U.S. Department of Commerce
Instructions for Completing the OMB Exhibit 300, Capital Asset Plan and Business Case Summary
What is the purpose of these instructions?
What is the definition of Information Technology?
Which IT investments require an Exhibit 300?
What is the purpose of the Exhibit 300?
Where is Exhibit 300 information entered?
What is the schedule for updating and submitting an Exhibit 300?
When does a publicly releasable Exhibit 300 need to be prepared?
What information is not publicly releasable?
Is the Exhibit 300 Information used in any other OMB Exhibits?
Who is responsible for developing the Exhibit 300?
Do Infrastructure, Office Automation and Telecommunications (I/OA/T) investments require an Exhibit 300?
Do Enterprise Architecture (EA) investments need an Exhibit 300?
What do I enter in the Exhibit 300 when information is not yet available to answer the question?
Part I.A. Overview/Descriptive Information
IT Screening Questions
I.A.1 DOC Supplemental
I.B. Summary of Spending
I.C. Acquisition Strategy
I.D. Performance Goals and Measures
I.E. Security and Privacy
I.F. Enterprise Architecture
What is the purpose of these instructions?
These instructions complement and reinforce the Office of Management and Budget’s (OMB) guidance on developing the Exhibit 300, Capital Asset Plan and Business Case Summary, in support of funding for major information technology (IT) investments as contained in OMB Circular A-11, Section 300. These instructions also address questions added by the Department to the Exhibit 300 to meet Commerce IT Planning requirements including generating the Exhibit 53 IT Portfolio Report.
What is the definition of Information Technology?
Information Technology as defined by the Clinger-Cohen Act of 1996 means any equipment or interconnected system or subsystem of equipment used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. Information technology includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources. Commerce has applied this to mean that passive sensors that only acquire scientific information (such as wind speed or temperature) are not considered IT for the purposes of the OMB IT budget reporting, but when such sensors transmit the information to other locations and systems, such as transmitters on radar antennae, they are included as IT assets.
Which IT investments require an Exhibit 300?
The Exhibit 300 format in eCPIC needs to be at least partially completed for all IT investments except national security information systems. For major IT investments, complete the entire Exhibit 300, selecting Part II, Part III or Part IV depending on whether the investment is under development, in steady state or is part of the e-Gov effort. For non-major IT investments, complete the Exhibit 300 description field, as well as the summary of spending, funding sources, acquisition, performance, security, privacy, and milestones tables.
What distinguishes a Major from a Non-Major Investment?
A major investment is a system or investment that requires special management attention because it:
- Was defined as a major project in the previous fiscal year
- Is a financial system costing more than $500,000 in any one fiscal year
- Has high development, operating, or maintenance costs
- Has high executive visibility
- Has significant program or policy implications
- Has been determined to be major by OMB or Commerce’s Capital Planning and Investment Control process
Any investments that are not major are referred to as “non-major.”
In accordance with Department of Commerce policies and procedures, an Exhibit 300 is required even for non-major IT investments when:
- a Delegation of Procurement Authority is requested
- an IT budget initiative is requested
- it will be presented before the Commerce IT Review Board (CITRB) or, for budget initiative requests, before the Departmental (staff level) IT Review Board
- it will be presented before the Acquisition Review Board (ARB)
What is the purpose of the Exhibit 300?
The Exhibit 300 is a high-level summary of the planning, budgeting, acquisition, and management of Federal capital assets and helps meet reporting requirements for major IT investments. In the case of IT investments that are proposed or underway, this information is used by the operating unit, the Department’s Capital Investment Technology Review Board (CITRB), and OMB to determine if investment funding should be recommended or continued. For investments that are now steady state, the Exhibit 300 is used to review the investment’s current status and assess how well the investment is accomplishing its goals. In addition, the Exhibit 300 is required when requesting a delegation of procurement authority from the CIO through the CITRB or the Acquisition Review Board to proceed with a large contract.
All information necessary to complete an Exhibit 300 should already exist within project specific documentation and such information should be up-to-date and readily available upon request.
Where is Exhibit 300 information entered?
All Exhibit 300s, whether for a major or non-major investment, are entered in the on-line electronic Capital Planning and Investment Control (eCPIC) system along with key supporting information such as CITRB presentations, DPA request and approval, and acquisition strategy documents. The data in the Exhibit 300s entered in eCPIC is used to generate the Department’s Exhibit 53 IT Portfolio report. For technical guidance on using eCPIC, access the on-line user guide directly from the “Help” module within eCPIC or contact the eCPIC helpdesk at email@example.com.
What is the schedule for updating and submitting an Exhibit 300?
The Exhibit 300 information in Commerce’s on-line electronic Capital Planning and Investment Control system (eCPIC) should be kept up to date. The operating units (OU) are expected to review and approve the Exhibit 300 before it is submitted to the Commerce Information Technology Review Board (CITRB), Acquisition Review Board (ARB) or the Department Office of the CIO as part of the budget review process. At a minimum, all Exhibit 300s are reviewed by the Department in August for submission to OMB in early September as part of the Department budget request. Following the OMB Passback in late November, updated Exhibit 300s are reviewed by the Department for submission to OMB in early January in support of the President’s Budget to Congress.
When does a publicly releasable Exhibit 300 need to be prepared?
Publicly releasable versions of the Exhibit 300s must be available by late January to meet the OMB requirement that all major Exhibit 300s be posted on agency Websites within two weeks of the release of the President’s budget. The version made publicly available must be a redacted version of the Exhibit 300 submitted to OMB in January which supports the President’s budget.
What information is not publicly releasable?
The basic parameters to follow in preparing a redacted, publicly releasable Exhibit 300 are to delete all information that is pre-decisional, acquisition sensitive, or security sensitive. Some data-specific guidelines are as follows:
Personally Identifiable Information:
The Exhibit 300 contains the name, phone number, and email address of at least the project manager, the privacy officer, and, in the contract table, the contract officers. The tightened regulations concerning personally identifiable information suggest that it would be prudent to minimize release of such information. However, OMB has specified that there be a contact name and phone number included in each Exhibit 300. One solution is to include the e-mail address of the contract officer(s) but to delete all other personal information.
