Frequently asked questions

Sections

Overall Guidance
Submission of Deliverables
Budget Formulation and Planning
Acquisition and Execution
Organization and Workforce
Definitions

Overall Guidance

What is OMB planning to do to make sure agencies successfully and completely implement these requirements?

OMB will work with agencies to ensure that they are meeting the Common Baseline in Section A of the memorandum through existing oversight methods including PortfolioStat. In addition, our memorandum states that agencies will post their plans to meet the Common Baseline publicly, helping to enable Congressional and public oversight.

Would this memorandum make it more difficult for mission programs to select software and solutions that meet their needs?

This memorandum would require agencies to ensure that their CIO and other management officials have a common baseline of roles and responsibilities. For some agencies, these responsibilities may include greater involvement of the CIO in planning and execution decisions regarding IT used by programs or components outside of the Office of the CIO. Each agency should establish appropriate processes that work in its environment to meet the Common Baseline of roles and responsibilities. In the memorandum, a key part of the CIO’s role is to be a partner in supporting programs’ efficient and effective accomplishment of their missions through the use of IT. To succeed in this, it is critical that CIOs understand the program environments that are supported by IT resources. This includes greater involvement with program governance boards and planning processes, as well as greater program inclusion of the CIO in acquisition and requirements planning—as described in the Common Baseline. At its core, this memorandum seeks to achieve greater agency CIO accountability for the agency’s use of IT resources through increased collaboration and communication between the CIO and the full scope of agency programs and units.

The CIO shouldn’t be in charge of how programs manage their resources; instead, the program leadership should maintain this control. How is that reflected in this memorandum?

Through TechStat sessions, PortfolioStat sessions, and CyberStat sessions, OMB has seen agencies struggle with successful implementation of IT projects that lack close coordination between the program leaders and the CIO. Strengthening these relationships and strengthening the collaboration between program leadership and the CIO’s organization is a major objective of this memorandum.

Won’t this make today’s CIOs a bottleneck and damage agencies’ ability to deliver their programs?

Through extensive outreach and collaboration, we believe we have developed a memorandum that is applicable to all agencies in a way that gives them flexibility to implement the law’s requirements and does not create unnecessary bottlenecks. This was an initial primary concern of many CIOs and agency executives. In response, we created the CIO assignment plan to allow the CIO to assign, in a rules-based manner, certain responsibilities to other people in their department. This keeps the accountability with the CIO but allows each agency to realistically meet the law’s requirements while minimizing the chance for bottlenecks.

The new processes described in the common baseline are either redundant with existing agency processes or not aligned with how certain processes function today. How should agencies implement these in their existing structures?

In some cases and in some agencies, the roles and responsibilities identified in the Common Baseline may be implemented through existing practices, as long as those practices completely deliver the requirements described in the Common Baseline. However, in other instances, agency practices may need to be revised or strengthened, and agencies may need to establish new practices.

Can the CIO overrule an agency head such as a Secretary on decisions about IT?

CIOs, like other senior management officials, work within the organizational structures of their agencies. This guidance emphasizes the role and responsibilities of the CIO and other management officials in that context.

Why does the memorandum include requirements not described in the FITARA law?

Other legislation, primarily the Clinger-Cohen Act of 1996 and the E-Government Act of 2002, require the Director of OMB to issue management guidance for information technology and electronic government activities across the government. Moreover, while the FITARA law contains some specific requirements, it also contains more general requirements that require interpretation for successful FITARA implementation.

Submission of Deliverables

M-15-14 directs agencies to update their self-assessments. What are the expectations for this deadline?

Per M-15-14, Agencies are required to conduct annual self-assessment reviews and updates. The first update must be completed by April 30, 2016. To fulfill this requirement, OMB has developed two templates for agency updates rather than requiring updates to the implementation plans. OMB has pre-populated the below tables with (1) your Agency’s approved self-assessment scores, and (2) the actions/milestones (and corresponding due dates, if provided) that are listed in your Agency Implementation Plans, Self-Assessment table or a separate source that agencies may be using to track progress. Agencies are required to complete both templates and submit them to OMB by April 30th.

Guidance can be found here. Pre-filled templates were emailed to agency Deputy Secretaries.

