HHS OCIO Procedures for Information Technology (IT) Capital Planning and Investment Control (CPIC)

Table of Contents

Appendices are found in CPIC Procedures Appendices

 Overview

Purpose

The purpose of the Health and Human Services Information Technology Capital Planning and Investment Control Procedures is to define the processes and activities necessary to optimize HHS’s Information Technology (IT) portfolio. This is accomplished by providing clearly defined steps that ensure investments are well planned, cost-effective, and support the missions and business goals of the organization. This document is based on guidance from the Office of Management and Budget (OMB) and the Government Accountability Office (GAO), HHS policies, and industry best practices. The document’s over-arching purpose is to provide investment managers a practical handbook to use as they shepherd their project through the CPIC process.

Several guiding principles govern the HHS Capital Planning and Investment Control (CPIC) process, and are reflected in the detailed CPIC document. The CPIC Process will:

• Define Accountability:  All parties will have clearly defined roles and responsibilities, and are expected to follow the process
• Add Value: CPIC is not merely a regulatory requirement, but an opportunity for HHS IT to better govern and manage its portfolio, increasing Return On Investment. Only metrics that will be acted on will be captured.
• Be Relevant: The process will be simple and flexible, yet effective. HHS will seriously consider input from Operational Divisions (OPDIVs) on process and solution needs, and will strive for consistency and to accommodate unique OPDIV needs.
• Manage Exceptions: All investments meeting Department-Level CPIC review thresholds will be reviewed by the HHS CPIC Team. Only projects that deviate from acceptable tolerances will be elevated to the CIO Council or ITIRB Control for reviews. [1]  All other investments are assumed to be meeting cost, schedule, and performance goals.
• Generate Decisions:  Decisions will be clearly sought, made, documented, and communicated by the appropriate governing body.

This procedures document is intended to be a practitioner’s manual. Each HHS OPDIV will adhere to the same policy and processes, making modifications, as appropriate. Evaluation of compliance to these processes will be conducted annually in order to ensure the entire HHS is following the CPIC guidance. Refer to HHS OCIO IT CPIC Policy (HHS-OCIO-2005-0005.001) for further policy details.

Capital Planning and Investment Control (CPIC) is HHS’s primary process for: (1) making decisions about initiatives and systems in which HHS should invest, (2) assessing the investment process’s effectiveness, and (3) refining policies and investment procedures as necessary.

CPIC Overview

CPIC is a structured approach to managing IT investments. CPIC ensures that IT investments align with the HHS mission, strategic goals, and objectives, and support business needs, while minimizing risks and maximizing returns throughout the investments’ life cycle. CPIC relies on systematic selection, control, and continual evaluation processes to ensure that the investments’ objectives are met efficiently and effectively.

At the highest level, the CPIC process contains 3 sequential phases that reflect an investment’s advancing maturity:

• Select Phase:  An investment is requested by high-level directive, or, conversely, a business specialist proposes IT investments. For proposed investments, executive decision-makers assess each investment’s contribution to HHS’s strategic and mission needs. Promising investments are then selected for further planning and analysis.

Project planning activities such as performing a cost benefit analysis (CBA), developing functional requirements, and constructing a high-level project plan follow. Based on an initiative’s strategic, technical, and financial merits, the ITIRB selects IT investments for inclusion in the IT portfolio.

• Control Phase: Through timely oversight, quality control, and executive review, HHS ensures that the investment manager is managing development activities to meet planned cost, schedule, and performance goals.
• Evaluate Phase: Actual results of the implemented projects are compared to expectations to assess investment performance. This is done to assess the investment’s impact on mission performance, identify any investment changes or modifications that may be needed, and revise the investment management process based on lessons learned.

Mature systems are assessed to ascertain their continued effectiveness in supporting mission requirements, evaluated for the cost of continued maintenance support, assessed for potential technology opportunities, and considered for retirement or replacement options.

Each of these three phases is structured with common elements that provide a consistent, predictable, and coordinated flow of activities within each phase. The relationship between the three phases is expressed in Figure 1.

Figure 1. The Three CPIC Phases and the Common Elements within Each Phase

(Investments move through phases Select through Evaluate and must pass through a control that scores each investment based upon the relative strengths of its entry, process, and exit criteria.)

The information flows shown in Figure 1 displays a feedback mechanism to institutionalize lessons learned. Approved investments become part of the HHS IT investment portfolio maintained by the Office of the Chief Information Officer. This portfolio is an inventory of HHS IT investments, as well as sup­porting strategic, technical, and financial information related to each investment’s risk and return profile. When all IT investments are consolidated into the Department’s portfolio, the HHS Office of the CIO can ensure that all systems support HHS’s mission and goals, and work in concert with each, when appropriate, including systems under development, systems currently in use, and systems scheduled for retirement and or replacement. All IT investment information required for the HHS CPIC Process is captured and maintained in the HHS Portfolio Management Tool (PMT). IT investment data captured in the PMT will be reported annually to OMB via Exhibit 53 and Exhibit 300, as required by OMB Circular A-11.

CPCC and the HHS IT Management Process

CPIC is the central process that integrates the overall HHS IT Management Process; it is not a stand-alone process. The Strategic and Performance Plan, the Enterprise Architecture, and IT Security Management Plan inform the CPIC process’ relation to the Budget Formulation and Execution cycle. CPIC, thereby, ensures that IT budgets that HHS requests and receives from OMB are aligned with the strategic priorities of the Department and of the IT organization.

Strategic and Performance Planning

The Government Performance and Results Act (GPRA) requires Federal agencies to develop strategic plans, develop annual performance plans that are tied to the Department goals and budget allocation, and report the actual results against performance plans. HHS develops and maintains a HHS-wide Strategic Plan that addresses HHS’s mission, goals, and objectives, the relationship of the goals and objectives to annual performance plans, and the factors affecting achievement of business goals or objectives. The IT Capital Planning and Investment Control process attempts to link all IT investments to the strategic goals of the Department. The Business Case for each IT investment, must identify its linkage to the Department’s mission, goals, and objectives, and address how it will enable and facilitate the achievement of the strategic goals and objectives. Investments that do not support a HHS goal, or cannot be directly tied to a goal, should be re-evaluated.

An HHS Annual Performance Plan is combined with the accountability report and is issued annually as the “Performance and Accountability Report”. It is developed to identify the major performance goals for the Department. Each performance goal establishes a current baseline (a reference position) from which progress is measured consistent with the HHS strategic plan objectives and tied to the Federal Enterprise Architecture (FEA) Performance Reference Model (PRM). The plan includes a goal that measures the extent to which IT investments are maintained within 5% of their planned cost and schedule. The data to measure this performance is derived from the IT Capital Planning and Investment Control process. In effect, the Annual Performance Plan is the culmination of the results of the performance of HHS’s capital investments as tied to the Strategic Plan.

HHS’s IT Investment Management Philosophy

IT Strategic Plan

The Department’s IT management philosophy is based on its IT Strategic Plan, which sets the following five tenets of strategic IT investment:

• Each IT investment should be justified and demonstrate benefit to HHS’s mission;
• The process used to select, control, and evaluate investments should be integrated with Department processes for budget, financial, and program decisions;
• IT investments should be managed as a portfolio;
• The portfolio should strive to balance investments so that strategic infrastructure and IT investments supporting HHS programs are in harmony; and
• Managers (business sponsors) are responsible and accountable for management of respective IT investments.

Enterprise Architecture (EA)

Departments are required to establish an integrated Enterprise Architecture (EA), which is tied to the Federal Enterprise Architecture (FEA). IT Investment Management, as illustrated in Figure 1, covers the three interrelated processes required by Federal statutory requirements, regulations, and guidance for both IT Capital Planning and Investment Control process and Enterprise Architecture.

The HHS Enterprise Architecture reference models conform to those of the Federal Enterprise Architecture (FEA) and are supported by several architecture teams, both at the Department level and at the Operating Division level. The HHS Enterprise Architecture Repository is a systems inventory and the primary tool used in the development of the modernization blueprints. The OPDIV Enterprise Architecture Repository is the systems inventory for the individual OPDIV level architecture management of OPDIV unique business requirements and is also considered to be a portion of the "integrated HHS EA".

CPIC and EA Alignment

Alignment with the HHS Enterprise Architecture (EA) is a critical step in the review and evaluation of investments through the HHS CPIC process.  The HHS Chief Enterprise Architect, through the EA Critical Partner Role, will ensure that the HHS Enterprise Architecture Program supports, augments, and reinforces the HHS CPIC process to ensure achievement of the mission, strategic and operational business needs of HHS. Refer to the HHS Enterprise Architecture Policy for a description of the HHS Enterprise Architecture Program.

