5 FAM 600
INFORMATION TECHNOLOGY SYSTEMS
5 FAM 610
DEVELOPING AND MANAGING INFORMATION TECHNOLOGY (IT) SYSTEMS
(CT:IM-253; 11-26-2018)
(Office of Origin: IRM/BMP)
5 FAM 611 GENERAL
(CT:IM-253; 11-26-2018)
a. This policy establishes Department standards for
effective and efficient management of information technology (IT) investments.
b. Project managers must adhere to this policy
throughout the systems life cycle.
c. Project managers must take a Department approved
project management course and complete the Department's mandatory leadership
training program offered by the Foreign Service Institute (FSI) before taking
on a project.
d. Project managers must develop performance criteria
for measuring project performance based on the Department's enterprise
architecture (EA) and latest Office of Management and Budget (OMB) Performance
Reference Model (PRM) and Performance Measures required by the National
Institute of Standards and Technology (NIST) Special Publication (SP) 800-55 Revision 1. (See 5 FAM 670.)
e. All systems (including applicable contractor
systems) and applications associated with any projects must be registered in
Integrated Management, Analytics, and Technology Resource for Information
Exchange (iMATRIX). (For more information on how to register systems and
applications in iMATRIX, refer to the iMATRIX website.)
f. Managers must coordinate all long- and short-term
training requirements (domestically and abroad) related to the project with FSI
before starting any IT project.
g. All major projects must be evaluated through the
Capital Planning and Investment Control (CPIC) process. (See the E-Gov Program
Management Office (PMO) Web site.)
h. Project managers must use an approved Earned Value
Management System (EVMS) for all major projects in accordance with guidelines
established in American National Standards Institute/Electronics Industries
Alliance (ANSI/EIA-STD-748). (See 5 FAM 680.)
i. Electronic Signature (E-Sign) is authorized for use
to digitally sign contracts and other legal forms and documents that are usually
written on paper. (See 5 FAM 612, paragraph b.)
j. A government program/project manager (GPM) or other
designated full-time U.S. Government employee must represent organizations for
training, briefings, and seminars regarding major and nonmajor investments.
k. The Department requires that project managers
incorporate IT security into the life cycles of their projects and systems (per
Procurement Information Bulletin 2007-29)
and use performance-based measures in the performance of all IT contracts (per FAR
37.6 Performance-Based Acquisition).
l. Project managers must involve data management in the
beginning and throughout the project life cycle of all major applications and
general support system activities. (See 5 FAM 630.)
m. Project managers must indicate that quality is being
integrated in projects by taking the necessary steps to lay out the
requirements and the method for managing them. (See 5 FAM 640.)
n. Program managers must seek the involvement of the
Contracts and Procurement Division for all acquisition initiatives and
requirements. Their participation beginning in the initial phases will likely
contribute to exploring strategic approaches, establishing requirements,
simplifying the procurement plan, obtaining required internal approvals,
preparing specifications, and achieving milestones.
o. System owners should consult the Department's Privacy
Office (A/GIS/PRV) when conducting a Privacy Impact Assessment (PIA). Under
the E-Government Act of 2002, agencies are required to conduct a PIA before:
(1) Developing or procuring IT systems or projects
that collect, maintain or disseminate information in identifiable form from or
about a member of the public, or
(2) Initiating, consistent with the Paperwork
Reduction Act, a new electronic collection of information in identifiable form
for 10 or more persons (excluding agencies, instrumentalities, or employees of
the Federal Government).
p. OMB M-07-16 and related memoranda mandate additional
controls for all information systems (electronic or otherwise). These systems
must implement additional protections for Personally Identifiable Information
(PII) (see 5 FAM 613).
