
CIO Responsibilities

RESPONSIBILITIES OF COMMERCE OPERATING UNIT CHIEF INFORMATION OFFICERS

Below is a summary of key responsibilities of operating unit Chief Information Officers in the area of Information Technology Management. Each section includes a list of deliverables with corresponding due dates.

Element: Information Technology (IT) Capital Planning and Investment Control

Objective: To ensure that Commerce uses information technology to develop the best value, most useful, and most effective products and services to support its mission. As part of this process, ensure that Commerce officials have thorough and accurate information to inform IT decision making.

Activities:

    • Implement an effective process for managing IT resources in accordance with Commerce policy, the Clinger-Cohen Act, Office of Management and Budget (OMB) Circular A-130, and other Federal guidance. Provide regular briefings to the Department’s CIO on your IT program activities.

    • Prepare a Strategic IT Plan covering a five-year horizon and submit it annually to the Office of the CIO. Ensure that it is current to within one year.

    • Prepare an annual Operational IT Plan at the beginning of the fiscal year to reflect the current year IT operations and development.

    • Implement a process for the selection, control, and evaluation of IT investments. Link this process to the budget process, as needed. A recommended approach is to:

    • Establish an IT Review Board (or process in smaller operating units) to advise the head of the operating unit on critical IT matters, to assess IT initiatives in the budget review process, to control ongoing IT investment implementation, and to conduct post-implementation reviews of completed projects to benefit from lessons learned. Present to the Commerce IT Review Board as requested for Information Technology Investment Authority, Control Reviews, Post Implementation Reviews, Portfolio Management Reviews, etc.

    • Implement a standard process and establish standard IT investment scoring and ranking criteria for the operating unit’s Board to use to determine which IT investments are best suited to meet operating units needs.

    • Implement a standard process to manage the selection, control, and evaluation of IT investments. The Department uses the electronic Capital Planning and Investment Control System (eCPIC) to support this strategy. Keep the operating unit’s IT investment information in eCPIC current.

    • Use the eCPIC default IT investment form to document all major investments as well as IT initiatives recommended by your operating unit’s IT Review Board. This form includes the requirements in Office of Management and Budget (OMB) Circular A-11, Exhibit 300, Capital Asset Plan and Business Case Summary and in Exhibit 53, IT Investment Portfolio, as well as additional information approved by the Commerce CIO. Update this information for review by the Commerce IT Review Board.

    • Document all of the operating unit’s IT investments in eCPIC, including the operating unit’s infrastructure and enterprise architecture investments. Use this information to generate an operating unit specific OMB Circular A-11, Exhibit 53, IT Investment Portfolio. Use this as a tool to manage a balanced IT portfolio and Operational IT Plan.

    • Document in eCPIC all requests for changes to IT investment baselines. For investment replans and rebaselines, provide justification and an impact analysis in a memorandum to the Department CIO.

    • Monitor and certify the “health” of all IT investments. Submit supporting documentation and self-assessments on the status of your major IT investments to be reviewed as part of the Department’s monthly CIO rating assessment and the Federal IT Dashboard ratings.

    • Annually assess, and document in the Strategic IT Plan, the maturity of each part of your IT capital planning process using the Commerce IT Capital Planning and Investment Control Maturity Model. Ensure that your IT capital planning process continually matures according to the Maturity Model.

    • Keep abreast of Commerce guidelines for developing and maintaining operating unit IT capital planning and investment control processes.

    • Account for all non-major IT funding in a “non-major” eCPIC Exhibit 300 form.

OCIO Deliverables and Due Dates:

    • CIO rating assessment documentation & self-assessment: 10th of each month, monthly

    • Strategic IT Plan: February, annually, or on a different annual schedule determined by the operating unit

    • Capital planning maturity model self-assessment: annually, with the Strategic IT Plan

    • Exhibit 300 for IT initiatives: May, annually, with the budget submission; update as needed throughout the year or as part of the Operational IT Plan

    • Exhibit 53 A and Exhibit 53 B: August and December, semi-annually (generated automatically from the information entered in eCPIC) as part of the OMB and Presidential Budget submissions

    • Operational IT Plan: December, annually

    • Request for investment replan and rebaseline: completion of the form in eCPIC and a justification memorandum whenever needed throughout the year

Contact: Stuart Simon at (202) 482-0275 or ssimon@doc.gov.