Budget and Schedule Information:
Budget and Milestone information through the Budget Year are releasable. Budget data for BY+1 or beyond in the Summary of Spending and milestone tables are considered predecisional information and must be deleted. Other data elements considered predecisional, and thus non-releasable, are the Alternatives Analysis in Part II and the initial “Date of Submission” which appears at the start of the descriptive information section.
Other Predecisional Information:
In the project description or other text fields, reference to funding or program requests that were rejected by the Department or OMB is non-releasable information and must be deleted.
Acquisition Sensitive Information:
In the Acquisition section, information about proposed acquisitions that is not already in a publicly released document is considered acquisition sensitive. When in doubt, check with your operating unit acquisition office.
Performance Information can be released, with the possible exception of a performance measure that is being proposed for inclusion in a not-yet-released Statement of Work, as the target data may give a bidder inside information.
Security Sensitive Information:
Other information not releasable is the data in the two Security tables and the responses to questions 6a and 7 of the Security and Privacy Section (“If yes, specify a general description of the weakness ...” and “How are contractor security procedures monitored …”). This data is security sensitive. Other Security and Privacy section responses are releasable.
Is the Exhibit 300 Information used in any other OMB Exhibits?
The eCPIC system extracts data from the major and non-major Exhibit 300s to produce the Department of Commerce Exhibit 53 IT Investment Portfolio report, which lists all IT funding broken out by major activity. Each OU may generate an Exhibit 53 that contains only data from the OU. Exhibit 53s for the whole Department are submitted in September and January to OMB. The information in the Exhibit 300 and Exhibit 53 is also used to verify the data in the Exhibit 52 for financial systems and the Federal Information Security Management Act (FISMA) report on security expenditures for IT systems. Exhibit 300 Enterprise Architecture and performance information must also be consistent with the Enterprise Architecture submission to OMB.
Who is responsible for developing the Exhibit 300?
Developing an investment business case and summarizing the results in an Exhibit 300 are the responsibility of the Project Manager and the operating unit CIO. Following completion of the project or its main goals, the Exhibit 300 will be the foundation for any post-implementation review.
Do Infrastructure, Office Automation and Telecommunications (I/OA/T) investments require an Exhibit 300?
I/OA/T are defined by OMB as “… all IT investments that support common user systems, communications, and computing infrastructure. These investments usually involve multiple mission areas and might include general LAN/WAN, desktops, data centers, cross-cutting issues such as shared IT security initiatives, and telecommunications.”
The Department produces a single Exhibit 300 covering all I/OA/T investments. This business case, which appears in Part II of the Department’s Exhibit 53, IT Portfolio Funding, consolidates all of the operating units’ I/OA/T investments not directly associated with a specific programmatic goal. Each operating unit must submit its information into an operating unit specific “Infrastructure” Exhibit 300 in eCPIC. From the operating unit Exhibit 300s, a single Department consolidated Exhibit 300 is created. The specific information requested is defined in the IT Infrastructure Budget Call, which is issued in early July and due to the Department in early August, the same time as all other Exhibit 300s.
Do Enterprise Architecture (EA) investments need an Exhibit 300?
Each operating unit’s EA investment is reported separately as a non-major investment.
What do I enter in the Exhibit 300 when information is not yet available to answer the question?
If an answer isn’t yet known, state the reason and/or date or milestone when the information will be available.
What is the basis for creating a unique project ID number for an investment?
Section 53 of OMB Circular A-11 defines the Unique Project ID (UPI) code associated with each investment as summarized below.
For the sample UID 006-00-02-13-01-3201-24
- First 3 digits - Department code, “006” for Commerce
- Fourth and fifth digits - Operating unit code, “03” is used to identify Department-wide investments such as Commerce Business Systems
- Sixth and seventh digits - Portion of the Exhibit 53, i.e., Infrastructure/Office Automation/Telecommunications “02,” Mission Area Systems “01,” Enterprise Architecture and Planning “03,” Grants Management “04”
- Eighth and ninth digits – A Mission Area that is selected from an automated pick list. Some Mission Areas are defined by operating units; other mission areas such as “01” for Financial systems are Department-wide categories. Contact the eCPIC system administrator if your operating unit wants to add a mission area.
- Tenth and eleventh digits – Indicates type of investment. “01” is for a major investment, a non-major is “02.” “00” represents an IT investment that is part of a larger asset with an existing business case. “04” identifies a major IT investment for which another agency has the lead management and reporting responsibility.
- Twelfth through fifteenth digits – A unique 4 digit project code. Each operating unit has been assigned a number range. Per the listing below “3201” identifies this as a NOAA investment.
  - PMA E-Gov – 0001 through 0050
  - Dept-wide – 0051 through 0299
  - OS, OGC – 0300 through 0599
  - OIG – 0600 through 0699
  - ESA and BEA – 5000 through 5499
  - BIS – 5500 through 5999
  - Census – 4000 through 4999
  - EDA – 6000 through 6499
  - ITA – 6500 through 6999
  - MBDA – 0900 through 0999
  - NOAA – 3000 through 3999
  - NIST, TA/OTP – 7000 through 7299
  - NTIA – 7300 through 7499
  - NTIS – 2000 through 2199
  - PTO – 8000 through 8999
- Sixteenth and seventeenth digits – Specifies the investment category. An E-Government initiative endorsed by the President's Management Council (PMC) or an individual agency's participation in a PMC E-Government initiative is identified by a “24.” An investment or investment component that is part of the OMB High Risk list is identified with a “07”.
Can an Exhibit 300's funding be split into multiple Exhibit 53 investment or mission areas?
OMB requires that each Exhibit 300 have a unique user ID that refers to only one investment on Exhibit 53. If an investment falls into two or more mission areas, keep all the funding under the most important mission area for that investment.
When is an investment a "mixed life cycle" type, and what part of the Exhibit 300 does it complete?
If budget year funding is for two or more project stages (Planning, Acquisition, and Maintenance) or if BY funding is for operations and maintenance but planning or acquisition activity is still underway in PY or CY, then the investment is "mixed." For mixed life cycle investments fill in Part I and Part II of the Exhibit 300.
What is a steady state investment and what part of the Exhibit 300 does it complete?
Steady State is synonymous with the Operations & Maintenance stage listed in the Summary of Spending table. Steady State investment is for routine maintenance, helpdesk support, and routine technology refreshment of completed systems. Complete only Parts 1 and 3 of the Exhibit 300 for investments that are in this life cycle stage.
