OMB Criteria (from Dashboard FAQs)

Question 1

OMB Criteria for - Requirements Management

Answer 1

Investment objectives are clear and scope is controlled
Requirements are complete, clear and validated
Appropriate stakeholders are involved in requirements definition

Question 2

OMB Criteria for - Contractor Oversight

Answer 2

Acquisition strategy is defined and managed via an Integrated Program Team

Agency receives key reports, such as earned value reports, current status, and risk logs

Agency is providing appropriate management of contractors such that the government is monitoring, controlling, and mitigating the impact of any adverse contract performance

Question 3

OMB Criteria for - Historical Performance

Answer 3

No significant deviations from planned cost and schedule

Lessons learned and best practices are incorporated and adopted

Question 4

OMB Criteria for - Human Capital

Answer 4

Qualified management and execution team for the IT investments and/or contracts supporting the investment

Low turnover rate

Other factors that the CIO deems important to forecasting future success

Question 5

DOC Internal Rating Factors - Transparency

Answer 5

Clear, timely, responsive communication
Investment documentation and content is up to date,
Complete and allows for transparent oversight of investment
Information provided is sufficiently detailed to assess project health

Question 6

DOC Internal Rating Factors - Risk Profile

Answer 6

Degree of risk based on risk register and other documentation
Quality of risk mitigation strategy including sufficient mgt reserve
Success in implementing strategy for realized risks
Experienced, qualified and stable project management team
Adequate IT Security Planning and implementation

Question 7

DOC Internal Rating Factors - Historical Performance

Answer 7

Cost and schedule variances overall and for key elements, within 10%
Operational performance metrics meet target
CITRB and other evaluation (OIG, GAO, …) results

Question 8

OMB 300 Artifacts - ROI Artifacts

Answer 8

Requirements document
Operational analyses for steady state or mixed lifecycle systems. Periodic requirement satisfied by monthly quad charts. Annual Operational Analyses report still required
Investment acquisition plan

Question 9

OMB 300 Artifacts - PAIR Artifacts

Answer 9

Post implementation review results, if applicable:
Appropriate/documented requirements control board processes
Investment charter, including IPT; and,
Risk Management Plan

Question 10

OMB 300 Artifacts - PI2 Artifacts

Answer 10

Project charters, as available
Investment alternative analysis and benefit-cost analysis
Investment re-baseline decision approval(s)

Question 11

IT Security Assessment Criteria

Answer 11

Principles followed in selecting criteria:

• • Are applicable whether in-house DoC programs or cloud-based Software as a Service.
• • Metrics are tangible and measureable vs. C&A process.
• • Single metric identified for each of the three DME phases.

Question 12

IT Security Assessment Criteria - the three DME phases.

Answer 12

Phase 1 Initiation: Performed FIPS 199 System Impact Analysis (low, moderate, high)?

Phase 2 Acquisition and Development: Completed IT Compliance in Acquisition checklist (see attachment)?
Phase 3 Implementation/Assessment: Have obtained an Authorization to Operate? (ATO)

Question 13

IT Dashboard Security Scoring

Answer 13

Score 0: No Documentation
Score 3: In Phase 2 and FIPS 199 completed
Score 3: In Phase 3 and FIPS 199 and Acquisition checklist completed
Score 5: ATO completed

Question 14

When is all investment data due for IT Dashboard Security Scoring?

Answer 14

All information is due by 10am on the 10th of the month or by 10am on the first weekday before that when the 10th falls on a weekend)

Question 15

List of all investment items due for security IT Dashboard review on or near 10 AM on the 10th of every month:

Answer 15

Self Assessment rating and comment for each investment
Updated Exhibit 300 information including:
Formal Baseline Change Request in eCPIC; supported by project plan
Exhibit 300B Project, Activity, Risk and Operational Performance data
Exhibit 300A Contract table data
Exhibit 300 Information Security questions
Monthly Quad Chart
Under Quad Chart “Issues” note departure or replacement of Project Manager
Current Risk Register (if changed)
Current Project Plan(s) (if changed or not previously provided). Must accompany any proposed Replan or Rebaseline.
Latest Earned Value data

Question 16

Define a security risk level 5 on the ITDB:

Answer 16

5- Low Risk
Investment documentation is up-to-date. Information provided is complete and allows for oversight of investment. No major risks, proper risk register. Within 10% variance, operational performance metrics meet targets. Project is performing well, no major issues. Investment objectives and scope are clear. Project management team is qualified and stable. No POAMS. Quad Chart is timely, specific deliverables are listed. Investment has dependencies and schedules align. Dependency fully managed and reported. Data provided allows assessment of investment health.

Question 17

Define a security risk level 4 on the ITDB:

Answer 17

4- Moderate Low Risk
Investment document is up-to-date. Some degree of moderate risk but being addressed. Variance within 10% or possible small schedule slippage. Some issues, but being addressed and communicated to DOC OCIO. Investment has dependencies and schedules align. Dependencies fully managed and reported. Proper risk register. Exhibit 300 data is up-to-date, project is performing well. Investment objectives and scope are clear. Project management team is qualified and stable. No POAMS. Quad Chart is timely, specific deliverables are listed. Data provided allows assessment of investment health.

Question 18

Define a security risk level 3 on the ITDB:

Answer 18

3- Medium Risk
Major medium and high risks, weak mitigation plan, lacking documentation, little transparency into project. Some key activities are outside of variance. Missing some Exhibit 300B data, rebaselining frequently. Investment has dependencies and schedules do not align. Investment objectives and scope are not well defined. Dependencies not fully managed or reported. Issues not reported to DOC OCIO. Some POAM delays.

Question 19

Define a security risk level 2 on the ITDB:

Answer 19

2- Moderately High Risk
No transparency into project, lack of communication and responsiveness from project manager. Project documentation is dated. Poor quality or missing Exhibit 300 data. Quad Chart does not identify specific deliverables and is not current. Major risks are not being addressed. Investment objectives and scope are not clear. Several key activities are outside of variance with no clear corrective action plan. Investment has dependencies and schedules do not align. Dependencies not fully managed or reported. Performance measures not met. Unresolved issues from OIG or CITRB. Issues not reported to DOC OCIO or OU. Significant POAM delays and security issues. Project management team frequent turnover and lacking qualifications. Data provided does not allow assessment of investment health.

Question 20

Define a security risk level 1 on the ITDB:

Answer 20

1- High Risk

Project documentation is lacking or dated. Poor quality or missing Exhibit 300 data. No transparency into project. Frequent turnover in project management team and lacking qualifications. Performance measures not met. Frequent rebaselines. Multiple key activities have significant cost and schedule variance with no clear corrective action plan. Investment objectives and scope are not clear. Investment has dependency and schedules do not align. Dependency not fully managed or reported. Quad Chart does not identify specific deliverables and is not current. Major risks are not being addressed. No mitigation plan. Lack of communication and responsiveness from project manager. Project objectives are not clear and scope is not well defined. Unresolved issues from OIG or CITRB. Ongoing issues with no clear resolution. Issues not reported to DOC OCIO or OU. Major POAM delays and security issues. Project management team frequent turnover and lacking qualifications. Data provided does not allow assessment of investment health.

Question 21

OMB Criteria for - Risk Management

Answer 21

Risk management strategy exists
Risks are well understood by senior leadership
Risk log is current and complete
Risks are clearly prioritized
Mitigation plans are in place to address risks