
CIO Responsibilities

August 2008

RESPONSIBILITIES OF COMMERCE OPERATING UNIT
CHIEF INFORMATION OFFICERS

Below is a summary of key responsibilities of operating unit Chief Information Officers in the area of Information Technology Management. Each section includes a list of deliverables with corresponding due dates.

Element: Information Technology (IT) Capital Planning and Investment Control

Objective: To ensure that Commerce uses information technology to develop the best value, most useful, and most effective products and services to support its mission. As part of this process, ensure that Commerce officials have thorough and accurate information to inform IT decision making.

Activities:

  • Implement an effective process for managing IT resources in accordance with Commerce policy, the Clinger-Cohen Act, Office of Management and Budget (OMB) Circular A-130, and other Federal guidance. Provide regular briefings to the Department’s CIO on your IT program activities.
  • Prepare a Strategic IT Plan covering a five-year horizon and submit it annually to the Office of the CIO. Ensure that it is current to within one year.
  • Prepare an annual Operational IT Plan at the beginning of the fiscal year to reflect the current year IT operations and development.
  • Implement a process for the selection, control, and evaluation of IT investments. Link this process to the budget process, as needed. A recommended approach is to:
    • Establish an IT Review Board (or process in smaller operating units) to advise the head of the operating unit on critical IT matters, to assess IT initiatives in the budget review process, to control ongoing IT investment implementation, and to conduct post-implementation reviews of completed projects to benefit from lessons learned. Present to the Commerce IT Review Board as requested for Information Technology Procurement Authority, Control Reviews, Post Implementation Reviews, Portfolio Management Reviews, etc.
    • Implement a standard process and establish standard IT investment scoring and ranking criteria for the operating unit’s Board to use to determine which IT investments are best suited to meet the operating unit’s needs.
  • Implement a standard process to manage the selection, control, and evaluation of IT investments. The Department uses the electronic Capital Planning and Investment Control System (eCPIC) to support this strategy. Keep the operating unit’s IT investment information in eCPIC current.
  • Use the eCPIC default investment form to document all major investments as well as IT initiatives recommended by your operating unit’s IT Review Board. This form includes the requirements in Office of Management and Budget (OMB) Circular A-11, Exhibit 300, Capital Asset Plan and Business Case Summary and in Exhibit 53, IT Investment Portfolio, as well as additional information approved by the Commerce CIO. Update this information for review by the Commerce IT Review Board.
  • Document all of the operating unit’s IT investments in eCPIC, including the operating unit’s infrastructure and enterprise architecture investments. Use this information to generate an operating unit specific OMB Circular A-11, Exhibit 53, IT Investment Portfolio. Use this as a tool to manage a balanced IT portfolio and Operational IT Plan.
  • Document in eCPIC all requests for changes to IT investment baselines, and for investment replans and rebaselines, provide justification and impact analysis in a memorandum to the Department CIO.
  • Annually assess, and document in the Strategic IT Plan, the maturity of each part of your IT capital planning process using the Commerce IT Capital Planning and Investment Control Maturity Model. Ensure that your IT capital planning process continually matures according to the Maturity Model.
  • Keep abreast of Commerce guidelines for developing and maintaining operating unit IT capital planning and investment control processes.

OCIO Deliverables and Due Dates:

  • Strategic IT Plan: February, annually, or on a different annual schedule determined by the operating unit
  • Capital Planning maturity model self-assessment: Annually, with the Strategic IT Plan
  • Exhibit 300 for IT initiatives: May, annually, with the budget submission; update as needed throughout the year or as part of the Operational IT Plan
  • Exhibit 300 for major IT investments: August and December, semi-annually; update as needed throughout the year or as part of the Operational IT Plan
  • Exhibit 53: August and December, semi-annually (generated automatically from the information entered in eCPIC)
  • Operational IT Plan: October, annually
  • Request for Investment Replan and Rebaseline: Completion of form in eCPIC and justification memorandum whenever needed throughout the year

Contact: Stuart Simon at (202) 482-0275 or ssimon@doc.gov.

__________________________________________________

Element: Program Management

Objective: To ensure that Commerce’s IT Development, Modernization, and Enhancement (DME) projects and Steady State investment initiatives are managed in an efficient and cost-effective manner.

