
IT Capital Planning and Investment Control Process

U.S. Department of Commerce


Information Technology Capital Planning and Investment Control Process


Version 2.6

August 2008

Overview

The Commerce information technology (IT) capital planning and investment control process is built on a foundation of strategic and operational IT planning that is integrated with processes for the selection, control, and evaluation of IT investments. The process includes linkages throughout to enterprise architecture, IT security and privacy, electronic government, IT accessibility and other domains of IT management responsibility as well as linkages to the Commerce strategic planning, budgeting, and acquisition processes. This capital planning and investment control process supports the Clinger-Cohen Act of 1996; the Paperwork Reduction Act of 1995; the E-Government Act of 2002, including the Federal Information Security Management Act; Homeland Security Presidential Directive 7 of December 17, 2003, Critical Infrastructure Identification, Prioritization, and Protection; the Rehabilitation Act, amended in 1998; the Information Quality Act of 2001; Office of Management and Budget Circular A-130, Management of Federal Information Resources of November 30, 2000; the Federal Enterprise Architecture; and other related legislation and Federal guidance.

The Office of Management and Budget (OMB) Circular A-11, Exhibits 300 (Capital Asset Plan and Business Case Summary) and 53 (Agency IT Investment Portfolio) form the building blocks for IT planning, budgeting, and acquisition documentation. An IT Strategic Planning and Investment Review Maturity Model is the capstone to the process, pulling together all the elements of the process including linkages to other areas of focus, in a comprehensive model that helps operating units to monitor, evaluate, and improve their IT management processes over time.

Plans are to change some of the processes described in this document over the next year. The next revision will incorporate those changes as we gain experience with the new procedures.

Strategic IT Plans

The process begins with a request from the Department’s Chief Information Officer (CIO) for operating units to develop strategic IT plans within the context of maturing their capital planning and investment control process. The Strategic IT Planning Call provides an opportunity for the CIO to highlight specific areas for attention. For example, consistent with last year’s practice, the strategic IT plan call issued in January 2008 emphasized performance measurement in capital planning and investment control and enterprise architecture through the use of maturity models. Operating units are asked to develop strategies to address performance gaps. Capital planning and investment control processes based on strategic IT plans are linked with and support operating unit program plans developed under requirements of the Government Performance and Results Act (GPRA). In some operating units, this process is integrated with the strategic IT plans developed in conjunction with program plans.

Strategic IT plans provide a framework for discussion and an opportunity for operating units to focus on the strategic use of IT resources to improve program delivery. Strategic IT plans also lay the groundwork for development of operational IT plans and documentation to support budget year IT initiatives. Strategic IT plans establish over-arching, operating unit-wide IT goals, such as the development of architectures, strategic use of electronic commerce, and development of IT security and privacy strategies. The plans include financial information in the format of OMB Circular A-11, Exhibit 53. This provides an overview of the operating unit’s IT portfolio and provides consistency with the budgeting process. The call for strategic IT plans specifies that plans are due annually, on a schedule that best meets the needs of the operating unit.

Each operating unit addresses its program information needs in its own Strategic IT Plan. The Department’s Strategic IT Plan (or Strategic Information Resources Management Plan) builds on these information requirements as well as elaborates strategic goals for the Department as a whole. The Strategic IT Plan complements and supports the Commerce Strategic Plan and Annual Performance Plan. Office of the CIO staff develop the Strategic IT Plan, with input and concurrence from the Commerce CIO Council and key stakeholders such as the Office of Budget and the Office of the Chief Financial Officer. The Departmental Strategic IT Plan is available to all stakeholders. The plan highlights key IT investments including four major modernization efforts: The Census Bureau’s 21st Century Master Address File/Topologically Integrated Geographic Encoding and Referencing (MAF/TIGER) Enhancements, the National Oceanic and Atmospheric Administration’s High Performance Computing Strategy (HPCS), and the Patent and Trademark Office’s Patent Automation Program and Trademark Automation Program. Like last year’s plan, this year’s plan focuses on a streamlined set of IT goals and identifies strong performance metrics to track progress against these goals.

The Commerce CIO organizational structure gives operating unit CIOs full responsibility and accountability for their strategic and operational IT planning. Consistent with the maturity of the IT planning processes at Commerce, operating unit CIOs assess their planning processes against a capability maturity scale and inform the Department’s CIO of progress. The CIOs also share information and best practices through a monthly CIO Council meeting, chaired by the Department’s CIO.

Operational IT Plans

Operational IT plans are due in the fall and describe specific operating unit plans for IT activities for the coming fiscal year. As with the strategic IT planning call, the Operational IT Planning Call provides an opportunity for the CIO to highlight specific areas of focus. This year’s call, issued in October 2007, put emphasis on performance measurement, architecture, and security.

The operational IT plans are based on OMB Circular A-11, Exhibit 300. This provides continuity with the budgeting process and a consistent set of documentation, ensuring that issues such as developing systems within the context of an architecture and IT security and privacy are considered on an ongoing basis. At the point of the operational IT plans, the Exhibit 300 documentation should be well defined, identifying specific schedules, acquisition plans, and performance measures. The timing of the operational IT plan is intended to put the focus on the coming fiscal year and to promote better coordination and integration with development of performance measures required by GPRA.