FITARA requires that “the Chief Information Officer of each covered agency, in conjunction with the Chief Operating Officer or Deputy Secretary (or equivalent) of the covered agency and the Administrator of the Office of Electronic Government, shall conduct an annual review of the information technology portfolio of the covered agency.” Has OMB issues instructions for this requirement?

OMB recently issued instructions to agencies to conduct an annual review of their PortfolioStat reviews. To fulfill this, OMB asked each Deputy Secretary to certify that they have reviewed their agency’s IT portfolio with their CIO and that the status of their current PortfolioStat Action Items are correct as reported in the OMB E-Gov Integrated Data Collection. In April, each agency is required to submit a statement from the Deputy Secretary certifying the review and status of your agency’s PortfolioStat action items.

According to the template provided to each agency, the Self-Assessment Update is due to the OFCIO Desk Officer. Delivery of the Implementation Plan Status simply requires the .json file. However, the e-mail implies that all materials should be sent to the OFCIO. Please confirm that all 3 items, the FITARA Self-Assessment Update, the FITARA Implementation Plan Update (in document format), and the certification from the Deputy Secretary should be sent to one recipient, with the addition of posting the .json file.

a. The 3 deliverables are:

i. Self-assessment update -Complete the pre-filled template and email it to your desk officer.

ii. FITARA milestones -Agencies should use the example JSON file and schema at management.cio.gov/schema to generate a FITARAmilestones.json describing these milestones and post this to agency.gov/digitalstrategy. Use the pre-filled template as a starting point.

iii. Annual review of your IT Portfolio -a statement from the Deputy Secretary certifying the review and status of your agency’s PortfolioStat action items.

b. For these 3 deliverables, #1 and #3 should be emailed to your OMB desk officer (cc ofcio@omb.eop.gov) and #2 should just be posted online. However, you may want to do the following: email your desk officer with the two attachments (self-assessment and certification) and also include the direct link to the JSON file you posted in the email body.

For those agencies that are not structured simply, how should CIOs or those with CIO responsibilities who are managed by a different agency be listed in order to help build the Bureau IT Leadership Directory? For example, an agency may have facility CIOs who are managed by a different agency within the organization. Should we list a direct chain of command?

The guidance does not define the scope of bureau IT, either organizationally or by title. Therefore, anyone who has the duties or function of a CIO should be listed, regardless of title. The broad definition of “bureau” as used in M-15-14, “Management and Oversight of Federal Information Technology,” should be used in this context.

If an organization rates itself as a “3” on their Self-Assessment Plan because it has developed its own IT governance process (in conjunction?) with boards, is it necessary to submit a copy of these newly developed charters?

Yes, if these charters strengthen the evidence of the self-assessment, they should be referred to in the agency’s self-assessment and included in the IT Policy Archive that was due to be posted on the agency’s website in August 2015.

To support a self-assessment of “3”, what documentation is required to show that the job is being completed as described?

The documentation type will be specific to each agency. Provide evidence that will be persuasive given your agency’s environment and evaluation.

Should agencies respond to the required questions using the matrix template provided in M-15-14 or a separate Word document (separate from other attachments demonstrating compliance)?

The matrix template should be used for agency self-assessments (see editable Self-Assessment template here), but a standalone document (not to exceed 25 pages) is sufficient (and encouraged) for the implementation plan. Refer to the “Plan” sections in the matrix.

Please ensure that the self-assessment includes references to relevant sections of their Implementation Plan. The structure of CIO Assignment Plans will probably vary pretty significantly as the methods by which CIOs assign portions of their responsibilities throughout agencies may be complex.

When submitting the Common Baseline Self-Assessment and Plan (Attachment C) with a “1” or “2” rating and the appropriate explanation, is a timeline outlining when actions will be completed also necessary?

Yes, as it will strengthen the plan.

Is there a template available for the CIO Assignment Plan? If not, what are the guidelines/format requirements for the submission?

The only template we have is for the Self-Assessment.

In addition to this template or another approved by OMB, please provide an implementation plan and supporting documents, not to exceed 25 pages. There is no suggested format for the plan beyond the template found in Attachment C.

It is okay if the CIO Assignment Plan is outside of those 25 pages. Agencies should use a format that allows them to achieve the objective of the CIO Assignment Plan.

Regarding the requirement to post a compressed archive (file type .zip, .gz, .tar, or .rar) containing all public policy documents, is there a size limit of the zip file?

