FITARA & OMB Guidance June 22, 2015

Federal Information Technology Acquisition Reform Act (FITARA)

FITARA Overview Enacted December 19, 2014 Major Goals: Increase CIO authority Increase Transparency Improve Risk Management Strategic Sourcing Initiative Portfolio Review Major Goals: Increase CIO authority Specifically, FITARA requires that CIOs have significant involvement in the decision, management, and oversight processes Increase Transparency FITARA requires the Director to make available for the public: Cost Schedule; and Performance data For new investments and the Operations and Maintenance of existing investments Improve Risk Management Major IT investments must be categorized by levels of risk There must be a review for investments that are designated High Risk over 4 consecutive quarters Strategic Sourcing Initiative FITARA requires the development of a SSI for Governmentwide acquisition of software Portfolio Review OMB required to implement a process to assist agencies in increasing efficiency and effectiveness of IT portfolios

Increase CIO Authority Budget Formulation Review Delegation Budget Formulation FITARA outlines that the Director of the OMB shall require each agency CIO: Approve the agency’s IT Budget As part of that approval CIOs must: Certify investments adequately implement development Review all positions with IT responsibilities that are requested in the budget, ensuring they are required Review Agencies cannot: Enter a contract or agreement without review and approval of CIOs Divert IT program funds without review and approval of CIOs Agencies can: Use the governance process of the agency to enter a contract or agreement if the CIO is a full participant in the process Delegation Only for non-major IT investments can the CIO delegate the approval of a contract or agreement and only to someone who reports directly to them Agency CIOs shall approve any appointment of additional CIOs within their agency

Increase Transparency Quarterly Review and Certification Investment Evaluations Continuously Available As stated in the Overview, FITARA requires the Director to make available for the public: Cost Schedule; and Performance data For new investments and the Operations and Maintenance of existing investments Quarterly Review and Certification For the aforementioned data requirements, at least once every quarter, for each major IT investment, the agency CIO and program manager must: Certify the information is current and accurate Identify an data quality issues Failure to do so, or incomplete certification, will result in the agency being publically identified by the Director Investment Evaluations For each major IT investment, the CIO shall: Categorize each by level of risk Risk rating is no lower than the higher of the Cost Rating Schedule Risk Rating Risk rating cannot be lower than medium for investments not employing incremental development Continuously Available All of this information must be publically available 24/7 Exception: When such information would pose a national security threat as evaluated by the Director

Improve Risk Management High Risk Process: Identify Report Post Evaluation High Risk Process For investments that receive high risk ratings for 4 consecutive quarters, the Administrator of the Office of Electronic Government (OEG), the agency CIO, and the program manager of the investment shall: Identify The root causes of risk If these causes can be addressed, and; The probability of future success for the investment Report OEG Administrator will report these findings to: The Committee on Homeland Security and Government Affairs and the Committee of Appropriations of the Senate The Committee on Oversight and Government Reform and the Committee on Appropriations of the House of Representatives, and; Any committee of Congress at their request Post Evaluation After one year, if the investment is still rated high risk, the Director shall: Deny funding requests for additional development, modernization, or enhancement This denial shall last until the agency’s CIO certifies that: The causes have been addressed, and; The investment can deliver on cost and schedule for remaining increments

Strategic Sourcing Initiative SSI Government User License Agreement SSI Developed by the Administrator of General Services and the Secretary of Defense Intent is to enhance Governmentwide acquisition, shared use, dissemination of software, and compliance with end user license agreements Government User License Agreement The SSI developed must allow for the purchase of license agreements that to greatest extent practical are one user