Investment Review Process

Budget Year Initiatives

The CIO issues a call for IT budget initiatives as well as for documentation on major systems in the spring. This IT planning call is directly linked to the Secretary’s budget guidance for the upcoming budget year; submissions are due at the same time budget proposals are due, usually mid-May. See the CIO’s call for IT Budget Initiatives. This call, like those for strategic and operational IT plans, provides an opportunity for the CIO to highlight key issues. For the FY 2010 budget, the CIO emphasized alignment with the Commerce IT Review Board evaluation criteria. The budget proposals, as well as documentation of major systems, are provided in OMB Circular A-11, Exhibit 300 format. The proposals are a product of operating unit IT selection processes, reflecting operating unit portfolio analysis and operating unit IT review board decisions. See the Operating Unit Responsibilities for the capital planning and investment control process.

The Commerce IT Review Board (CITRB) (see charter) advises the Secretary and Deputy Secretary on critical IT matters, ensuring that proposed investments contribute to the Secretary’s strategic vision and mission requirements, employ sound IT investment methodologies that comply with Departmental systems architectures, and provide the highest return on the investment or acceptable project risk. This includes recommendations for approval or disapproval of funding for new or base investments as part of the Department’s budget review process. Systems selected for review meet one or more of the following criteria: systems meriting special attention due to their sensitivity, mission criticality, or risk potential; Department-wide systems; systems where resources are shared between operating units and/or the Department; and systems with life cycle costs over $25 million.

The CITRB is chaired by the CIO, co-chaired by the Chief Financial Officer, and composed of the Director of the Office of Budget, the Procurement Executive, the Director for Human Resources, the Deputy Chief Financial Officer, the Deputy CIO, and CIOs from the National Oceanic and Atmospheric Administration, Census Bureau, National Institute of Standards and Technology, and International Trade Administration, and, on a rotating basis, up to two other operating unit CIOs. Currently these include the Bureau of Economic Analysis and the Bureau of Industry and Security.

Recommendations of the CITRB are based on consensus evaluations on a green-yellow-red scale, using decision criteria to determine such factors as alignment to Commerce and operating unit high-level performance goals, net risk-adjusted return on investment, project management strategies, risk mitigation, security implementation, architectural compliance, and overall value of proposed IT projects. See the evaluation criteria used by the CITRB. Green indicates that the project adequately satisfies all the review criteria; yellow indicates that the planning and supporting documentation for the project needs improvement, and the needed improvement can be done with a reasonable amount of effort and time; and red indicates that the project is not acceptable as proposed and a substantial effort is required to improve the proposal. Only CITRB members or designated alternates from the Department of Commerce may vote. Commerce Office of Budget analysts participate in the discussions and question the proposal sponsors. Initiatives that do not meet the criteria to be reviewed by the Board are reviewed following the same process by Office of the CIO staff supplemented by staff from the Office of Acquisition Management as well as the Office of Budget. CIO staff also review all Exhibit 300s for existing and proposed investments, and provide comments to investment sponsors to help improve the quality of these business cases.

To help focus the CITRB sessions, project managers and sponsors for investments selected for CITRB review are required to provide supporting project planning documentation, including the Exhibit 300, two weeks prior to the CITRB meeting. Staff subject matter experts in IT security, enterprise architecture, project management, earned value management, benefit-cost analysis, budgeting, and acquisition review the project management material and provide comments to the project manager and sponsor, giving them an opportunity to explain or resolve gaps in the information provided. Remaining technical issues are highlighted for the CIOs’ attention prior to the CITRB meeting.

Following the meeting, the CIO provides the operating units the investments’ ratings along with comments and suggestions for improvements, and an opportunity to improve their proposal justifications, where needed. The CIO, in consultation with the CITRB members and Office of the CIO staff, reviews the revised proposals and assigns a final rating on a green-yellow-red scale, which is then provided to the Office of Budget. Also, the CIO or Deputy CIO participates in the Office of Budget briefings with the Deputy Secretary and provides input and commentary as necessary on initiatives with an IT component.

Control and Evaluation Reviews

As part of its charter, the CITRB makes recommendations for continuation or termination of projects under development at key milestones or when they fail to meet performance, cost, or schedule criteria. The Office of the CIO staff review all major systems and make recommendations to the CIO regarding those IT investments that should be reviewed by the Board. The staff also conduct pre-Board reviews themselves or recommend pre-Board reviews from external experts, when they perceive a benefit from an independent, in-depth evaluation.

The CITRB meets monthly to assess the identified projects in control and post-implementation reviews and to consider delegation of procurement authority requests. The CITRB control and post-implementation review process follows on the operating unit processes for the control and evaluation of major IT investments, which generate the principal documentation for CITRB consideration.

The CIO provides formal evaluation memoranda to the project sponsors and requires follow-up information and actions with due dates, as needed. The Office of the CIO staff track responses to the actions. Further, the operating units provide quarterly earned value management and operational analysis reports, which are reviewed by Office of the CIO staff. (See later discussion.) In addition, any proposed change to the baseline in the Exhibit 300 milestone table is now automatically flagged and requires justification and CIO approval. These processes taken together highlight any investments that may need special management attention. The CIO briefs the Deputy Secretary on investments that deviate from cost, schedule, or performance goals by more than 10% or that are in other ways troublesome.