No

Can you explain what OMB is looking for in the “evaluation rating official title” and the “evaluation reviewing official title” fields for the Bureau IT Leadership Directory section? Are these the supervisors of the Bureau CIOs?

This should be the individual who is the rating or reviewing official for that employee’s annual performance evaluation. Some helpful information on performance reviews can be found on OPM’s website here.

In addition to the obvious such as policy documents, what are the expectations for evidence of complete implementation of the various elements of the Common Baseline?

The evidence included in the Self-Assessment should provide enough detail to demonstrate that the agency has turned the high-level language of the Common Baseline into specific details relevant to the agency environment. These should show enough detail to demonstrate that the agency has selected choices and trade-offs which connect the needs for IT resource visibility, CIO involvement, CIO authority, or other methods of the Common Baseline with other management processes of the agency, program objectives, and overall agency objectives in a way which applies effective IT management principles.

How should evidence that is not practical to post publically (e.g., process/procedures represented on internal agency web site) be provided?

The best way to do this is to provide the evidence to your OMB desk officer.

Will OMB require evidence that a particular policy is actually being followed in the form of completed artifacts? If so, how is that to be handled?

Where possible, include agency IT policies and processes related to evidence of common baseline implementation in your agency’s IT Policy Archive. As agencies implement the FITARA Common Baseline, updated policies should be reflected in updates to your IT Policy Archive during future IDC quarterly deadlines.

While the A-11 definition of and distinction between “agency” and “bureau” is clear, one reading of OMB M-15-14 suggests that only “agency” TechStats should be reported in the IDC and not those led within the agency by the “bureaus.” Is this the consensus reading?

M-15-14 states “For all agency-led TechStat reviews of investments, the agency shall contact egov@omb.eop.gov with the subject line, “[Agency Acronym] TechStat Notification,” at least two weeks ahead of the TechStat session.”

The agency-led TechStat reviews referenced above applies to all TechStats held within the department, including ones that were conducted by components or bureaus. The distinction is between TechStat sessions that are led by OMB and ones initiated by the agency.

Will there be a mechanism for updating the CIO Assignment Plan after OMB approves the initial one?

Any changes to approved plans will be coordinated through your OMB desk officer who would review the plan, ask for any additional details or documentation if needed, and let you know whether or not the new plan is approved. The public plan should then be updated to reflect the approved changes.

In addition, M-15-14 requires covered agencies to update the self-assessment annually to identify any obstacles or incomplete implementation of Common Baseline responsibilities that occurred over the preceding 12 months. The first update will be due April 30, 2016, and each April 30 on an annual basis thereafter.

Does OMB view Attachment I as a comprehensive list of action items to implement the requirements identified in Attachment H? Or should does Attachment I outline hard OMB deliverables to date and agencies should use discretion in determining internal deadlines to meet outstanding requirements?”

Attachment I outlines OMB deliverables and agencies are free to set additional internal deadlines to help them meet the OMB requirements and deliverables.

Do small agencies such as USACE and NARA need to report to the FITARA questions on the Integrated Data Collection (IDC)?

No, only CFO Act agencies are required to report on those questions.

For the Bureau IT Leadership Director, what are you looking for as far as how far do you want to go down, anyone with the title CIO, or just those in the direct chain under the CIO?

We are not defining the scope of “bureau” IT organizationally nor by title–so please include anyone who has the duties/function of a CIO regardless of title. Apply the definition of “bureau” used in M-15-14, which is rather broad.

In responding back to all questions are you expecting us to fill out the matrix and send that back in or are you expecting a word document in return with no more than 25 pages total?

Use the template for your self-assessment, but it is fine and probably encouraged to complete the implementation plan as a standalone document not to exceed 25 pages. Refer to Plan sections in the matrix.

In responding back as a 1 or 2 after providing the explanation for the rating under agency plan of action are you expecting timelines of when actions will be completed along with plan?

Timelines would certainly strengthen the plan, yes.

Budget Formulation and Planning

CIO Role in Pre-Budget Submission: If the organization says it’s a three (3) and they say it’s because they’ve developed IT governance process with boards do you require a copy of those Charters? I would think that would be part of the evidence of completion. Need to ensure those leads understand the requirement of evidence.