When is an investment considered development, modernization and enhancement (DME), not steady state?
Any significant activity required to substantially increase the investment’s capability and capacity, especially when it is needed by a specific time, qualifies as a development effort. From a project management perspective, if a proposed investment increase has risks that are distinct from the steady state effort then that new activity is in the planning or development stage.
Should the “brief summary and justification” focus on the technical solution or the investment's purpose?
The Exhibit 300 is a business case summary, not a technical solutions document. Describe what the investment is, what outcome it aims to achieve, and why that outcome is needed. The intended audience is people whose familiarity with the investment is largely limited to this description.
What is the difference between the “brief summary and justification” and the DOC Supplemental description?
The “brief summary and justification” is the only description that OMB will receive. The DOC Supplemental question was added to allow the project manager to provide additional background information that will be seen by the Department but not by OMB.
How do I answer "Did the Agency’s Investment Committee approve this request” if no review has occurred yet?
All major Department of Commerce IT investment initiatives are reviewed by the Commerce Information Technology Review Board (CITRB) when they are first proposed in the budget. Generally a "No" answer to these and other yes/no questions will cause OMB's IT investment reviewers to recommend not funding that investment.
Does Date of Approval refer to the first approval or the most recent review date?
Enter the date when the project, as currently scoped, was first approved. Usually this will be the initial CITRB investment approval date. However, if the project was stopped, significantly redesigned, and then received approval to restart, use the later approval date.
Do the Project Manager, Contract Officer, and Project Sponsor need to be different people?
Yes; each position must be held by a different person.
Does the Project Manager need to be working full time on that investment?
Yes, the Project Manager needs to be devoted full time to each major IT investment. Having one person as project manager of more than one major IT investment is an unacceptable project risk. Good management practices, supported by OMB, state that one person cannot provide sufficient monitoring and control of multiple investments.
What is the FAC-P/PM certification?
A copy of the Federal Acquisition Certification for Program and Project Managers (FAC-P/PM) standard is available in eCPIC along with the Department’s implementation guidance. Every current Major investment project manager needs to meet senior/advanced level FAC-P/PM certification or request a waiver, which is good for one year.
When should I select “New Program Manager” in answer to the FAC-P/PM question?
Select the option "New Program Manager" when the individual has not been certified at the appropriate level and has been assigned to the program within the last twelve months. Unless a waiver is issued, new program/project managers have twelve months from the date of assignment to the project/program to achieve certification.
When should I select "Waiver Issued"?
There are three scenarios where "waiver issued" is an appropriate selection:
1. "Waiver Issued" is the appropriate selection when the CAO, or designated functional manager such as the CIO, has waived all or part of the FAC-P/PM requirements in writing. For example, the CAO may waive the FAC-P/PM requirement for an existing program/project manager to attain certification within twelve months from the date of assignment.
2. "Waiver Issued" is also the appropriate selection if the individual is progressing towards certification but has not yet received final certification. In these cases, the designated functional manager must maintain information on the progress of the individual towards certification.
3. "Waiver Issued" may also be used if an agency has a process for issuing FAC-P/PM certifications but the timing of the OMB 300 does not allow for certification prior to submission. In these cases, documentation regarding the agency process, timeline, and expected certification dates for eligible PPMs must be kept on file for each individual.
Agencies that select "Waiver Issued" must ensure that waivers are issued only when determined to be in the best interest of the agency.
Is PMP certification sufficient for meeting the FAC-P/PM Advanced/Senior level standard?
The Project Management Institute’s Project Management Professional (PMP) certification and/or a Masters Certificate in Information Technology Project Management meets the FAC-P/PM Intermediate level standard. Additional training in risk management and advanced Earned Value Management is generally required to meet the FAC-P/PM Advanced/Senior level standard.
Who certifies FAC-P/PM qualifications?
FAC-P/PM certification credentials are vetted by the Commerce Office of the CIO and are reviewed and issued by the Commerce Office of Acquisition Management.
What is meant by the Product or Program Manager?
The Product or Program Manager is the person or persons who are responsible for taking the output of the capital investment and using it to produce the outcome product(s) or goal.
Are energy efficient practices implemented in Commerce IT investments?
At the Department of Commerce, hardware procurements are supposed to meet government energy efficiency regulations that promote the purchase of “green” energy saving products. Accordingly, most, if not all, IT investments should be able to answer “Yes” to this question.
Do the questions about buildings, ESPC, and sustainable design apply to IT investments?
Typically these questions do not apply. If you answer “no” to the question about buildings then do NOT answer (leave blank) the related questions that immediately follow.
Where are the Program Assessment Rating Tool recommendations posted?
The Program Assessment Rating Tool (PART) recommendation is posted on the OMB PART Web site.
How do I determine the “level of the IT Project”?
The level rises with the scope and complexity of the investment. See the Departmental Project Manager Qualification Guidelines to determine the project level, and the project manager rating level.
How does a Project Manager become validated as qualified?
To be considered qualified to manage an investment, a project manager’s qualification level must equal or exceed the project’s complexity level. To assess his or her qualifications each Project Manager is required to enter their experience and other training into a standard resume format, which is also in the eCPIC Resource Library. The completed form should be sent to your operating unit CPIC representative for submission to the Department’s CIO Office. The Department will review the information and validate if the qualifications are appropriate for the size and complexity of the investment that is being managed.
What if the Project Manager does not have project management certification?
If the Project Manager does not have certification, describe what training she/he will receive to achieve that goal. Identify and initiate project management teams, sponsors, and project management training now if you haven't yet done so, so you can answer affirmatively to all the questions in this section.
How do I know if the project is deemed high risk?
This is based on whether the investment is on the OMB High Risk list, naming IT systems that must report the status of key project management criteria to OMB every quarter. Commerce IT investments currently identified in the OMB High Risk memo are Census Field Data Collection Automation (FDCA), Census Decennial Response Integrated System (DRIS), Census MAF/TIGER, NOAA NPOESS Ground System, Commerce Business Systems (CBS), NOAA and NIST Legacy Travel Systems, NTIS e-Training, several PTO major investments and the Commerce portion of the various e-Gov initiatives. The latest OMB High Risk list is available in eCPIC. This quarterly reporting requirement is distinct from other “risk” lists.