5 FAM 612 SCOPE AND AUTHORITY
(CT:IM-247; 11-20-2018)
a. This policy applies to all Department organizations
and entities as the authority governing management of major and nonmajor IT
investments. The policy provides requirements for project development,
integration, modification, and maintenance of the Department IT systems,
products, and services. This policy applies to all Department personnel, as
well as contractors involved in Department systems and program planning,
development, modification, integration, operation, and maintenance.
b. The authorities establishing this policy include:
(1) Paperwork Reduction Act, Public Law 104-13;
(2) Clinger-Cohen Act, Public Law 104-106 (formerly
known as the Information Technology Reform Act);
(3) Government Performance and Results Act of 1993,
Public Law 103-62;
(4) E-Government Act of 2002, Public Law 107-347;
(5) Federal Information Security Management Act of
2002 (FISMA), Public Law 107-347, Title III;
(6) Government Paperwork Elimination Act of 1998,
Public Law 105-277;
(7) Electronic Signatures in Global and National
Commerce Act, June 30, 2000, Public Law 106-229;
(8) OMB Circular A-130 Managing Information as a
Strategic Resource;
(9) Federal Information Technology Acquisition Reform Act
(FITARA), Title VIII, Subtitle D, Sections 831-837 of Public Law 113-291, the Carl
Levin and Howard P. "Buck" McKeon National Defense Authorization Act
for Fiscal Year 2015;
(10) OMB Memorandum M-15-14, Management and Oversight
of Federal Information Technology;
(11) Presidential Decision Directive (PDD) 63, May 22,
1998;
(12) Federal Acquisition Regulation (FAR) Sections
7.102, 10.002 and 11.105;
(13) FAR, Subpart 34.2;
(14) ANSI/EIA-STD-748-A;
(15) Section 508 of the Rehabilitation Act of 1973 (29
U.S.C. 794d);
(16) Executive Order 13589 (Promoting Efficient
Spending);
(17) NIST SP 800-64, Security Considerations in the
Information System Development Life Cycle, June 2004;
(18) NIST SP 800-65, Integrating IT Security into the
Capital Planning and Investment Control Process;
(19) Privacy Act of 1974, (5 U.S.C. 552a), as amended;
(20) M-07-16, Safeguarding Against and Responding to
the Breach of Personally Identifiable Information (May 22, 2007);
(21) M-06-15, Safeguarding Personally Identifiable
Information (May 22, 2006);
(22) M-06-16, Protection of Sensitive Agency Information
(June 23, 2006); and
(23) M-06-19, Reporting Incidents Involving Personally
Identifiable Information (July 1, 2006).
5 FAM 613 DEFINITIONS
(CT:IM-85; 04-02-2007)
Acquisitions period: One of
the three periods in the project cycle, preceded by the study period and followed
by the operations period. The acquisition period encompasses the source
selection period.
Alternatives analysis:
Identifies alternatives to meeting project objectives:
(1) Selection of the top three alternatives;
(2) Comparison of the three alternatives using a set
of reasonable criteria;
(3) Identification of the preferred alternative; and
(4) Documentation of the benefits associated with the
preferred alternative.
Annual operating costs: A
one-year expenditure or cost projection for required resources to produce
products and services.
Benefit cost analysis (BCA): A
project development technique used as a systematic approach for comparing
alternatives in project development; see also simplified BCA. (See 5 FAM 660.)
Business case: An executive
report which outlines an evaluation of a proposed investment in terms of
Department missions and objectives, purpose and approaches, costs and desired
outcome, as well as investment risk analyses (including security risks). (This
report is required for all IT projects and systems meeting the enterprise level
of investment, defined as a major project by the E-Government Program Board
(E-GovPB)).
Capital expenditures: Costs
incurred for purchasing capital assets or tangible property, including durable
goods, equipment, buildings, installations, and land.
Capital planning: A systematic
effort to manage the risks and returns on capital assets for a given mission.
Capital planning and investment
control (CPIC) process: A decision-making process, directed through the
Department's E-Government Program Board (E-GovPB), to ensure that information
technology investments integrate strategic planning, budgeting, procurement,
and the management of IT in support of the Department's mission and business
needs.
Concept of operations document:
A detailed document that defines and establishes the human-to-machine workflow
of the product for the operational environment.
