Governance

Introduction
Definition/Description (What) – Governance is a strategic decision-making process that grants authority, assigns accountability, defines expectations, and verifies performance. It also determines organizational objectives and monitors performance to ensure those objectives are attained.[1]
Purpose/Function (Why) – Provides a formal collaboration and consensus process for shared responsibilities (e.g., Executive Leadership) that drives economies of scale by identifying, prioritizing, and reusing investments to avoid duplicative costs. This section will describe how to:
  • Establish a collaborative governance and management oversight body for investment planning.
  • Establish an Information Technology Acquisition Review (ITAR) framework and checklist for portfolio management.
  • Align to the Capital Planning Investment Control (CPIC) acquisition process.
  • Provide information sharing agreement guidance for Service Level Agreements.

Stakeholder Performance Guide (Who & How) – For Executive Leadership and, to a lesser degree, Program Managers responsible for policy compliance, resource planning and approval (e.g., fiscal and human), and who have “signature authority” to commit to program strategic direction and resourcing.

[1] Holistic Engineering Education, Systems Integration, Chapter 5, The MITRE Corporation, February 23, 2011.

Governance Principles

The ability to coordinate across mission areas and collaborate on geospatial investments is a primary responsibility for the Executive Leadership to drive interoperability and cost efficiencies. When a governance structure is executed effectively, it provides procedures for collaboration and consensus-based strategic decision-making, defines accountability, sets obtainable goals and requirements, shares resource investments, validates accomplishments, and provides measurable performance metrics. Effective governance structures will enable agencies to offer and reuse capabilities and services for sharing across the environment, consistent with an interoperable architecture approach.

Without a consensus-based governance structure, achieving interoperability and the maximum value from enterprise geospatial shared service investments is impossible.

While a “one-size-fits-all” governance model is not practical, there are some common principles for successful governance:

  • Executive Leadership sponsorship, decision-making authority, commitment, and participation.
  • Defined roles and responsibilities with accountability by all members, usually through a Charter.
  • Defined goals and objectives with quantifiable performance measures to demonstrate success.
  • A systematic and repeatable approach for assessing investments and making decisions.
  • Subject matter expertise either resident or available through reach-back.
  • Inclusive discussions with consensus-based collaboration from all members.

Governance Structures

There are numerous governance models that can be applied at varying levels of rigor depending upon an organization’s complexity and/or the number and level of geospatial investments that require coordination. The following two examples can be modified or combined to meet the specific needs of the organization and its members. While there is no “one-way” to establish a governance structure, there is “no-way” to succeed without one.

Geospatial programs may exist in multiple forms, and may in some cases be distributed throughout an agency without definable governance. In such cases it will be difficult to provide useful indicators of program performance in any measurement area, especially for customer results.[1]
EXECUTIVE STEERING COMMITTEE

An Executive Steering Committee (ESC) structure should be established within and across an organization’s enterprise based upon the needs of the organizations (e.g. Office, Branch, Department, etc.) to be included in the committee. There is policy guidance for cross governmental (e.g., Federal and non-Federal involvement including the public) interaction and coordination activities as defined by the Federal Advisory Committee Act (FACA). FACA became law in 1972 and is the legal foundation defining how federal advisory committees operate. The law has special emphasis on open meetings, chartering, public involvement, and reporting.[2] In terms of Federal agency committees, both intra- and inter-agency coordination, committee structures and operating procedures are based upon consensus-based collaboration, usually with express language stating that the results or findings do not interfere with agency or governmental policy or law.

 

Numerous definitions exist; however, most steering committees are chartered with senior management leadership, are business-oriented and influence/direct resource investment.