Based on the Federal Enterprise Architecture (FEA), HHS has developed an architecture framework as a logical structure for organizing complex information about an enterprise. This information includes the enterprise’s business processes, participants, the hardware and software systems that support those processes and participants, and the rules and constraints under which the enterprise operates.  The HHS Enterprise Architecture framework helps HHS organize and present aspects of its architecture in a way that is understandable by all participants in the enterprise and by those outside the enterprise with which they must interact.

The HHS Enterprise Architecture (EA) enables HHS to:

• Analyze business processes to take advantage of standardization based on common functions to customers.
• Ensure that automated systems optimally support the business processes and minimize the data collection burden.
• Acquire new systems and coordinate technology investments with the Federal business systems and architecture.
• Facilitate IT Capital Planning and Investment Control and coordinate information technology investments.

The HHS EA supports the HHS CPIC process by defining a target direction for future IT investments, as well as facilitating IT investment decision-making. The HHS EA process provides checkpoints during the life cycle of the IT investment and manages the technical standards comprising the target technical architecture. The goal is to ensure that an IT investment provides demonstrable alignment with the HHS business processes and technological architecture. 

As the HHS EA matures, the two functions, EA and CPIC, continue to interact. The HHS EA development function creates enterprise architecture and the processes guiding the CPIC functions. The CPIC function, in turn, yields information that guides changes to the HHS EA. The architecture alignment and assessment process provide the mechanism to integrate the functions.

FEA frameworks such as the Business Reference Model (BRM), Technical Reference Model (TRM), Service Reference Model (SRM), Data Reference Model (DRM), and Performance Reference Model (PRM) provide means of describing, analyzing, and improving the Federal Government information systems. All proposed investments must be evaluated against the criteria established in these reference models as a means of assuring the most efficient use of IT resources.

Business Reference Model (BRM) is a function-driven framework that describes the Lines of Business and Internal Functions performed by the Federal government independent of the agencies that perform them. All IT investments (including non-major) are mapped to the BRM to identify collaboration opportunities.

Technical Reference Model (TRM) provides a framework to describe the standards, specifications, and technologies supporting the delivery, exchange, and construction of business (or Service) components and e-Gov solutions. The Federal TRM unifies existing Department TRMs and electronic Government guidance by providing a foundation to advance the re-use of technology and component services from a government-wide perspective.

Service Component Reference Model (SRM) provides a common frame­work and vocabulary for characterizing the IT and business components that collectively comprise an IT investment. The SRM will help agencies rapidly assemble IT solutions through the sharing and re-use of business and IT components. A component is a self-contained process, service, or IT capability with pre-determined functionality that may be exposed through
a business or technology interface.

Data Reference Model (DRM) describes, at an aggregate level, the data and information that supports government program and business line operations. This model enables agencies to describe the types of interaction and exchanges that occur between the Federal Government and citizens.

Performance Reference Model (PRM) is a standardized framework to measure the performance of major IT investments and their contributions to program performance. This model helps produce enhanced performance information to improve strategic and daily decision-making; improves the alignment and better articulates the contribution of inputs to outputs and outcomes; and identifies performance improvement opportunities that span traditional organizational structures and boundaries.

CPIC and IT Security

IT security is an explicit part of the IT CPIC process. All IT investments must demonstrate that costs are appropriate to assure reasonable IT security controls are explicitly incorporated into the life cycle planning of all systems in a manner consistent with FISMA and OMB guidance for IT investments. Cost reasonableness must be weighted with effective security of HHS information systems and is an integral component of business operations as required by OMB A-123.

Each business case should include costs associated with all aspects of security program expenses that would normally occur. For example: ongoing cyclical Certification and Accreditation (C&A), risk identification & mitigation activities, and day-to-day investment level security operations activities.

Budget Formulation and Execution

HHS’s IT CPIC process is closely aligned to HHS’s budget cycle processes. Annually, agencies are required to submit, in accordance with the requirements of OMB Circular A-11, IT investments as part of HHS’s budget request. All IT investments are to be included in the Federal budget request whether they are existing investments and systems, incremental increases for existing investments and systems or new initiatives. During the budget process, the reasonableness of the cost estimates is examined and agencies are held accountable for meeting the cost goals. Alternative analyses are conducted for each IT investment. The selection of the best alternative is based on a Cost Benefit Analysis (CBA) that uses a systematic analysis of expected benefits and costs. Estimates of risk adjusted costs and benefits show explicitly the performance, budget changes, and risks that result from undertaking the investment.

System Development Life Cycle

CPIC is formulated to align with the System Development Life Cycle (SDLC) procedures in order to provide the integration of system life-cycle management with IT investment management, specifically CPIC and EA, and information security procedures and practice.

Scope of CPIC

HHS’s CPIC covers IT investments originating at the supporting offices of the Operating Divisions to Department-wide systems originating in HHS level offices. All HHS IT investments are identified in the HHS IT portfolio management tool. OPDIV IT governance boards must follow the Department’s IT CPIC Process.

Key Decision Making Bodies — General Guidance

During the CPIC process, the following decision-making bodies are responsible for ensuring that proposed investments meet the Department’s strategic, business, and technical objectives:

The HHS CIO, as the Secretary’s delegated agent, makes the final decision based on the ITIRB’s recommendation.

HHS Information Technology Investment Review Board (ITIRB)

The Departmental-level IT governing body is the ITIRB. It is responsible for the following activities:

• Giving business approval (including funding level and source) for IT investments for which the HHS ITIRB has CPIC review authority.
• Establishing cost, schedule and performance baselines for all HHS IT investments approved by the HHS ITIRB.
• Ensuring that the Department’s IT investments individually and collectively maximize mission and financial returns.
• Establishing a prioritized HHS IT investment portfolio during each annual budget cycle to support HHS budget formulation.
• Ensuring that each IT investment requiring Department-level review complies with CPIC and other management policies (e.g., IT, financial, acquisition, enterprise architecture, and security).
• Recommending changes to Department policies relevant to IT investment management.
• Approving exceptions to established CPIC policy and procedures.

Requirements for Operating Division Management Review Boards[2]

Operating Divisions are required to establish and maintain active IT review boards modeled on the Departmental ITIRB. These boards are required as part of each Fiscal Year President’s Budget Select Phase. They will also be structured to conduct the Control, Evaluate, and Steady State monitoring activities. Specifically, Operating Division review boards will be structured to perform the following additional activities:

• Review on-going IT investments to ensure that their status, progress, and outlook are satisfactory and consistent with project plans.
• Identify deficiencies in project management and monitor corrective actions.
• Provide recommendations to the ITIRB and CIO Council to support their decision to continue, reduce, terminate, or defer IT investments.
• Conduct periodic reviews of investment status, control, performance, risk and outlook for approved and funded IT investments.
• Establish and execute the necessary project controls to manage requirements; risk; cost, schedule, and performance baselines; and performance outcomes.

Critical Partners provide input to ensure that IT investments comply with HHS policy in the respective critical partner functional areas and to advise the HHS IT Governance Boards and individual IT investment managers regarding functional issues in their areas of expertise.

The Critical Partners are Subject Matter Experts from Enterprise Architecture, Security and Privacy, Acquisition, Finance, Budget, and Human Resources.

As part of the IT CPIC process, HHS has instituted an IT Investment Management improvement effort based on the Government Accountability Office’s (GAO) guidelines for IT Investment Management (ITIM) maturity framework. The objective is to establish a Department-wide IT portfolio managed by the HHS OCIO, composed of functional or operational OPDIV portfolios, including equipment, services, applications, staff, and managers. HHS’s portfolio will be effectively managed to change as new IT initiatives are added, new technology is introduced, new policy is implemented, or investments are retired or replaced while still remaining true to the Department’s overall mission. As a result, investment managers, business sponsors, and system managers will be guided by one all-encompassing process with well-defined sub-processes, following GAO’s recommendations.