Portfolio Review Process Metrics and Performance Indicators Reviews Federal Data Center Consolidation Process Director of OMB must implement a process to help agencies evaluate IT portfolios This must help identify/develop: Ways to increase efficiency and effectiveness of IT investments Opportunities for consolidation Plans to optimize portfolios, programs, and resources Potential sources of waste and for savings Ways to align portfolios, programs, and resources with long –term plans Multi-year strategies for reducing waste Metrics and Performance Indicators To assist aforementioned process, OMB must develop standardized cost saving and performance indicators Reviews Annual CIO, CO and Administrator of OEG must conduct annual review of agency portfolio Quarterly Administrator of OEG must submit a quarterly report on cost savings and duplication reductions that resulted from reviews to: The Committee on Homeland Security and Government Affairs and the Committee of Appropriations of the Senate Any committee of Congress at their request The Committee on Oversight and Government Reform and the Committee on Appropriations of the House of Representatives, and; Federal Data Center Consolidation General Agency head and CIO will submit, on an annual basis, to OMB: Inventory of data centers Strategy for optimizing/consolidating data centers With a timeline, measurement of progress, and a year-by-year calculation of cost and savings CIO will submit a statement, made publicly available, to the OMB. This will assert whether the agency has or has not done the aforementioned process. If the agency has not, the CIO must justify why Administrator Responsibilities Will make a deadline and establish requirements for the aforementioned submissions Ensure information is made public in a timely fashion Annually update the cumulative savings from this initiative Monitor the implementation of each agency’s strategies Establish metrics for consolidation and optimization of data centers With respect to: Costs Efficiencies Any other metric established by the Administrator Congressional Update After 1 year, Administrator will make a goal Annually, the Administrator will take the reported savings and optimizations and compare them to the predicted goal This goal will be broken down year-by-year for planned savings and optimizations that will be achieved through this initiative This prediction and comparison must be submitted to Congress. Additionally, there must be accompanied by a statement regarding whether each agency submitted a comprehensive inventory and consolidation strategy GAO Review Annually, the Comptroller General will review and verify quality and completeness of the inventories and strategies. They will publish a report on their findings Ensuring Cybersecurity Standards Agencies will follow all federal guidance when carrying out this initiative’s guidance

Office of Management and Budget (OMB) FITARA Guidance

OMB Guidance Overview Issued June 10, 2015 Major Goals: Consistent Interpretation Implementing the Common Baseline Reporting Federal Data Center Consolidation IT Acquisition Initiatives Consistent Interpretation To implement FITARA, OMB established a Governmentwide interpretation of: “Information Technology Resources,” and; “Information Technology” OMB Circular A-130, OMB Circular A-11, and the FAR will be updated to reflect these new interpretations Implementing the Common Baseline The “Common Baseline” provides guidance and a framework for the CIO’s and other Senior Agency Officials’ roles and responsibilities for the management of IT. Reporting In addressing Transparency, Risk Management, Reviews, and Reporting; OMB’s guidance refers to existing structures that will aide agencies in adhering to FITARA Federal Data Center Consolidation OMB dictates that agencies will continue the reporting of phase one of FDCCI in their quarterly IDC submissions. Additionally, OMB will publish an updated FDCCI guidance by the end of FY 2015 that will describe the second phase and how it will fit into FITARA requirements IT Acquisition Initiatives Additional Requirements Civilian CFO Agencies shall continue to send annual Acquisition Human Capital Plans to OMB OFPP New reporting elements detailed, will be discussed in further detail on appropriate slide Category Management and the Federal Strategic Sourcing Initiative Upcoming New Rule Purchases of services and supplies of types offered under an FSSI agreement without using an FSSI agreement Agencies will be required to comply with this rule Other strategies around category management being developed by OFPP Practice where spending is managed by common categories of spending Helps avoid duplicative spending and activities Governmentwide Software Purchasing Program GSA and OMB will create a Governmentwide enterprise software licenses through new awards

Consistent Interpretation “Information Technology Resources” “Information Technology” As mentioned previously, in order to implement FITARA, OMB established a Governmentwide interpretation of these terms. OMB Circular A-130, OMB Circular A-11, and the FAR will be updated to reflect these new interpretations. “Information Technology Resources” Includes all: “Agency budgetary resources, personnel, equipment, facilities, or services that are primarily used in the management, operation, acquisition, disposition, and transformation, or other activity related to the lifecycle of information technology. Acquisitions or interagency agreements that include information technology and the services or equipment provided by such acquisitions or interagency agreements.” Does not include: “Grants to third parties which establish or support information technology not operated directly by the Federal Government.” “Information Technology” “Any services or equipment, or interconnected system(s) or subsystem(s) of equipment, that are used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the agency. Where such services or equipment are ' used by an agency' if used by the agency directly or if used by a contractor under a contract with the agency that requires either use of the services or equipment or requires use of the services or equipment to a significant extent in the performance of a service or the furnishing of a product. The term " information technology" includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including provisioned services such as cloud computing and support services that support any point of the lifecycle of the equipment or service), and related resources. The term " information technology" does not include any equipment that is acquired by a contractor incidental to a contract that does not require use of the equipment.