Merriam-Webster defines a managing or directing committee (e.g., Steering Committee) as “a committee that determines the order in which business will be taken up in a United States legislative body.”[3]
BusinessDictionary.com defines an advisory committee: “… usually made up of high level stakeholders and/or experts who provide guidance on key issues such as company policy and objectives, budgetary control, marketing strategy, resource allocation, and decisions involving large expenditures.”[4]

Some organizations may have prescriptive requirements for the establishment of ESCs through their Office of General Counsel or related policy or legislative affairs offices depending upon the proposed membership of the committee (e.g., internal or external). Once policy guidance is determined, the structuring of the ESC can occur. As the name implies, an ESC is sponsored and led by a decision-making level body of representatives (see Stakeholder Audience for the definition of Executive Leadership). The sponsoring body, office or board often chairs/co-chairs the committee; however, member roles and responsibilities are defined by a Charter (see [5] An IPT process, while generally designed for an engineering approach to a system or “product,” can also be applied to the governance of developing an interoperable geospatial investment either as a standalone approach or as part of the Executive Steering Committee structure described above. Generally, the “P” in IPT stands for product; however, it is also appropriate for project as defined below:

The Defense University defines an Integrated Product Team as “a multi-disciplinary group of people who are collectively responsible for delivering a defined product or process.”[6]
The IT Law Wiki defines an Integrated Project Team as “composed of representatives from all appropriate functional disciplines working together with a Team Leader to build successful and balanced program, identify and resolve issues, and make sound and timely recommendations to facilitate decision-making.”[7]

 

IPTs are used in complex development programs/projects for review and decision making. The emphasis of the IPT is on involvement of all stakeholders in a collaborative forum. IPTs are created most often as part of structured systems engineering methodologies, focusing attention on understanding the needs and desires of each stakeholder. The IPT approach simultaneously takes advantage of all members’ expertise and produces an acceptable product the first time.

Several more detailed resources are available for users to assess IPT processes and procedures to determine if the structure can be adopted/adapted for use in their geospatial governance. These documents have detailed operating principles and practices and provide example artifacts for the user to apply to meet their needs.

  • Rules of the Road: A Guide For Leading Successful Integrated Product Teams, Revision 1, October 1999, Department of Defense[8]
  • Integrated Project Team (IPT) Start-up Guide, February 2009, MITRE[9]

The following summarizes many of the practices and procedures of the authoritative sources listed above. IPTs, in general, will require operating principles and practices to include:

  1. Chartering and Authorizing – requires the overall sponsorship and membership of the governing body within the existing policy and protocol structure of the This may be prescribed by law, statute or other established agency specific policy and guidance. If no authorizing structure exists, the Charter sponsorship and membership agreement must be defined in the Charter which also defines the roles, responsibilities and decision-making process.
  2. Goal Alignment – to ensure an agreed upon, mutually beneficial set of objectives that are quantifiable to all members.
  3. Open Discussions with No Secrets – is the basis for mutual trust and It is also a mechanism to ensure both leadership and individual members do not unduly influence the overall direction of the team.
  4. Empowered, Qualified Team Members – ensures the best resources are applied to address the This can also require “reach-back” to subject matter experts for a limited duration to address a specific issue.
  5. Dedicated/Committed Proactive Participation – ensures a collaborative and informed working environment without revisiting issues and unnecessary delays. The level of participation must be understood and agreed to by the member in advance to set expectations.
  6. Issues Raised and Resolved Early – pending the structure of the IPT, issues should be resolved with an inclusive If issues cannot be resolved, there needs to be an escalation and resolution process to Executive Leadership for closure and advancement.

 

IPTs can be very involved, requiring defined requirements, process, documentation, measures, and accountability. The need for a disciplined approach includes core tenets:

  1. Understanding the requirements – an opportunity is identified that requires IPT resolution or assistance. This could be as broad as developing an interoperable enterprise geospatial capability or as limited as determining which organization within an enterprise will be the steward for an enterprise geospatial capability.
  2. Outlining the approach – the goal and objectives are framed with roles and responsibilities (memorialized through a Charter) and clear outcome expectations are defined.
  3. Planning the effort – working as an IPT, team members develop a Plan Of Action & Milestones (POA&M) to fully develop detailed tasking and level-of-effort estimates to allow the appropriate allocation of resources.
  4. Allocating resources – key stakeholders are identified and the team members are launched by senior leadership to resolve the opportunity at Leveraging financial resources will be determined by the Executive Leadership.
  5. Executing and tracking the plan – project management skills are essential along with the subject matter expertise to execute the defined Reporting based upon the POA&M schedule (scope, schedule, and budget) and the ability to address issues that will arise during the project period. Most issues should be discussed and resolved within the IPT environment. When issues cannot be resolved, problems are escalated to Executive Leadership for intervention.
  6. Delivery – as issues are resolved and the POA&M executed, the IPT completes and delivers its Chartered outcome requirements.
  7. Reevaluation – upon delivery and review with Executive Leadership, the IPT provides necessary feedback to IPT membership and evaluates the need for continuation of the IPT.
  8. Finite Duration – if requirements are fulfilled the IPT is disbanded.

The governance of geospatial investments should be crafted based upon the complexity of the organization(s) involved, number and level of investments, and the agreed upon value to the mission/business.

 

[1] Geospatial Profile, Version 1.1, January 27, 2006. Architecture and Infrastructure Committee, Federal Chief Information Officers Council and Federal Geographic Data Committee. (no longer available)

[2] http://www.gsa.gov/portal/content/100916

[3] http://www.merriam-webster.com/dictionary/steering%20committee

[4] http://www.businessdictionary.com/definition/steering-committee.html

[5] Rules of the Road: A Guide for Leading Successful Integrated Product Teams, Revision 1, October 1999. Department of Defense.

[6] https://acc.dau.mil/CommunityBrowser.aspx?id=24675

[7] http://itlaw.wikia.com/wiki/Integrated_Project_Team#cite_note-0

[8] http://www.navair.navy.mil/nawctsd/Resources/Library/Acqguide/IPT%20Rules%20of%20the%20Road.htm

[9] http://www.mitre.org/publications/technical-papers/integrated-project-team-ipt-startup-guide


Investment Governance

Governance of geospatial investments can be viewed as operating at three different levels of an organization: Program, Portfolio and Enterprise. An integrated, multi-tiered governance framework unites disparate processes to eliminate redundant and low-value investments.[1]

  • Program – program-level success is defined by meeting the goal of delivering a system that meets specified, contracted-for performance, price, and schedule parameters. Program-level decisions, directions, and actions align with that view of success and influence the expectations of systems engineering provided at that level.
  • Portfolio – the focus shifts to making trades among a collection of programs to achieve capability-level The tradeoffs balance various criteria, including the importance of capabilities to be delivered and expected delivery schedule within constraints, such as availability of funding and dates operational capabilities are needed. Portfolio-level decisions can result in programs being added and accelerated, cut back and decelerated, deferred, or cancelled.
  • Enterprise – decisions at this level result in changes to the environment or rules in which programs and portfolios operate, including their roles and responsibilities, to achieve enterprise-wide outcomes such as joint interoperability or net-centricity. Often, this is achieved through departmental or agency-wide policies and regulations.[2]

As organizations mature from Program to Portfolio to Enterprise levels, greater technical documentation should be developed and maintained to allow each pending new investment to be assessed, aligned, and adopted. The increase in the number of investments makes the complexity and challenge greater but also more important. At the individual Program level, the acquisition process may only use the existing Procurement Office procedures required of all investments within an organization. At the Portfolio level, a baseline assessment (e.g., As-Is environment) is essential to allow Senior Leadership the ability to make strategic investment, Program Managers to coordinate and allocate human resource coordination across individual programs, and Solution Architects the ability to design and develop interoperable components at the application and system level. The baseline assessment or As-Is (e.g., GeoBaseline) documentation (see Geospatial Baseline Assessment Matrix, Business Reference Model, Data Reference Model, and Applications/Services Reference Model) provides the foundation to perform these tasks and the basis upon which to achieve enterprise-wide outcomes.