HHS’s IT CPIC Process Overview

HHS’s IT management is based on the fundamental phases of an IT CPIC process, as described by the OMB, the GAO, and Federal Chief Information Officers’ (CIO) Council guidance. This guidance directs that investment control processes must include the three essential phases: Select, Control, and Evaluate. Each phase is conducted as part of a continual interdependent management effort aimed at moving from a fixation on project-by-project focus to a bigger perspective on investment trends, directions, and outcomes. The CIO Council document, “Smart Practices in Capital Planning,” states: “Effective capital planning requires long range planning and a disciplined budget process as the basis for managing a portfolio of assets to achieve performance goals and objectives with minimal risks, lowest life cycle costs, and greatest benefits to the business.” Best practices include a multi-tiered process to assure an optimal IT investment portfolio. Each tier is empowered to make decisions and approvals through formal charters. Approval decisions may result in reallocating or requesting new funding, adding new investments, and postponing, or even canceling, investments.

1.    Introduction

This document describes the United States Department of Health and Human Services (HHS) Information Technology (IT) Capital Planning and Investment Control (CPIC) process. It outlines a framework for HHS to manage its IT investment port­folio. This investment management process allows HHS to optimize the benefits of scarce IT resources, address the strategic needs of HHS, and comply with applicable laws and guidance.

CPIC is a structured approach to managing IT investments. CPIC ensures that IT investments align with the HHS mission, strategic goals, and objectives, and support business needs, while minimizing risks and maximizing returns throughout the investment’s life cycle. CPIC relies on systematic selection, control, and continual evaluation processes to ensure that the investment’s objectives are met efficiently and effectively.

Through sound management of these investments, the Information Technology Investment Review Board (ITIRB) makes recommendations regarding the IT direction for HHS, and ensures that OPDIVs and offices manage IT investments with the objective of maximizing return to the Department and achieving business goals.

Seven statutes require Federal agencies to revise their operational and management practices to achieve greater mission efficiency and effectiveness. These laws include:

• The Chief Financial Officer (CFO) Act of 1990
• The Government Performance and Results Act of 1993 (GPRA)
• The Federal Acquisition Streamlining Act of 1994 (FASA)
• The Paperwork Reduction Act of 1995 (PRA)
• The Clinger-Cohen Act of 1996 (CCA)
• The Government Paperwork Elimination Act of 1998 (GPEA)
• The Federal Information Security Management Act (FISMA - 2002)
• E-Gov Act of 2002

This CPIC Procedures document is based upon the IT aspects of these laws, and focuses specifically on the Clinger Cohen Act (CCA) requirements. The CCA’s objective is that senior managers use a CPIC process to systemically maximize the benefits of IT investments. The CCA further describes CPIC as follows:

“The Head of each executive agency shall design and implement in the executive agency a process for maximizing the value and assessing and managing the risk of the information technology acquisitions of the executive agency,” and

“The process shall:

• Provide for the selection of information technology investments to be made by the executive agency, the management of such investments, and the evaluation of the results of such investments;
• Be integrated with the processes for making budget, financial, and program management decisions within the executive agency;
• Include minimum criteria to be applied in considering whether to undertake a particular investment in information systems, criteria related to the quantitatively expressed projected net risk-adjusted return on investment and specific quantitative and qualitative criteria for comparing and prioritizing alternative investments;
• Provide for identifying information systems investments that would result in shared benefits or costs for other Federal agencies of State or local governments;
• Require identification of quantifiable measurements for determining the net benefits and risks of a proposal investment; and
• Provide the means for senior management to obtain timely information regarding the progress of an investment, including a system of milestones for measuring progress, on an independently verifiable basis, in terms of cost, capability of the system to meet specified requirements, timeliness, and quality.”

Beyond the legislative background, there is extensive guidance from the Federal Chief Information Officer (CIO) Council, the Office of Management and Budget (OMB), the Government Accountability Office (GAO), and others in the area of IT investment management.

The CPIC process is primarily supported and maintained by the HHS Office of the Chief Information Officer (OCIO). For further information about this Procedures document or the CPIC process, please contact the HHS CPIC Office.

All Departmental IT system development, maintenance efforts, and infrastructure computing resources at all levels of sensitivity, whether owned and operated by HHS, or operated on behalf of HHS must comply with this CPIC guidance.

IT investments that meet one or more of the thresholds described in section 4.1.5 of the HHS CPIC Policy (HHS-OCIO-2005-0005.001) shall be designated for Department-level review. All other IT investments shall be designated for HHS OPDIV-level review. It is expected that each individual HHS OPDIV will have a similar CPIC process, manage its own portfolio, and create associated criteria. At a minimum, each OPDIV is expected to use the CPIC process to manage its IT investments.

IT investments are designated as either “major,” “tactical,” or “supporting.” The criteria for an investment are described in the following section.

Figure 2:  IT Investment Categories

Notes:

1.  Major IT investments are defined as those HHS IT investments that:

• Have total planned outlays (i.e., Development, Modernization, Enhancement (DME) and Steady State) of $10 million or more in the budget year.
• Are for financial management and obligate more than $500,000 annually.
• Are otherwise designated by the HHS CIO as critical to the HHS mission or to the administration of HHS programs, finances, property or other resources.
• Have life-cycle costs equal to or greater than $50 million.

2.Tactical IT investments are defined as those IT investments that have not been designated as major IT investments and:

• Have planned total outlays (i.e., DME and Steady State) of $3 million or more in the budget year.
• Are otherwise designated by the HHS CIO as significant to the HHS mission or to the administration of HHS programs, finances, property or other resources.

3. Supporting IT investments are those IT investments not otherwise designated as major or tactical that:

• Have planned total outlays (i.e., DME and Steady State) of less than $3 million in the budget year.
• Have been designated by the HHS CIO as supporting IT investments.

For a detailed list of requirements by investment categories see Appendix A: Requirements by Investment Categories.

The following decision-making bodies and personnel have been established. For further details regarding the various roles and responsibilities refer to HHS OCIO IT CPIC Policy (HHS-OCIO-2005-0005.001).

The HHS Information Technology Investment Review Board (ITIRB): A cross-functional executive review committee responsible for overseeing the management of the HHS IT portfolio, approving the allocation of IT resources to best achieve HHS strategic goals and objectives within budget limits, and leveraging opportunities for collaboration across HHS OPDIVs on IT investments that support common lines of business. The HHS ITIRB shall ensure that the HHS IT investment portfolio meets the business needs of the Department in the most effective and efficient manner.

HHS Chief Information Officer (CIO): Responsible for setting Departmental IT policy, reviewing all IT investments; and, as the chair of the ITIRB and Secretary’s designated Information Technology (IT) manager makes final decisions regarding HHS IT investments.

HHS CIO Council: A cross-OPDIV review committee responsible for reviewing the technical and managerial soundness of IT investments and providing technical recommendations to the ITIRB. Other organizational entities shall, as required, support the CPIC process and the ITIRB and CIO Council deliberations.

HHS CPIC Advisory Board (CPIC-AB): Serves, through the HHS Chief Enterprise Architect, as the primary advisory board to the HHS Chief Information Officer (CIO) and the HHS CIO Council on CPIC policy, procedures, tool configuration, and data standards for the tool. The CPIC-AB shall be chaired by the HHS Capital Planning and Investment Control Officer with membership comprised of the HHS Portfolio Management Tool Program Manager, a representative from each HHS OPDIV, and a technical representative from the IT Service Center.

HHS CPIC Team: Provides subject matter expertise to HHS OPDIVs in IT CPIC and investment portfolio management to ensure consistency in meeting Federal and Departmental CPIC policy intent. The team manages the CPIC process to ensure consistency across the Department, and provide clear understanding of process roles, responsibilities, and timing among all accountable parties. The HHS CPIC Team also manages, measures, and improves the CPIC policy, process, procedures, and tools to promote continuous improvement of the CPIC process and its outcomes. The HHS CPIC Team coordinates the review and articulation of issues coming before the HHS IT Governance Boards; provides guidance to HHS OPDIVs on Board-established reporting and presentation requirements for Board reviews; and determines whether HHS OPDIVs have satisfied Board-established review requirements.

HHS CPIC Critical Partners:  Responsible for providing input to ensure that IT investments comply with HHS policy in the respective critical partner functional areas and to advise the HHS IT Governance Boards and individual IT investment managers regarding functional issues in their areas of expertise.

Operating Division Chief Information Officer: Responsible for implementing Departmental policy, reviewing OPDIV specific investments, and making recommendations to the OPDIV or office ITIRB.

Integrated Project Team (IPT): Established by the manager of each IT investment with technical and critical partner expertise appropriate to the size, complexity and operational requirements of the investment. The IPT shall be headed by a qualified Investment Manager. Investment Managers shall be deemed as possessing professional qualifications on the basis of criteria established by the HHS CIO.

Budget Analyst: Official responsible for serving as the primary interface between the investment and the Budget Office.

