2135.2B CIO GSA Information Technology (IT) Capital Planning and Investment Control
GENERAL SERVICES ADMINISTRATION
Washington, DC 20405
November 26, 2008
SUBJECT: GSA Information Technology (IT) Capital Planning and Investment Control
1. Purpose. This Order establishes agency-wide policies, roles and responsibilities for GSA’s IT Capital Planning and Investment Control process (CPIC). CPIC is an integrated management process for the continuous selection, control, and evaluation of IT investments over their life cycles and is focused on achieving desired outcomes in support of GSA’s missions, goals, and objectives. GSA’s CPIC process must be closely aligned to GSA IT enterprise architecture, IT security, IT acquisition, strategic planning, and capital budgeting processes. This order updates GSA’s CPIC policy, consistent with the Clinger-Cohen Act and Office of Management and Budget (OMB) guidance.
2. Cancellation. This order cancels CIO 2135.2A dated September 29, 2006.
3. Background. The Clinger-Cohen Act of 1996 created the Office of the Chief Information Officer (OCIO) in Federal agencies and mandates that CPIC be established to significantly improve how agencies plan, select, fund, control and evaluate IT investments. It also requires agencies to undertake enterprise architectures designed to guide the IT investment decision process. OMB Circular A-130, Management of Federal Information Resources, provides general guidance for the Clinger-Cohen and related Acts, including focus on linking budget formulation and execution, and achieving agency missions and specific program outcomes. OMB Circular A-130 requires management to devote attention to operational information resources management (IRM) planning, by providing a one-to-five year focus on agency IT activities and projects. Agencies must develop and maintain a Five Year Plan as required by 44 U.S.C. 3506 (Paperwork Reduction Act of 1995). The annually updated OMB Circular A-11, Preparation, Submission, and Execution of the Budget, provides specific guidance for content and presentation of the IT Capital Asset Plan and Business Cases (Exhibit 300s), the Agency IT Investment Portfolio (Exhibit 53) and how agencies are to use and analyze earned value data to manage IT investment performance using an ANSI Standard 748, Earned Value Management (EVM) system and methodology.
4. Applicability. This order applies to all GSA Service and Staff Offices (SSOs) including the Regional Offices. All GSA IT investments are to be managed as set forth in this Order. This order does not apply to GSA business line (e.g., FEDSIM) fee-for-service IT investments conducted for other agencies.
5. CPIC objectives.
a. Demonstrate and document clear alignment of the IT Portfolio to GSA’s mission and business objectives, and with the strategic and tactical goals specified in the Information Technology (IT) Strategic Plan and the GSA Strategic Plan.
b. Ensure sufficient and appropriate business planning and justification in the selection and control of GSA IT capital investments.
c. Implement Enterprise Architecture transition plans by selecting IT investments that will move toward achievement of the target Enterprise Architecture.
d. Implement a decision making process in accordance with approved governance policies that appropriately balances investment benefits, costs, risks, and business priorities.
e. Monitor performance by measuring actual achievement of cost, schedule, and performance milestones against approved performance measurement baselines (PMB).
f. Support timely and effective monitoring and reporting of initiatives’ performance to established management and governance bodies.
6. Linkages between CPIC and other management processes. CPIC links to other agency planning and management processes.
a. Strategic and performance planning. The Government Performance and Results Act of 1993 (GPRA) requires Federal agencies to develop strategic plans and annual performance plans that are tied to the agency mission, goals and budget allocation, and to report actual results against performance plans. In the CPIC process, IT investments must demonstrate how they are aligned to the agency’s strategic business goals and how they support the long term and annual performance plan goals.
b. Performance Management Process (PMP). The PMP is GSA’s strategic planning, budget, and performance management cycle, managed by the Office of the Chief Financial Officer. The PMP process is designed to enable sound long-term strategic, operational, and tactical business plans based on past performance data and future performance targets established by GSA’s SSOs. The IT Capital Planning process supports the PMP by aligning ongoing and proposed IT initiatives to the agency’s strategic plans.
c. Information Technology (IT) strategic planning. The agency annually updates its IT Strategic Plan that addresses all of the agency’s information resources. The IT Strategic Plan supports the GSA Strategic Plan; provides a description of IT goals, objectives, initiatives, and influences; and describes the strategy for assuring the agency IT vision and goals are supported and that IT decisions are consistent with agency planning, budget, procurement, financial management, human resources management, and program decisions.