Capital Planning Training

Over the past several years we have sponsored training, supplemented by one-on-one consultations, to address the areas of the Exhibit 300 that cause preparers the most difficulty, including performance measurements, alternatives analysis to include return on investment, and earned value management. Additionally, we regularly update a set of customized, Commerce-specific instructions on how to prepare a high quality business case and post them to our Web site. The Department’s Office of the CIO also offers training sessions for beginning and advanced students on use of the eCPIC (electronic Capital Planning and Investment Control) software to enter, track, and analyze their operating unit’s portfolio of IT and non-IT investments.

Linkages

Commerce’s capital planning and investment control process is linked to other processes within Commerce. The linkage to the budget process has been described above. Linkages to other IT processes and to the acquisition process are described below.

Enterprise Architecture

The Commerce Enterprise Architecture (EA) has a broad scope. The EA is the union of the operating unit architectures and the overarching Department architecture. The Department architecture addresses lines of business and services common to all operating units. It establishes basic goals and directions, characterizes common systems and services, and defines fundamental standards universal to all operating units. This approach provides the operating units flexibility in executing their mission specific lines of business, while providing greater efficiency and reduced cost for the common lines of business. The diverse nature and mission of each operating unit mandates a flexible structure, allowing each operating unit to define its mission specific architecture that best fits its business requirements. In this way, each operating unit can fulfill its mission tasks, and provide the best service to all stakeholders and customers while supporting the overall goals of Commerce.

The Commerce Enterprise Architecture documents results realized from the combined capital planning and architecture efforts in reducing redundant systems, reusing existing components, and taking advantage of newer technologies to achieve efficiencies. The high-level overview describes Commerce’s goals and business needs, and “as is” and “to be” architectures along with migration plans, from business, information, application, and infrastructure views. This is supplemented by detailed technical and architecture information from the operating units in support of the strategic architectural vision.

Another part of the overall architecture effort is the identification and development of segment architectures. Segment architectures are discrete slices of the enterprise that provide a product or service. The segment architecture provides detailed results-oriented architecture and a transition strategy for a section of the enterprise. More information about Segment Architecture can be found in the Federal Enterprise Architecture Practice Guide. Commerce’s Enterprise Architecture now includes two segments, National Oceanic and Atmospheric Administration Observing Systems and Spectrum Allocation Management.

The Department’s Enterprise Architecture Advisory Group, composed of representatives from across the Department, developed guidance for the Enterprise Architecture Program. This guidance is consistent with the OMB Federal Enterprise Architecture Framework and is designed to enhance the integration of the operating unit portions of the Enterprise Architecture and provide a consistent picture across all of Commerce. With the development of the OMB Federal Enterprise Architecture Assessment Framework, as well as the General Accountability Office Architecture Maturity Assessment, the Commerce Enterprise Architecture Capability Maturity Model has been retired.

The Enterprise Architecture Review Board is a focused group derived from the Enterprise Architecture Advisory Group (see charter for both groups), which reviews architecture updates and change requests, and examines investments that are being reviewed by the CITRB for compliance with the Enterprise Architecture. Recommendations are forwarded to the CITRB for consideration. Strengthened EA governance processes are under consideration.

The Enterprise Architecture Program is linked to the capital planning and investment review process through the strategic IT plans and the Exhibit 300s that form the basis of budget initiatives, investment reviews, and operational IT plans. The Commerce maturity model measures these linkages. Architectural compliance is one of the six areas formally scored by the CITRB members when they evaluate IT investments.

In an effort that supports the Enterprise Architecture and the Infrastructure Optimization Initiative Line of Business, Commerce’s Consolidated Infrastructure Team (CIT) prepares a single Exhibit 300 to cover infrastructure, telecommunications, and office automation. The CIT is a governing body sanctioned by the CIO Council and charged with facilitating efforts to consolidate, integrate, and coordinate the management of all Commerce IT infrastructure activities. The CIT is composed of representatives from across the Department. The CIT developed an IT Infrastructure Management Framework, principles governing the management of Commerce’s IT infrastructure, which is consistent with the Federal Enterprise Architecture and the Department’s Enterprise Architecture. Commerce is an active participant in the Government-wide IT Infrastructure Line of Business (ITI LOB). In support of the ITI LOB, the CIT is working to identify commodity infrastructure and to rationalize these data with the Exhibit 300 for infrastructure, with the goal of optimizing Commerce’s infrastructure platforms.

IT Security and Privacy

The Department of Commerce places a very high priority on IT security, recognizing that an effective IT Security Program is necessary to protect its IT investments and its data. The Department has strengthened its focus in two management areas: IT security program management and administration, and critical infrastructure protection.

The IT Security Program Team, supplemented by IT Security Officers in each of the operating units, focuses on improving Department-wide IT security program management and overseeing Department-wide compliance with IT security requirements. Efforts to improve the program include focusing on standardizing the processes that lead to sound IT system certification and accreditation; updating the comprehensive IT security program policy and minimum implementation standards (ITSPP) to reflect current IT investment trends and regulatory requirements, particularly in the area of personally identifiable information; ensuring linkage between the IT system inventory and IT investments; as well as improving general security awareness training and providing guidance for role-based training for those with significant IT security roles and responsibilities. The most recent efforts focus on new initiatives to address OMB Memorandum 08-05 on Trusted Internet Connections (TIC); Federal Desktop Core Configuration (FDCC); two-factor authentication; Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors; Cyber Security Assessment and Management (CSAM), a tool to help build strong certification and accreditation packages; and National Communications Security Directive 3-10 to provide communications under emergency situations. In addition, the Department continues an IT compliance review program that includes testing the management, operational, and technical controls of the Department's IT systems.