A mature enterprise may strive to establish and sustain a Technical Reference Model (TRM) or Target Architecture of the desired technical framework to which investments should align. The TRM is a component-driven, technical framework categorizing the standards and technologies to support and enable the delivery of services and capabilities. It provides a foundation to advance the reuse and standardization of technology and Service Components from a government-wide perspective.[3]

Aligning agency capital investments to the TRM leverages a common, standardized vocabulary, allowing intra/interagency discovery, collaboration, and interoperability. Agencies and the federal government will benefit from economies of scale by identifying and reusing the best solutions and technologies to support their business functions, mission, and target architecture. Organized in a hierarchy, the TRM categorizes the standards and technologies that collectively support the secure delivery, exchange, and construction of business and application services and capabilities that may be leveraged in a component-based or service-oriented architecture.

The TRM or Target Architecture would list the types of technology an organization would use and may include categories of use to include:[4]

  • Permitted – products and standards that currently reside in the TRM and are approved for use.
  • Go-To (Target) – products and standards that the Department/Agency is migrating towards, that are considered enterprise-wide solutions, and that have a compliance date for usage.
  • Divest – products and standards which are obsolete and the Department/Agency must actively plan for disposal and should not invest further, with a specified divestment date.
  • Restricted – products and standards that can only be used by the organization obtaining approval.
  • Emerging – products and standards that will be utilized in a very limited capacity during the prototypes or pilot phase of a program development with future decision pending approval.
  • Prohibited – products and standards that are not aligned to the Department/Agency TRM and may not be procured.

Once a TRM or Target is established, a pending geospatial investment can then be compared against both the As-Is GeoBaseline and TRM and reviewed by the governance body to ensure existing capabilities are reused and new capabilities can be shared across the enterprise.

 

INFORMATION TECHNOLOGY ACQUISITION REVIEW PROCESS

A primary benefit of governance is the efficient and agreed upon use of geospatial resource investments. As part of the governance structure, an investment review process should be established to ensure the optimal reuse of existing capabilities and the effective development of new shared capabilities across the enterprise. While the geospatial governance body does not [necessarily] have “veto” authority, as each organization will have its own procurement approval procedures and signatory authorities (e.g., CIO or CFO), it does provide the ability to align investments and reduce duplication for maximum interoperability.

The governance body should establish portfolio management guidance for pending investments and help prepare for the Information Technology Acquisition Review (ITAR). Table 1 provides portfolio management guidance principles to ensure:[5]

Table 1.

  • The program requirements are completely clear in meaning or intention, correct, and complete.
  • Acquisition requirements align with established portfolio targets and transition plans.
  • New acquisitions support a capability gap existing within a portfolio.
  • If the acquisition provides services to other investments within the Department/Agency, the performance requirements are defined (e.g., Service Level Agreement (SLA) or Memorandum).
  • Any other capability/service in the Department/Agency portfolio (existing or planned), as identified in the GeoBaseline or TRM, is identified. Acquisition requirements should not overlap and the investments should determine the most effective solution for the Program and Enterprise.
  • Opportunities to consolidate all or part of the acquisition with other existing/planned acquisitions within the Portfolio have been examined and resolved.
  • If necessary, contractual or policy language must be developed to mandate portfolio alignment.

 

The governance body should define the required documentation for an investment review. A pending investment review submission package should include: [6]

  • A Standard Acquisition Checklist (see Table 2).
  • Acquisition Documentation (i.e., Statement of Work (SOW), Statement of Objectives (SOO), Performance Work Statement (PWS), Request for Proposal (RFP), or other supporting documents).
  • Independent Government Cost Estimate (IGCE) or Bill of Materials (BOM).
  • Signed memorandum or other indication of Senior Leadership

A Standard Acquisition Checklist for effective portfolio management should consist of the following:

Table 2.[7]