Business Steering Committee:  whether at the HHS or OPDIV level, reviews and recommends IT investments in its particular business area to ensure integration and alignment with HHS business goals and objectives, and to ensure that the proposed portfolio of systems in that particular business area meets HHS business requirements. A Business Steering Committee looks across the organization and its key business functions to determine impacts on other systems, business operations, etc. A Business Steering Committee interfaces with business sponsors and investment managers and provides recommendations to respective ITIRBs regarding business issues. Members of a Business Steering Committee include key business managers from the organization.

Contracting Officer: Official responsible for serving as the primary acquisition support for the investment and interface between the investment and the Office of Acquisition and Property Management.

CPIC Sponsor: Responsible official for providing executive sponsorship of the investment; should be a senior level executive within the applicable mission area or office or OPDIV.

IT Investment Manager: Trained or experienced official responsible for management and completion of one or more IT investment projects.

Business Sponsor or Functional Manager: Business official responsible for the strategic business processes under development or enhancement and for ensuring their integrity; also serves as the primary user interface to the CIO and ITIRB.

System Owner: Responsible for ensuring that the system is evaluated on an annual basis and receives an appropriate level of funding for the operations and maintenance of the system.

The CPIC is a structured process in which proposed and ongoing IT invest­ments are continually monitored throughout their lifecycle. Successful investments and those that are terminated or delayed are evaluated both to assess the impact on future proposals and to benefit from any lessons learned. The CPIC contains three phases (Select, Control, and Evaluate). The HHS process also includes multiple sub-processes as shown in Figure 1-1. As detailed in this document, each sub-process contains the following common elements:

Purpose: Describes the objective of the specific sub-process;

Entry Criteria: Describes the sub-process requirements, and thresholds for entering the process;

Process: Describes the type of justification, planning, and review that will occur in the sub-process; and

Exit Criteria: Describes the action necessary for proceeding to the next sub-process.

Completing one complete phase and the sub-processes within each is normally necessary before beginning a subsequent phase. Each phase is overseen by the ITIRB, which ultimately approves or rejects an investment’s advancement to the next phase. This ensures that each investment receives the appropriate level of managerial review and that coordination and accountability exist. Figure 1-1 below provides a diagram of the phases and sub-processes described within this document.

Figure 1-1 – CPIC Process Overview

The processes and sub-processes shown in Figure 1-1 provide the basis for HHS CPIC activities. The key HHS and Operating Division (OPDIV) organizational entities and how they relate to the IT Governance structure are shown in Figure 1-2 below.

                                Figure 1-2 Key Organizational Entities and IT Governance

Figure 1-3 represents a suggested model for working with a large scale and complex portfolio of HHS-wide IT investments. 

Figure 1-3 Suggested Major Investment Oversight and Governance for Large-Scale and Highly Integrated Subportfolios of IT Investments

These organizations and their various roles will be referred to within this document.

HHS OPDIVs and staff offices that have new IT investments meeting the threshold for Department-level CPIC Review must prepare a business case according to the guidelines provided in this document. Each business case is analyzed by the CPIC Team for quality and conformance to policies and guidelines and reviewed against the applicable strategic investment criteria. A recommendation is then prepared and forwarded to the ITIRB for approval or disapproval. Approval, if granted, is an approval of the business case and its concept for the select phase, indicating that the office or OPDIV has done the preparatory work necessary to fully justify the investment, and has the mechanisms in place to manage the investment through the other CPIC phases. The investment must still compete for funding through HHS’s budget process and the Secretary’s Budget Council (SBC). The business case is further refined and submitted for HHS ITIRB approval at each subsequent phase.

All IT investments must conform to any guidance issued by the ITIRB in conjunction with the Modernization Blueprints for key lines of business.

Approved investments must move through the CPIC processes to obtain investment funding. They must conform to any guidance issued by the HHS ITIRB. The HHS CPIC Team in the HHS OCIO is responsible for monitoring the CPIC processes.

This document is divided into eight chapters and 11 appendices as described below:

Chapter 1: Introduction. Describes the CPIC purpose, scope, thresholds, roles, process, and documents the structure.

Chapter 2: Select Phase Screening Process. Provides a process and mechanism to assess an investment’s support of the Department’s strategic and mission needs.

Chapter 3: Select Phase Pre-Selection Process. Provides tools to ensure that IT investments are chosen that best support the department’s mission and that support HHS’s approach to enterprise architecture.

Chapter 4: Select Phase Portfolio Prioritization Process. Provides a process to select and fund the most appropriate and feasible proposed investments. Investments are compared and a portfolio of IT investments is created.

Chapter 5: Control Phase Periodic Review Process. Provides guidance to ensure that IT investment initiatives are conducted in a disciplined, well-managed, and consistent manner, which promote the delivery of quality products and result in initiatives that are completed within scope, on time, and within budget.

Chapter 6: Control Phase Milestone Review Process. Provides guidance for conducting reviews of investment to ensure continued alignment with mission and IT portfolio priorities.

Chapter 7: Evaluate Phase Post Implementation Review Process. Provides guidance on comparing actual to expected results once a project has been fully implemented.

Chapter 8: Evaluate Phase Annual Evaluation Review Process. Provides a means to assess mature systems to ascertain their continued effectiveness in supporting mission requirements and to evaluate the cost of continued support or potential retirement and replacement.

Appendices:

A: Requirements by Investment Category. Provides the requirements for investment categories of Major, Tactical and Supporting investments

B: CPIC Process Checklist and IT Management & Budget Formulation Timeline. Provides a checklist of the process steps investments must complete for each CPIC phase and timeline of the budget formulation events.

C: Sample Prospectus Form. Provides a sample prospectus for establishing an IT investment need.

D: Risk Management. Provides guidance on conducting a risk identification, qualification, response development, and response control for IT capital planning

E: Performance Measurement. Provides guidance on developing performance measures for IT investments

F: Project Management. Provides guidance on managing IT investments

G: Earned Value Analysis. Provides guidance on conducting earned value analysis

H: Post-Implementation Reviews. Provides guidance on conducting a Post-Implementation Review (PIR)

I: Operational Analysis. Provides a template for evaluating investments in the Evaluate Phase-Existing Investments

J: IT Investment Rating and Ranking Criteria. Provides the scoring criteria used by the ITIRB during the annual investment review

K: References. Provides a list of references used to develop this document.

2.  Select Phase

Screening Process

The Screening process provides a way to evaluate a proposed new investment’s concept and its support of the Department’s strategic plan and mission. It is during this phase that the business or mission need is identified and relationships to the Department strategic planning efforts are established. The Phase allows project teams to begin the process of defining business requirements and associated system performance metrics, performance measures, benefits, and costs and initial project planning efforts in preparation for inclusion in the Department’s IT portfolio.

Prior to entering the Select Phase, Screening process, investments must have a concept to address the mission need that is anticipated to include an IT component.

During the Screening process, mission analysis results in the identification of a mission need, which necessitates considering IT alternatives. The mission analysis and corresponding development of the HHS Portfolio Management Tool (PMT) Prospectus Form are closely linked to the strategic planning process of HHS. Following mission analysis, the Business Sponsor, or Functional Manager, first checks to see if the mission need may be addressed in an existing investment within HHS’s Enterprise Architecture. If not, he or she further develops the proposed solution’s concept. The Prospectus Form with budget estimates is completed and stored within the HHS PMT. The level of detail required varies and should be commensurate with the size, complexity, and cost of the proposed investment.

Figure 2-1 provides a summary of Screening process, as well as the individual(s) and or group(s) responsible for completing each process step. Each step is detailed in the following diagram. For a checklist of steps required for the Select, Control, and Evaluate phases see Appendix B: CPIC Process Checklist and IT Management & Budget Formulation Timeline.

Figure 2-1 Select Phase Screening Process Steps

2.3.1 Identify Business Need, Business Sponsor and Investment Manager

For each accepted proposal HHS or an Operating Division (OPDIV) Sponsor ensures that the business need is clearly identified and a Business Sponsor is selected to be the proponent for the investment. The Business Sponsor will normally not be the same person as the Investment Manager, especially if the investment is crosscutting, strategic, or high visibility. The Business Sponsor should be a senior individual in the organization with requisite management, technical, and business skills to lead the investment or supervise a designated Investment Manager. The Business Sponsor usually assigns an Investment Manager whose experience meets the HHS IT Investment Manager (IM) Qualification level criteria for IT managers. This depends on the level and complexity of the proposed investment

The Business Sponsor is the business leader responsible to the HHS ITIRB for the investment as it continues through the CPIC process. Commercial and government best practices show that IT investments championed by a business leader have the best chance for successful deployment. This commitment by the Business Sponsor to the HHS ITIRB represents accountability for the investment.