The IT Security program is the information assurance foundation ensuring the consideration of IT security over the system's life cycle, from inclusion in IT capital asset budgeting to system disposal. Details of these efforts are provided in the Department's annual report to OMB as required by the Federal Information Security Management Act (FISMA).

The Critical Infrastructure Protection program concentrates on securing the Department's infrastructure resources that support national essential functions. In addition, the team reviews and coordinates the IT aspects of Department-wide continuity of operations planning to ensure availability of IT investments that support nationally critical as well as Commerce’s mission functions. Partnerships established with the Department of Homeland Security and integration with Commerce physical security programs have enhanced the quality of the critical infrastructure program. Furthermore, current and planned investments in new technology for incident detection and infrastructure monitoring will strengthen the Department's IT security posture and enforce the information assurance efforts under way by the IT Security Program Team, as described above, to protect the Department's IT investment.

Section 208 of the E-Government Act of 2002 (P.L. 107-347) requires that agencies ensure privacy in the conduct of Federal information activities. The Department has established the CIO as Commerce’s Senior Official for Privacy. The CIO’s Office works closely with Commerce’s Privacy Act Officer, established under the Privacy Act, to ensure that Commerce’s CIO is actively involved in and informed of privacy issues affecting Commerce. In a testament to Commerce’s commitment to privacy, Commerce’s IT Privacy Policy extends privacy protections beyond personally identifiable information to business identifiable information. Commerce is also extending the Privacy Impact Assessment (PIA) process to address OMB’s data extract log and verify requirement for sensitive data.

Recent events have made the protection of personally identifiable information a priority. Commerce has moved quickly to establish policies and make available practical protections for employees to use in safeguarding personally identifiable information as well as other sensitive information. All Commerce Privacy Impact Assessments and Privacy Policy Statements are available on the Commerce Web Privacy Page.

Commerce’s Web Master’s Advisory Group has developed guidance for preparing Web Privacy Policies to address privacy. Annually in the summer, Commerce CIOs certify that their Web sites comply with the privacy policies. Also, the Office of the CIO staff have independently verified that the Web Privacy Policies meet the criteria specified in the guidance. Further, by December 2004, the Web Privacy Policies were available in machine-readable form, following Platform for Privacy Preferences Project (P3P) criteria.

We emphasize the linkages to IT security and privacy in strategic IT plans and the Exhibit 300s that form the basis of budget initiatives, investment reviews, and operational IT plans to ensure that IT security and privacy are an integral part of the planning, budgeting, and acquisition processes. IT security is a key focus of analysis in the Commerce IT Review Board.

Electronic Government and the Paperwork Reduction Act (PRA)

The Commerce Department continues to expand its already extensive use of electronic government to perform its mission better, to enhance support to citizens, businesses, and other customers, and to reduce costs. Commerce has long recognized the advantages afforded by electronic government to support its responsibilities in delivering scientific, technical, and statistical information to the public. Commerce uses the Internet as a primary means of disseminating large amounts of data and information as well as supporting online transactions. The Department has over 100 different transactions available on the Internet. Members of the public can apply for fishing permits, file patent and trademark applications, order nautical charts and environmental data, file economic census data, register a search and rescue radio beacon, analyze economic and demographic data, and read publicly available patent and trademark files --- all electronically. See “E-Commerce Highlights” for more information.

Within the Office of the CIO, staff are dedicated to analyzing the information collection packages required by the PRA from the Commerce operating units to ensure that the principles of E-Government are given full consideration. In addition, information quality and privacy implications are addressed as needed for each PRA collection.

The Office of the CIO ensures that E-Government considerations are given high visibility in Commerce’s information technology capital investment and control process. Through selection and control reviews by the Commerce Information Technology Review Board, senior Commerce management examines initiatives for E-Government possibilities and suggests E-Government alternatives, where sensible.

Commerce has served as the managing partner for the E-Government International Trade Process Streamlining initiative, expanding the One-Stop One-Form initiative to the NAFTA Certificate of Origin form and integrating content from USDA/Foreign Agricultural Service into export.gov. Further, Commerce is participating in 31 other cross-cutting E-Government and Lines of Business Initiatives. For instance, all Commerce grant-related application packages are posted to grants.gov and a system-to-system interface between the NOAA Grants Online system and grants.gov is in place. All Commerce official personnel file data from the National Finance Center are electronically submitted to OPM for the Enterprise Human Resources Integration (EHRI) E-Government initiative. The Department has also implemented a public-facing Web application, export.gov, for the E-Authentication initiative. Further, the Department has participated in the new Lines of Business Initiatives for IT Infrastructure, Geospatial data, and Federal Health Architecture. Commerce has selected service providers for both IT security training and FISMA reporting and developed an implementation schedule. In support of these efforts, the CIO has been forceful in eliminating any duplication with the Administration’s E-Government and Lines of Business Initiatives. Commerce systems will provide only back-end processing for the various E-Government portals and will migrate legacy systems to the various Lines of Business where applicable.