ITAR NAME

ITAR ID #

| Questions | Responses | Guidance/Instructions/Comments |
|---|---|---|
| Organization Name/Point of Contact (POC) | | Required – Department/Agency office and point-of-contact |
| Date Submitted | | Required – M/D/YYYY |
| Title | | Required – brief title; usually one sentence |
| Summary | | Required – brief summary; usually one clear paragraph |
| Description (expansion of summary) | | Required – expansion of summary, providing a contextual framework of the acquisition, including background |
| Benefits | | Required – explanation of why this procurement is necessary, how Department/Agency benefits, and explanation of potential risks if this acquisition is not complete |
| Alignment to Geospatial Baseline and/or TRM | | Required – explanation of how this procurement is aligned to the GeoBaseline and/or TRM and any new technology needs |
| Is this a follow-on review? | | Required – a “follow-on” review for a continuation of existing procurement with additional capabilities |
| Previous review ID # | | If applicable, provide most recent review number |
| Have all previous review conditions been resolved? | | Ensures that any prior deficiencies on the proposed acquisition have been addressed |
| Organization approval | | Required – ensures senior leadership understanding and commitment |
| Approval date | | Required – M/D/YYYY |

 

CAPITAL PLANNING INVESTMENT CONTROL PROCESS

The Office of Management and Budget (OMB) provides specific policy, procedural, and analytical guidelines for planning, budgeting, acquisition, and management of major IT capital investments. OMB reviews and evaluates each agency’s IT spending, using the guidance on Exhibits 53 and 300, to effectively manage its portfolio of capital assets to ensure scarce public resources are wisely invested.[8] Agencies are required to use a disciplined Capital Planning Investment Control (CPIC) process to acquire, use, maintain, and dispose of IT in alignment with the agency’s Enterprise Architecture (EA) planning processes. Exhibit 300 describes the justification, planning, and implementation of an individual capital asset included in the agency IT investment portfolio (as reported in Exhibit 53) and serves as a key artifact of the agency’s EA and IT CPIC processes.

Geospatial system investments are often considered a sub-system or supporting technology and may not be clearly identified or listed as the primary technology function of the desired system, making it more difficult to identify many (smaller) geospatial investments across an enterprise. The Program Manager should ensure the geospatial capability of a larger system is identified as a sub-system to allow for identification within the CPIC process.

Capital programming integrates the planning, acquisition, and management of capital assets into the budget decision-making process. It is intended to assist agencies in improving asset management and in complying with the federal IT policy.

The practices, templates and other tools within the GIRA can be directly applied to supporting the development and investment justifications necessary for the OMB CPIC submission process, including:

  • Governance – provides the management oversight requirements and coordination mechanisms necessary for investment comparison and
  • Business Reference Model – provides the Geospatial Baseline Assessment Matrix to inventory investments in the areas of data, architecture, technology, applications and
  • Infrastructure Reference Model – provides the target architecture and artifacts that can be used in the required Three Alternatives Analysis for the solution
  • Performance Reference Model – provides many of the possible measurable tasks and milestones needed as metrics for investment and stakeholder satisfaction.

In the capital planning and investment control process, there are two separate and distinct plans that address IRM and IT planning requirements for the agency. The IRM Strategic Plan (44 U.S.C. 3506 (b)(2)) addresses all information resources management of the agency and ensures IRM decisions are integrated with organizational planning, budget, procurement, financial management and program decisions.[9]

The IT Capital Plan is operational in nature, supports the goals and missions identified in the IRM Strategic Plan, and is a living document that must be updated twice yearly. This IT Capital Plan is the implementation plan for the budget year. The IT Capital Plan must be submitted annually to OMB with the agency budget submission. Examples of the required CPIC guidance, and of how the GIRA tools can be applied to meet this guidance, include: [10]

  • Ensure decisions to improve existing information systems or develop new information systems are initiated only when no alternative private sector or governmental source can efficiently meet the need.
  • Prepare and maintain a portfolio of major information systems that monitors investments and prevents redundancy of existing or shared IT The portfolio will provide information demonstrating the impact of alternative IT investment strategies and funding levels, identify opportunities for sharing resources, and consider the agency’s inventory of information resources.
  • Ensure improvements to existing information systems and the development of planned information systems do not unnecessarily duplicate IT capabilities within the same agency, from other agencies, or from the private sector.
  • Establish oversight mechanisms to evaluate systematically and ensure the continuing security, interoperability, and availability of systems and their data.

