Department of Health and Human Services, Information Technology (Draft)Department of Health and Human Services, Information Technology (Draft)HHS/IT_7048c8fa-605b-41e2-93d6-56a719d7de30Provide robust, flexible, efficient, and secure information technology enabling the HHS enterprise and its partners to respond to the requirements of their missions. _b65a4355-fca7-4cde-85e4-a97b7c8d2dfbProvide a well-managed and secure enterprise information technology environment that enables stakeholders to advance the causes of better health, safety and well-being of the American people. _60e64a9d-8e86-4771-964b-948e5b640a80Secure, Trusted ITProvide a secure and trusted IT environment._91a7d063-726e-4c78-aef7-dd7e5a0b3a5a1Confidentiality, Integrity, and AvailabilityEnhance confidentiality, integrity, and availability of IT resources. _c173e124-2393-4d99-abcd-c055fb4897161Unauthorized Access and MisuseProtect IT assets and resources from unauthorized access or misuse._c7420e6d-53a6-4fb3-821d-d3efba65dc7c2Security AwarenessEnhance security awareness department-wide. _7cfc09c5-d19e-4c41-ab90-dcacef9e1d543IT Lifecycle SecurityEnsure that IT security is incorporated into the lifecycle of every IT investment._14d94f48-b9ec-46f3-b7fd-abf93e47ab6e4Secure One HHS – Emphasis on IT Security Department-Wide: Two fundamental trends exist within the Federal Government that has a marked impact on IT at HHS. First, the drive for greater efficiency in Federal IT spending is forcing Federal departments and agencies to look for shared infrastructures and services to support their operating divisions. The second trend is the improvement of services to the public and other stakeholders facilitated by conducting business on-line. The result of these two trends is that as HHS OPDIVs are becoming increasingly connected to one another; they are opening their networks to citizens, businesses, academic institutions, and other stakeholders. As OPDIVs place more transactions on-line, the criticality of those systems increases exponentially. Unfortunately, so do the risks to those systems. And as the OPDIVs move toward a shared infrastructure, the security risk assumed by one is shared by all. The status quo security practices that currently protect OPDIVs at varying levels today will not be enough. Baseline levels of security standards and practices need to be established to protect all OPDIVs in this decentralized environment. In this changing world of new threats, instilling a culture of increased awareness and mindsets toward preventive action is necessary. In a Federal agency, IT security cannot be an afterthought and must be integrated into the Department's vision, mission, and business lines. In addition, HHS has taken on a new role in homeland security and needs to improve its security practices to meet these obligations. It is critical that we incorporate security into the daily activities of HHS employees at all levels. With this, all IT leaders in the Department must support the notion of IT security as a way of life. These reasons prompted the HHS CIO and the HHS Chief Information Security Officer (CISO) to develop an overarching IT Security Program. Understanding that HHS OPDIVs face unique business requirements, the challenge was to develop an IT Security Program that allowed for both compliance and flexibility. Based on GAO best practice guidance, HHS IG and OPDIV reviews, HHS has set up an overarching IT Security Program called Secure One HHS. The program’s goal is to provide support and guidance, address OPDIV security needs and concerns, and meet HHS security responsibilities. The Secure One HHS mission is to “foster an enterprise-wide secure and trusted IT environment in support of HHS’ commitment to improve the health, safety, privacy, and well-being of the American people.” To meet the aggressive demands of an enterprise-wide HHS IT Security Program, strong governance with clearly defined roles, responsibilities, and security expertise is required. By establishing the program at the headquarters level, HHS will achieve a consistent IT security baseline across the OPDIVs by supporting universal security requirements. The Secure One program will then be driven by close coordination and collaboration with each OPDIV to ensure that their needs and expectations are identified and addressed. OPDIVs will then be responsible for custom implementation at their level, based on each OPDIVs unique needs and goals. Further information on the Secure One program can be found in the HHS Annual IRM and Performance Plan or by contacting the HHS CISO. Quality, Availability, and Delivery of Information and ServicesEnhance the quality, availability, and delivery of HHS information and services to citizens, employees, businesses, and government._23b64d57-7cd8-43b2-aa10-915eb44f27532CitizensEmployeesBusinessesGovernmentPublic Information