2.3.2 Develop Concept

Concept development includes analytical activities that evaluate the capacity of the Department’s assets to satisfy existing and emerging demands for services. Concept development also includes mission analysis to enable the Department to determine and prioritize the most critical capability shortfalls and best technology opportunities for improving HHS overall security, capacity, efficiency, and effectiveness in providing services to customers.

Concept development is conducted within the framework of the Department’s enterprise architecture and long-range strategic goals. In turn, this analysis contributes strongly to the evolution of strategic planning and HHS IT architecture development.

Concept development activities identify critical needs the Department should address. It estimates the resources the Department will likely be able to commit to each mission need, in competition with other needs, within the constraint of a realistic projection of future department budget authority. Resources are more accurately quantified later during further investment analysis if the investment is selected as part of the Department’s portfolio. The resource estimate is a function of the benefit to the department and the mission area, the cost of not addressing the need (e.g., poor customer responsiveness, increased maintenance cost, lost productivity, etc.), and the likely extent of required changes to the Department’s infrastructure.

If the analysis reveals a non-IT solution (e.g., a rulemaking or policy change, operational procedural change, or transfer of systems between sites) that can satisfy a capability shortfall and can be achieved within approved budgets, it can be implemented without proceeding further in the CPIC process as a non-IT initiative.

Analysis should identify the business drivers (e.g., Department mission, vision, goals, objectives, and tactical plans.) Business drivers often involve the need to assist customers in a particular service area such as providing improved access to health information or more efficient processing of Medicare services.

Once the key business drivers have been identified, a business requirements analysis is conducted. The business requirements analysis identifies how personnel conduct business activities in order to fulfill mission requirements, meet objectives and perform their tactical plans.

The following activities are conducted during concept development:

• Assess Mission Needs.
• Identify business objectives based on mission analysis and outline the functional aspects of the investment.
• Identify the Investment Manager assigned to the investment, the type of investment (Major, Tactical, or Supporting), funding sources and status, and any Government FTE required to support it.
• Identify high-level performance measures. (Detailed measures will be developed as part of Pre-Selection process.)
• Determine key selection criteria to evaluate concept alternatives that support high-level performance measures and business objectives.
• Ensure solution aligns with Department standards for Security and Privacy, Enterprise Architecture and e-Government Planning.

After concept development, the program sponsor conducts preliminary planning to address Select Phase Pre-Selection preparation: alternative analysis approach and business redesign or reengineering. If the investment is selected for further study, any plans for redesign or business process reengineering (BPR) should be presented as part of the Business Case in the Select Phase Pre-Selection Process. (Departmental policy requires that before new systems are fielded the business process owners must simplify or otherwise redesign their existing processes before they invest in new IT to support the process.)

The Prospectus Summary form in the HHS Portfolio Management Tool (PMT) provides the necessary information to build support and make funding decisions for an investment. While the primary emphasis of the Screening Process is on mission and strategic needs analysis, it also requires that the Business Sponsor and/or Investment Manager begin identifying alternative solutions and developing an order of magnitude estimate of costs and benefits (both quantitative and qualitative) that may be realized by a given investment. Prospectus form development activities include a preliminary budget estimate.

Prepare preliminary budget estimate. The preliminary budget estimate should provide an estimate of costs necessary to support more detailed planning and concept development prior to investment selection, and provide an order of magnitude estimate of budget requirements to support a five-year budget plan and lifecycle costing. The estimation process will support the identification of the investment as major, tactical, or supporting.

As part of the preliminary budget estimate, a preliminary security analysis should be performed to determine estimated baseline costs. This information should be included with the investment’s preliminary budget estimate.

Prepare Projected Costs and Benefits. This preliminary research will provide anticipated costs and benefits of the proposed investment. Costs should be the same as those identified in the budget estimate and benefits should be aligned with the investment objectives and high-level performance measures. The level of detail required varies and should be commensurate with the size, complexity, and cost of the proposed investment.

The Investment Manager prepares the Prospectus Form in preparation for the various HHS’s investment reviews. Appendix C: Sample Prospectus Summary Form includes a sample PMT Prospectus Summary Form.

2.3.4 Review or Approve Investment Submission

The Business Sponsor reviews the investment document and requests that the Investment Manager update the Prospectus Form, or makes changes as needed. The Business Steering Committee then reviews and approves the investment submission and can also request changes. The Business Steering Committee reviews the concept for possible integration and/or consolidation with any cross-cutting IT or Business systems already in existence. Following approval the updated Prospectus Form is sent to the CPIC Team for review.

2.3.5 Review Initiative and Recommend Appropriate Action

The CPIC Team reviews the Prospectus Form and provides any comments and or questions to the Investment Manager. The IM addresses the issues, updates the form in the PMT, and notifies the CPIC Team that it is available for review in the PMT. Simultaneously, various functional experts, the Critical Partners, review the form for any EA, security, budget, acquisition, and HR issues, questions, etc. The CPIC Team and Critical Partners assess the investment with an emphasis on mission alignment and the proposed concept description. The CPIC Team forwards their investment recommendations to the IT Governance Boards, including any Technical Review organization, such as the HHS CIO Council, and the ITIRB, for the final decision.

The CPIC Team prepares materials for Technical Reviews, including the PMT Prospectus form and other appropriate reports. The Technical Review Board, CIO Council, or other technical review organization reviews these materials and makes recommendations regarding initiation of additional planning activities for the investment. If the documentation is not approved, it may be returned to the Investment Manager for additional work.

2.3.6 Make Final Investment Decisions

The ITIRB reviews any Technical Review recommendations for funding or cancellation of the investment. If the ITIRB approves the recommendation, the investment moves forward into Select Phase Pre-Selection Process. If it is not approved, it could return to the Investment Manager for additional work or cancellation. All decisions and results are documented within the PMT by the CPIC Team. Official minutes reside within the system.

Prior to exiting the Select Phase Screening Process, investments must obtain HHS ITIRB approval for the concept. This is milestone 0.

Table 2-1 provides a summary of the documents generated during Select Phase Screening process, as well as the whether the document requires approval or whether the document is required only for the file for record keeping purposes.

Table 2-1 Summary of documents generated during Select Phase Screening Process.

3.    Select Phase

Pre-Selection Process

In the Pre-Selection process, the HHS ITIRB ensures that the IT investments that best support the mission and HHS’s approach to enterprise architecture are chosen and prepared for success (e.g., have a trained or experienced project manager, risk management, etc.). Investments are also reviewed to ensure no duplication of E-government initiatives or existing HHS system applications. Individual investments are evaluated in terms of technical alignment with other IT systems and for projected performance as measured by Cost, Schedule, Benefit, and Risk (CSBR). Milestones and review schedules as part of a work breakdown structure are also established for each investment during the Pre-Selection process (see Appendix F: Project Management).

During this process, business case submissions (as captured in the HHS Portfolio Management Tool) are assessed against a uniform set of evaluation criteria and thresholds related to planning, Budgeting, Acquisition, and Management of Capital Assets, as identified in OMB Circular A-11, Part 7. The investment’s CSBR are then systematically scored using scoring criteria and the investment is ranked and compared to other investments. (See Appendix J: IT Investment Rating and Ranking). The HHS ITIRB provides guidance for any new questions and works with the various investment managers to resolve questions. Finally, the HHS ITIRB selects which investments will be included in the Department’s portfolio.

Prior to entering the Select Phase Pre-Selection Process, investments must have obtained ITIRB approval for the mission need and concept as documented within the PMT Prospectus Form.

The Pre-Selection Process begins with an investment concept (approved during the Screening Process) and moves through the development of the business case, including an acquisition plan, a risk management plan, performance measures, and an overall project management plan. These plans lay a foundation for success in subsequent phases. The Pre-Selection Process culminates in a decision whether to proceed with the investment for inclusion in the HHS IT Portfolio. Ongoing investments are reviewed in addition to proposed new ones.

Figure 3-1 provides a summary of the Pre-Selection process, as well as the individual(s) and or group(s) responsible for completing each process step. Each step is detailed in the diagram on the following page.

Figure 3-1 Select Phase Pre-Selection Process Steps

3.3.1 Approve Integrated Project Team Membership

The Business Sponsor approves the selection of the IPT members that will assist the Investment Manager in the initiative’s development. The IPT brings together expertise from functional areas as required by the specifics of the initiative.