__________________________________________________

Element: Program Management

Objective: To ensure that Commerce’s IT Development, Modernization, and Enhancement (DME) projects and Steady State investment initiatives are managed in an efficient and cost-effective manner.

Activities:

    • Implement standard project management practices throughout the operating unit to ensure that all facets of the project management processes, as identified in the Project Management Institute’s Project Management Body of Knowledge (PMBOK® Guide), are addressed and that proper project management documentation is developed and maintained.

    • Implement and maintain Earned Value Management Systems (EVMS) that comply with the requirements of ANSI/EIA-748 for all major DME IT projects.

    • Provide monthly Earned Value Management reports for all major DME IT projects, providing, for the previous month, cumulative Planned Value, Earned Value, and Actual Cost figures. These Earned Value data points must include full-time employee costs as well as contract costs.

    • Provide quarterly performance reviews of steady state investments, detailing the financial and technical performance of each investment during the previous quarter.

    • Report directly to the attention of the Department’s CIO any investment showing a 10% or greater negative cost or schedule variance.

    • Conduct annual operational analyses of all steady state IT investments. Operational analyses must address all four factors of the investment: customer results, strategic and business results, financial performance, and innovation. Provide a report of the annual operational analysis to the Department’s Office of the CIO.

    • Submit, following the suggested format, resumes of project managers managing major DME IT projects and Steady State investments. Ensure that project managers meet the Federal Acquisition Certification for Program and Project Manager (FAC-P/PM) requirements.

OCIO Deliverables and Due Dates:

    • Earned value management report for major IT investments in the planning and development stages: 10th of each month, monthly

    • Quarterly financial and technical performance reviews of major IT investments in the steady state phase: January 15, April 15, July 15, and October 15, quarterly

    • Annual operational analysis report for major IT investments in steady state: February 15, annually

    • Approved FAC-P/PM certification applications and waiver requests: ongoing

    • Resumes of project managers and contracting officers: ongoing

    • Exhibit 300 cost and schedule performance table: 10th of each month, monthly

    • CIO rating assessment documentation: 10th of each month, monthly

Contact: Jerry Harper at (202) 482-0222 or jharper@doc.gov.

__________________________________________________

Element: Enterprise Architecture

Objective: To develop, maintain, and facilitate the implementation of a sound and integrated enterprise architecture to achieve interoperability and portability of systems, integration of work processes and information flows, and information exchange and resource sharing to support strategic goals within Commerce and with external partners.

Activities:

    • Develop an Enterprise Architecture (EA), in accordance with Commerce policy, the Clinger-Cohen Act, Office of Management and Budget Circular A-130, and other Federal guidance, which serves as an integrated framework for managing the acquisition and use of IT assets to achieve the agency's strategic goals and information resources management goals.

    • Develop and periodically review and update:

    • The enterprise architecture vision, objectives, and principles.

    • The baseline of the environment focusing on the goals and performance measures of your operating unit, work that your operating unit performs to support these goals and measures, the interfaces to external partners, the information required to do the work, the applications required to process the information, and the technology required to support the applications.

    • The target architecture, including the security architecture, depicting a model of your operating unit’s enterprise in three to five years.

    • The gap analysis identifying the differences between the baseline and target architectures.

    • The migration or sequencing plan identifying the steps to bridge the gaps between the baseline and the target architectures and including specific schedules and resources needed. Additionally, account for the effects of change on all related systems.

    • Implement and monitor the progress of the migration plan and demonstrate the linkage to the IT capital planning process.

    • Develop and maintain your operating unit’s Standards Profile and Technical Reference Model (TRM) in accordance with the Department’s Standards Profile and TRM.

    • Link the architecture to strategic and operational IT planning, IT investment review, and IT security planning.

    • Contribute to the Federal Data Center Consolidation Initiative (FDCCI) and include consolidation efforts in the EA.

    • Address electronic stewardship in the EA, the Strategic Sustainability Performance Plan (SSPP), and the FDCCI.

    • Align the architecture with the Federal Enterprise Architecture, specifically the Business Reference Model (BRM), the Performance Reference Model (PRM), the Service Component Reference Model (SRM), the Technical Reference Model (TRM), and the Data Reference Model (DRM).