If sharing charters strengthens the evidence of your self-assessment please include them in the IT Policy Archive posted on your website in August and refer to them in your self-assessment.

How does OMB Circular A-11, Section 53.1 square with agencies who self-assess Control D as a 1 or 2? By definition, those agencies do not currently have the processes in place to make these statements. Can qualified statements be provided?

Agencies should accurately describe their CIO involvement in A-11 materials, keeping in mind that some agencies have not yet completely implemented this element of the Common Baseline.

Regarding elements C1 and C2, could you please provide further context regarding the scope of “program management” as it pertains to this question, as well as context for the intended CIO role in early planning?

This is in the “budget formulation” section of the Common Baseline. The intent is to strengthen agency CIO involvement in early planning phases for how an agency accomplishes its objectives through establishing or modifying programs. Early CIO involvement is intended to allow potential IT solutions to be explored before an overall approach for a program has been established. This is a critical step toward developing more innovative uses of IT to accomplish agency objectives. OMB and agencies have identified “late” CIO inclusion in program management as a key obstacle to innovation and a key factor in missing opportunities to reuse or share existing data and digital solutions because the program approach has already been selected.

The rest of C1 is intended to provide further context into what activities “program management” refers to—it is intentionally broad in scope: “The CIO shall be included in the internal planning processes for how the agency uses IT resources to achieve its objectives. The CIO shall approve the IT components of any plans, through a process defined by the agency head that balances IT investments with other uses of agency funding. This includes CIO involvement with planning for IT resources at all points in their lifecycle, including operations and disposition or migration.”

Agencies should define what aspects of their agency planning environment are included in “program management” as a part of their self-assessment and implementation plan discussing this element of the Common Baseline.

Has the budget submission changed since the implementation of FITARA?

Yes, each agency was required to include IT Resource Statements in their budget submissions to OMB. See below from page 3 of [section 51 in A-11] (https://www.whitehouse.gov/sites/default/files/omb/assets/a11_current_year/a11_2015.pdf):

“Your justification materials should include a section beginning with the words “IT Resource Statements” that provides the following: a statement from the CIO affirming that the CIO has reviewed and approved the major IT investments portion of your budget request; a statement from the CFO and CIO affirming that the CIO had a significant role in reviewing planned IT support for major program objectives and significant increases and decreases in IT resources; and a statement from the CIO and CFO that the IT Portfolio (Section 55.6) includes appropriate estimates of all IT resources included in the budget request. If for any reason any of the above is not accurate, briefly describe the nature of the inaccuracy. The above statements and discussion must also be included in your agency’s annual assurance statement described in OMB Circular A-123.”

Acquisition and Execution

Regarding the CIO’s (new) role in “the decision processes for all annual and multi-year planning, programming, budgeting, and execution decisions,” what is the scope of “project management,” as well as the intended role for the CIO in early planning?

As described in the “budget formulation” section of the Common Baseline, the intent of Sections C1 & C2 is to strengthen agency CIO involvement in early planning phases of how an agency can accomplish its objectives by either establishing or modifying programs. Early CIO involvement is intended to allow potential IT solutions to be explored before an overall approach for a program has been established. This is a critical step toward developing more innovative uses of IT to accomplish agency objectives. OMB and agencies have identified “late” CIO inclusion in program management as a key obstacle to innovation and a key factor in missing out on opportunities to reuse or share existing data and digital solutions because the program selected.

Section C1 is also intended to provide further context into what activities “program management” refers to and is intentionally broad in scope: “The CIO shall be included in the internal planning processes for how the agency uses IT resources to achieve its objectives. The CIO shall approve the IT components of any plans through a process defined by the agency head that balances IT investments with other uses of agency funding. This includes CIO involvement with planning for IT resources at all points in their lifestyles, including operations and disposition or migration.” Agencies should define which aspects of their agency planning environment are included in “program management” as a part of their self-assessments and implementation plans discussing this element of the Common Baseline.

Letter F states that “The CFO, CAO and CIO should define agency-wide policy for the level of detail of planned expenditure reporting for all transactions that include IT resources.” Our question is: Is OMB referring to planned expenditures (current year) or future planned expenditures, or the execution and transaction of expenditures? Put another way, there is confusion as to whether the sentence refers to the accounting process for “transactions?” The CFO folks are particularly confused about this because transactions has a particular meeting in the accounting sense. Can you clarify the intent of the requirement?