In early 2003, Commerce’s records management function was transferred to the Office of the CIO, providing an opportunity to fold e-records management into our larger internal E-Government program. The Records Management Web site provides pertinent information for records managers. A revised records management policy, which emphasizes electronic records, has been promulgated.

This year, Commerce implemented outreach and training activities to ensure that employees at all levels are aware of their responsibilities to safeguard electronic records, especially e-mail, in accordance with approved records control schedules. A message was broadcast to all employees reiterating Commerce policy regarding the retention of e-mail messages and providing guidance on how to determine if a message is an official record and must be maintained. This was followed up by individualized responses to questions and briefings to offices upon request.

Commerce will continue to emphasize electronic government through the strategic IT plans and the Exhibit 300s that form the basis of budget initiatives, investment reviews, and operational IT plans. Commerce’s annual E-Government Report includes more details.

Information Quality

Following provisions of the Information Quality Act of 2001, Commerce completed a major effort to publish its Information Quality Guidelines. Since Commerce is an information agency, these guidelines are at the core of Commerce’s work. As with other performance measures, the Information Quality Standards are linked to the capital planning process through the strategic IT plans and the Exhibit 300s that form the basis of budget initiatives, investment reviews, and operational IT plans. Information Quality Standards have been incorporated in the evaluation criteria used by the Commerce IT Review Board and are also explicitly tied to the E-Government process through justifications for information collections made under the Paperwork Reduction Act.

In December 2005, Commerce began posting peer review agendas on the Web in conformance with the OMB Bulletin for Peer Review. Commerce’s Information Quality reports show few requests for correction. This is a testament to the quality of Commerce’s information and its adherence to the Information Quality Guidelines. Further, in July 2007, Commerce began posting Significant Guidance Documents to the Web, in support of OMB M-07-07, “Final Bulletin for Agency Good Guidance Practices.” See the Information Quality Web site for full information.

Project Management

Commerce recognizes the importance of effective project management to the success of IT investments. To ensure that Commerce has skilled, qualified project managers to direct its major IT investments, we have launched several initiatives. The first is that IT investment sponsors must submit resumes, in a prescribed format, for project managers and contracting officers for any new or existing investment that is reviewed by the CITRB. This allows Board members and Office of the CIO staff to review the qualifications and experience of the project managers and contracting officers and weigh these factors in their evaluations of the IT investments. For large investments, the project manager must be assigned full time to the investment in question. In concert with CIO Council guidance and tailored to Commerce’s IT investments, Commerce formulated project manager qualification and certification guidelines and validated all project managers of major investments as meeting the CIO Council’s September 2004 Federal IT Project Manager Guidance Matrix certification and experience requirements. Starting in FY 2007, Office of CIO staff, in concert with staff of the Office of Acquisition Management (OAM) and the Office of Human Resources Management, developed an implementation plan to address the requirements of OMB’s new Federal Acquisition Certification for Program and Project Managers (FAC P/PM). OAM has promulgated a FAC P/PM policy and, following the guidance, IT program and project managers are preparing justifications to document their certification and experience levels or requesting waivers while they acquire the needed training or experience.

Second, Commerce and its constituent operating units offer project management training for all project managers who need it. In FY 2004, the Office of the CIO held two nine-day sessions, each for 25-30 students, and in FY 2005 we trained an additional 44 students. Beginning in FY 2006, the Commerce Office of Human Resources Management developed a project management education and training curriculum and trained an initial group of 30 employees. This training program continues; in FY 2007, another 40 students were graduated, and by the end of FY 2008 we expect to graduate another 40. This training develops knowledge in all nine Project Management Body of Knowledge areas and prepares students for Project Management Institute certification as a Project Management Professional (PMP®). Further, specialized training for Earned Value Management and Risk Management is scheduled in FY 2008.

Third, we have embarked on regular, systematic Earned Value Management (EVM) analysis of IT investments under development. The intent is to monitor the performance of Commerce projects regularly to provide early warning of projects that may not be meeting cost, schedule, or performance goals, allowing course correction to bring the development effort back on track. The EVM analysis has been supported by focused training sessions on EVM techniques and one-on-one consultations. Further, operating unit CIOs are required to conduct operational analyses to certify that steady-state investments meet cost, schedule, and performance goals and to identify strategic opportunities for improvements. These requirements are founded on a formal IT Investment Performance Management Policy that defines Departmental requirements for the use of EVM and operational analysis.

In support of all of the above, we have established a program management service. The service serves as a central source for project management expertise, advice, and guidance, and focuses on four strategic initiatives:

    • Establishment of standards and guidelines for the use of project management best practices throughout the Department.

    • Providing project management services and support for select IT projects.

    • Providing DOC program and project managers with technical assistance to ensure successful performance in presentations before the Commerce IT Review Board.

    • Mentoring, training, and guiding project teams as they learn and use new project management best practices.

IT Workforce Development

The IT Workforce and Human Capital Committee of the Federal CIO Council, in partnership with the Office of Personnel Management (OPM), conducts an annual Web-based survey of IT employees in the Federal workforce. The survey collects information regarding IT employee skills, certifications, and competencies. The data from the survey provides a foundation for IT workforce development efforts at Commerce. In FY 2007, we completed a target setting and gap analysis effort, and in partnership with the Office of Human Resources Management, defined a cohesive IT workforce development program. Using this information as a basis, we submitted an IT Workforce Development Plan to OMB and in FY 2008 completed the activities delineated in the plan. Our FY 2007 workforce development program resulted in improved skills in risk management and enterprise architecture development.