 

PROCUREMENT POLICY LANGUAGE

At the highest maturity level, an enterprise would have policy in place within the procurement process that requires an Investment Review Board to ensure the proposed procurement aligns with the enterprise TRM or Target Architecture.

An example of geospatial procurement policy language could include:

 

DEPARTMENT/AGENCY GEOSPATIAL INFORMATION SYSTEM

TERMS AND CONDITIONS

All geospatial implementation including data, information, systems, and services shall comply with the policies and requirements set forth by the Department/Agency Geospatial Governance Board, including but not limited to the following:

•  All data created, adopted or acquired, shall be submitted to the government for review and insertion into the Department/Agency Technical Reference Model.

•  All software created, adopted or acquired, shall be submitted to the government for review and insertion into the Department/Agency Technical Reference Model.

 

[1] Ensuring IT Investments Deliver Their Promised Value, The Importance of Enterprise Governance, January, 2011, Office of the Chief Information Officer, DHS.

[2] Department of Homeland Security, Systems Engineering and Acquisition, Best Practices: A Portal Companion, Version 1.0, September 2012. Developed by the Home Security Systems Engineering and Development Institute.

[3] Department of Homeland Security, Systems Engineering and Acquisition, Best Practices: A Portal Companion, Version 1.0, September 2012. Developed by the Home Security Systems Engineering and Development Institute.

[4] Department of Homeland Security, Information Technology Acquisition Review (ITAR) Quick Essentials Guide, Version 3.0, January 23, 2013.

[5] Department of Homeland Security, Information Technology Acquisition Review (ITAR) Quick Essentials Guide, Version 3.0, January 23, 2013.

[6] Ibid.

[7] Department of Homeland Security, Information Technology Acquisition Review (ITAR) Quick Essentials Guide, Version 3.0, January 23, 2013.

[8] Office of Management and Budget, Guidance on Exhibits 53 and 300 – Information Technology and E-Government, available at http://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/fy14_guidance_on_exhibits_53_and_300.pdf

[9] OMB Memorandum M-13-13, Open Data Policy – Managing Information as an Asset (May 9, 2013), available at http://www.whitehouse.gov/sites/default/files/omb/memoranda/2013/m-13-13.pdf

[10] http://www.whitehouse.gov/omb/fedreg_a130notice


Information Sharing Agreements

Information Sharing Agreement (ISA) governance is an essential, yet often overlooked, element in the access to and sharing of geospatial data, applications, and services. When an organization has made a decision to share information and services, the provider and consumer need to negotiate, agree, and formally document the services to be provided. If funding will be transferred from one agency to another, then the agreement also needs to contain an authority to transfer funds, the amount being transferred, and a clause describing collection of costs upon cancellation. This information is provided in one of several types of agreements, as shown in Table 3: (a) Memorandum of Understanding (MOU); (b) Memorandum of Agreement (MOA); and (c) Interagency Agreement (IAA). Some agencies draw distinctions between different agreement types, while others focus only on the content in the agreement. The Federal Chief Information Officers Council’s Federal Shared Services Implementation Guide[1] provides a clear and comprehensive description of the types of agreements that could be used, as well as funding and pricing model approaches, to establish ISAs across organizations, and should be reviewed when moving toward a shared-services environment.


Table 3. Types of Agreements

| ACTION | MOU | MOA | IAA |
|---|---|---|---|
| Establish a Non-financial Relationship | X | X | X |
| Order a Service | | | X |
| Terms and Conditions | | | X |
| Requirements and Funding Information | | | X |

Information Sharing Agreements can include both internal as well as external (government) partners. This write-up does not address ISAs with foreign governments (see Department of State’s Information Sharing Environment Guidance (ISE-G) Checklist of Issues For Negotiating Terrorism Information Sharing Agreements and Arrangements), nor does it directly apply to private sector license agreements although many of the template sections or checklist items could be useful in assessing an offered license agreement from a commercial provider.