Configuration management (CM):
The process of identifying and defining the change control items in a system,
controlling the release and change of these items throughout the systems life
cycle, recording and reporting the status of configuration items and change
requests, and verifying the accuracy and completeness of configuration items.
Contracting officer: See FAR
2.101.
Contracting officer's representative
(COR): A technically-qualified person designated as the contracting
officer's authorized representative to assist in the administration of a
contract. The designation must be made in writing by the contracting officer
in accordance with DOSAR 642.270(f). (See 14 FAH-2, Contracting Officer's
Representative Handbook, for more information and additional requirements.)
Control gate: A management
review process in the project cycle designed to examine and evaluate project
status (milestones) and to determine if the project will proceed to the next
management event.
Conversion: Addresses
requirements to change software, hardware, data values, forms, or
organizational structures to enhance data use.
Data management (DM): The
Department's management office for developing, standardizing, maintaining, and
approving data elements for use in IT systems development projects.
Data mapping: A method used to
identify and link selected data to one or more equivalent standard data
elements.
Data modeling: Identifies
informal graphical and textual representation and the entities and
relationships involved in a data process; provides a mechanism for
understanding the intended activity of a new system and designing the data.
Data reference model (DRM):
One of the five reference models of the Federal Enterprise Architecture (FEA).
The DRM is a framework whose primary purpose is to enable information
sharing, to allow reuse across the Federal Government via the standard
description and discovery of common data, and to promote uniform data
management practices.
Earned value management (EVM):
See 5 FAM 680.
E-Government Program Board (E-GovPB):
See 5 FAM 115.3.
Electronic signature (E-Sign):
GPEA defines "electronic signature" as a method of signing an
electronic message that:
(1) Identifies and authenticates a particular person
as the source of the electronic message; and
(2) Indicates such person's approval of the
information contained in the electronic message.
Executive management:
Personnel (i.e., division chiefs, office directors, policy staff assistants)
directly responsible for the approval and management of program planning and
implementation, staffing requirements and assignments, and budget allocation
and disbursement.
Federal Enterprise Architecture (FEA):
The Federal Enterprise Architecture (FEA) is a set of inter-related reference
models designed to facilitate cross-agency analysis and collaboration.
Information system: See 5 FAM 913.
Information Technology Change Control
Board (IT CCB): A centralized body of knowledgeable personnel with the
appropriate authority to evaluate change requests that impact the operational
stability or maintainability of IT assets controlled, managed, or supported by
the Department of State.
Managing State projects (MSP):
A project management methodology consisting of periods, phases, activities, and
control gates, designed specifically for the Department of State.
Object: Access to an object
potentially implies access to the information it contains. Examples of objects
are records, blocks, pages, files, directories and programs, as well as bits,
bytes, words, fields, keyboards, clocks, printers, network nodes. (See 5 FAM 630.)
Operations period: The third
period in the project cycle, preceded by the study period and the acquisition
period. The operations period encompasses the deployment phase, the operations
and maintenance (O&M) phase, and the deactivation phase.
Performance-based service contracts:
Contracts that incorporate a process for obtaining results that add value and
benefit to the Department. These performance-based service contracts may
include incentives and disincentives based on actual services performed.
Performance measures:
Indicators of progress toward achieving goals and objectives based on actual
vs. planned targets established.
Personally identifiable information
(PII): Refers to information which can be used to distinguish or trace
an individual's identity, such as their name, Social Security Number, biometric
records, etc., alone, or when combined with other personal or identifying
information which is linked or linkable to a specific individual, such as date
and place of birth, mother's maiden name, etc. Department employees should
exercise their best judgment in determining the sensitivity of the PII.
Sensitivity of the PII would depend on factors such as whether its unauthorized
disclosure may result in any of the following harms to the record subject:
fiscal or physical harm, identity theft, personal or professional
embarrassment, inconvenience, unfairness, security risks, coercion, and/or
other adverse effects.