The Commerce Learning Center (CLC) is now in operation. Functionality includes: online training history; scheduling and tracking of all types of training to meet Office of Personnel Management requirements; management of individual professional development rosters and reports; and distance learning through chat rooms and bulletin boards. This project supports the achievement of the President’s Strategic Management of Human Capital initiative as well as Expanded Electronic Government. The CLC has been particularly useful for role-based IT security training.

Commerce is actively engaged in outreach programs to attract, recruit, develop, and maintain a viable and diverse workforce, responsive to the mission needs of the Department and the strategic objectives of our various operating units. The Office of the Secretary operates an Executive Leadership Development Program (ELDP) and an Aspiring Leaders Development Program (ALDP) for high potential employees. The ELDP is designed for employees at the GS-13 and 14 levels or equivalent whose career plans include moving into upper management positions and the ALDP provides leadership development opportunities and addresses core competencies of employees in the GS-7 to GS-12 levels or equivalent. Both efforts are considered flagship leadership programs that support the Department’s Human Capital Management Plan and our workforce succession plan. These plans assist organizations with attrition and retirement requirements in 16 mission critical career areas. The ELDP helps the Department maintain a high level of success with respect to our Human Capital Management Plan, a major mandate of the President’s Management Agenda.

Commerce offers a number of intern programs to high school students as well as postsecondary students at both the undergraduate and graduate levels. These intern programs offer students an opportunity to participate in hands-on education and training related to the mission of the Department in the disciplines of computer sciences, engineering, life sciences, physical sciences, communications and graphic design, mathematics, and related business disciplines.

In past years, the Commerce Office of the CIO has participated in the Hispanic Association of Colleges and Universities (HACU) internship program. Commerce has benefited greatly from the expertise and enthusiasm of these HACU-sponsored college students. These students typically supported the annual IT budget capital investment review process, and the E-Government program.

Commerce’s Office of the CIO has also cooperated with the Microsoft Corporation and the American Association of People with Disabilities (AAPD) to offer a summer internship program designed specifically for college and university students with disabilities who are interested in careers in information technology. The internship enables students to gain real-world experience and further enhance their employment opportunities while demonstrating to prospective employers that students with disabilities are solid prospects for the IT workforce.

Accessibility

The Commerce IT Accessibility Coordinators developed and the Commerce CIO issued an Electronic and Information Technology (EIT) Accessibility Policy to address Section 508 of the Rehabilitation Act. The policy requires that all Commerce operating units comply with the EIT accessibility standards for individuals with disabilities published by the Architectural and Transportation Barriers Compliance Board, when procuring, developing, maintaining, or using EIT. If complying with these standards would constitute an undue burden, then requests for relief from the standards must be submitted to the Commerce CIO.

The IT Accessibility Coordinator has instituted a network of Commerce operating unit Accessibility Coordinators. This group meets to share best practices in the use of assistive technologies and stay abreast of government-wide accessibility activities. Also, the Commerce IT Accessibility Coordinator has established an Accessibility Web site that provides useful information on EIT accessibility, including a section that focuses on the best practices employed to include Section 508 requirements in the acquisition process.

Like the IT Architecture and IT Security programs, the IT Accessibility Program is linked to the capital planning and investment review process through the strategic IT plans and the Exhibit 300s that form the basis of budget initiatives, investment reviews, and operational IT plans.

Acquisition

In a cooperative effort with the Office of the CIO and the Office of Budget, Commerce’s Office of Acquisition Management (OAM) uses OMB Circular A-11, Exhibit 300 as the foundation for documentation required in the acquisition process. An attached Acquisition Plan provides additional acquisition information. This procedure fully integrates the acquisition process with the information technology, cyber security compliance, and budgeting processes.

Under Commerce’s IT Acquisition Initiatives Policy, to request the approval of an IT initiative and an IT Investment Authority (ITIA), the operating unit submits an Exhibit 300 and Acquisition Plan to the Office of the CIO. The Office of the CIO schedules the requesting organization to brief the CITRB or refers the request to the OAM for review by the Acquisition Review Board (ARB), unless such a briefing is waived. A representative of the Office of the CIO sits on the ARB. The CIO may approve the IT acquisition initiative and grant an ITIA if recommended by the CITRB or the ARB and if cleared by OAM and the Office of General Counsel. The Procurement Executive sits on the CITRB, along with a contracting expert from the Office of General Counsel, which ensures that acquisition issues are addressed fully in IT investment reviews.

OAM has also issued a memorandum for the heads of contracting offices and operating unit procurement officials emphasizing the need to address IT security requirements in acquisitions. This provides additional reinforcement to the linkage between IT acquisition and IT security. Further, the CIO and Procurement Executive jointly issued instructions to the Commerce CIO and acquisition communities to ensure that no acquisition duplicates OMB’s E-Government or Lines of Business Initiatives, that acquisitions of IT hardware and software are IPv6 compliant, and that all contracts for major IT development efforts include earned value management requirements. In this way, Commerce’s functional disciplines work together as a cohesive unit to support the strongest and most efficient IT investments.