Activities:

  • Implement standard project management practices throughout the operating unit to ensure that all facets of the project management processes, as identified in the Project Management Institute’s Project Management Body of Knowledge (PMBOK® Guide), are addressed and that proper project management documentation is developed and maintained.
  • Implement and maintain Earned Value Management Systems (EVMS) that comply with the requirements of the ANSI/EIA-748 for all major DME IT projects.
  • Provide monthly Earned Value Management reports for all major DME IT projects, providing, for the previous month, cumulative Planned Value, Earned Value, and Actual Cost figures. These Earned Value data points must include full-time employee costs as well as contract costs.
  • Provide quarterly performance reviews of steady state investments, detailing financial and technical performance of the investment during the previous quarter.
  • Report directly to the attention of the Department’s CIO any investment showing a 10% or greater negative cost or schedule variance.
  • Conduct annual Operational Analyses of all steady state IT investments. Operational Analyses must address the four factors identified on the Department’s Operational Analysis Web page. Provide a report of the annual Operational Analysis to the Department’s Office of the CIO.
  • Submit, following the suggested format, resumes of project managers managing major DME IT projects and Steady State investments. Ensure that project managers meet the Federal Acquisition Certification for Program and Project Manager (FAC-P/PM) requirements.

OCIO Deliverables and Due Dates:

  • Earned Value Management Report for major IT investments in the planning and development stages: Monthly, 15th of each month
  • Quarterly financial and technical performance reviews of major IT investments in the steady state phase: Quarterly (January 15, April 15, July 15, October 15)
  • Operational Analysis Report for major IT investments in steady state: February 15, annually
  • Approved FAC-P/PM certification applications and waiver requests: Ongoing
  • Resumes of project managers and contracting officers: Ongoing

Contact: Jerry Harper at (202) 482-0222 or jharper@doc.gov.

__________________________________________________

Element: Enterprise Architecture

Objective: To develop, maintain, and facilitate the implementation of a sound and integrated enterprise architecture to achieve interoperability and portability of systems, integration of work processes and information flows, and information exchange and resource sharing to support strategic goals within Commerce and with external partners.

Activities:

  • Develop an Enterprise Architecture (EA), in accordance with Commerce policy, the Clinger-Cohen Act, Office of Management and Budget Circular A-130, and other Federal guidance, which serves as an integrated framework for managing the acquisition and use of IT assets to achieve the agency's strategic goals and information resources management goals.
  • Develop and periodically review and update:
    • The enterprise architecture vision, objectives, and principles.
    • The baseline of the environment focusing on the goals and performance measures of your operating unit, work that your operating unit performs to support these goals and measures, the interfaces to external partners, the information required to do the work, the applications required to process the information, and the technology required to support the applications.
    • The target architecture, including the security architecture, depicting a model of your operating unit’s enterprise in three to five years.
    • The gap analysis identifying the differences between the baseline and target architectures.
    • The migration or sequencing plan identifying the steps to bridge the gaps between the baseline and the target architectures and including specific schedules and resources needed. Additionally, account for the effects of change on all related systems.
  • Implement and monitor the progress of the migration plan and demonstrate the linkage to the IT capital planning process.
  • Develop and maintain your operating unit’s Standards Profile and Technical Reference Model (TRM) in accordance with the Department’s Standards Profile and TRM.
  • Link the architecture to strategic and operational IT planning, IT investment review, and IT security planning.
  • Align the architecture with the Federal Enterprise Architecture, specifically the Business Reference Model (BRM), the Performance Reference Model (PRM), the Service Component Reference Model (SRM), the Technical Reference Model (TRM), and the Data Reference Model (DRM).
  • Establish, document, and implement a Governance Structure to ensure enterprise-wide compliance with the architecture. Include architectural compliance as an integral part of your IT Review Board process.
  • Annually assess the maturity of the architecture using OMB’s Enterprise Architecture Assessment Framework. Ensure that the architecture continually matures according to this model.
  • Demonstrate the practical results of your architecture efforts, e.g., expanded capabilities, elimination of redundant systems, streamlined processes, efficiencies, etc.
  • Keep abreast of Commerce guidelines for developing and maintaining operating unit architectures.

OCIO Deliverables and Due Dates:

  • E-Gov EA milestone report: Quarterly (March 1, June 1, September 1, December 1)
  • Enterprise Architecture: January, annually
  • Enterprise Architecture maturity model self-assessments: January, annually
  • Other EA artifacts: Per call memoranda

Contact: Tom Pennington at (202) 482-5899 or tpennington@doc.gov.