Privacy impact assessment (PIA):
An analysis of how personal information is collected, stored, shared, and
managed in a Federal system:
(1) To ensure handling conforms to applicable legal,
regulatory, and policy requirements regarding privacy;
(2) To determine the risks and effects of collecting,
maintaining, and disseminating information in identifiable form in an
electronic information system; and
(3) To examine and evaluate protections and
alternative processes for handling information to mitigate potential privacy
risks.
Program: A coordinated group
of planned undertakings (projects) having a common goal, objective, or mission.
Project: A carefully planned
task or undertaking that has been scheduled to meet specified performance goals
and achieve a desired result within defined budget and time constraints.
Project management certificate:
An official document awarded to students who successfully complete a sequence
of courses (i.e., a mixture of required and elective courses).
Project plan: A documented
collection of achievable goals that establishes a beginning and end; groupings
of milestones and tasks; in MSP, a collection of control gates based on a work
breakdown structure outlining tasks.
Project quality assurance: A
process consisting of features and functions used in project development to
ensure that the system is reliable, authentic, and meets all the requirements
of the quality assurance plan.
Project quality control:
Activities performed continually throughout a project to verify that project
management and project deliverables are of high quality.
Project quality management: A
management function that includes all activities that determine the policy,
objectives, and responsibilities, and implements them through quality planning,
quality control, and quality assurance.
Project risk management: A
method to identify and evaluate risks associated with a project, system, or
overall investment, and incorporates input into planned
project/system/investment goals.
Quality assurance manager: The
person responsible for overseeing all aspects of achieving the required quality
performance, including inspectability, testability, process control, and
related factors (also called the QA process).
Return on investment (ROI):
The result for projects in which positive gains (improved mission performance;
reduced cost; increased quality, speed, or flexibility; increased
customer/employee satisfaction) have been demonstrated.
Risk: The potential for
encountering negative technical, costs, or schedule impacts in a project.
Simplified BCA: A scaled-down
version of the BCA that focuses only on those elements that the project manager
deems relevant.
Study period (MSP): The
conceptual planning phase (i.e., requirements gathering, details); time used
to establish the scope and direction of the project by recommended phases
(i.e., user-requirements definition, concept definition, system definition, and
acquisition planning).
System: See 5 FAM 913.
Task manager: The person on
the project team responsible for ensuring completion of tasks in the work
breakdown structure of the project plan; the individual responsible for
managing a task or cost account.
Validation: The generic term
that applies to the whole range of data quality issues, from elimination of
duplicate records to compliance with format standards to matching values with
reference tables.
Vendor: Used synonymously with
supplier of material or services for sale through catalog, reverse auction,
and/or price quote. (Certain laws apply for funding thresholds between
$2,500.00 - $25,000.00.)
5 FAM 614 ACQUIRING IT SERVICES
(CT:IM-79; 11-08-2006)
a. Managers must begin coordinating all acquisition
requirements with the contracting officer (CO) as soon as the requirements are
initially identified. Managers must fully cooperate with COs and contracting
officer's representatives (CORs) in all aspects of the award and administration
of all contracts. COs, CORs, and managers must hold contractors accountable
for performance in accordance with the contract. Only the CO can modify the
contract, if necessary.
b. See 5 FAM 900
for IT Acquisition policies.
5 FAM 614.1 Performance Work Statements
(CT:IM-85; 04-02-2007)
a. The CO is responsible for implementing
performance-based service contracting. The CO is also ultimately responsible
for everything that goes into the contract, including the performance work
statement.
b. The COR is responsible for the quality (see 5 FAM 640) of
the performance work statement that is submitted to the CO and should reject
procurement requests that do not meet this requirement. The COR must have
completed COR training before performing contract management responsibilities.
FSI is the preferred source for this training.
c. Program offices must arrange for training of
employees who write performance work statements for services. Employees may
receive training through FSI or from other sources.
d. Project managers must establish criteria to
scrutinize incoming procurement requests for project development.