Maturity Model

Commerce has developed an IT Planning and Investment Review Maturity Model based on the General Accountability Office’s IT Investment Management process. GAO has reviewed and commented favorably on this maturity model. The model is intended to help the operating units understand the full capital planning and investment control process, including linkages to other areas of IT management responsibility and to the budget and acquisition processes, and to help them mature their processes over time. Operating units report measures using the model annually in support of the Strategic IT Plan. The model is updated periodically to reflect new legislation, guidance, and new directions in capital planning and related disciplines. Periodically, a team performs an independent verification and validation of the operating unit self-assessments against this model and provides comments and recommendations to the operating units. A new model supported by a software tool will be used in the FY 2009 process.

Electronic Capital Planning and Investment Control (eCPIC)

Commerce prepares its Exhibits 300 (Capital Asset Plan and Business Case Summary) and 53 (Agency IT Investment Portfolio) through eCPIC, an automated portfolio management tool. A representative from Commerce sits on the eCPIC Change Management Committee and Commerce has provided a test bed for the revised software. Improvements are ongoing, with positive feedback from users and analysts. In June 2007, the eCPIC system received a re-certification and a re-accreditation.

This year we implemented use of a new feature within eCPIC to monitor baseline changes. This tool is helping us understand when and why baseline changes occur. Formal approval of baseline changes is now required.

Benchmarking IT Management Processes

Commerce is committed to sustaining and improving its IT management processes. To this end, Commerce routinely and regularly benchmarks its IT management practices against those of leading organizations. Commerce maintains a subscription to Gartner Group, which provides benchmarking solutions using a large database of IT performance metrics, enabling us to compare our IT functions to those of similar organizations. Office of the CIO staff study General Accountability Office reports of IT management processes and stay abreast of IT management best practices through participation at conferences and with professional organizations and subscriptions to professional journals, magazines, and newspapers. Of particular note from past years is Commerce’s own IT conference, with external and internal speakers on an array of IT subjects, which offers the broader Commerce IT community the opportunity to benchmark their practices against those of others. Also, we have conducted off-site conferences with the operating unit CIOs to exchange ideas and arrive at concurrence on strategic and operational issues.

Through the Federal CIO Council’s Best Practices Committee, which has compiled best practices to share across the Federal IT community, Commerce has spearheaded a Community of Practice for Capital Planning and Investment Control. Commerce has also reached out across the Government to share our IT management practices through presentations at the Information Resources Management College of the National Defense University, National Academy of Public Administration, National Academies, AFCEA, Association for Federal Information Resources Management, etc.

Summary of Improvements

Commerce has been actively working to improve its capital planning and investment control process. Summarized below are the actions we have taken over the past year to improve the process. Many of these activities are addressed in the discussion above; they are enumerated here to highlight the serious, continued, and dynamic efforts Commerce is taking to manage its information technology investments.

Commerce has taken or is taking the following actions:

    • Updated Commerce’s Strategic IT Plan. The plan highlights key IT investments including four major modernization efforts: The Census Bureau’s 21st Century Master Address File/Topologically Integrated Geographic Encoding and Referencing (MAF/TIGER) Enhancements, the National Oceanic and Atmospheric Administration’s High Performance Computing Strategy (HPCS), and the Patent and Trademark Office’s Patent Automation Program and Trademark Automation Program. Like last year’s plan, this year’s plan focuses on a streamlined set of IT goals and identifies strong performance metrics to track progress against these goals. The plan has been reorganized to highlight key information in the main body and include supplemental information in appendices.

    • Updated all internal calls for elements of the Capital Planning Process including Strategic IT Plans, Operational IT Plans, Enterprise Architecture, FY 2010 budget initiatives, etc. Each call was revised to reflect changing requirements and areas of focus Government-wide.

    • For the FY 2010 budget, analyzed 13 investments, nine through the Commerce IT Review Board and four through the Office of the CIO staff selection processes. Provided recommendations regarding these initiatives to the Deputy Secretary through the Office of Budget. In CY 2007, analyzed 20 investments through the Commerce IT Review Board control and evaluation processes. In CY 2007, issued five IT Investment Authorities for major IT acquisitions totaling $213.3 million.

    • Prepared Exhibits 300 (Capital Asset Plan and Business Case Summary) and 53 (Agency IT Investment Portfolio) through eCPIC and submitted XML files to OMB as part of the FY 2009 budget process. The more than 60 business cases prepared and submitted to OMB covered over 85% of Commerce’s IT budget. All but five of the business cases on OMB’s “Watch List” were cleared for investment-specific reasons.

    • Completed the re-certification and re-accreditation of the eCPIC application.

    • Implemented a new rebaseline control process using eCPIC, which requires each investment with a proposed baseline change to categorize, justify, and get CIO approval for that change.

    • Continued training and one-on-one consultations to address the areas of the Exhibit 300 that cause preparers the most difficulty, including performance measurements, alternatives analysis to include return on investment, and earned value management. Prepared and updated instructions on how to produce a high quality business case and posted them to our Web site.

    • Prepared and updated Web-based guidance on how to prepare high quality presentations for the CITRB. Conducted pre-reviews of the presentations and the business cases and provided feedback to investment sponsors prior to the CITRB meetings.