_________________________________________________________

Element: Information Technology (IT) Security

Objective: To ensure the integrity, availability, and confidentiality of Commerce’s IT systems.

Activities:

  • Establish an IT Security Program within each operating unit in accordance with Commerce IT Security Program Policy and Minimum Implementation Standards, the Federal Information Security Management Act (FISMA), Office of Management and Budget Circular A-130, and other Federal guidance.
    • Appoint an IT Security Officer (ITSO) and alternate in writing. The ITSO has responsibility for managing the IT Security Program for the operating unit. Ensure that the ITSO, alternate, and operating unit Information Systems Security Officers (ISSOs) are properly trained and that IT security duties are reflected in their performance plans.
    • Establish and maintain the systems inventory, consistent with the Department’s master inventory database (e.g., CSAM), that identifies all IT systems within the operating unit linked to their respective IT security plan.
    • Use the Department’s FISMA reporting tool (i.e., CSAM) to track the conduct of required risk, vulnerability, and annual system self-assessments, security plan updates, contingency plan update and testing, certification and accreditation of systems, as well as update and implementation of Plans of Action and Milestones (POA&Ms).
    • Assist senior program officials with the designation of a System Owner for each IT system, and ensure System Owners appoint ISSOs as necessary to ensure adequate security of major systems is maintained.
    • Establish a continuous monitoring program to manage the risks to each IT system, consistent with the magnitude of harm that could result from the loss, misuse, or unauthorized access to or modification of the information in the system. The monitoring program should conform to Department’s IT Security Program Policy and Minimum Implementation Standards.
    • Ensure that IT security and the associated costs are incorporated and accounted for throughout the life cycle of all IT systems. Specifically,
      • Initiation Phase: identify security requirements and assess risk;
      • Development/Acquisition Phase: define security controls, verify adequacy of controls to protect the system, and build/acquire systems that meet the security requirements;
      • Implementation Phase: test effectiveness of security controls prior to operating in a production environment;
      • Operation and Maintenance Phase: manage risk, maintain and monitor the adequacy and effectiveness of security controls, and maintain current security documentation; and
      • Disposal Phase: remove sensitive information from systems.
    • Ensure that System Owners create an IT security plan for each new system under development and that they review plans for existing systems annually for compliance with NIST Special Publication 800-18.
    • Ensure that System Owners implement secure system configurations and establish mechanisms to ensure effective configuration and patch management.
    • Ensure that System Owners perform a formal risk assessment update and re-approval of the IT system every three years (or whenever significant changes have occurred that may impact security).
    • Ensure that System Owners develop, update, and test contingency/continuity of support plans for all moderate or higher systems according to policy.
    • Ensure that sponsors of IT procurements complete an IT security procurement compliance checklist prior to solicitation issuance.
    • Conduct annual compliance review to ensure that all contractor systems comply with FISMA and Departmental requirements.
  • Use the Commerce Learning Center as a primary platform to provide IT security awareness training to all employees as well as all personnel involved in the management, operation, programming, systems administration, maintenance, or use of IT systems. Specifically, require an IT security awareness briefing for new employees before they are allowed access to your IT systems; provide all employees with refresher training at least annually; ensure personnel with significant IT security roles receive specialized training (such as architecture-based, IT security concepts, or critical infrastructure protection skills).
  • Implement a Computer Incident Response Capability for your operating unit, unless it is delegated to the DOC Computer Incident Response Team (CIRT).
  • Report IT security intrusions and incidents to your local Computer Incident Response Capability and report incidents to the DOC CIRT. Ensure incidents are reported to the U.S. Computer Emergency Readiness Team (US-CERT).
  • Identify critical infrastructure assets required for the protection of national security, national economic security, or public health and safety.
  • Protect nationally-critical IT assets (e.g., systems and infrastructure) in accordance with Homeland Security Presidential Directive 7, Critical Infrastructure Protection (CIP).
  • Establish and regularly test continuity of operations plans (COOP) and reconstitution and response plans for critical assets.
  • Establish a program to address the recruitment and retention requirements necessary to ensure continuity of critical assets.
  • Participate in the Department’s compliance and oversight assessment of your IT Security Program.
  • Comply with the IT Security Program Policy as well as OMB Circular A-123 control requirements by participating in an annual control review. The control review must be conducted to assess the overall status of your security program as required under FISMA.
  • Link IT security planning to strategic and operational IT planning, IT investment review, and enterprise architecture planning. Incorporate IT security measures in enterprise architecture plans.