d. IT Capital Planning. The IT Capital Plan is operational in nature, supports the goals and missions identified in the IT Strategic Plan, is a living document, and is updated twice yearly – first with the annual budget submission and secondly after the OMB pass back. The IT Capital Plan is the implementation plan for the budget year and the IT operating plan for the current year.
e. Enterprise Architecture (EA). EA is required by the Clinger-Cohen Act of 1996. The GSA Enterprise Architecture is GSA’s Business Modernization Blueprint. It consolidates GSA’s Enterprise Architecture efforts by establishing overarching architectural guidance. IT investments must be consistent with the GSA Enterprise Architecture. The EA is an essential tool for taking a strategic approach to planning and managing IT investments.
f. The Federal Information Security Management Act of 2002 (FISMA). FISMA requires agencies to integrate security into the capital planning and enterprise architecture processes, to have a security program to conduct annual self-assessments and audits of the program and its implementation. IT investments must demonstrate that costs of appropriate IT security controls are incorporated into the lifecycle planning of the overall system. IT security is one of the review criteria for IT investments.
g. Budget formulation. During budget formulation, agencies are required to submit, in accordance with the requirements of OMB Circular A-11, the proposed IT portfolio of investments as part of the agency budget request. IT investments are to be included in the budget request whether they are existing projects and systems, incremental increases for existing projects and systems, or new initiatives.
h. Budget execution. The Control Phase of the CPIC process occurs during the budget execution cycle.
i. Systems Development Life Cycle (SDLC). SDLC is a disciplined approach to development, enhancements and modifications. The SDLC phases identify the appropriate activities and deliverables through the lifecycle of a system. These activities and deliverables are essential references in preparing business cases. Movement from one SDLC phase to another is an appropriate milestone for measuring the degree of accomplishing planned progress.
j. Acquisition Strategy. In accordance with the Federal Acquisition Regulations, the GSA Order OGP 2800.1 of January 2004 requires acquisition planning. One of the select criteria for IT investments is its acquisition plan. OMB Circular A-11, Section 300 and the GSA Acquisition Manual (GSAM), require appropriate EVM clauses in all applicable solicitations and contracts. The Services Acquisition Reform Act also requires the Chief Acquisition Officer to ensure compliance with all acquisition laws and regulations in planning acquisitions.
k. Project/Program Management (PM). In response to the Federal CIO Council’s Workforce Capability Assessment, GSA conducted a workforce analysis and developed a PM training program to address identified skill gaps. The Office of Federal Procurement Policy’s memorandum of April 27, 2007, establishes the minimum requirement for Federal certification for PM. GSA Office of the Chief Acquisition Officer is currently drafting policy for the agency’s implementation of the OFPP standards.
7. CPIC policy. The following policy statements are based on OMB and Government Accountability Office (GAO) guidance and on best practices.
a. The GSA IT capital planning process will be accomplished in accordance with established GSA governance processes and mandates.
b. The IT capital planning process will leverage and be leveraged by GSA’s EA, Acquisition, Security, Financial Management Planning, Budget Formulation and Execution, and Performance Planning programs and processes.
(1) Reduce risk. Reduce risk by avoiding or isolating custom designed components, using components that can be fully tested or prototyped prior to full implementation or production, ensuring involvement and support of users in the design and testing of the asset.
(2) Useful segments. Structure major acquisitions into useful segments with a narrow scope and brief duration; make adequate use of competition and appropriately allocate risk between government and contractor.
(3) Enterprise architecture consistency. Investments having IT systems should be described by and consistent with the principles of the GSA Enterprise Architecture.
(4) System Development Life Cycle (SDLC) consistency. IT investments will use SDLC discipline to plan and execute projects. The project scope, cost and complexity will determine level of SDLC documentation and reviews that are required.
(5) Strategic Plan and Annual Performance Plan alignment. IT investments will be aligned with the agency strategic and annual performance plans which in turn are aligned with the President’s Management Agenda.
(6) Security. IT investments will include security costs and adhere to GSA security standards and policies.