One-StopProvide an intuitive one-stop solution to quickly and reliably deliver information for public access._9840b75c-a724-46bb-9022-cf3bb4ddc2d71Web ServicesLeverage web services to conduct business securely with customers and stakeholders._c32763e1-0a43-4c66-ae27-3451baf2f4702Web Services and egov initiatives -- The Department will continue its investment in electronic Government (eGov) initiatives to deliver services and information to internal as well as external employees, consumers, and business partners. Key to this strategy is the use of standards-based Web Services. Web-based technologies are recognized as a vital and effective way for organizations to communicate both internally and externally. HHS has taken steps to leverage web-based technologies as it seeks to better serve the US citizenry and improve communications within the agency. The are three categories of Web based technologies HHS uses to achieve these objectives: Internet Web sites, an Intranet Web site, and an internal HHS Web portal. HHS Inter- and Intranet Web sites include the HHS.gov site as well as many other HHS Operating Division sites. These sites are used to fulfill the objectives of the E-Government Act of 2002 by providing timely and effective communications that are citizen centric. The HHS.gov Web site is comprised of individually coded HTML pages, although there is a plan to implement a Content Management Solution for the site which will make site modification and maintenance more streamlined and convenient for contributors. Additionally, a planned redesign of the OCIO Web site for HHS.gov will offer better organization and more timely delivery of information about the OCIO office, its mission, accomplishments and strategic objectives. The HHS Intranet Web site is available to HHS employees with internal access to the HHS network. The Intranet site serves as an internal communication tool for agency information. The HHS Web Management Team, guided by the results of usability testing, card sorting, and interviews with HHS employees, continues to make progress on redesigning the HHS Intranet. The objective of the redesign is to streamline the presentation of content and increase it’s relevancy and usefulness for HHS employees. The HHS Web portal is being developed with use of the Plumtree application. The portal provides a collaboration tool where communities of employees can form around projects within the Department. Currently, the HHS Web portal is being used extensively by the HHSIdentity Project which has developed sub-communities to assist in the sharing of information among employees in the agency working on the initiative. Consistent with Section 6.2, the Department will leverage standards-based Web Services infrastructure (common services). Moreover, the Department will migrate toward SOA-based common services for future eGov initiatives and for integration of legacy technology and applications with new Web-Based applications to facilitate information interoperability, and to expose standards-based SOA/Web servers to consumers, business partners, and other users of eGov systems and applications. Emergency InformationEnsure the availability and dissemination of information in preparation of or in response to local and national emergencies or other significant business disruptions._3cbac02a-926c-402a-ae51-ca326f22a6733Technology for Collaboration and Knowledge SharingProvide technologies enabling HHS employees to work collaboratively and share knowledge._e0582884-5bd8-4bc6-96a9-6977f9e5e2da4Communications and Collaboration -- HHS communication and collaboration are increasingly interconnected in order to get maximum value from the information technology (IT) infrastructure, and enable personnel to collaborate efficiently. As a result, messaging and collaboration servers that enable e-mail, document sharing, and instant messaging have become a mission-critical infrastructure component in business environments throughout the government.. Because e-mail servers are aggregation points for data and are critical to the day-to-day operations of most government agencies, security is of the utmost interest in the Department. E-mail has become the most common vehicle for virus infections, and was the means of entry in the majority of virus incidents in 2005. The Federal Government and Corporations are starting to depend on collaborative Web sites and instant messaging to enable growth, productivity, and communication. These too have become targets of malicious software writers and require protection against viruses and worms. Enterprise ApproachImplement an enterprise approach to information technology infrastructure and common administrative systems that will foster innovation and collaboration._14db7c58-fd44-46a0-ac59-bf794361210b3Infrastructure ConsolidationEstablish a basis for consolidated infrastructure to achieve