OCIO Deliverables and Due Dates:

  • IT Security Plans of Action and Milestones (POA&Ms): Quarterly (March, June, September, December)
  • IT Security System Inventory Update (current state of security plans, contingency plans, certifications, accreditations, etc.): March and September, semi-annually
  • FISMA Report: September, annually, plus updates quarterly (March, June, September, December)
  • Bureaus with financial systems – General IT Compliance: Annually
  • IT Internal Control/IT Security Program Assessments: April – June, annually

Contacts:

____________________________________________________________

Element: IT Privacy

Objective: To ensure that Commerce’s IT systems, including Web sites, protect the privacy of the public, businesses, employees, and contractors.

  • Implement an effective IT Privacy Program in conformance with Commerce’s IT Privacy Policy, the E-Government Act, the Privacy Act, and other Federal guidance.
  • Ensure that privacy considerations are addressed in your Internet Web pages, in accordance with the E-Government Act and Departmental and OMB policy regarding Web privacy. This includes posting Privacy Policies and implementing automated privacy preferences through the Platform for Privacy Preferences Project (P3P). Note that Commerce policy extends privacy protections to businesses.
  • Ensure that Privacy Impact Assessments (PIAs) are prepared for IT investments in accordance with the E-Government Act and OMB and Commerce policy. Post the PIAs to the Web. Note that Commerce policy extends privacy protections to businesses.
  • Contribute to the privacy section of the Federal Information Security Management Act reports.

OCIO Deliverables and Due Dates:

  • Privacy Impact Assessments: As needed, for new systems or significantly modified systems
  • FISMA Report, Privacy: September, annually, plus updates quarterly (March, June, September, December)

Contact: Diana Hynek at (202) 482-0266 or dhynek@doc.gov.

___________________________________________________

Element: Electronic Government

Objective: To further the Department’s move to an e-government environment, enabling business functions to be conducted electronically and achieving paperwork elimination goals, both in transactions with Commerce’s customers and for internal operations.

Activities:

  • Promote e-government ensuring that IT investments incorporate e-government components, as needed and practicable. Respond to the provisions of the E-Government Act, Paperwork Reduction Act, and associated OMB and Departmental guidance.
  • Link e-government planning to strategic and operational IT planning, IT investment review, and enterprise architecture planning. Specifically, address e-government through Operational Analyses of steady state investments, IT Review Board processes evaluating new investments or investments under development, as well as other means.
  • Actively participate in OMB’s e-government and lines-of-business initiatives, in accordance with your operating unit’s mission and needs. File quarterly reports, as needed, of progress in implementing OMB’s e-government and lines-of-business initiatives. Annually prepare memoranda of understanding (MOU) to support these initiatives, as required by OMB.
  • Ensure that your IT investments do not duplicate OMB’s e-government and lines-of-business initiatives.
  • Report annually on progress in e-government activities per OMB’s guidance.
  • For those CIOs who manage the Information Collection Budget function*, implement an effective process for submitting Information Collection Requests for clearance to the Departmental Paperwork Clearance Officer in accordance with the Paperwork Reduction Act and Commerce and OMB policy.
  • Provide an Information Collection Budget annually in accordance with guidance issued by OMB.
  • Ensure that the operating unit adheres to Commerce’s policy of zero PRA violations.
  • Maintain an inventory of Web sites and servers annually.
  • Implement an effective process for certification to the Department’s CIO annually that all Web sites of the operating unit comply with the Department’s Web policies. If any deficiencies exist, provide a plan to bring the Web sites into compliance.

* Note that about half of the Paperwork Reduction Act Liaisons are not in the operating unit Office of the CIO.

OCIO Deliverables and Due Dates:

  • E-government milestones reports: Quarterly (February, May, August, November)
  • Inventory of Web servers and sites: August, annually
  • Certification of Web policy compliance: August, annually
  • E-Government Report: September, annually
  • E-government Memoranda of Understanding: October, annually
  • Information Collection Budget: October, annually

Contact: Diana Hynek at (202) 482-0266 or dhynek@doc.gov.