(7) The IT capital planning process. This process will both leverage and inform GSA’s annual Strategic (Business) Plan and GSA’s IT Strategic Plan, supporting the mission, goals, and objectives of the agency.
c. GSA’s CPIC process incorporates the full IT capital planning lifecycle, as follows:
(1) Select phase. As part of the annual budget cycle, GSA service and staff offices will prepare business cases to justify and document proposed new and continuing IT capital initiatives. Business cases will be prepared and submitted, following annual budget and IT capital planning guidance issued jointly by the GSA OCFO and OCIO. The guidance will establish the requirements, milestones, and processes to document and approve the IT Capital Plan. Business cases must:
(a) demonstrate projected return on each investment that is clearly equal to or better than alternative uses
(b) identify simplification and/or redesign of work processes to reduce costs and/or improve effectiveness
(c) identify and plan for risk
(d) demonstrate compliance with applicable security and accessibility requirements
(e) demonstrate compliance with applicable acquisition planning requirements
(f) establish cost, schedule and performance baselines, including high level milestones that are consistent with the detailed Performance Measurement Baseline (PMB)
(2) Control phase. Institute performance measures and management processes that monitor and compare actual performance to planned results. The Control phase includes the following activities:
(a) maintaining/updating the Exhibit 300 for all major IT initiatives
(b) conducting Integrated Baseline Reviews (IBRs) of planned DME activity within six months of contract award and when there is a major modification to the PMB. The IBR will assure the accuracy and completeness of the PMB, and appropriate planning for cost, schedule, and technical risks.
(c) establishing rigorous EVM implementations to plan, control and report both contractor and government cost and schedule performance in accordance with applicable ANSI/EIA Standard-748 criteria
(d) conducting periodic Compliance and Surveillance Reviews of EVM implementations
(e) submitting regular reports of earned value management results
(f) developing and executing plans to address performance variances outside acceptable tolerances
(g) conducting annual Operational Analyses of steady state initiatives to determine how close the investment is to meeting its operational cost, schedule and performance goals
(h) presenting periodic In Process Reviews of initiative status and progress to established governance bodies
(3) Evaluate phase. Includes conducting Post Implementation Reviews of completed DME activity to measure actual performance against estimated benefits and costs, and document effective management practices (lessons learned).
d. GSA will publish EVM thresholds periodically, in accordance with established governance processes. Use of EVM for DME investments below the established threshold is encouraged to ensure effective monitoring and control.
e. Government project managers will follow project management processes such as those found in A Guide to the Project Management Body of Knowledge – Third Edition (also called the PMBOK® Guide – Third Edition). Government and contractor earned value data will be collected monthly, merged, and reported for a full picture of the performance progress of Major DME IT investments.
8. CPIC responsibilities. CPIC is managed by the GSA OCIO through the Office of Enterprise Management Services. The effort is carried out collaboratively with the SSOs.
a. GSA Administrator. The Administrator is a key stakeholder of CPIC, responsible for establishing CPIC as an agency-wide priority for IT investment decision making.
b. Heads of a Services or Staff Offices (HSSOs). HSSOs are the champions for CPIC implementation within their respective SSOs. HSSOs participate in executive-level governance bodies, and appoint qualified subordinates to represent the SSO in subcommittees, task forces, and related governance bodies.
c. GSA Chief Information Officer (CIO). The GSA CIO champions CPIC process implementation, and coordination of CPIC processes with the enterprise architecture, IT security, capital budgeting, performance management, and program management processes.
d. GSA Chief Financial Officer (CFO). The GSA CFO champions alignment of budget development processes and activities with the CPIC program to ensure necessary collaboration and consistency.
e. GSA Service and Staff Office Chief Information Officers (SSO CIOs) [or equivalent]. SSO CIOs establish and participate in GSA CPIC governance bodies, and champion the implementation and alignment of related governance processes at the SSO level, ensuring appropriate planning, documentation, and reporting of IT investments that support agency strategic business and IT plans. In addition they:
(1) Develop IT investment submissions in conformance with OMB Circular A-11 guidance and with the GSA Strategic Plan, the SSO Performance Plan, the IT Strategic Plan and the GSA IT CPIC Guide, and related GSA and external requirements. Ensure the SSO IT investment submissions contain the IT activities of the total organization including the requirements of Regional Offices.
(2) Develop IT performance goals and measures for the IT investment proposals that are consistent with and support business mission and the goals in the GSA and IT Strategic Plans and the SSO performance plans.
(3) Ensure the contractors supporting IT investments have appropriately compliant ANSI/EIA Standard 748 EVM systems from which the contractors report earned value performance data to the government.
(4) Ensure that designated IT investments with DME activities are closely monitored, using earned value management data, and that corrective action is taken if variances exceed established thresholds.
(5) Ensure that IT investments in steady state are monitored using operational analysis; take corrective action as necessary to ensure successful performance.