GAO issues a report called the “High Risk Series” on programs deemed at risk. From a security perspective, investments are deemed to be at low, medium or high risk due to the criticality and sensitivity of their content. OMB, in the Passback memo, includes a Management Watch List identifying IT investments based on the quality of their Exhibit 300 business cases.
How is the Budget Formulation percentage calculated?
This is the estimated percentage of the total IT investment for the budget year used to develop or maintain budget formulation capabilities in that system. This percent will be automatically entered in the Exhibit 53.
How is the Budget Execution percentage calculated?
This is the estimated percentage of the total IT investment for the budget year used to develop or maintain budget execution capabilities in that system. This percent will be automatically entered in the Exhibit 53.
Does the financial percentage include the budget formulation and execution system percentages?
The budget formulation and execution systems percentages are independently calculated and are excluded from the financial system percentage.
How is the financial percentage used?
The financial percentage is used to generate a financial system cost estimate. This estimate is aggregated by operating unit and compared and reconciled against the Inventory of Financial Systems and the Exhibit 52 (Summary of Financial Systems). Coordinate with your operating unit's financial systems reporting office when calculating this percentage to ensure consistency between the Exhibit 300, Exhibit 53 and Exhibit 52.
Does the percent breakout for hardware, software, services and “other” account for all investment funding?
Yes, these categories should total 100% and account for all budget year funding including FTE. “Services” includes all external contract services, while “Other” includes FTE and any other budget year funding for the investment that does not fit into the other three categories.
Who is typically responsible for addressing the investment’s privacy responsibilities?
Which investments are associated with a GAO High Risk Area?
The latest GAO High Risk memorandum identifies two risks that may be associated with Commerce IT investments: “Protecting ... Information Systems and the Nation’s Critical Infrastructures,” and “Ensuring the Effective Protection of Technologies Critical to ... National Security Interests.”
Is there a list that identifies which investments support Homeland Security and in which categories?
Yes, all investments that support Homeland Security have been identified under specific categories in the Homeland Security database. This is a list that has been negotiated between the Department and OMB.
What is the difference between the detailed description and the brief description provided under I.A. Descriptive Information?
Provide additional information to inform the Commerce Capital Planning process. This information should not duplicate what was described earlier, and unlike the previous brief description, will not be submitted to OMB.
What is meant by “Assumptions”?
List what is assumed about the availability of resources and functionality specific to this project that, if not met, would result in a system change request or rebaseline request. There is no need to mention concern over not receiving full funding as you have no control over this and this ‘assumption’ is already documented in your budget summary. Feel free to provide background information here related to other sections of the business case summary that don't allow free form text; for example, assumptions behind information provided in the performance measure, alternatives analysis, or project schedule sections.
What sort of constraints should be identified?
Among cost, scope, and schedule, state which is most constrained, which moderately constrained, and which least constrained. Identify any other specific constraint(s) critical to project success such as the availability of a specific manpower skill.
What is meant by critical dependencies?
Identify the name of, and date by which, external data sources and systems must be in place for this investment to get the data it needs to ensure that its output produces the intended outcome; i.e., which components of the Enterprise Architecture this investment depends upon to achieve its intended objective.
In what units is funding entered in eCPIC?
All tables in eCPIC record figures in thousands of dollars. Summary of Spending (SOS) totals are automatically converted to millions of dollars upon export to the Exhibit 53.
Are all IT costs even for Reimbursable Funding included in the Summary of Spending table?
Yes, all IT costs are included in this table. Non-appropriated sources of funding are identified in the Funding Source table as described below.
What distinguishes the Planning and Acquisition Stages from the Maintenance Stage?
The Planning and Acquisition stages in the Summary of Spending table (SOS) are the same as Development/Modernization/Enhancement (DME) on the Exhibit 53, while the Operations & Maintenance stage is the same as Steady State. OMB Exhibit 53 guidance defines planning and acquisition as “changes or modifications to existing systems that improve capability or performance, [or] changes mandated by Congress or agency leadership ...” Prototype funding must be reported in the Acquisition stage. Include under the Maintenance stage funding for operating and maintaining the system at current capability and performance level. This encompasses the cost of corrective action and replacement of broken equipment. Major functional enhancements, modernization or replacement of a portion of an operational system are included under the planning and/or acquisition stages.
Why is it important to separate development from steady state?
Significant development efforts are allocated a budget to develop new features, services or capabilities by a specific time. This is distinct from the effort required to maintain ongoing operations also called “steady state”. For each significant development activity, the Exhibit 300 should have one or more performance measures, milestones, and estimated budget, as you would for any other discrete project.
What is the difference between budgetary resources and outlays?
Budgetary resources represent how much money you are allowed to spend based on the budget authority provided (or requested) in the Appropriations Act, including any limits placed on the use of reimbursable funding. Normally the budgetary resources amount in the Summary of Spending table matches the annual budget request. Budgetary resources can also include direct appropriations, working capital funds, and revolving funds. Outlays, also called disbursements, represent payment of obligations, and are expected to closely match the Performance cost Actuals in II.C and planned outyear spending. Major investments often plan on outlay rates of 35% per year. As a result, the final year or two of an investment may have $0 budgetary resources but significant outlays. Check with your budget office to derive the appropriate outlay rate and verify the prior year disbursement amount.
How can the full life cycle costs be shown if the project extends beyond the years shown?
In the last Summary of Spending column before the total, enter all other remaining costs (in later years) to complete the investment.
Does the Summary of Spending Total include FTE costs?
FTE cost is reported on a separate table and is not included in the Summary of Spending “Total.” The Funding Source amounts however, do include all FTE and non-FTE costs. The Funding Source DME and Steady State amounts are what are reported on the Exhibit 53.
Is there a way to verify that the Summary of Spending amounts equal the Funding Source amounts?
The funding source annual and grand totals for DME and Steady State should be the same as the Summary of Spending totals for budget authority (including FTE funding). When you are viewing either the Summary of Spending or Funding Source tables a “reconciliation” icon appears next to the Excel import icon. Always run the reconciliation function to verify that all Summary of Spending funds have been accounted for in the Funding Sources table.
Should funds received from or provided to other federal agencies be reported?