___________________________________________________

Element: IT Workforce Management and Development

Objective: To ensure that Commerce maintains a robust workforce of well-qualified IT professionals.

Activities:

  • Participate in IT workforce identification, assessment, and reporting activities such as the Federal CIO Council’s annual IT Workforce Assessment.
  • In conjunction with the annual Workforce Assessment, develop an estimated population of the operating unit’s IT workforce.
  • Develop and periodically review and update targeted skill and competency levels for all Specialized Job Activities addressed in the survey.
  • Encourage maximum participation by the operating unit’s IT workforce in the annual Workforce Assessment by emphasizing the importance of the survey to the Department, offering dedicated time to participate in the survey, and making the operating unit’s full participation a high priority.
  • Conduct comparisons of targeted skill and competency levels with actual skill and competency levels as determined by the annual IT Workforce Assessment, and provide the Department’s Office of the CIO an analysis of skill and competency gaps in the operating unit.
  • Participate with the Department’s Office of the CIO in developing training, job rotation, and developmental assignment programs to maintain technical skills of the IT workforce at the highest levels.
  • Provide the Department’s Office of the CIO with quarterly reports of gains and losses in the IT workforce, classified by grade level and the Specialized Job Activities listed in the annual IT Workforce Survey.
  • Coordinate the Federal Acquisition Certification Program for Program and Project Managers (FAC-P/PM) with the IT capital investment management process at the bureau-level. Review and approve applications for certification and review waiver requests.

OCIO Deliverables and Due Dates:

  • Estimated population of the operating unit’s IT workforce: June, annually
  • Targeted skill and competency levels: June, annually
  • IT Workforce Assessment: September, annually, or per call
  • Skill and competency gap analysis: January, annually
  • IT workforce gains and losses report: Quarterly (January 15, April 15, July 15, and September 15)
  • Approved FAC-P/PM certification applications and waiver requests: Ongoing

Contact: Jerry Harper at (202) 482-0222 or jharper@doc.gov.

_______________________________________

Element: Information Quality

Objective: To ensure and maximize the quality, objectivity, utility, and integrity of information (including statistical information) disseminated by Commerce.

Activities:

  • Review your Information Quality Guidelines, prepared in accordance with Section 515 of the Treasury and General Government Appropriations Act of FY 2001, annually to ensure accuracy and currency.
  • Ensure that your Information Quality Guidelines are posted on your Web site with a link from your home page.
  • Update your Information Quality Guidelines as OMB issues additional guidance.
  • Respond to all requests for correction of information according to your guidelines. Forward all correspondence associated with requests for correction electronically to the Department’s Office of the CIO for posting on the Department’s Web site as soon as possible after receipt. Also, send draft responses to requests for correction prior to posting for coordination with OMB.
  • Annually, submit a summary of requests for correction for the prior fiscal year per OMB requirements and guidance.
  • Post on the Web agendas for peer review of Highly Influential Scientific Assessments and Influential Scientific Information.

* Note that Information Quality coordinators are often not in the operating unit Office of the CIO.

OCIO Deliverables and Due Dates:

  • Summary of information quality requests for correction: December, annually
  • Correspondence, in or converted to electronic format, associated with information quality requests for correction, posted to Web: Ongoing
  • Peer review agendas, posted to Web: June and December, semi-annually

Contact: Diana Hynek at (202) 482-0266 or dhynek@doc.gov.

___________________________________________________

Element: Records Management

Objective: To ensure that records are created, maintained, safeguarded, and disposed of in accordance with government-wide and Commerce policies and procedures.

Activities:

  • Implement Commerce and government-wide records management policies and procedures for the creation, use, maintenance, safeguarding, and disposition of records, including electronic records, and develop and implement operating unit policies and procedures as appropriate.
  • Provide management oversight of the operating unit records management program to ensure that it remains vigorous and effective.
  • Review and make recommendations on requests for the funding and acquisition of electronic records management systems in accordance with information technology capital planning and investment control procedures.
  • Execute the annual Memorandum of Understanding (MOU) with the National Archives and Records Administration (NARA) for records storage.

* Note that many Records Managers are not in the operating unit Office of the CIO.