5 FAM 614.2 Requirements for Contracts
(CT:IM-79; 11-08-2006)
a. All new service contracts must be performance-based,
with defined deliverables and performance standards, unless justified in
writing and approved by the Office of the Procurement Executive (A/OPE) (see 5 FAM 915.4).
b. Per FAR 11.105, all new supply contracts shall be
solutions-based and results-oriented rather than specifying a specific brand
name. If only one or a limited number of brand names are acceptable, then the
brand name specification must be justified in accordance with FAR 11.105(b) or
11.105(c), as determined to be applicable by the CO.
c. The Department is accountable to OMB through the
e-CPIC process for periodic reports on the progress made in performance-based
service contracting.
5 FAM 615 THE PROJECT PLAN
(CT:IM-79; 11-08-2006)
A project plan must be in place before beginning any
project for accountability purposes and successful results. A typical project
plan should include the clearly defined requirements, tasks, schedule, tasks
assignments, resources, and expected results. The project plan becomes the
primary source of information for how the project will be planned, executed,
monitored and controlled and closed. All project plans must include the
following:
(1) Project background: briefly describe the effort and
state goals;
(2) Responsibilities: name key personnel;
(3) Objectives and performance measures: clearly state
objectives to include performance measures and how these objectives will be
accomplished;
(4) Business case: prepare a business case, during the
project's study period, that addresses risks in terms of specific security
considerations as well as the cost, schedule, performance, functional and
technical requirements;
(5) Work breakdown structure: subdivide the major
project deliverables and project work into smaller, more manageable components,
including security requirements, to accomplish the goals;
(6) Issues, risks, security, and constraints: identify
concerns, problems, and possible delays;
(7) Annual operating costs: estimate annual operating
costs, including short-term and long-term training and security requirements
costs;
(8) Signatures: the project manager must sign and secure
other approval signatures as required;
(9) Courses and students: list the training required and
individuals to be trained; and
(10) Contract review performed by the Office of the
Procurement Executive (A/OPE).
5 FAM 616 REVIEW BOARDS
(CT:IM-184; 12-22-2016)
a. The following senior-level boards evaluate IT
projects in accordance with 5 FAM 110:
(1) Electronic Government Program Board (E-GovPB): An
advisory entity to the Under Secretary for Management that addresses the full
range of Department e-Government and IT investment portfolio and project
management activities;
(2) The E-Gov Advisory Group: Provides a business,
technical, and investment evaluation of IT initiatives before submission to the
E-GovPB, considering potential risk, cost, benefit, alignment with the
Department's EA, and priority in relation to other IT investments. It also
identifies issues for E-GovPB review to ensure senior-level attention;
(3) Electronic Government Program Office (E-GovPMO):
The office that ensures the completion of all program elements related to the
Department's IT investments for meeting E-Government guidance and to ensure
that major milestones are met throughout all stages of the Capital Planning and
Investment Control (CPIC) process;
(4) Information Technology Change Control Board (IT
CCB): (see 5 FAM 110); and
(5) Local Change Control Board (CCB): (see 5 FAM 110).
b. Both advisory groups review proposed IT programs to
ensure that technical objectives can be achieved and proposed projects are
sound investments that contribute to the organization's mission and the
Department's strategic goals for IT endeavors to include all individuals in 5 FAM 110.
5 FAM 617 ROLES AND RESPONSIBILITIES
(CT:IM-79; 11-08-2006)
Executive management is responsible for the overall
direction, policy, and priorities of IT programs and projects. Project roles
and responsibilities are stated in 5 FAM 617.1 through 5 FAM 617.7.
5 FAM 617.1 Executive Management
(CT:IM-79; 11-08-2006)
Executive management facilitates support and resolves
conflict. Responsibilities include the following:
(1) Commits appropriate resources, including training,
to the project;
(2) Defines review boards' goals and objectives;
(3) Defines and clarifies corporate goals through
established architecture using review boards' results;
(4) Appoints project manager and defines project
manager's authority to lead and control work and resources;
(5) Defines decision channels for project;
(6) Provides project manager with long-range planning
and budget information to establish timely control gates within the project
plan;
(7) Ensures the project operates within budget
constraints; and
(8) Assigns management responsibility to ensure
security controls are identified.