(6) Perform and document analyses as necessary and appropriate to the life cycle phase of the IT investment. Provide required life cycle and acquisition management documentation to the OCIO and established governance bodies upon request.
(7) Ensure that Program/Project Managers have appropriate training in the project management discipline in accordance with OMB and GSA guidelines.
f. Program/Project Manager.
(1) Prepares business cases and manages IT investments in accordance with this order and other relevant orders, the CPIC Guide, and associated best practices.
(2) For development, modernization, or enhancement projects, or those in mixed life cycle, uses an appropriately compliant ANSI Standard 748 earned value management system to collect government earned value data and merge that data with the contractor’s earned value data for a full picture of the IT investment performance.
(3) Performs an Integrated Baseline Review within 6 months of contract award and when there is a major modification to the PMB, to establish and document the performance measurement baseline, and recognize and address cost, schedule, and technical risks.
(4) Conducts periodic Compliance and Surveillance Reviews to ensure the contractor’s earned value management system is appropriately compliant with ANSI Standard 748 criteria and follows its guidelines.
(5) Provides surveillance over contractors to assure they are planning and controlling investment activities and providing timely and accurate reports.
(6) For steady state projects, performs annual operational analyses to determine if assets are performing within baseline cost, schedule, and performance goals.
(7) Provides periodic reports to GSA OCIO and applicable governance bodies.
(8) For DME projects, performs regular analysis of earned value data and provides reports to GSA OCIO and applicable governance bodies. Develops and implements get-well plans and reports results to applicable governance bodies.
9. Waivers. Waivers from these policies will be granted by the appropriate authority, in accordance with approved IT governance processes. This order does not cover acquisition of IT products and services for agencies other than GSA.
10. References. The following documents provide further guidance. Each may be found on the sponsoring agency’s web site. Orders are found on InSite under References and Resources in the Directives Library.
a. The IT Capital Planning and Investment Control Guide. The IT CPIC guide is kept current and is found on the CIO web site under Capital Planning.
b. OMB Circular A-11. This circular provides annually updated guidance for budget formulation. It contains instructions for the IT Capital Asset Plan and Business Case (Exhibit 300), the Agency IT Investment Portfolio (Exhibit 53).
c. OMB Circular A-130. This circular provides guidance for the CPIC process.
d. OMB Capital Programming Guide. The Capital Programming Guide is a supplement to the OMB Circular A-11, Part 3: Planning, Budgeting, and Acquisition of Capital Assets.
e. OMB Memorandum M-04-24. Expanded Electronic Government (E-Gov) President’s Management Agenda (PMA) Scorecard Cost, Schedule and Performance Standards for Success.
f. OMB Memorandum M-05-23. Improving Information Technology (IT) Project Planning and Execution.
g. GAO Information Technology and Investment Management: An Overview of GAO’s Assessment Framework. The GAO framework provides investment management maturity stages and critical processes.
h. ANSI Standard 748, Earned Value Management System (EVM). The EVMS standard proscribes criteria that an EVM system must meet in order to report earned value of work completed.
i. Federal Acquisition Regulation (FAR) Subpart 34.2. Earned Value Management System; 34.201 Policy
j. A Guide to the Project Management Body of Knowledge – Third Edition (also called the PMBOK® Guide – Third Edition). Published by the Project Management Institute (PMI). A recognized standard handbook for project managers.
k. OPM 2210 Series IT Project Management Guidance. The Office of Personnel Management’s guidance of the competencies expected from IT project managers.
l. GSA Order CPO 1878.1, GSA Privacy Act Program.
m. GSA Order CIO 2110.2, GSA Enterprise Architecture Policy.
n. GSA Order CIO P 2100,1I, GSA Information Technology Security Policy.
o. GSA Order OGP 2800.1, Acquisition Planning.
11. Legal authority. The following laws apply to the IT CPIC process:
a. The Clinger-Cohen Act of 1996 (Pub. L. 104-106, Division E).
b. The Federal Information Security Management Act – Title 3 of the E-GOV Act of 2002.
c. The Government Performance and Results Act of 1993.
d. The Federal Acquisition Streamlining Act of 1994.
e. The E-GOV Act of 2002.
f. The Paperwork Reduction Act of 1995.
g. Services Acquisition Reform Act of 2003
h. Chief Financial Officers Act of 1990
i. Capital Programming Guide, Version 2.0, June 2006.
Chief Information Officer