    • Reviewed all business cases and provided comments to investment sponsors to help improve the quality of the business cases. Assisted operating units in identifying and resolving concerns that caused business cases to be on OMB’s Management Watch List.

    • Revised the Enterprise Architecture to document results realized from the combined capital planning and architecture efforts in reducing redundant systems and taking advantage of newer technologies to achieve efficiencies. The high-level overview describes Commerce’s goals and business needs, and “as is” and “to be” architectures along with migration plans, from business, information, application, and infrastructure views. This is supplemented by detailed technical and architecture information from the operating units as well as multiple artifacts such as Systems Development Life Cycle Guidance, IPv6 Implementation Plan, and EA Training and Communications Plans. Commerce’s Enterprise Architecture now includes two segments, Observing Systems and Spectrum Allocation Management.

    • Continued emphasis on refining the Department’s IT Security program, including sustaining it as a very high priority and improving its integration with the IT Capital Planning and Investment Control program. Specifically:

    o In a concerted effort, focused the Department's IT Compliance Review program on improving the quality of performance and documentation of system certification and accreditation efforts.

    o Implementing Cyber Security Assessment and Management (CSAM), a tool to help build strong certification and accreditation packages.

    o Continued delivery and improvement of the Department's end-user annual refresher training and role-based training for those with significant IT security roles and responsibilities.

    • Continued Department-wide support of intrusion detection sensors on Internet-facing systems, system vulnerability assessment capabilities, and management controls and accountability to improve overall security posture and mitigate risk of harm to or compromise of IT investments and information.

    o Updated Commerce’s Homeland Security Presidential Directive 12 (HSPD-12) Implementation Plan regarding Personal Identification Verification. Continued coordination with the GSA’s Managed Service Office to prepare for the implementation of the EDS solution. A shared responsibility, the Executive Steering Committee composed of the CIO, Director of Human Resources and Director of Security, established a Departmental HSPD-12 Solution Implementation team to support the operating units’ implementation of the solution. Issuance of cards is ongoing.

    o Responded to OMB’s Memorandum M-06-17 regarding safeguarding sensitive information including encryption, two-factor authentication, remote access time-out, and data extract log and verify.

    o Continuing to conduct surveys and analysis of the use of social security numbers and other personally identifiable information in Commerce to execute our plan to eliminate use whenever possible.

    o Focused on new initiatives to address Trusted Internet Connections (TIC), Federal Desktop Core Configuration (FDCC), and National Communications Security Directive 3-10 for providing communications under emergency situations.

    • Continued privacy coordination between the Commerce CIO as the Senior Official for Privacy and the Privacy Act Officer under the Privacy Act. This provides a focal point for privacy policy and activities at Commerce.

    • Completed, and posted to the Web, Privacy Impact Assessments (PIA) for applicable IT systems. Incorporating the data extract log and verify procedures in the PIAs. Reviewing and, as needed, revising PIAs to ensure consistency of coverage.

    • Verified Web Privacy Policies and their availability in machine-readable format, following Platform for Privacy Preference Project (P3P) criteria.

    • Submitted quarterly High Risk Reports to OMB.

    • Continue to maintain and enhance the E-Government International Trade Process Streamlining (ITPS) initiative. OMB has graduated ITPS.

    • Participated in 31 other cross-cutting E-Government and Lines of Business Initiatives. See highlights in the body of the report.

    • Filed Commerce’s E-Government Report, showing strong progress in developing Commerce and government-wide E-Government initiatives.

    • Maintained Commerce’s E-Commerce Web site, which highlights some of Commerce’s many E-Government success stories.

    • Completed Commerce’s E-Government Implementation Plans, outlining milestones for implementing with OMB’s E-Government, Lines of Business, and SmartBuy Initiatives. Filed quarterly progress reports.

    • Submitted Commerce’s Information Collection Budget.

    • Filed Commerce’s FY 2007 Information Quality Report, indicating that Commerce received seven requests for correction.

    • In support of information quality, updated Commerce’s Peer Review Agenda for Highly Influential Scientific Assessments and Influential Scientific Information on Commerce’s Web site.

    • In support of Good Guidance Practices, posted significant guidance documents to the Web.

    • Participated in Commerce’s E-Stewardship Program. Our initial focus is on acquisition, use, and disposal of PCs in compliance with “green” standards.

    • Responded to GAO reviews of Chief Privacy Officers, rebaselining, and OMB’s Management Watch and High Risk Lists. Responded to an Inspector General’s review of Commerce’s PIA process.

    • Continuing efforts to strengthen project management at Commerce, including implementation of the new Federal Acquisition Certification for Program and Project Managers; training for IT project managers who need it; regular, systematic use of Earned Value Management analysis for development projects and operational analysis for steady state projects; and establishment of a program management service.

    • Filed quarterly reports assessing progress against Commerce’s IT Workforce Development Plan.

    • Continued to share and discuss information on all of the above activities through the monthly CIO Council meeting and other Commerce forums, such as the Chief Financial Officers Council.

    • Continued to measure progress in improving processes and results through the maturity scores of the IT Planning and Investment Review and Enterprise Architecture maturity models.

    • Maintained the Commerce CIO Web site to enhance the users’ ability to find capital planning and project management guidance as well as information about other CIO policies.

    • Documented the Commerce Capital Planning and Investment Control Process and submitted it to OMB in September 2007. This document is an update of that documentation.