interoperability and communication among operating divisions. _ab89a541-8fc0-44eb-9644-fffe6a336a7d1Infrastructure -- Improving IT Infrastructure:As cited in the Government Accountability Office report number 05-308 Federal Agencies Face Challenges in Implementing Initiatives to Improve Public Health Infrastructure, challenges facing HHS include: Integrating current initiatives into a national health IT strategy and federal architecture to reduce the risk of duplicative efforts; Developing and adopting consistent standards to encourage interoperability; Coordinating initiatives with states and local agencies to improve the public health infrastructure; and Overcoming federal IT management weaknesses to improve progress on IT Initiatives. IT Consolidation and Shared Infrastructure: A key strategy for cost effectiveness is the sharing and reuse of common, standards-based IT infrastructure. In the broadest sense, infrastructure can be viewed as a sharable IT investment that can be leveraged and standardized across an enterprise to prevent duplicate efforts, to leverage common investments, to standardize training and operational processes, and to lower IT cost as a benefit. Standards-based, common networks (i.e., local area, wide area) such as HHSNet are a common and simple application of these principles and opportunities for cost avoidance exist in virtually every layer of the Open Systems Interconnect (OSI) model, from physical to shared data and application services. Such opportunities include the potential for improved quality of service (QoS) at lower cost through sharing services such as: - Physical: Networks, servers, help desks and support infrastructure - Operating System Services: Sharing common operating environments and services (e.g. file, print, and directory services) - Infrastructure Services: Leveraging services such as Public Key Infrastructure, Single-Sign-On, Enterprise Service Bus, etc. - Common Application Service: Workflow, Master Subject Index, Lexical/Semantic Services, Data Services, Messaging Services, Data Transformation, etc. A key initiative for HHS within the 2006-2010 timeframe will be a focus on IT consolidation, implementing and sharing common services, and leveraging these tools, infrastructure, and processes to improve integration and interoperability across the Department—at a lower cost. HHSIdentity: This initiative will integrate and implement key identity management and eAuthentication services across the Department in compliance with HSPD 12 and FIPS 201. These common security, identification, and authentication services will be integrated across the enterprise in support of enterprise initiatives such as Enterprise eMail, and will be leveraged by a variety of HHS systems and applications for authentication. This initiative will include the integration and implementation of key identified services including single sign-on, enterprise directory services, public key infrastructure, and biometrics services to meet defined operational objectives and functional requirements. Another part of the strategy will be to leverage a Federated Service Oriented Architecture (SOA) approach in the delivery of these services, consistent with our Shared Services and IT consolidation strategy described above. Service Orientated Architecture: Service Oriented Architecture (SOA) initiatives are leading a revolution in enterprise business and IT integration. Many companies and government agencies are moving toward SOA projects, from limited scale efforts, to large strategic SOA rollouts at the enterprise level with supports from senior management in IT and sometimes business executives. SOA as an IT strategy has gained traction in the past year. SOA enables a business service layer on top of applications, which facilitates emphasis on business function support rather than hardware and software. The core business value of SOA is in delivering business agility. Industry best practices have demonstrated that the business benefit of SOA is in service reconfiguration flexibility, with changes done in days by business people, not in weeks by technical specialists. This means that the business and technical architectures must be aligned, which is not the case in most organizations today. Expressing existing application architecture in SOA terms is not enough. Services must be business-oriented if they are to be orchestrated by business people. SOA helps to streamline IT infrastructure, and helps to align IT investments with business goals, optimizing IT investments. The deployment of SOA in web service allows integration of business with current technologies. SOA can be evolved based on existing systems and infrastructure rather than requiring a full-scale re-build. Organizations will achieve benefits from SOA by focusing their development effort around the creation of services with