5 FAM 617.2 Project Manager
(CT:IM-79; 11-08-2006)
a. Every project must have a project manager to oversee
the IT investment and ensure progress towards project goals and deliverables.
The project manager assigns specific roles and responsibilities to project team
members and ensures accurate and timely completion of all required
documentation and reporting requirements.
b. The project manager:
(1) Manages resources and activities to meet technical
objectives and satisfy user requirements by ensuring completion of the project
plan and requirements analysis documents at the outset;
(2) Is accountable for overall planning, direction,
and execution;
(3) Directs team, monitors progress, and resolves
conflict;
(4) Reviews requests for project development, modification
or integration and technical products, problem reports, and change requests;
(5) Keeps abreast of changes to the operating
environment to determine how to properly respond;
(6) Ensures the project operates within budget
constraints;
(7) Manages the budget and ensures timely funding by
executive management, if project exceeds budget year(s);
(8) Controls configuration management (CM) processes
and establishes quality assurance (QA) guidelines for the team;
(9) Identifies training requirements in support of new
projects or extensions of existing projects;
(10) Ensures adequate funding is requested for training
in support of new projects or extensions of existing projects;
(11) Keeps executive management abreast of the project
status; and
(12) Includes security costs (including certification
and accreditation) when budgeting for the project.
5 FAM 617.3 Project Team
(CT:IM-79; 11-08-2006)
a. The project team is comprised of members with
various technical and functional levels of expertise (e.g., analysts,
contractors, technical writers, and IT experts), as required to complete a
project.
b. At a minimum, the project team will consist of the
following members:
(1) Project manager;
(2) Contracting officer (CO);
(3) Contracting officer's representative (COR);
(4) Project task manager for tasks that are
established within the work breakdown structure of the project plan;
(5) Budget coordinator;
(6) Quality assurance manager;
(7) End user and/or sponsor;
(8) Vendor and/or contractor representative, if a contract
is in place;
(9) Information system security officer (ISSO);
(10) Training officer; and
(11) Configuration manager.
c. Team members are assigned tasks by the project
manager and work together to accomplish the following tasks:
(1) Collect and analyze requirements;
(2) Coordinate budget and resource requirements;
(3) Report periodically to project manager or project
task manager;
(4) Produce project quality assurance documentation
needed to meet requirements; and
(5) Represent vendor and/or contractor to assist with
deliverables, if necessary.
d. Team members may be required to serve on the project
team for any portion of the project lifecycle.
5 FAM 617.4 Sponsor
(CT:IM-52; 06-25-2004)
The sponsor is the primary point of contact in the end
user (sponsor) organization. The sponsor does the following:
(1) Submits and authorizes requests;
(2) Commits resources to define and specify
requirements;
(3) Represents the user and/or customer;
(4) Interacts with the project manager and others
outside of the sponsor organization;
(5) Coordinates user participation, when necessary;
(6) Participates in quality assurance and security
reviews;
(7) Reviews and approves products;
(8) Accepts the system when it meets users'
requirements; and
(9) Identifies training users will need, if any, to
use the end product.
5 FAM 617.5 User and/or Customer
(CT:IM-85; 04-02-2007)
Anyone who will use the system or end product being
developed and/or accepts the end product(s) is a user or a customer. The user
and/or customer ensure that software requirements are based on business needs
by participating in interviews and providing reference materials to
substantiate the requested replacement system. The user and/or customer may
provide additional input as follows:
(1) Reviews and provides input to documentation
prepared by the project team;
(2) Develops and/or approves acceptance test;
(3) Administers and participates in acceptance test;
(4) Prepares appropriate administrative and/or user
documentation, such as responsibility for developing training guides and
standard operating procedures;
(5) Develops a concept of operations document if
necessary;
(6) Participates in system/product/services testing;
(7) Attends any training needed in order to be able to
use the end product; and
(8) Accepts system, product, or service after user
requirements are satisfied.