Funds received from sources other than Commerce appropriated funds should be entered in the Summary of Spending table. However, any such funding should be identified in a separate row or rows on the Funding Sources table. When entering revolving funds or other non-Commerce appropriated funds in the Funding Source table, select “No” in response to the question, “For OMB submission?” This appears when you choose the account code. Answering “No” ensures that the data will not appear on the Exhibit 53, which includes only funds appropriated to the Department of Commerce.
Where does one report funds sent to another agency?
IT funding DOC sends to another agency must be reported under a non-major Exhibit 300 so it can appear in the Commerce Exhibit 53. If the recipient agency is the managing partner of the investment then it, and not DOC, maintains the major Exhibit 300 business case. For the investment's unique identifier, use the 4 digit UID provided by the lead agency. Entering "04" in the 10th and 11th digits of the project's UID identifies it as funding provided to another agency.
Where are funds reported that are appropriated to one investment but transferred to another?
The investment initially receiving the funds or reimbursing another office for expenditures on its behalf must account for the funding in the Summary of Spending table. The investment receiving the pass-through funding or receiving fees for service must also account for that funding in its Summary of Spending table but identifies such funding as a “Non-add” appropriation in its Funding Source table.
Can multiple appropriated and non-appropriated accounts be entered in the Funding Source table?
Yes, use the pick list in the Funding Sources table to identify each funding account’s name and number. Then enter the funding amount from each account. Separately list each source of non-appropriated funding such as from a revolving loan fund or reimbursable source. The annual total and grand total from this table must match the budgetary resources annual and grand totals for FTE and non-FTE from the Summary of Spending table. If a funding account cannot be found on the eCPIC pick list, call the eCPIC Help Desk to add it. Note that “internal” reimbursements should only be accounted in a single investment’s budget, either the giver or the receiver.
Does the total amount from the Summary of Spending table appear on the Exhibit 53?
The Exhibit 53 automatically includes all appropriated funds from the Funding Source table but does not include funds identified in the Funding Source table as reimbursable or other non-appropriated accounts. If non-appropriated funds are received, they should be included in the SOS table as well as in the other Exhibit 300 sections such as the acquisition table, the performance-milestone table, and in the EVM calculations.
Should there be a direct linkage between the Summary of Spending amounts and the figures shown for the current baseline total?
Yes, the budget amounts in the milestone tables at the end of Parts II and III must be consistent with the figures in the Summary of Spending table.
Is other information needed to supplement the Exhibit 300 for an IT Investment Authority (ITIA) review?
When seeking IT Investment Authority, an Exhibit 300 is needed as well as an Acquisition Plan.
Should contract amounts be included that are more than the currently approved budget?
Include the total value of the portion of each contract supporting the investment including option years. If the contract value exceeds the approved budget profile shown in the Summary of Spending table, explain this difference in the DOC Supplementary project description.
Should contracts be listed that are used by more than one investment?
List only the task orders that apply to this investment.
In what dollar unit are the contract values?
All dollar values are in thousands.
Is the Contract information only for awarded contracts?
OMB guidance explicitly states that contracts and/or task orders planned for this investment shall be included in the contract data table. When entering planned investments, fill in the known data elements; other fields can be left blank. Data for proposed contracts cannot appear in the publicly releasable version of the Exhibit 300.
What size contracts or task orders should be included in the table?
Include all significant contracts and task orders sufficient to account for all or nearly all of the contract dollars.
Must all contracts for DME activities include an Earned Value Management clause?
Department of Commerce policy requires that major IT investment contracts for DME activity include language mandating that the vendor provide Earned Value management (EVM) data, and that the investment have an EVM system in place.
If the contract complies with Section 508 regulations is an explanation still needed?
If the contract complies with Section 508 (accessibility) regulations, explain how. If the contract does not comply with Section 508, explain why not.
Does an Acquisition Plan need to be provided?
Attach any approved or near final acquisition plan to the investment’s eCPIC resource folder.
Why, for older investments, are there two performance tables?
The “Legacy” performance table only appears as an historical reference and cannot be edited. Enter data only in the Federal Enterprise Architecture (FEA) Performance Reference Model (PRM) table. For more information see the FEA Reference Model categories and definitions.
Can the performance measures be the same ones that appear in the Annual Performance Plan?
Use, as appropriate, performance measures that are part of the Annual Performance Plan or that can be tied to those measures.
Are measures needed during all phases of the project life cycle?
Performance measures are required for all phases of the project life cycle including planning and acquisition. During the planning and acquisition phases select performance measures and targets that certify or demonstrate the impact of completed project stages or useable end items. However, do not repeat activities already listed as milestones in the Performance cost table in Part II. The performance measures provided should be consistent with the measures included in the budget submission document which, per OMB A-11 instructions, shows funding and performance measures for five years beyond the budget year.
What are the basic elements of a “Measurement Indicator”?
At a minimum, the measurement indicator should include the type of units (such as # of, % of), a clear, complete definition of what is being measured, and the periodicity of the measurement (monthly, annually…).
What is meant by baseline and should it remain constant?
A baseline is a specific quantitative or qualitative measure that existed or was established before the investment began and usually does not change over time. For example, a baseline storm warning lead time of 12 minutes would be compared against the proposed performance targets for years 3, 4, and 5 to assess the net benefit from this investment.
What is an acceptable “Target”?
In this column enter a clearly measurable outcome, e.g., 7 minutes, 10% increase over baseline. OMB expects the performance targets to reflect constant improvement.
Must the performance targets show constant improvement?
Yes, the performance targets should show what added business value is being gained as a result of the continuing investment. If the target metrics have reached a plateau, then select a new measure from that point forward that will capture the continuous improvement that is supposed to be achieved by all on-going capital investments.
Where can the linkage between the project performance measures and the high level outcome goals be described?
Strive to identify performance measures that have a clear connection ("line of sight") to each other and to your operating unit’s annual performance goals. To highlight the upper level linkage, a Strategic Goals column is included that contains the strategic objectives listed in the Commerce Strategic Plan. If the line of sight linkage would not be apparent to an outside observer, document this connection in the Description field of the Exhibit 300, in the Enterprise Architecture, and in the Strategic IT Plan.
Do performance measures need to be customer focused?
At least some of the performance measures should explicitly address who the customers are, and how the investment will benefit them. This is especially important for projects in the operations and maintenance stage where a crucial question is whether customers are receiving the benefits they expect from the system.