    • Establish, document, and implement a Governance Structure to ensure enterprise-wide compliance with the architecture. Include architectural compliance as an integral part of your IT Review Board process.

    • Demonstrate the practical results of your architecture efforts, e.g., expanded capabilities, elimination of redundant systems, streamlined processes, efficiencies, etc.

    • Keep abreast of Commerce guidelines for developing and maintaining operating unit architectures.

OCIO Deliverables and Due Dates:

    • Updated target architecture and implementation plan for all IT investments: last business day of March, annually

    • Strategic Sustainability Performance Plan (SSPP): April, annually or per data call

    • Contributions to the Federal Data Center Consolidation Initiative (FDCCI): September, annually or per data call

    • Enterprise architecture accomplishments report: October 1, annually

Contact: Tom Pennington at (202) 482-5899 or tpennington@doc.gov

__________________________________________________

Element: Information Technology (IT) Security

Objective: To ensure the integrity, availability, and confidentiality of Commerce’s IT systems.

Activities:

    • Establish an IT Security Program within each operating unit in accordance with Commerce IT Security Program policy (ITSPP), the Federal Information Security Management Act (FISMA), Office of Management and Budget Circular A-130, and other Federal guidance.

    • Appoint an IT Security Officer (ITSO) and alternate in writing. The ITSO has responsibility for managing the IT Security Program for the operating unit. Ensure that the ITSO, alternate, and operating unit Information Systems Security Officers (ISSOs) are certified and that IT security duties are reflected in their performance plans.

    • Establish and maintain a systems inventory in the Department’s master inventory database, using the Cyber Security Assessment and Management (CSAM) tool, that identifies all IT systems within the operating unit and links each of them to its corresponding IT security plan.

    • Use the Department’s FISMA reporting tool (CSAM) to track the conduct of risk management, vulnerability, and system assessments, security plan updates, contingency plan update and testing, and security authorizations, as well as to implement and update Plans of Action and Milestones (POA&Ms) in compliance with Federal guidance.

    • Assist senior program officials with the designation of a System Owner for each IT system, and ensure System Owners appoint ISSOs as necessary to ensure adequate security of major systems is maintained.

    • Ensure that System Owners establish a continuous monitoring program, conforming to the Department’s ITSPP and to Federal guidance, to manage the risks to each IT system. The rigor of monitoring should be consistent with the magnitude of harm that could result from the loss, misuse, or unauthorized access to or modification of the information in the system.

    • Ensure that IT security and the associated costs are incorporated and accounted for throughout the life cycle of all IT systems in compliance with Federal guidance. Specifically,

    • Initiation Phase: identify security requirements and assess risk;

    • Development/Acquisition Phase: define security controls, verify adequacy of controls to protect the system, and build/acquire systems that meet the security requirements;

    • Implementation Phase: test effectiveness of security controls prior to operating in a production environment;

    • Operation and Maintenance Phase: manage risk, maintain and monitor the adequacy and effectiveness of security controls, and maintain current security documentation; and

    • Disposal Phase: remove sensitive information from systems.

    • Ensure that System Owners create an IT security plan for each new system under development and that they review plans for existing systems annually in compliance with Federal guidance.

    • Ensure that System Owners implement secure system configurations and establish mechanisms to ensure effective configuration, patch, and vulnerability management in compliance with Federal guidance.

    • Ensure that System Owners develop, update, and test contingency/continuity of support plans for all systems categorized at the moderate impact level or higher, according to policy.

    • Ensure that sponsors of IT procurements complete an IT security procurement compliance checklist prior to solicitation issuance.

    • Use the Commerce Learning Center as a primary platform to provide IT security awareness training to all employees as well as all personnel involved in the management, operation, programming, systems administration, maintenance, or use of IT systems.

    • Implement a Computer Incident Response Capability for your operating unit, unless it is delegated to the DOC Computer Incident Response Team (CIRT).

    • Identify critical infrastructure assets required for the protection of national security, national economic security, or public health and safety. Protect nationally-critical IT assets (e.g., systems and infrastructure) in accordance with Homeland Security Presidential Directive 7, Critical Infrastructure Protection (CIP).

    • Ensure that System Owners establish and regularly test continuity of operations plans (COOP) and reconstitution and response plans for critical assets.

    • Participate in the Department’s compliance and oversight assessment of your IT Security Program.