using both new and existing components and technologies, combined with the component-based approach to software engineering and the enabling SOA infrastructure. The benefits of SOA include: Business agility: SOA facilitates business process improvement. It provides business users with an ideal environment for monitoring business operations. Process modeling is reflected in the business services. Process manipulation and the change of process flow can be achieved by the use of BPM (Business Process Modeling) tools integrated into the SOA infrastructure. Reuse and leverage existing assets : A business service can be constructed as an aggregation of existing components, using a suitable SOA infrastructure and made available to the enterprise. Legacy systems can be encapsulated and accessed via web service interfaces. Common infrastructure as commodity: SOA infrastructure is becoming a commodity that can be implemented by the use of COTS products. By enforcing standards, its development and deployment can be consistent across an enterprise. Existing components, newly-developed components, and components purchased from vendors can be consolidated within a well-defined SOA infrastructure. Reduced development cost: The reuse of existing service and components will reduce software development time and cost. Beyond SOA, and to align with the HHS enterprise structure, HHS will explore a Federated SOA solution, and this Federated SOA approach will be tightly integrated with, and a subset of the HHS Enterprise Architecture. In combination, this approach can be viewed as an HHS Federated, Service Oriented Enterprise Architecture (SOEA). HHS will leverage SOA technologies for delivery of common services across the Department to support both enterprise IT initiatives as well as Mission Oriented IT investment (systems and applications) across the Department.Communication/Network PerformanceImprove the performance of HHS’ communication/network resources._a62cd2c1-4795-4e38-8d34-e4828377b9422Unification and SimplificationEnable the unification and simplification of similar IT business processes and services within and across operating divisions._59e5902d-a74d-443d-82d3-07fb5d9ff71a3Financial and Administrative Systems ConsolidationImplement consolidated financial management and other administrative systems._f1f81f97-c769-4edf-8a4f-8d0f93120be84Enterprise-wide Procurement and LicensingMaximize the value of technology investments through enterprise-wide procurement and licensing._d2f0a600-2eee-4c05-a4a8-4042969f2ad45Information IntegrationEnable and improve the integration of health and human services information. _da5f0dee-102b-4e9c-af08-2894c10f64c14Integrated Public Health Information ServicesProvide integrated public health information services across HHS and to private industry, first responders, other healthcare providers, and the public._b7490267-c60f-4243-b50b-9c9ef8258f3a1Private IndustryFirst RespondersHealth Care ProvidersThe PublicHealth Informatics LeadershipProvide national leadership for Consolidated Health Informatics to promote the adoption of data, process, and vocabulary standards. _98bbae36-f897-4b73-ac48-7ef791f0216c2IT Support to the ONC -- The Office of the CIO is committed to the principles, objectives, and strategies of the Office of the National Coordinator for Health Information Technology (ONC), including the Federal Health Architecture (FHA), and the integration and adoption of open standards across the Department. The OCIO will support the ONC with technical IT consulting, as required, in a variety of areas such as: Health IT Standards review, adoption, and implementation Examination of technology and architecture best practices and approaches that align with the ONC strategic framework and objectives Technology reviews and inputs Evaluation support for technologies and prototypes as appropriate The OCIO will also coordinate and collaborate EA activities with the FHA and ONC to ensure that Department Strategic and Tactical Planning initiatives and approaches are coordinated and synchronized. Management PracticesAchieve excellence in IT management practices. _ce902090-2f20-4cbe-b158-5573a80ac5505Strategic and Capital Planning and Investment Control Strengthen HHS enterprise-wide processes for collaborative IT strategic planning, capital planning, and investment control._9c38ce76-2991-4470-8601-51ae881e13771Enterprise architecture -- Enterprise Architecture (EA) will continue to be a major and key element of HHS IT planning, as well as a driver for IT investment. Service Oriented Architecture principles, concepts, and technologies will be integrated into the HHS EA strategy, building on the Federated EA concepts already adopted by the Department. This will result in a Federated, Enterprise Service Oriented Architecture (ESOA) approach for the Department that will facilitate leveraging SOA