The Common Baseline: What is it? Attachment A of Guidance Set of Responsibilities and Processes Required Implementation by December 31, 2015

Implementing the Common Baseline Agency Self-Assessment and Plan Support Ongoing Oversight Conduct Annual Review and Update Federal CIO Council Support PMC Follow-Up Agency Self-Assessment and Plan By 2016, each agency shall: Conduct a self-assessment to identify current conformity with the Common Baseline. Develop a plan to implement changes to rectify any gaps in conformity identified Implement the aforementioned plan Self-assessments and implementation plans due to OMB Resource Management Office by August 15, 2015 Also, the agencies must post their implementation plans on their public website within 30 days of OMB approval Support Ongoing Oversight Agencies must follow all guidance in the implementation of the Common Baseline and report any problems/issues to OMB Conduct Annual Review and Update Agency self-assessments must be updated annually to document any obstacles or incomplete implementations First update by April 30, 2016 and each April 30 subsequently Federal CIO Council The Council shall develop and share on-going support and tools At least once per quarter, the Council must dedicate time to discuss current Common Baseline topics The Council should work with CFO council to develop materials to support changes related to the Common Baseline Additionally, required to provide examples of agency governance processes and IT policies to assist agencies Support PMC Follow-Up President’s Management Council must select three members by June 30, 2015 to provide updates on Governmentwide implementation of FITARA Updates required on a quarterly basis through the end of FY 2016

Attachment A

Example Page from Guidance

Summary of Common Baseline from Guidance

Reporting Standardized Metrics and Indicators Monthly Reporting TechStat Sessions PortfolioStat Sessions Standardized Metrics and Indicators As a part of the Integrated Data Collection (IDC) reporting requirements, agencies will continue to report cost savings and avoidance achieved through adopted strategies This will be used to provide agencies with a scorecard The scorecard will provide agency specific performance data and portfolio analysis This information will be reported to Congress and the general public on a quarterly basis by OMB Monthly Reporting At least once every month, agencies will provide updates on Major IT investment risk, performance, and activity to the Federal IT Dashboard If the data used in the update is not timely or reliable the CIO must notify OMB Within 30 days, the CIO must develop a plan to address inefficiencies Updates on this plan and its progress must be provided on a quarterly basis until the issue is resolved TechStat Sessions TechStat sessions are face-to-face reviews with agency leadership of an IT program. The sessions are a tool for addressing problems with investments and, when appropriate, terminating struggling investments. Outcomes of the sessions are to reported through the quarterly IDC Investments with a High Risk rating for more than 3 consecutive months must have a TechStat session held by their agency. Must be held within 30 days of the third month If High Risk remains after one year, OMB can take “appropriate performance and/or budgetary actions” until the problem is fixed PortfolioStat Sessions PortfolioStat is a data-driven tool for agencies to use in assessing their IT portfolio management processes Must be held on a quarterly basis Held with: OMB Agency CIO During the sessions, agencies will: Discuss and update a multi-year strategy for reducing duplication and waste from the portfolio Identify/develop ways to increase efficiency and effectiveness Identify/develop ways to increase use of shared-services delivery models Develop plans to optimize the agency’s IT portfolio, programs, and resources Review investments Develop ways to better align long term goals with the agency’s IT portfolio, programs, and resources Status of action items must be reported in the IDC by agencies Must be on at least a quarterly basis Agency heads must review and certify the status of these items with the CIO annually by April 30. This must be then submitted to OMB. OMB will use information submitted to asses agency PortfolioStat progress

Federal Data Center Consolidation 2012 OMB FDCCI Guidance Updated Guidance As stated previously, OMB dictates that agencies will continue the reporting of phase one of FDCCI in their quarterly IDC submissions. Additionally, OMB will publish an updated FDCCI guidance by the end of FY 2015 that will describe the second phase and how it will fit into FITARA requirements 2012 OMB FDCCI Guidance This guidance provided agencies with an outline of goals, responsibilities, and reporting requirements through the end of FY 2015. Updated Guidance By the end of FY 2015, OMB will publish guidance describing the second phase of the initiative and how the initiative will comply with FITARA

IT Acquisition Initiatives Additional Requirements Category Management Governmentwide Software Purchasing Program Additional Requirements New Reporting Elements/Additional Requirements for civilian CFO Act agencies to those established in Acquisition Workforce Development Strategic Plan for Civilian Agencies – FY2010 – 2014. IT Acquisition Cadres Must explain if they have developed this position. Why or why not? Personnel Development Must explain if their agency has taken steps to develop personnel for IT acquisition and training. Specialized Career Path for IT Program Managers Must explain if agency has utilized the specialized career path for IT program managers and if they have strengthened IT program management Direct Hire Authority Must detail if agency has used Direct Hire for IT acquisition personnel Peer Reviews Must explain if agency has conducted peer reviews of IT acquisition Pilot Programs Must explain if agency has made use of pilot programs for IT acquisition Category Management Upcoming New Rule As stated previously, the upcoming new rule regards the: Purchases of services and supplies of types offered under an FSSI agreement without using an FSSI agreement Agencies will be required to comply with this rule FAR Council initiated rulemaking in February 2015 Creates a preference for strategically sourced vehicles Once finalized, contract files will be required to include a brief analysis of the comparative value between services and supplies offered under the FSSI, to that of the source(s) purchased from Other strategies around category management being developed by OFPP As stated previously, category management: Is a practice where spending is managed by common categories of spending Helps avoid duplicative spending and activities OMB launched the Category Management Initiative in December 2014 Governmentwide Software Purchasing Program Through new awards, GSA and OMB will create and allow agencies access to Governmentwide enterprise software licenses These awards, at a minimum, will allow for licensee agreements available for use by all Executive Agencies