The Department of Homeland Security defines an Information Sharing and Access Agreement as:

An agreement that defines the terms and conditions of information/data exchanges between two or more parties. The term encompasses agreements of any form, including Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, etc.[2]

Information sharing agreements can be complex and time consuming and, if not executed properly, can introduce cost, redundancies, dependencies, and potential risk into an enterprise. ISAs are not merely a point-to-point discussion between a data owner/steward (e.g., provider) and a data consumer (e.g., requestor). While an agency or a direct point-of-contact within an agency may be the original data developer or custodian, the provisioning of data will require authorities and approvals in the areas of system/network administration, security, policy, privacy, general counsel, and others for the terms and conditions of use and reuse or extended sharing to a third party. Third party reuse, in which Agency A (the provider) shares data with Agency B (User 1), who then shares the original data with Agency C (User 2), requires permissions/restrictions to be established in the original ISA between Agency A and Agency B and by extension to any third party requestor.

To determine what data or services require an ISA, the Geospatial Executive Steering Committee should determine all existing ISAs that are in effect (or pending) across the enterprise to ensure a complete understanding of available data sharing resource investments and activities, especially if commercial data provider license or Enterprise License Agreements (ELAs) are required. The Steering Committee as part of its geospatial investment baseline assessment (Operational Requirements Documentation and Data Reference Model) will be able to determine what data assets are available and which new assets are required. If new data assets are required by multiple components or business units across an organization, the ISA will need to reflect enterprise-wide access and use as well as considerations for Third Party access if applicable.

The following section is extracted and modified from the Department of Homeland Security (DHS) Information Sharing and Access Agreements Guidebook and Templates, revision version 2.1, October 2010.[3] The DHS documentation is far more detailed and complete than this abbreviated and highlighted summation.

Prior to the development of a new ISA, an Information Sharing Checklist[4] can be used to determine whether to accept or reject the request for data. The Checklist, while it is used for both internal and external requests, has primary benefit for internal requests within/across a Department/Agency. The Checklist assists both parties (e.g., Requestor and Provider) in determining the breadth of the requirements and provides the initial framework of understanding necessary to structure either an internal or external sharing agreement or both.

Once the initial Checklist has been reviewed and approved, a Data Access Process Questionnaire is used to provide the detailed information necessary to establish an ISA. The Requesting Department/Agency completes the Questionnaire with information pertaining to:

  1. Points of Contact
  2. Data Request
  3. Purpose
  4. Authorities – Requesting Department/Agency
  5. Privacy and Civil Liberties Protections
  6. Information Security Controls
  7. Adjudication
  8. Signatories

The Questionnaire provides the Requestor and Provider a process by which to fully vet the information sharing requirements and challenges. It should be used as a basis for a more in-depth discussion to ensure all aspects of the data and its use/protection are considered prior to an exchange. During the in-depth review, additional requirements can also be discussed, such as value-added or derived data usage; data accuracy and correction returned to the Provider; updates if the data are not dynamic; metadata and data tagging requirements; disposition; etc.

Once the requirements have been fully vetted, the ISA can be established (see ISA Template). A basic ISA may include the following sections:

  1. Contact information for parties entering into agreement. This includes both the Requestor(s) and Provider(s) information.
  2. Statements on the purpose/need for the ISA.
  3. Complete citations (including pinpoint cites to particular subsections in the authority) to applicable authorities including laws, regulations, directives, international obligations, and/or policies (including a parenthetical explaining why the authority is relevant to the particular ISA), as well as information regarding compliance with Civil Rights and Civil Liberties (CRCL), privacy, security, and other compliance guidelines.
  4. Description of information/data being
  5. Statement on how the data will be collected, used, shared, protected, retained, disseminated, and destroyed.
  6. Description of how the ISA will be monitored and reviewed.
  7. Terms and conditions for ISA enforcement.