concepts such as use of sharable, reusable common services using SOA technologies and infrastructure. The EA Governance structure and EA policy will be employed to guide a value-based, ROI-driven approach to support transformation toward an ESOA. Project Management and Performance MeasurementApply strong project management and performance measurements processes to critical IT projects to achieve project success._4164d155-eeb4-4bcd-87aa-de7849ce3eac2ITIM and Performance Management -- The ability to select, control, and manage IT investments effectively is a core requirement for HHS OCIO management. To maintain the Department’s commitment to achieving the goal of Excellence in IT Management Practices, initiatives to develop an integrated performance management system and to improve the Capability-Maturity of the Department and OPDIVs on the GAO Information Technology Investment Management (ITIM) framework are planned for the coming period. This Strategic Plan and subsequent two volumes describe in detail the planned performance management system. The key requirements for the system are that it integrate the various levels of IT management and performance reporting requirements throughout the Department, provide timely and actionable information through an automated system, and standardize metrics and clarify accountability through rigorous goal, objective and initiative alignment. The performance management system is designed to function efficiently with existing CPIC and Strategic Planning processes, but will nevertheless represent a considerable organizational challenge. Establishing effective performance measures will, however, have a major impact on all future initiatives. The GAO ITIM Capability-Maturity Model measures an Organization’s ability to manage IT investments so that they contribute effectively to mission and business priorities. The Model posits five stages of maturity marking increasing levels of sophistication in selecting, controlling and evaluating investments from a portfolio perspective. Various GAO reports have assessed the Department or specific OPDIVs as having achieved various elements of Stages 2 and 3, with Stage 3 being the stage at which the organization is beginning to manage investments on an integrated portfolio basis. As a result, Executive Management has decided to set the goal of the OCIO and all OPDIVs progressing through Stage 2 to achieve ITIM Stage 3 by Summer 2007. The OCIO will work closely with OPDIVs to develop policy, ensure policies are effectively institutionalized, and foster collaboration and the use of best and common practices. Taken together with the integrated performance management system initiative, this will mean that the Department and OPDIVs will greatly enhance their ability to manage IT cohesively and effectively at HHS in this next IT strategic planning period. Human Capital PlanDevelop an IT human capital plan to guide the recruitment, retention, and skill development of staff._bcd3383e-4213-4e4a-8046-bdc95542e8f83Human Capital PLANNING AND MANAGEMENT -- HHS employees can and need to proactively manage their own contributions to overall Departmental success with the adoption of unique COTS performance management software. Individual and team-based performance determines how well a software solution or new business process is adopted, its level of patron satisfaction, and ensures that the quality of work is the utmost in the efficient management of human capital. Personnel are given specific objectives that directly relate to Departmental goals and objectives. Standard metrics help personnel and their managers consistently monitor daily activities, including time card submission and approval, task status and request approval. Personnel receive feedback on their personal performance based on given objectives. Individual and team-based scorecards show performance ratings based on configurable metrics. Surveys allow you to continually track and monitor client satisfaction based on team, system or individual performance. Since personnel receive feedback direct from the client, they can proactively manage client satisfaction with key systems and services. Workforce performance management functionality provides objective individual and team-based personnel performance results. This data can support reviews and a mentoring process, track progress against performance improvement plans, and recognize and reward top performers. Custom metrics that measure peer satisfaction with team performance and mentoring relationships can also be developed. IT Policies and SOPsEstablish and maintain IT policies and SOPs to ensure compliance with evolving Federal legislation and OMB regulations._79109134-83e5-4ee3-8f19-e283494061ab42005-10-012010-09-302010-02-08http://www.hhs.gov/ocio/plans/itstrategicplan.htmlArthurColman (www.drybridge.com)colman@drybridge.com