The IPT should consider the need for expertise from:

• Business Functional Manager
• IT Manager
• Security Specialist
• Budget Analyst
• Contracting Specialist
• Enterprise Architecture representative
• E-Government representative
• Human Resources
• Office of Finance
• Additional team members may be added from other functional areas

3.3.2 Identify Funding Source and Obtain Department Approvals

The Business Sponsor identifies a potential funding source for the ITIRB to continue investment support. The Business Sponsor then gets approval from the appropriate management office.

3.3.3 Develop Business Case and Hi-Level Project Management Plan

The Business Sponsor ensures, that for each investment, the following studies, as appropriate to the size and complexity of the investment, are completed and the results are submitted to the OCIO:

Business Profile:

• Performance Measures (see Appendix E: Performance Measurement) and a Hi-Level Project Management Plan.
• Business Process Reengineering Studies
• Concept of Operations Plan
• Stakeholder Identification and Requirements
• Functional Requirements
• Cost Benefit Analysis
• Feasibility Study

Risk Profile:

• Risk Management Plan (see Appendix D: Risk Management)

Financial Profile:

• Return on Investment (ROI) and CBA
• Update life cycle cost projections
• Alternatives Analysis
• Funding Source Identification

Technological Profile:

• Technical Requirements
• Security Plan
• Enterprise Architecture Plan
• Relationship to Existing Systems (dependencies)
• Prototype or Pilot Plans (as applicable)

Project Management and Planning Profile

• Project Plan, including a list of team members
• Acquisition Plan and strategy

3.3.4 Prepare Business Case and Hi-Level Project Management Plan

The Investment Manager prepares the Business Case and enters all data into the HHS Portfolio Management Tool (PMT). Refer to the HHS Portfolio Management Tool Desktop Guide for detailed guidance on completing the forms and required information to be entered into them. From this point forward, all investment related data will be captured and updated via the PMT. Specific functional areas that need to be completed are:

Business Case:

• Business Need
• High-Level Description and Investment Identification Data
• Funding Source(s)
• Alignment to Strategic Goals (PMA, DHHS, IT, OPDIV)
• Alternatives Analysis/Cost & Benefit Data

Project Management Plan:

• New Investment (if applicable)
• Cost Information
• Risk Management Plan
• Performance Goals and Measures
• Acquisition Strategy
• Cost and Schedule Baseline
• A Information
• Security and Privacy Information

The PM reviews the scorecard for any errors, and validates the accuracy of all business case data.

3.3.5 Review and Update Business Case Data and PM Plan

The CPIC Team reviews and analyzes the data and identifies any risks or issues to be brought to management’s attention. Critical Partners also review the information to ensure the investment complies with standards for EA, security, budget, acquisition, and HR. Suggested revisions, additions, etc. are entered into the PMT forms. The Investment Manager reviews the comments and makes changes to the business case and project plan as necessary.

3.3.6 Prepare IT Governance Materials, Conduct Reviews, Make Recommendations

The CPIC Team prepares appropriate materials for the CIO Council (Technical Review) and the ITIRB and their reviews of Department-wide IT investments. The CIO Council reviews the business case and makes a recommendation for approval. Recommended funding is allocated for the entire project cost. The CPIC Team documents recommendations made during CIO Councils, updates the data in the PMT, and communicates decisions to appropriate parties. The CPIC Team posts official minutes of the meetings. The investment Manager updates the business case data as needed, based on feedback. The ITIRB reviews the investment in a similar manner.

The ITIRB uses standard criteria to objectively compare investments based on the data presented, and scores projects using the criteria listed in Appendix J: IT Investment Rating and Ranking Criteria. The ITIRB forwards its findings and recommendations to the CIO for final decisions regarding the investment.

3.3.7 Make Final Investment Decisions

The HHS CIO makes the final investment decisions. If the HHS CIO approves the ITIRB recommendation, then the decision is implemented and the investment moves into the Portfolio Prioritization Process.

Prior to exiting the Pre-Selection Process, investments must have executed the following activities:

Established performance goals and quantifiable performance measures.

Developed a hi-level project plan which includes quantifiable objectives including an acquisition schedule, project deliverables, and projected and actual costs.

Identified costs, schedule, benefits, and risks.

Established security, Section 508 (IT accessibility), Privacy Act assessment, data, and architecture goals and measures.

Established ITIRB investment review schedule for the Control Phase.

Determined whether another key line of business should be identified for recommendations to the ITIRB for the preparation of a comprehensive IT Modernization Blueprint.

Signed the Project Manager Accountability Agreement

Obtained ITIRB approval as a selected project for the Portfolio Prioritization Process.

Table 3-1 provides a summary of the documents generated during the Pre-Selection process, as well as the whether the document requires approval or whether the document is required only for the file for record keeping purposes. This list is applicable for a Major Project. A subset is required for Tactical and Supporting documents depending on the complexity, scope, cost, etc. of these projects.

Table 3-1 Summary of documents generated during Pre-Selection Process.

4. Select Phase

Portfolio Prioritization Process

The objective of the Portfolio Prioritization Process is to select and fund the most appropriate and feasible proposed investments. During this process, the approved IT investments are compared across portfolios. The HHS Secretary’s Budget Council then selects and creates a final portfolio of IT investments to be funded for the budget year.

The purpose of IT Portfolio Management is to ensure that an optimal IT investment portfolio with manageable risk and returns is selected and funded. Portfolio Management includes the following steps:

• Defining portfolio goals and objectives
• Understanding, accepting and making tradeoffs
• Identifying, eliminating, and minimizing risks
• Monitoring portfolio performance
• Determining whether desired goals and objectives have been obtained
• Determining how each portfolio fits into the overarching architecture for the Department as a whole, including, IT Modernization Blueprints for key lines of business.

The benefits of IT Portfolio Management are that it:

• Provides the information necessary for monitoring cost and performance
• Helps determine whether an investment should be continued, modified, integrated with others, or terminated
• Encompasses the entire investment management process (select, control, and evaluate)
• Aids investment management decision-making by providing the necessary information

In order to perform the activities associated with selecting, funding and managing an optimal IT investment portfolio, adequate resources must be provided for executing the process.

All investments within the portfolio have been analyzed and prioritized based on each investment’s alignment with mission and strategic goals, cost, benefit, schedule and risks throughout its life-cycle, and that the Department has defined its common portfolio categories.

Prior to entering the Portfolio Prioritization Process, investments must have executed the following activities:

Developed a business case and project plan which has been approved by all IT Governance bodies, including the ITIRB and the CIO

Obtained ITIRB approval as a selected investment for the Portfolio Prioritization Process

The portfolio management process ensures that each IT investment board collectively analyzes and compares all investments and proposals to select those that best fit the strategic business direction, needs, and priorities of the Department. In addition, HHS has fiscal and workforce constraints that have to be weighed against the risks and the long-term return on investments for items that are within the portfolio. When making portfolio decisions, executives must consider use of IT resources, along with work force, and contracting options to meet mission objectives.

To address these practical limits, portfolio management uses categories to aid in investment comparability and cost, schedule, benefit and risk (CSBR) oversight. Once all investments within the portfolio are categorized, investments and proposals can be compared to one another within and across portfolio categories, and the best overall portfolio can be selected and funded.

During this process, all investments are compared across multiple portfolios from the HHS Operating Divisions. Those investments scoring highest using agreed upon rating and ranking scoring criteria are selected for inclusion into the overall HHS portfolio. This portfolio is sent to OMB and Congress as appropriate for future funding in the President’s Budget.

Portfolio Management is an integral component of the CPIC process; however, IT Portfolio Management cannot be accomplished without first establishing an IT investment foundation.

Building an IT investment foundation using GAO’s IT Investment Management maturity model, as described in GAO/AIMD-10.1.23, requires that HHS first establish IT investment management processes to ensure the following activities:

• IT investment is selected based on established selection criteria
• An Investment proposal is business driven
• ITIRB establishes and maintains an asset inventory of current IT investments
• ITIRB oversees these investments

With maturity and experience in establishing an IT investment foundation, HHS can move forward with developing a complete investment portfolio. Based on the GAO model cited above, portfolio management maturity efforts to develop the HHS IT portfolio are based on the following principles:

• Ensuring the alignment of the various ITIRBs
• Developing portfolio selection rating, and ranking criteria that supports HHS mission and strategic goals
• Conducting continuous analysis of each investment at every phase of it’s life-cycle
• Developing IT portfolio performance measures

 Figure 4-1 provides a summary of the Portfolio Prioritization Process, as well as the individual(s) and or group(s) responsible for completing each process step. Each step is detailed in the diagram on the following page.