Should there be performance metrics for meeting IPv6 goals?
Yes, project managers, especially for infrastructure related investments, are encouraged to identify IPv6 performance goals.
What are the acceptable Measurement Areas and Measurement Categories?
The Performance Reference Model, which is encoded in the eCPIC select boxes for the first few columns of Table 2, identifies four measurement areas and several groupings within each area that describe the attribute or characteristic measured as follows:
- Mission and Business Results - Outcome measure tied to level 1 (Services for Citizens) and 3 (Management of Government Resources and Support Delivery of Services) of the FEA Business Reference Model. The measurement categories are services provided, support for services, management of resources, and financial
- Customer Results - Output measure tied to level 1 and 3 of the FEA Business Reference Model. Measurement categories: satisfaction, service coverage, quality, timeliness
- Processes and Activities - Output measure that defines the direct effect of daily activities and broader processes. Aligned with level 2 (Mode of Delivery) of the FEA Business Reference Model. Measurement categories: financial, productivity and efficiency, cycle time, quality
- Technology - Inputs, key enablers measured through their contribution to outputs. Measurement categories: financial, quality and efficiency, information and data, reliability and availability, user satisfaction
When are IT Security and Privacy considered in the project lifecycle?
Planning and funding for security and privacy must be done throughout the lifecycle of each investment. The investment's budget must cover the cost for privacy impact assessments, quarterly and annual FISMA reporting requirements, annual security assessments, contingency plan testing, and for identifying and correcting weaknesses noted in the Plan of Action and Milestones (POA&M).
Must Steady State security requirements be met before improving the IT capital asset?
OMB Memorandum M-00-07, of February 28, 2000, directs that steady-state system operations must meet existing security requirements before new funds are spent on system development, modernization or enhancement.
What is meant by “Percentage IPv6”?
Of the IT investment’s total BY funding, calculate the percentage of funding that will be spent to comply with IPv6 requirements.
How do I calculate the percent funding for IT Security?
Estimate the full cost of maintaining the IT investment's confidentiality, integrity, and availability for the budget year. This cost should include security activities such as awareness training, intrusion detection, incident response, and security certification and accreditation if these are not otherwise reported on the Exhibit 53. Also include the estimated value of security requirements in the IT investment’s software development life cycle. Be sure to enter a non-zero value, as a zero percent response will indicate that the system is not secure.
The same value, e.g., 2%, for all investments is not acceptable. Each investment must be evaluated independently. The IT security percentage reported for each investment is used to calculate the total IT security budget for each operating unit. Coordinate with your unit's IT Security Office to ensure that this calculation agrees with the IT Security funding data each operating unit transmits in its September FISMA report.
Should a project manager admit that a system has security weaknesses identified by the agency or IG?
Answer affirmatively if the system has significant, unremediated, security weaknesses identified by the Government Accountability Office, by Department compliance and oversight, or by the Office of Inspector General review of FISMA or FFMIA.
Is a special system name used for the security tables?
Create a separate record for each FISMA system inventory package that is associated with the investment. Under “Name of System” enter the FISMA system ID exactly as it appears in the FISMA report followed by the FISMA system name; for example, NOAA2400 Rockville Campus.
How important is it to complete the security systems tables?
A documented and completed C&A is required before a new system or major update to that system is allowed to be put into operation. In addition, to meet requirements, the C&A must be done at least every three years (using NIST 800-37) while the security control and contingency plan testing must be done annually.
When does the Planning Systems table need to be completed?
A C&A date entry is expected in the planning table for each ongoing or planned DME activity identified in the Exhibit 300. This C&A date must precede putting the new capabilities and enhancements into operation.
Must all C&As be conducted using NIST SP 800-37 and 800-53A?
Yes, NIST 800-53A is now the official standard for monitoring and testing the security controls listed in NIST 800-53. These standards replace 800-26. Commerce FISMA reporting instructions have validated that all “non-national security programs and information systems must following NIST standards.”
What is the Security Control Testing Date?
FISMA requires that selected NIST 800-53 controls be tested annually. The Security Control Test completion date in the Exhibit 300 should be consistent with the FISMA IT inventory’s “Annual Continuous Monitoring Test Date” field.
Must the information in the IT Security Table be consistent with the data in the FISMA IT Inventory database?
Yes, the data in the IT Security Table must be consistent with the data in the FISMA Inventory which is the primary source of record. Specifically, the Accreditation date in the FISMA Inventory correlates to the Security table C&A date and the Contingency Plan Test date in the FISMA inventory is the same as the similarly named data field in the Exhibit 300. If one of the security tests or accreditation steps is completed after the FISMA reporting but before the submission of the Exhibit 300, then first send in the update to the FISMA database coordinator before entering the same data in eCPIC. This will ensure verifiable data consistency.
Who needs to answer the question on contractor security procedures?
If the Operational Security table identifies a system as being contractor operated or contractor and government operated then you must answer this question.
What information is needed to document appropriate IT Security oversight of contractors?
Identify and describe the specific actions and procedures taken to ensure contractor and contractor system security. Merely certifying that the required regulations are being followed is not an acceptable response and has caused many investments to be put on the OMB Watch List. See Commerce Procurement Memorandum 2006-06 for more details on implementing IT Security in planned and awarded contracts.
What if I need more help in preparing the IT Security Section?
Consult with the system and IT security professionals knowledgeable about your specific project. In addition, your IT Security Officer or DOC Office Chief Information Officer's IT Security Program Team (DOCITSecurity@doc.gov) can assist you in responding to these questions.
What system name(s) should be used in the Privacy Table?
A separate privacy table entry is required for each system inventory ID entered in the Security tables. Enter the system inventory ID and name exactly as it appears in the Security table.
How do I know if the investment needs a Privacy Impact Assessment and what does it involve?
What is an appropriate response if the system contains no privacy or information collection related data?
If no PIA or SORN was done because the system will not and/or does not contain any privacy protected data, answer “No” to Questions 8(c) and 8(e), state in 8(d) that “No PIA is required because the system contains no personally identifiable information,” and state in 8(f) “No, because the system is not a Privacy Act system of records.”
How do I know if a System of Records Notice (SORN) is required?