Summary of Agency Deadlines and Requirements

Summary of Agency Deadlines and Requirements

Summary of Agency Deadlines and Requirements

Reception

What has been said Don’t Leave it to Agencies How Flexible Should FITARA be? Not Just an Update Real and Lasting Impact Don’t Leave it to Agencies “Dave Powner, GAO’s director of IT management issues, said Congress needs to stay involved in the process, too. ‘History tells us that if you leave it up to the administration -- OMB and the agencies -- it doesn't work as well,’ Powner said of past efforts to transform the way the government budgets for and spend IT.” Powner pointed to the TechStat sessions that were started in 2010 and had great success, saving $3 billion. However, since March 2013, OMB has not conducted any sessions and has not listed any savings from the sessions since June 2012. Instead, OMB has left the process to agencies to handle internally and, thus, lost billions in potential savings. --June 11, 2015, NextGov http://www.nextgov.com/cio-briefing/2015/06/agencies-get-fitara-marching-orders-congress-still-has-role-play/115081/ How Flexible Should FITARA be? There are cultural issues that could impeded acceptance of the centralized agency CIO authority in highly federated departments according to Richard Spires, former CIO of the Department of Homeland Security. Seeing that with the attempted carve-out by the Department of Energy in the Senate appropriations bill for the department "One-size-fits-all models don’t work well, and I am concerned that this well-intentioned law could make it more difficult to develop the technology we need to support the Department of Energy’s research and national security missions,“--Sen. Lamar Alexander (R-Tenn.) “Rep. Gerry Connolly (D-Va.), one of the original sponsors of FITARA, warned administration officials that agency leaders are looking to Congress for exceptions…He urged the administration to "resist that temptation" to grant one-off exceptions to certain programs or agencies.” --June 10, 2015, FCW http://fcw.com/articles/2015/06/10/fitara-implementation.aspx Not Just an Update “FITARA, in many ways, isn't just updating the 1996 Clinger-Cohen Act, but reinforcing many of the requirements that agencies ignored, misinterpreted or just got lost in the business of government over the last two decades.” Knowing that it has been 20 years since the aforementioned law, Congress used FITARA to try and clean up some of the issues that have come to light over the years, including: OMB requirements for the CIO to: Be included in all internal planning processes for how the agency uses IT resources Approve the IT components of any plans, and; Be included in an agency-wide budget development process OMB expansion the definition of what IT is beyond the traditional ones found in Clinger-Cohen and in Circular A-11. --April 30, 2015, Federal News Radio http://www.federalnewsradio.com/?nid=513&sid=3848936&pid=0&page=2 Real and Lasting Impact Tony Scott, U.S. Chief Information Officer: “If you think about nothing else about FITARA, think about good governance and good conversation and pithy conversations that enable the leadership of whatever organization is involved to make the best possible decisions going forward.“ “…FITARA gives us good guidance in how governance and interaction among senior leaders…should exist.” Two reasons why he is confident in FITARA: Times have changed since Clinger-Cohen Act in 1996 Increased awareness of the importance of CIOs’ role Consistent oversight of implementation of FITARA by Congress Additionally, the article offers a third reason for confidence in FITARA’s success: The partnership between OMB and OFPP Working together to improve how agencies buy IT products and services Especially, enterprise buying software OFPP Administrator, Ann Rung has detailed plans for an interagency team (OFPP, GSA, & DoD) to develop a strategic plan to boost these agreements across government Additionally, Rung has stated that guidance from OMB can be expected later this summer concerning policy changes to improve the management of software acquisition --June 22, 2015, Federal News Radio http://www.federalnewsradio.com/517/3879465/OMBs-Scott-Rung-partnering-to-make-FITARAs-impact-real-lasting

Questions?

Your attention was appreciated! Thank You! Your attention was appreciated!