[1] Federal Shared Services Implementation Guide, April 16, 2013. Federal Chief Information Officers Council, available at https://cio.gov/wp-content/uploads/downloads/2013/04/CIOC-Federal-Shared-Services-Implementation-Guide.pdf

[2] Department of Homeland Security, Information Sharing and Access Agreements Guidebook and Templates, revision version 2.1, October 2010.

[3] Department of Homeland Security, Information Sharing and Access Agreements Guidebook and Templates, revision version 2.1, October 2010.

[4] Ibid.

Stakeholder Performance Guidance

At its most basic level, governance comprises a set of formal and informal rules and practices. These rules and practices determine how decisions are made around investments, how decision execution is monitored and the results of these decisions are measured, how empowerment for decision making is exercised, and how those who make the decisions are held accountable.[1]

Stakeholder governance serves to formally recognize/legitimize the collaborative administration of a shared investment and frames the roles, responsibilities, and accountability with corresponding performance measures. Some of those performance measures are highlighted below for each of the three stakeholder communities: Executive Leadership, Program Manager, and Solution Architect (Table 4).

 

Table 4. Standards Performance Guide: Governance

STAKEHOLDER PERFORMANCE GUIDE: GOVERNANCE

Executive Leadership

Responsibility:
  • Establish and/or Co-Chair the Chartered governance (ESC/IPT) body.
  • Signatory to establish Investment Technology Acquisition Review (ITAR) framework.
  • Signatory to ISAs for access or dissemination of data and/or services.

Approach:
  • Work with other Executives to frame Charter goals/objectives and commitment to level-of-effort support/involvement.
  • Establish review board with CIO/CFO representation and consider policy to ensure participation and commitment.
  • Establish or follow General Counsel process and review and maintain repository of Agreements.

Benefit:
  • Signatory with defined responsibility and stated measurable results (e.g., ELAs with % cost reduction, shared services with defined Steward, etc.).
  • Promotes interoperability, reduces redundant investments, and allows for cost share.
  • Reduce cost for data acquisition and/or document need for establishing an Enterprise License Agreement.

Program Manager

Responsibility:
  • Coordinate across other internal Department/Agency investment PMs for recommendations to Execs for strategic and tactical objectives.
  • Staff and perform Working Group tasks as defined within the ESC/IPT Charter.
  • Develop performance measures and target end-state (To-Be) environment.
  • Ensure geospatial (sub-system at a minimum) is identified within the CPIC submission process.

Approach:
  • PMs identify and prioritize capability gaps and planned investments to determine To-Be end-state vs. As-Is environment and prepare a business plan and value proposition for Execs' approval.
  • Recommend Working Group priority, short-term/high-value tasks, and early delivery results to demonstrate benefits.
  • Within Charter define Working Group roles/responsibilities and prepare a work plan with Plan of Action & Milestones (POA&M).
  • Within the annual CPIC submission (e.g., 53/300) process, ensure geospatial capability is identified so that search and identification across system investments can be performed.

Benefit:
  • Early adoption/visibility to strengthen long-term commitment from Executive Leadership.
  • Working Group member awareness of multiple investments across enterprise promotes coordination resulting in leveraged investments.
  • Results-oriented for measurable and quantifiable results demonstrating value of collaboration.
  • Facilitates the search and identification of geospatial investments (especially for smaller systems) across the entire enterprise to foster participation within the Executive Steering Committee and technical solution teams.

Solution Architect

Responsibility:
  • SME and reach back for Working Group participation.
  • Validate technical requirements for work plan.

Approach:
  • Develop baseline assessment and perform capability gap analysis for As-Is and To-Be environments.
  • Develop technical approach for work plan tasks and POA&M.

Benefit:
  • Technical vetting and validation across investments for desired To-Be end-state environment.
  • Ensure broadest possible technical review, adoption and acceptance.

 

[1] IT Governance Institute.


Updated on February 4, 2020