All organizations and functions of the agency should provide enough detail to internal and external stakeholders about planned expenditures to ensure appropriate IT management. The agency’s selection of what level of detail is appropriate should be defined by the CFO, CAO, and CIO. This is to ensure that CIOs have sufficient visibility into expenditures that are planned to be committed to across the agency. This is not limited to reporting of expenditures after the fact, but rather focuses on ensuring that the agency CIO is included in early conversations that would lead to expenditures related to IT resources. Similarly, the CFO, CAO, and CIO should select the level of detail of expenditure reporting externally to ensure that other stakeholders may also adequately discern where and how decisions related to IT resources are being made.

Organization and Workforce

Letter I requires that “The CIO and CHCO will develop a set of competency requirements for IT staff.” Is OMB mandating that competency requirements be established for every IT staff person at the departments? Some agencies have competency requirements for IT program managers (FAC-P/PM) and mandate that they also take IT specialization training, but not necessarily for IT personnel who are not program managers, and believe that trying to achieve this in this calendar year is not realistic.

The CIO and CHCO should establish the competency requirements that are appropriate for the agency environment and use the Self-Assessment, Implementation Plan, and posted IT Policy Archive to describe the agency’s approach to such requirements. This element of the Common Baseline is not driven by the IT Acquisition Cadres section of FITARA, but rather by overall responsibility for strengthening the IT related workforce as described in the Clinger-Cohen Act.

Is the intent of the OMB FITARA guidance to require all agencies to develop a set of competencies for all IT staff, or is the intent focused on the statute, which is concerned with the IT acquisition cadres and the competency of IT program managers?

The CIO and CHCO should establish the competency requirements that are appropriate for the agency environment and use the Self-Assessment, Implementation Plan, and posted IT Policy Archive to describe the agency’s approach to such requirements. This element of the Common Baseline is not driven by the IT Acquisition Cadres section of FITARA, but rather by overall responsibility for strengthening the IT related workforce as described in the Clinger-Cohen Act.

OMB Guidance states that the Department CIO may delegate to the bureau CIOs; however, the law within the FITARA Guidance states that it has to be delegated to a direct report of the Department CIO. If the law supersedes the OMB Guidance, we need some clarification on this guidance. By direct report, is it understood that the CIO can only delegate to a person which he or she is first line supervisor for, or will he or she be able to delegate to subordinate employees that are second or third line as well since all of these subordinate employees are indirectly a direct report of the department CIO?

The short answer is that that portion of the statutory language does not affect the CIO Assignment Plan. The referenced portion of the law only applies to the contract approval portion of the CIO’s responsibility, and that section specifically says the agency “may use the governance processes of the agency to approve such a contract or other agreement if the CIO of the agency is included as a full participant in the governance processes.” The agency’s implementation of the Common Baseline and CIO Assignment Plan as approved by OMB constitute a governance process which includes the CIO as a full participant. This is why it is critical that the CIO Assignment Plan be designed by the CIO and structured in such a way that the agency CIO retains full accountability for any assigned portions of their role.

Definitions

To what extent are sensors and satellite systems included in the definition of IT resources?

Please see M-15-14: Information Technology - As described in Section A above:

a. Any services or equipment, or interconnected system(s) or subsystem(s) of equipment, that are used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the agency; where

b. such services or equipment are ‘used by an agency’ if used by the agency directly or if used by a contractor under a contract with the agency that requires either use of the services or equipment or requires use of the services or equipment to a significant extent in the performance of a service or the furnishing of a product.

c. The term “information technology” includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including provisioned services such as cloud computing and support services that support any point of the lifecycle of the equipment or service), and related resources.

d. The term “information technology” does not include any equipment that is acquired by a contractor incidental to a contract that does not require use of the equipment.

IT Resources - As described in Section A above: All agency budgetary resources, personnel, equipment, facilities, or services that are primarily used in the management, operation, acquisition, disposition, and transformation, or other activity related to the lifecycle of information technology; acquisitions or interagency agreements that include information technology and the services or equipment provided by such acquisitions or interagency agreements but does not include grants to third parties which establish or support information technology not operated directly by the Federal Government.”