OCIO Deliverables and Due Dates:

  • Records control schedule for electronic information systems operational as of December 17, 2005: September 30, 2009
  • MOU for the storage of records at NARA: September 30, annually

Contact: Dan Rooney at (202) 482-0517 or drooney@doc.gov.

___________________________________________________

Element: Electronic and Information Technology Accessibility

Objective: To ensure the accessibility of Commerce’s electronic and information technology to people with disabilities, including those with vision, hearing, dexterity, and mobility impairments.

Activities:

  • Establish an IT Accessibility Program within your operating unit in accordance with Commerce policy, Section 508 of the Rehabilitation Act Amendments of 1998, the Access Board’s Standards for Electronic and Information Technology, and other Federal guidance.
    • Ensure that acquisitions and Web sites conform to accessibility requirements.
    • Request waivers for undue burden through your operating unit head to the Department’s CIO in accordance with Commerce policy.
  • Respond to the periodic Section 508 Department of Justice survey.
  • Link accessibility planning to strategic and operational IT planning, IT investment review, and enterprise architecture planning.

OCIO Deliverables and Due Dates:

  • Justice accessibility survey response: Per call memorandum (generally bi-annually)
  • Request for accessibility waiver: As needed by operating unit

Contact: Diana Hynek at (202) 482-0266 or dhynek@doc.gov.

__________________________________________________

Consolidated Calendar

OCIO Deliverables and Due Dates:

  • Enterprise Architecture: January, annually
  • Enterprise Architecture maturity model self-assessments: January, annually
  • Skill and competency gap analysis: January, annually
  • Earned Value Management Report for major IT investments in the planning and development stages: Monthly, 15th of each month
  • Operational Analysis Report for major IT investments in steady state: February 15, annually
  • Strategic IT Plan: February, annually, or on schedule determined by operating unit
  • Capital Planning maturity model self-assessment: Annually, with the Strategic IT Plan
  • E-government milestones report: Quarterly (February, May, August, November)
  • E-Gov EA milestone report: Quarterly (March 1, June 1, September 1, December 1)
  • FISMA, security and privacy reports: Quarterly (March, June, September, December)
  • IT Security Plans of Action and Milestones (POA&Ms): Quarterly (March, June, September, December)
  • IT workforce gains and losses report: Quarterly (January 15, April 15, July 15, and September 15)
  • Financial and technical performance reviews of major IT investments in the steady state phase: Quarterly (January 15, April 15, July 15, October 15)
  • IT Security System Inventory Update (current state of security plans, contingency plans, certifications, accreditations, etc.): March and September, semi-annually
  • IT Internal Control/IT Security Program Assessments: April – June, annually
  • Exhibit 300 for IT initiatives: May, annually, with the budget submission; update as needed throughout the year or as part of the Operational IT Plan
  • Estimated population of the operating unit’s IT workforce: June, annually
  • Targeted skill and competency levels: June, annually
  • Peer review agendas, posted to Web: June and December, semi-annually
  • Exhibit 300 for major IT investments: August and December, semi-annually; update as needed throughout the year or as part of the Operational IT Plan
  • Exhibit 53: August and December, semi-annually (generated automatically from the information entered in eCPIC)
  • Inventory of Web servers and sites: August, annually
  • Certification of Web policy compliance: August, annually
  • FISMA, security and privacy reports: September, annually
  • E-Government Report: September, annually
  • IT Workforce Assessment: September, annually, or per call
  • MOU for the storage of records at NARA: September 30, annually
  • Operational IT Plan: October, annually
  • E-government MOUs: October, annually
  • Information Collection Budget: October, annually
  • Summary of information quality requests for correction: December, annually
  • Bureaus with financial systems - Financial Statements Audit: Annually
  • Request for Investment Replan and Rebaseline: Ongoing
  • Resumes of project managers and contracting officers: Ongoing
  • Approved FAC-P/PM certification applications and waiver requests: Ongoing
  • Correspondence, in or converted to electronic format, associated with information quality requests for correction, posted to Web: Ongoing
  • Privacy Impact Assessments: As needed, for new systems or significantly modified systems
  • Request for accessibility waiver: As needed by operating unit
  • Other EA artifacts: Per call memorandum
  • Justice accessibility survey response: Per call memorandum (generally bi-annually)
  • Records control schedule for electronic information systems operational as of December 17, 2005: September 30, 2009