Figure 4-1. Portfolio Prioritization Process

4.3.1 Develop, Refine, and Select Scoring Criteria

The CPIC Team, CIO Council, and ITIRB will work together to develop a set of scoring criteria to be used in scoring and ranking the IT investments. These criteria are reviewed on an annual basis. The criteria are revised as necessary to reflect changing priorities of the Department. Current scoring criteria can be found in Appendix J: IT Investment Rating and Ranking Criteria.

4.3.2 Review and Make Portfolio Recommendations

The CPIC Team develops the initial prioritized portfolio and presents it to the CIO Council and then the ITIRB for review. The portfolio may be adjusted based on these reviews or changing HHS strategic direction, funding issues, quality scores, etc. The CPIC Team posts minutes of portfolio review meetings in the PMT. The final prioritized IT portfolio as recommended and approved by the ITIRB is sent to the Secretary’s Budget Council (SBC) for final funding decisions.

4.3.3 Make Portfolio Funding Decisions and Fund Investments

The SBC makes the final funding decisions on the IT investment portfolio. Those investments which are funded advance to the Control Phase.

.To demonstrate that portfolio management is occurring, there must be physical, documentary and testimonial evidence of portfolio management activities. Table 4-1 provides a summary of the documents necessary for Portfolio Management, as well as the whether the document requires approval or whether the document is required only for the file for record keeping purposes.

Table 4-1 Summary of documents generated during Portfolio Management.Prioritization

5. Control Phase

Periodic Review Process

The Control Phase promotes the delivery of quality products and results in initiatives that are completed within scope, on time, and within budget. The objective of the Control Phase is to ensure, through timely oversight, quality control and executive review, that IT initiatives are conducted in a disciplined, well-managed, and consistent manner. Investments should be closely tracked against the various components identified in the Risk Management Plan developed in the Select Phase Pre-Selection Process (contained in the Business Case). During this process, senior managers regularly monitor the progress or performance of ongoing IT investments against projected cost, schedule, performance, and delivered benefits. The HHS ITIRB has the ultimate responsibility for project oversight.

Periodic Process Review activities require the continuous monitoring of ongoing IT initiatives through the development or acquisition lifecycle. Periodic control reviews are conducted monthly or quarterly depending on the size, scope, high profile visibility, cost, etc. of a project.

The review’s focus is on ensuring that projected benefits are being realized; cost, schedule and performance goals are being met; risks are minimized and managed; and the investment continues to meet strategic needs. Based on the results of a periodic control review, the HHS ITIRB will determine if a project is continued, modified, or terminated. Depending on the review’s outcome, decisions may be made to suspend funding or make future funding releases conditional on corrective actions. If the project is over budget and cost or behind schedule by more than 5%, a Corrective Action Plan (CAP) is required. Per HHS CPIC policy, if an investment is over budget and cost or behind schedule by more than 10% for more than two quarters, the investment must undergo a formal review by the ITIRB.

Prior to entering the Control Phase, investments must have executed the following activities:

• Established performance goals and quantifiable performance measures
• Developed a project plan which details quantifiable objectives, including an acquisition schedule, project deliverables, and projected and actual costs
• Identified costs, schedule, benefits, and risks
• Established security, Section 508 (IT accessibility), Privacy Act assessment, data, and architecture goals and measures
• Established an ITIRB investment review schedule for the Control Phase
• Obtained ITIRB approval to enter the Control Phase

During the Control Phase, an investment progresses from requirements definition to implementation. Throughout the Phase, OPDIVs CIO’s provide the CPIC Team with investment reviews to assist them in monitoring all investments in the portfolio. Investment reviews provide an opportunity for Investment Managers to raise issues concerning the IT developmental process, including security, telecommunications, enterprise architecture alignment, E-Government, GPEA compliance, Section 508 concerns, etc.

The Investment Manager uses a performance based management system to evaluate project performance and report variance. Earned Value Management is used according to the various Tier levels for projects as defined in the HHS IT Earned Value Management Policy (HHS-IT-2005-0004-001).

The HHS ITIRB periodically reviews project performance and requires corrective action if the project performance variance exceeds 5 percent from the project’s established baseline.

• The HHS ITIRB reviews are based on various factors including the strategic alignment, criticality, scope, cost, schedule, and risk associated with all initiatives.
• Periodic (quarterly or monthly) reports are required. These reports provide detail regarding cost and schedule progress and indicate Earned Value.

Figure 5-1 provides a summary of the Control Phase Periodic Review Process, as well as the individual(s) and or group(s) responsible for completing each process step. Each step is detailed in the following diagram:

Figure 5-1 Control Phase Periodic Review Process Steps

5.3.1 Establish and Maintain Costs, Schedule, and Technical Baselines

The Investment Manager maintains the project management and executive plans that were established in Select Phase Pre-Selection Process. s well as the procedures and practices to support initiative monitoring activities.  The Investment Manager directs the IPT to identify any new or existing internal risks based upon review of the work breakdown structure (WBS), project plan, risk checklist, and stakeholder interviews. The Investment Manager monitors financial, technical, operational, schedule, legal and contractual, and organizational risks. The Investment Manager ensures that all project documents remain current and final decisions are vetted through the ITIRB and SBC. The Investment Manager provides periodic updates to the OCIO and or CPIC Team on the investment’s status and security costs, schedule, and technical baselines. The Investment Manager ensures that the project has been planned realistically.

5.3.2 Maintain Current Cost, Schedule, Technical, and General Status Information

The Investment Manager collects actual information on the resources allocated and expended throughout the Control Phase. The Business Sponsor ensures that the investment still aligns with HHS mission, strategic plan, enterprise architecture, and E-Government. The Investment Manager compares the actual information collected to the estimated baselines developed during Select Phase Pre-Selection Process and identifies root causes for any differences. The Investment Manager reviews the security and infrastructure analyses for accuracy. The Investment Manager maintains a record of changes to the initiative’s technical components including hardware, software, security, and communications equipment. Technical component changes may trigger a new architecture review.

5.3.3 Assess Progress against Performance Measures

As part of the periodic reviews during the Control Phase, the Business Sponsor determines whether to continue the project. The Business Sponsor determines if the Investment Manager is managing investment cost and schedule variance, mitigating risks, and providing projections for future performance based upon work accomplished to date. The Business Sponsor determines whether current cost and schedule projections align with investment implementation (e.g., based upon an assumption of baseline actual costs 5 percent greater than actual, what are the expectations of future performance).

The Business Sponsor may apply control screening criteria (see Appendix J: IT Investment Rating and Ranking Criteria).

Using the control screening criteria to answer the questions on whether the project has met expectations will support the decision to continue with the investment, and identify any deficiencies and corrective actions needed. Updated investment information is submitted to the CPIC Team and the investment undergoes a periodic review by the HHS ITIRB. The results of these reviews are used by the HHS ITIRB for management of the IT investment portfolio.

5.3.4 Prepare Periodic Review

The Investment Manager updates the planning, risk information, and project performance investment data in the HHS PMT. This includes updating performance based management system metrics. Quarterly or monthly reports using updated data are prepared.

5.3.5 Evaluate Periodic Review

The CPIC Team reviews and evaluates the quarterly or monthly periodic review documents for project performance. A representative from the team may work directly with the Investment Manager to clarify the report data. The Critical Partners also review the documents and provide input and comments. The Investment Manager updates the review documents as applicable.

5.3.6 Review Control Documents and Recommend Appropriate Action

The OCIO CPIC Team prepares findings and recommendations, and forwards the updated package to the ITIRB for review. The ITIRB reviews the investment and determines whether to provide continued support to the investment.

5.3.7 Make Final Control Review Decisions

The HHS ITIRB issues a decision regarding the investment, based upon the recommendations received from the CPIC Team. The decision is sent to the Business Sponsor and Investment Manager.

5.3.8 Business Sponsor and Investment Manager Implement Decisions

The Business Sponsor and Investment Manager acknowledge and implement any corrective action recommended by the ITIRB.

Prior to the next scheduled review date, the Business Sponsor and Investment Manager update the investment information and initiate another preliminary assessment. This formal monitoring of investment progress, and the determination of risks and returns, continues throughout the Control Phase.

Prior to exiting the Periodic Review Process, investments must execute the following activities:

• Complete investment development, production deployment and or implementation.
• File all documents for quarterly and/or monthly reviews in the PMT.
• Demonstrate to the ITIRB conformance with any applicable guidance issued.