If you are uncertain whether an investment is included under the Privacy Act provisions regarding information collection from the public, contact your operating unit's Privacy Act Coordinator or Allen Winokur at AWinokur@doc.gov.
Is this investment identified in your agency's enterprise architecture (EA)? If not, why?
A “no” answer is unacceptable to OMB. Each investment should be a product of comparing the current architecture with the target architecture and developing a gap analysis. The intent of the investment should be to bridge one or more of the gaps identified. If the investment is driven by new legislative mandates, then the architecture may not have been updated to reflect the changes, but should be. Regardless of how the Architecture is documented, the initiative should be clearly identifiable in the Target Architecture.
How do I know if the investment is in the Commerce EA Transition Strategy?
If the investment was included in the operating unit's transition plan, then it is included in the DOC transition plan. If you have not consulted with the Chief Architect for your organization, it is probably not included in the transition plan.
Should a segment architecture code be entered even if the segment is not yet approved?
Yes, you can now enter a segment architecture code, even if that segment has not yet been approved.
What are the Segment Architecture Codes for approved segments?
If you select “Yes” for completed and approved segment, then you must enter a six digit code. The codes are listed in eCPIC and available from your OU Enterprise Architect.
Does the Department review each major investment’s Enterprise Architecture?
Prior to a CITRB review, the Commerce Enterprise Architecture Review Board is responsible for reviewing the OU’s enterprise architecture to ensure that all investments are properly and fully documented, and in compliance with the agency architecture standards and targets.
How should proposed new investments integrate with the agency business architecture?
Every new IT investment should impact the business architecture, changing it for the better. It would be difficult to defend the need for that investment if it had no such impact. Indicate what changes to organization, business processes, etc. are engendered by this initiative and what new or enhanced products and/or services it provides or facilitates.
What is the FEA Primary Mapping Information?
This information is carried forward from the Exhibit 300 data entered last year or earlier. It is up to the current project manager in consultation with the operating unit CPIC representative to determine if any change is needed. Starting in FY 2007, enter either the code from the Federal Enterprise Architecture (FEA) Business Reference Model (BRM) or from the Service Component Reference Model (SRM). For functional applications use the BRM. For cross-cutting Service Type applications use the SRM. A full listing of the BRM and SRM codes can be found at the FEA site. The BRM Mode of Delivery lines of business are not valid as a primary FEA mapping.
How are SRM component categories identified?
To identify the proper SRM category for an investment component, first use the business reference model to identify the correct investment category, then subdivide the business processes into discrete functions, and finally map each of these functions to the corresponding SRM Model grouping.
What is the purpose of the SRM Table?
As stated in the Federal Enterprise Architecture SRM Model version 1.0: “the SRM model is intended for use in discovering government-wide business and application Service Components in IT investments and assets. It is a component-based framework that provides, independent of business function, a leverageable foundation to support the reuse of applications, application capabilities, components, and business service.” From this and the list of components contained in the SRM, OMB is looking to identify components that can be reused across the Government regardless of which line of business they were originally designed for.
Should the SRM table BY Funding Percentage total 100%?
The entries in the SRM table include all SRM components in the investment including components that are shared with other projects. To the extent that not all of the budget year spending is for service components (for example FTE costs and training), the total of all the SRM spending may be less than 100% of the investment’s total BY funding.
How do you identify reuse components and calculate their BY funding percentage?
Reuse components include only components reused from another investment. Such reuse generally incurs little or no cost to the benefiting investment, so the BY funding percentage will normally be 0%. The information provided in the SRM table must be consistent with the responses given to the “Reuse & Information Sharing” questions, i.e., include in the SRM table any reuse components referred to in the “Reuse & Information Sharing” response.
What is meant by internal versus external reuse?
Internal is within the Department of Commerce. External is when the reused component is from an agency that is outside the Department.
What is a Service Component UPI and who has this information?
All IT spending is categorized on the Exhibit 53 by “investment,” each of which has a Unique Project Identification (UPI) code. The Capital Planning and Investment Control (CPIC) lead for each operating unit has a list of that OU's IT investments and their UPI codes.
Must every SRM Component be mapped to a TRM Category?
Each SRM component must be mapped to all applicable TRM Service Areas/Categories and Standards to indicate the technology components that deploy each SRM component.
Do systems expected to be in steady state in BY need to complete Part II?
If the investment will not achieve full steady state status until the BY, then Part II still needs to be completed in order to track the status of the ongoing DME activity.
Does an alternative analysis always need to be conducted?
All new initiatives, whether they are a major part of an existing initiative or a completely new effort, need to be supported by an alternatives analysis. The alternative analysis should be based on market research and consider various approaches to meeting the identified need. The Department as well as OMB may ask for the alternative analysis plan from which the data in II.A is drawn. To allow prompt response to requests for information, attach the latest alternative analysis document to the investment’s resource library in eCPIC.
What if there are more than three alternatives?
At least three alternatives as well as the status quo must be provided. Additional alternatives can be entered in the Exhibit 300, but only the three selected, plus the status quo, will go to OMB. In the Alternatives Analysis table’s “Send to OMB” column, mark True next to alternatives to be submitted to OMB. Examples of alternatives include buy it, outsource it, or build it yourself. Other possible alternatives are to incrementally improve or totally rebuild. Meld and summarize choices to show at least three distinct alternatives.
How often does the alternatives analysis need to be updated?
The alternative analysis should be updated at least every three years or whenever a major shift in system strategy is proposed.
What is included in the Risk Adjusted Life Cycle costs and benefits estimates?
The costs and benefits should cover the entire project life cycle from design, through operations and maintenance, including data migration and system disposal. Normally, the lifecycle cost is consistent with the Summary of Spending total including FTE. To allow prompt response to requests for supporting information, attach the latest independent and program office cost assessments and cost-benefit analyses to the investment’s resource library in eCPIC.
Is a cost-benefit spreadsheet template available?
Yes, a spreadsheet template is in the eCPIC Resource Library under the folder entitled Cost Benefit/EVA. Use benchmarks and market studies to identify the cost of alternatives.
Do costs and benefits need to be discounted?
Yes. The discount factors for investments of various time spans are published in OMB Circular A-94 and updated periodically.
Do legacy system migration costs need to be included in the new investment’s life-cycle cost?