    • Comply with the IT Security Program policy as well as OMB Circular A-123 control requirements by participating in an annual control review. The control review must be conducted to assess the overall status of your security program as required under FISMA.

    • Link IT security planning to strategic and operational IT planning, IT investment review, and enterprise architecture planning. Incorporate IT security measures in enterprise architecture plans.

OCIO Deliverables and Due Dates:

    • IT Security Plans of Action and Milestones (POA&Ms): monthly

    • FISMA report: annually, plus quarterly updates (March, June, September, December)

    • Bureaus with financial systems – general IT compliance: annually

    • IT Internal Control/IT Security Program assessments: March – June, annually

Contact: Tim Hurr, Acting Director, at (202) 482-4708 or DOCITSecurity@doc.gov

_____________________________________________________

Element: IT Privacy

Objective: To ensure that Commerce’s IT systems, including Web sites, protect the privacy of the public, businesses, employees, and contractors.

Activities:

    • Implement an effective IT Privacy Program in conformance with Commerce’s IT Privacy Policy, the E-Government Act, the Privacy Act, other Federal guidance, and with the advice of the Commerce Chief Privacy Office (CPO).

    • Ensure that privacy considerations are addressed in your Internet Web pages in accordance with the E-Government Act and with Departmental and OMB policy regarding Web privacy. This includes posting Privacy Policies and implementing automated privacy preferences through the Platform for Privacy Preferences Project (P3P). Note that Commerce policy extends privacy protections to businesses.

    • Ensure that Privacy Impact Assessments (PIAs) are prepared for IT investments in accordance with the E-Government Act and with OMB and Commerce policy, and that they are reviewed by the CPO. Post the PIAs to the Web.

    • Contribute to the privacy section of the Federal Information Security Management Act reports.

OCIO Deliverables and Due Dates:

    • Privacy Impact Assessments: as needed, for new or significantly modified systems

    • FISMA report, privacy section: September, annually, plus quarterly updates (March, June, September, December)

Contact: Linel Soto at (202) 482-4990 or LSoto@doc.gov.

___________________________________________________

Element: Electronic Government

Objective: To further the Department’s move to an e-government environment, enabling business functions to be conducted electronically and achieving paperwork elimination goals, both in transactions with Commerce’s customers and for internal operations.

Activities:

    • Promote e-government by ensuring that IT investments incorporate e-government components, as needed and practicable. Respond to the provisions of the E-Government Act, the Paperwork Reduction Act, and associated OMB and Departmental guidance.

    • Link e-government planning to strategic and operational IT planning, IT investment review, and enterprise architecture planning. Specifically, address e-government through operational analyses of steady state investments, IT Review Board processes evaluating new investments or investments under development, as well as other means.

    • Actively participate in OMB’s e-government and lines-of-business initiatives, in accordance with your operating unit’s mission and needs. Annually prepare memoranda of understanding (MOU) to support these initiatives, as required by OMB.

    • Ensure that your IT investments do not duplicate OMB’s e-government and lines-of-business initiatives.

    • Make high-value datasets more broadly accessible to the public through the government-wide Data.gov Web site.

    • Report annually on progress in e-government activities per OMB’s guidance.

    • For those CIOs who manage the Information Collection Budget function*, implement an effective process for submitting Information Collection Requests for clearance to the Departmental Paperwork Clearance Officer in accordance with the Paperwork Reduction Act (PRA) and Commerce and OMB policy.

    • Provide an Information Collection Budget annually in accordance with guidance issued by OMB.

    • Ensure that the operating unit adheres to Commerce’s policy of zero PRA violations.

    • Maintain an inventory of Web sites and servers annually.

    • Implement an effective process for certifying annually to the Department’s CIO that all Web sites of the operating unit comply with the Department’s Web policies. If any deficiencies exist, provide a plan to bring the Web sites into compliance.

* Note that about half of the Paperwork Reduction Act Liaisons are not in the operating unit Office of the CIO.

OCIO Deliverables and Due Dates:

    • Inventory of Web servers and sites: August, annually

    • Certification of Web policy compliance: August, annually

    • E-Government Report: October, annually

    • E-Government memoranda of understanding: October, annually

    • Information collection budget: annually (month varies)

    • Dataset contributions to Data.gov: ongoing

Contact: Linel Soto at (202) 482-4990 or LSoto@doc.gov.