Table 5-1 provides a summary of the documents generated during the Control Phase Periodic Review Process, as well as the whether the document requires approval or whether the document is required only for the file for record keeping purposes.

Table 5-1 Summary of documents generated during the Control Phase Periodic Review Process.

6. Control Phase

Milestone Review Process

The objective of the Control Phase Milestone Review Process is, as with the Periodic Review Process, to ensure, through timely oversight, quality control and executive review, that IT initiatives are conducted in a disciplined, well-managed, and consistent manner. Investments should be closely tracked against the various components identified in the Risk Management Plan developed in the Select Phase Pre-Selection Process. The Control Phase promotes the delivery of quality products and results in initiatives that are completed within scope, on time, and within budget. During this process, senior managers regularly monitor the progress or performance of ongoing IT investments against projected cost, schedule, performance, and delivered benefits.

Milestone Review activities require the specific monitoring of ongoing IT initiatives during designated milestones through the development or acquisition lifecycle. Milestone reviews are conducted at specific points in time during the system development life cycle.

Based on the results of a milestone review, the HHS ITIRB could also determine if a project is continued, modified, or terminated. The reviews focus on ensuring that the project is achieving cost, schedule and performance goals. Depending on the review’s outcome, decisions may be made to continue development or, if necessary, re-baseline the project   Usually, if the project is over budget and cost by more than 5%, a Corrective Action Plan (CAP) is required. If extenuating circumstances warrant, the project may be required to re-baseline projected costs and schedule data. Again, per HHS CPIC policy, if an investment is over budget and cost or behind schedule by more than 10% for more than two quarters, the investment must undergo a formal review by the ITIRB.

Prior to entering the Control Phase Milestone Review Process, investments must have executed the following activities:

• Established performance goals and quantifiable performance measures
• Developed a project plan which details quantifiable objectives, including an acquisition schedule, project deliverables, and projected and actual costs
• Identified costs, schedule, benefits, and risks
• Established security, Section 508 (IT accessibility), Privacy Act assessment, data, and architecture goals and measures
• Established an ITIRB investment review schedule for the Control Phase
• Obtained ITIRB approval to enter the Control Phase

During the Milestone Review Process, an investment progresses from concept development to operations. Throughout the Process, OPDIVs CIO’s provide the CPIC Team with milestone investment reviews to assist them in monitoring all investments in the portfolio. Investment milestone reviews also provide an opportunity for Investment Managers to raise issues concerning the IT developmental process, including security, telecommunications, enterprise architecture alignment, E-Government, GPEA compliance, Section 508 concerns, etc.

The HHS ITIRB reviews project progress and performance. If business processes, strategic direction, costs, technical problems, etc. are creating major impacts on the planned cost and schedule, a re-baseline may be required. Otherwise, if the project performance variance exceeds 5 percent from the project’s established baseline, a CAP is required.

The HHS ITIRB reviews are based on factors including the strategic alignment, criticality, scope, cost, and risk associated with all initiatives. The Investment Manager establishes milestones as part of the investment baseline against which performance will be measured throughout the Control Phase. Agencies are expected to uphold these milestones; OMB will hold agencies responsible for meeting milestones as originally indicated in the baseline. After establishing the milestones, the Investment Manager revises the project plan as required to meet the approved milestones. These milestone reviews typically include:

• Milestone 0 – Concept Definition (Select Phase Screening Process)
• Milestone 1 – Concept Development (Select Phase Pre-Selection Process)
• Milestone 2 – Systems Design and Prototype
• Milestone 3 – Systems Development and Testing
• Milestone 4 – System Deployment
• Milestone 5 – System Operation

Figure 6-1 provides a summary of the Control Phase Milestone Review Process, as well as the individual(s) and or group(s) responsible for completing each process step. Each step is detailed in the following diagram:

Figure 6-1. Milestone Review Process Steps

6.3.1 Establish and Maintain Costs, Schedule, and Technical Baselines

The Investment Manager maintains the project management and executive plans that were established in Select Phase Pre-Selection Process. s well as the procedures and practices to support initiative monitoring activities.  The Investment Manager directs the IPT to identify any new or existing internal risks based upon review of the work breakdown structure (WBS), project plan, risk checklist, and stakeholder interviews. The Investment Manager monitors financial, technical, operational, schedule, legal and contractual, and organizational risks. The Investment Manager ensures that all project documents remain current and final decisions are vetted through the ITIRB and SBC. The Investment Manager provides milestone review updates to the OCIO and or CPIC Team on the investment’s status and security costs, schedule, and technical baselines. The Investment Manager ensures that the project has been planned realistically.

6.3.2 Maintain Current Cost, Schedule, Technical, and General Status Information

The Investment Manager collects actual information on the progress, and resources allocated and expended throughout the Control Phase. The Business Sponsor ensures that the investment still aligns with the Department mission, strategic plan, enterprise architecture, and E-Government. The Investment Manager compares the actual information collected to the estimated baselines developed during Select Phase Pre-Selection Process and identifies root causes for any differences. The Investment Manager reviews the security and infrastructure analyses for accuracy. The Investment Manager maintains a record of changes to the initiative’s technical components including hardware, software, security, and communications equipment. Technical component changes may trigger a new architecture review.

6.3.3 Assess Progress against Baseline and Exit Criteria

As part of the milestone reviews during the Control Phase, the Business Sponsor determines whether to continue the project. The Business Sponsor determines if the Investment Manager is managing investment cost and schedule variance, mitigating risks, and providing projections for future performance based upon work accomplished to date. The Business Sponsor determines whether current cost and schedule projections align with investment implementation (e.g., based upon earned value performance indexes, what are the estimates to completion?).

The Business Sponsor may apply control screening criteria (see Appendix J: IT Investment Rating and Ranking Criteria) and review exit criteria for the milestone.

Using the control screening and milestone exit criteria to answer the questions on whether the project has met expectations will support the decision to continue with the investment, and identify any need for corrective action plans or, if applicable re-baselining. Updated investment information is submitted to the OCIO and the investment undergoes a milestone review by the HHS ITIRB. The results of these reviews are used by the HHS ITIRB for management of the IT investment portfolio.

6.3.4 Prepare Milestone Review

The Investment Manager updates the planning, risk information, and project performance data in the HHS PMT. This includes updating the performance based management system metrics. A corrective action plan is developed and proposed if the IM judges one to be necessary. A re-baseline may also be developed if applicable. A milestone review report is prepared.

6.3.5 Evaluate Milestone Review

The CPIC Team reviews and evaluates the milestone review documents for project performance. A representative from the team may work directly with the Investment Manager to clarify the report data. The Critical Partners also review the documents, provide input and comments, and recommend appropriate actions, as necessary. The Investment Manager updates the review documents as applicable 

6.3.6 Review Control Documents and Recommend Appropriate Action

The OCIO CPIC Team prepares findings and recommendations, and forwards the updated package to the ITIRB for review. The ITIRB reviews the investment and determines whether to provide continued support to the investment.

6.3.7 Make Final Control Review Decisions

The HHS ITIRB issues a decision, based upon the recommendations received from the CPIC Team. The decision is sent to the Business Sponsor and Investment Manager.

6.3.8 Business Sponsor and Investment Manager Implement Decisions

The Business Sponsor and Investment Manager acknowledge and implement any corrective action or re-baseline (as applicable) recommended by the ITIRB.

Prior to the next scheduled milestone review date, the Business Sponsor and Investment Manager update the investment information and initiate another preliminary assessment. This formal monitoring of investment progress, and the determination of risks and returns, continues throughout the Control Phase.

Prior to exiting the Milestone Review Process, investments must execute the following activities:

Complete the milestones as planned and scheduled through Milestone 5 – System Operation

Confirm the PIR schedule (if the application is a new investment)

Demonstrate to the ITIRB conformance with any applicable guidance issued.

Obtain HHS ITIRB approval to enter the Evaluate Phase- Post Implementation Review Process for new investments or the Annual Evaluation Process for existing investments.

Table 6-1 provides a summary of the documents generated during the Control Phase Milestone Review Process, as well as the whether the document requires approval or whether the document is required only for the file for record keeping purposes.

Table 6-1 Summary of documents generated during the Control Phase Periodic Review Process

7.1   Purpose

7.2   Entry Criteria

7.3   Process

7.4   Exit Criteria

8.1   Purpose

8.2   Entry Criteria

8.3   Process

8.4   Exit Criteria