5 FAM 617.6 Quality Assurance Manager
(CT:IM-79; 11-08-2006)
The quality assurance (QA) manager is the primary contact
for project quality assurance and configuration management issues. The QA
manager:
(1) Monitors and updates development requests per the
initial statement of work or functional requirements;
(2) Ensures the project manager establishes an IT
engineering process based on managing State projects (MSP) or other approved
engineering processes;
(3) Interacts with the project manager and others
outside of the sponsor organization concerning all configuration management
(CM) and/or QA issues;
(4) Participates in project quality assurance reviews;
(5) Reviews and approves products;
(6) Establishes and records a baseline for the product
throughout its lifecycle; and
(7) Defines product naming and tracking standards.
5 FAM 617.7 Data Administrator
(CT:IM-79; 11-08-2006)
The data administrator develops physical database models
for major and nonmajor projects that comply with the data reference model
(DRM); approves, maintains, and ensures accuracy of data and database
performance; coordinates with the Data Administration Working Group (DAWG) on
behalf of the project team. (See 5 FAM 636.)
5 FAM 618 PROJECT RISK MANAGEMENT
(CT:IM-79; 11-08-2006)
a. Project risk management is a process used to manage
or predict future outcomes based on present knowledge. Project managers must
be committed to addressing the management of risk proactively and consistently
throughout the project.
b. Risk assessment judges the probable effect of each
risk factor on the project, so that the project manager can minimize the effort
in responding appropriately.
c. A risk is usually brought about by lack of
resources, lack of information, or lack of control over the decision-making
process. An analysis of this risk and any strategy adopted to control it
should consider these causes. Common risk factors include (but are not limited
to) the following:
(1) Volatility of requirements;
(2) Project scope;
(3) Project management ability;
(4) Project staffing levels and skills;
(5) Technology experience and degree of innovation;
(6) Technical complexity;
(7) Realism of project schedules;
(8) Availability of funding;
(9) Senior management support;
(10) Number and types of procurement;
(11) Security risks;
(12) Logistics and/or transportation of materials;
(13) Host-country factors (e.g., customs,
infrastructure); and
(14) Inadequate training for developers or users.
d. Project managers should consider these basic risk
control strategies:
(1) Reduce the likelihood or consequence of risk
(e.g., buy information, i.e., a study or prototype);
(2) Protect the project from risk by arranging the
project plan to accommodate risk (much like fault tolerance);
(3) Set up contingency funds or additional time to
cover unexpected loss;
(4) Decide whether to accept the consequences; and
(5) Focus visibility and management attention on
clearly defined tasks (i.e., control gates).
5 FAM 619 SYSTEM AUTHORIZATION
(CT:IM-247; 11-20-2018)
a. Security safeguards must be in place to protect the
automated information system and its data against unauthorized access,
modification, destruction, and unavailability.
b. Project managers must issue a letter of intent to
perform C&A to the Office of Information Assurance (IRM/IA) after
registering in iMATRIX and completing the iMATRIX validation, to ensure timely
system authorization and to avoid unnecessary delays.
c. Department system owners responsible for Department
information systems, including those responsible for non-Department entities
(e.g., contractors, vendors), must ensure that system authorization is
performed on all FISMA reportable Department systems. (See 5 FAM 1064.)
d. Project managers must budget for security costs
including certification and accreditation when incorporating each safeguard
and/or countermeasure into the system. IRM/IA will assist project managers in
preparing the security portion of their investment documents. Consider programming,
time needed for testing, security equipment purchases, etc. (See the IRM/IA
Web site.)
e. System authorization must be performed in accordance
with Department requirements. See 5 FAM 1060; the
appropriate sub-chapters of 5 FAH-11; also see IRM/IA and the Office of
Computer Cybersecurity (DS/SI/CS) Web page.
f. Systems owners are responsible for all funding
required to perform C&A of their systems.