___________________________________________________

Element: IT Workforce Management and Development

Objective: To ensure that Commerce maintains a robust workforce of well-qualified IT professionals.

Activities:

    • Participate in IT workforce identification, assessment, and reporting activities such as the Federal CIO Council’s annual IT Workforce Assessment.

    • In conjunction with the annual IT Workforce Assessment, develop an estimated population of the operating unit’s IT workforce.

    • Develop and periodically review and update targeted skill and competency levels for all Specialized Job Activities addressed in the survey.

    • Encourage maximum participation by the operating unit’s IT workforce in the annual IT Workforce Assessment by emphasizing the importance of the survey to the Department, offering dedicated time to participate in the survey, and making the operating unit’s full participation a high priority.

    • Conduct comparisons of targeted skill and competency levels with actual skill and competency levels as determined by the annual IT Workforce Assessment, and provide the Department’s Office of the CIO an analysis of skill and competency gaps in the operating unit.

    • Participate with the Department’s Office of the CIO in developing training, job rotation, and developmental assignment programs to maintain the technical skills of the IT workforce at the highest levels.

    • Provide the Department’s Office of the CIO with quarterly reports of gains and losses in the IT workforce, classified by grade level and the Specialized Job Activities listed in the annual IT Workforce Survey.

    • Coordinate the Federal Acquisition Certification Program for Program and Project Managers (FAC-P/PM) with the IT capital investment management process at the operating unit level. Review and approve applications for certification and review waiver requests.

OCIO Deliverables and Due Dates:

    • Estimated population of the operating unit’s IT workforce: June, annually

    • Targeted skill and competency levels: June, annually

    • IT Workforce Assessment: September, annually or per call

    • Skill and competency gap analysis: January, annually

    • IT workforce gains and losses report: quarterly, January 15, April 15, July 15, and September 15

    • Approved FAC-P/PM certification applications and waiver requests: ongoing

Contact: Jerry Harper at (202) 482-0222 or jharper@doc.gov.

_______________________________________

Element: Information Quality

Objective: To ensure and maximize the quality, objectivity, utility, and integrity of information (including statistical information) disseminated by Commerce.

Activities:

    • Review your Information Quality Guidelines, prepared in accordance with Section 515 of the Treasury and General Government Appropriations Act of FY 2001, annually to ensure accuracy and currency.

    • Ensure that your Information Quality Guidelines are posted on your Web site with a link from your home page.

    • Update your Information Quality Guidelines as OMB issues additional guidance.

    • Respond to all requests for correction of information according to your guidelines. Forward all correspondence associated with requests for correction electronically to the Department’s Office of the CIO for posting on the Department’s Web site as soon as possible after receipt. Also, send draft responses to requests for correction prior to posting for coordination with OMB.

    • Annually, submit a summary of requests for correction for the prior fiscal year per OMB requirements and guidance.

    • Post on the Web agendas for peer review of Highly Influential Scientific Assessments and Influential Scientific Information.

* Note that Information Quality coordinators are often not in the operating unit Office of the CIO.

OCIO Deliverables and Due Dates:

    • Summary of information quality requests for correction: December, annually

    • Correspondence, in or converted to electronic format, associated with information quality requests for correction, posted to the Web: ongoing

    • Peer review agendas, posted to the Web: June and December, semi-annually

Contact: Jennifer Jessup at (202) 482-0336 or JJessup@doc.gov.

___________________________________________________

Element: Records Management

Objective: To ensure that records are created, maintained, safeguarded, and disposed of in accordance with Government-wide and Commerce policies and procedures.

Activities:

    • Implement Commerce and Government-wide records management policies and procedures for the creation, use, maintenance, safeguarding, and disposition of records, including electronic records, and develop and implement operating unit policies and procedures as appropriate.

    • Provide management oversight of the operating unit records management program to ensure that it remains vigorous and effective.

    • Review and make recommendations on requests for the funding and acquisition of electronic records management systems in accordance with information technology capital planning and investment control procedures.

    • Execute the annual Memorandum of Understanding (MOU) with the National Archives and Records Administration (NARA) for records storage.

* Note that many Records Managers are not in the operating unit Office of the CIO.