Yes, the cost estimate for a new system includes the whole life cycle including migration from the legacy system and, at the end of the new system’s useful life, its disposal cost.
How are Federal Quantitative Benefits different from the benefits in the alternative analysis?
Federal Quantitative benefits include only direct benefits to the U.S. government and exclude societal benefits; therefore, the cost savings will be no greater than, and usually much less than, the benefits estimated in the Alternatives Analysis table.
Does the Risk Management Plan need to be kept current?
Yes, the Risk Management Plan includes risk mitigation targets and activities. The current plan reflects whether or when these milestones are achieved and what new risk measures are needed as the project reaches later stages of development. At a minimum, a formal risk management plan should be redone every three years.
Does a current Risk Management Plan need to be available upon request?
All documentation that is affirmed to be available can be requested at any time by OMB. In addition, the Department routinely requests supporting documentation in advance of a CITRB review. To allow prompt response to requests for information, attach the latest Risk Management Plan to the investment’s resource library in eCPIC.
What is included in a Risk Management Plan?
The risk management plan documents the procedures to be used to manage risk during the life of the project. It should include procedures for identifying and quantifying project risks, prioritizing risks for further analysis and action, identifying the parties responsible for managing the various areas of risk, developing appropriate responses and mitigation plans for specific risks, and monitoring and controlling the identified risks. Since additional risks will always be identified while the project is being executed, the risk management plan must be revisited on a regular basis and kept current as new information about the project becomes available. An excellent source of information on project risk management and the risk management planning process is the Project Management Institute’s PMBOK Guide.
Which costs are tracked using Earned Value?
For major IT systems, all planning and development costs, including FTE, must be accounted for, and tracked, using Earned Value Management (EVM). This may require the project manager to combine the earned value results for multiple contracts, as well as for government FTE, and for government furnished equipment.
How do I know whether the business practices I'm using qualify as an EVM system under the ANSI/EIA Standard 748?
Software can help support an EVMS but does not constitute an EVMS. ANSI/EIA Standard 748 describes the practices to be followed in employing an Earned Value Management System (EVMS). Each operating unit is responsible for ensuring that its own processes and procedures as well as those of contractors, continue to satisfy the EVMS Standard (and to verify that those processes and procedures are being followed appropriately). This EVMS verification is commonly called “surveillance.” An excellent model for establishing and maintaining an EVMS surveillance process is the National Defense Industrial Association (NDIA) Program Management Systems Committee’s “Surveillance Guide.”
Must the actual cost of work performed amount be consistent with the spending reported in the Summary of Spending table?
The EVM Actual cost of work figure is based on accrued spending to date for all planning and development activities, not budget authority. Therefore, the aggregate total of DME in the Summary of Spending table through a given year is likely to be different than the EVM Actual cost of work amount. However, total AC at completion must be the same as the DME grand total on the Summary of Spending table.
Can eCPIC be used to calculate earned value?
eCPIC has the capability to calculate Earned Value from the information entered in the performance baseline table and can generate a monthly variance chart. We are currently evaluating whether this approach will be recommended. In the meantime, EVMS results should continue to be calculated using an ANSI 748-A compliant off-line system and then manually entered into the Exhibit 300.
How often should EVMS data be calculated and updated?
To be considered compliant with ANSI/EIA Standard 748-A, EVMS data must be calculated at least monthly. The Spend Plan and EVMS data in eCPIC are expected to match the quarterly EVM report sent to the Department. When entering new EVMS data in eCPIC, the user must enter a new ‘As of Date.’
Does the Agency Head need to approve program continuation if the cost or schedule variance is 10% or greater?
The operating unit CIO and Department CIO must be notified if the negative variance is 10% or greater. In explaining cost or schedule variances, address any changes to the spend plan baseline and associate all variances with specific risks and mitigation strategies cited in the risk management section.
What is meant by initial and current baseline and how can they be changed?
Initial baseline is the first OMB approved project baseline and is normally kept unchanged to reflect the project’s history. Similarly, the investment’s current baseline for CY and earlier cannot be retroactively changed. However, if project assumptions significantly change, it may be appropriate to change the “Current” baseline for future years. Proposed changes to the baseline plan are entered in the baseline change request form in eCPIC. Significant changes to the baseline plan of major investments or investments on the High Risk List are reviewed by the operating unit and Department. A request for a replan or rebaseline of 10% or more or $500K or greater in the O&M or DME portion of the investment requires the operating unit CIO to approve the change and to inform and justify the change to the Department. For details on the baseline change request process see the Implementation of IT Investment Performance Management Policy and the Commerce IT Investment Performance Management Policy.
What costs are included in the baseline funding?
The baseline includes all planning, development, and operations & maintenance funding in the life cycle budget including FTE costs.
What is entered in the Actual column for the Current Baseline?
The Actual column under Total Cost represents actual costs to date. The actual column under “completion date” should only be filled in when the task is completed.
What level of detail should be provided in the funding plan?
The funding or spend plan should correspond to the third level of the investment’s work breakdown structure and account for all spending included in the Summary of Spending table, i.e., cover the full investment life-cycle. Break out spending by project phase (planning, development/acquisition, operations and maintenance) and by contract wherever possible.
What duration should the Milestone Activities be?
Milestone activities or their sub-milestones should be a year or less in duration. The table Baseline variance calculation will automatically generate large variance amounts for any milestones not yet complete that are longer than a year.
What is the Department guidance for conducting operational analysis?
Operational analysis is conducted periodically on an operational system. Major IT systems must report operational analysis results annually to the Department, typically in early February. An operational analysis verifies whether the investment is meeting its cost, schedule, and performance goals, as well as analyzing and identifying smarter, more cost effective methods for achieving the desired goal. For further information see the Department’s Operational Analysis and Performance Reporting guidance.
What investments need to complete this section?
Only the Managing Partner of an E-Gov, Line of Business or similar multi-agency collaboration investment fills out this section. Supporting capital asset investments that are not part of the Managing Partner’s business case should not use Part IV but rather should complete Part II or Part III as appropriate.
If you have questions regarding this advice or need related assistance on using eCPIC to complete an Exhibit 300, please contact Stuart Simon at 202-482-0275 or firstname.lastname@example.org
Last Updated January 8, 2009
- Questions regarding this section may be directed to the IT Capital Planning & Investment Control Administrator