office of the Chief Information Officer's IT Security Program Team can assist you in responding to these questions.

What if I have additional questions regarding the Exhibit 300 or eCPIC?

If you have questions regarding this advice or need related assistance on using eCPIC to complete an Exhibit 300, please contact Stuart Simon at 202-482-0275, or, ssimon@doc.gov.