OCIO Deliverables and Due Dates:

    • MOU for the storage of records at NARA: September 30, annually, or within 60 days of receipt from NARA, whichever is later

Contact: Allen Winokur at (202) 482-0276 or AWinokur@doc.gov

_____________________________________________________

Element: Electronic and Information Technology Accessibility

Objective: To ensure the accessibility of Commerce’s electronic and information technology to people with disabilities, including those with vision, hearing, dexterity, and mobility impairments.

Activities:

    • Establish an IT Accessibility Program within your operating unit in accordance with Commerce policy, Section 508 of the Rehabilitation Act (as amended in 1998), the Access Board’s Standards for Electronic and Information Technology, and other Federal guidance.

    • Ensure that acquisitions and Web sites conform to accessibility requirements.

    • Request waivers for undue burden through your operating unit head to the Department’s CIO in accordance with Commerce policy.

    • Respond to the periodic Section 508 Department of Justice survey.

    • Link accessibility planning to strategic and operational IT planning, IT investment review, and enterprise architecture planning.

OCIO Deliverables and Due Dates:

    • Justice accessibility survey response: per call memorandum (generally bi-annually)

    • Request for accessibility waiver: as needed by the operating unit

Contact: Jennifer Jessup at (202) 482-0366 or JJessup@doc.gov.

__________________________________________________

Consolidated Calendar

OCIO Deliverables and Due Dates:

    • Skill and competency gap analysis: January, annually

    • Earned Value Management report for major IT investments in the planning and development stages: 10th of each month, monthly

    • Exhibit 300 cost/schedule performance table: 10th of each month, monthly

    • CIO rating assessment documentation and self-assessment: 10th of each month, monthly

    • Operational analysis report for major IT investments in steady state: February 15, annually

    • Strategic IT Plan: February, annually, or on a schedule determined by the operating unit

    • Updated target architecture and Implementation Plan for all IT investments: last business day of March, annually

    • IT Internal Control/IT Security Program assessments: March – June, annually

    • Strategic Sustainability Performance Plan (SSPP): April, annually or per data call

    • Exhibit 300 for IT initiatives: May, annually, with the budget submission; update as needed throughout the year or as part of the Operational IT Plan

    • Estimated population of the operating unit’s IT workforce: June, annually

    • Targeted skill and competency levels: June, annually

    • Peer review agendas, posted to the Web: June and December, semi-annually

    • Exhibit 53 A and Exhibit 53 B: August and December, semi-annually (generated automatically from the information entered in eCPIC) as part of the OMB and Presidential Budget submissions

    • Inventory of Web servers and sites: August, annually

    • Certification of Web policy compliance: August, annually

    • FISMA report, privacy section: September, annually, plus quarterly updates (March, June, September, December)

    • IT Workforce Assessment: September, annually or per call

    • Contributions to the Federal Data Center Consolidation Initiative (FDCCI): September, annually or per data call

    • MOU for the storage of records at NARA: September 30, annually, or within 60 days of receipt from NARA, whichever is later

    • Enterprise Architecture accomplishments report: October 1, annually

    • E-Government Report: October, annually

    • E-Government memoranda of understanding: October, annually

    • Operational IT Plan: December, annually

    • Summary of information quality requests for correction: December, annually

    • IT Security Plans of Action and Milestones (POA&Ms): monthly

    • IT Workforce Gains and Losses report: quarterly (January 15, April 15, July 15, and September 15)

    • Quarterly financial and technical performance reviews of major IT investments in the steady state phase: quarterly (January 15, April 15, July 15, and October 15)

    • FISMA report: annually, plus quarterly updates (March, June, September, December)

    • Bureaus with financial systems – general IT compliance: annually

    • Capital planning maturity model self-assessment: annually, with the Strategic IT Plan

    • Information collection budget: annually (month varies)

    • Resumes of project managers and contracting officers: ongoing

    • Approved FAC-P/PM certification applications and waiver requests: ongoing

    • Correspondence, in or converted to electronic format, associated with information quality requests for correction, posted to the Web: ongoing

    • Dataset contributions to Data.gov: ongoing

    • Request for investment replan and rebaseline: completion of the form in eCPIC and a justification memorandum whenever needed throughout the year

    • Privacy Impact Assessments: as needed, for new or significantly modified systems

    • Justice accessibility survey response: per call memorandum (generally bi-annually)

    • Request for accessibility waiver: as needed by the operating unit