Title 40, Chapter 113

Public Buildings, Property, and Works — 13 active sections, 1 inactive

§ 11301. Responsibility of Director

In fulfilling the responsibility to administer the functions assigned under chapter 35 of title 44, the Director of the Office of Management and Budget shall comply with this chapter with respect to the specific matters covered by this chapter.

§ 11302. Capital planning and investment control

  • (a) The Director of the Office of Management and Budget shall perform the responsibilities set forth in this section in fulfilling the responsibilities under section 3504(h) of title 44.
  • (b) The Director shall promote and improve the acquisition, use, security, and disposal of information technology by the Federal Government to improve the productivity, efficiency, and effectiveness of federal programs, including through dissemination of public information and the reduction of information collection burdens on the public.
  • (c)
    • (1) In this subsection:
      • (A) The term “covered agency” means an agency listed in section 901(b)(1) or 901(b)(2) of title 31.
      • (B) The term “major information technology investment” means an investment within a covered agency information technology investment portfolio that is designated by the covered agency as major, in accordance with capital planning guidance issued by the Director.
      • (C) The term “national security system” has the meaning provided in section 3542 of title 44.[1] ([1] See References in Text note below.)
    • (2) As part of the budget process, the Director shall develop a process for analyzing, tracking, and evaluating the risks, including information security risks, and results of all major capital investments made by an executive agency for information systems. The process shall cover the life of each system and shall include explicit criteria for analyzing the projected and actual costs, benefits, and risks, including information security risks, associated with the investments.
    • (3)
      • (A) The Director shall make available to the public a list of each major information technology investment, without regard to whether the investments are for new information technology acquisitions or for operations and maintenance of existing information technology, including data on cost, schedule, and performance.
      • (B)
        • (i) The Director shall issue guidance to each covered agency for reporting of data required by subparagraph (A) that provides a standardized data template that can be incorporated into existing, required data reporting formats and processes. Such guidance shall integrate the reporting process into current budget reporting that each covered agency provides to the Office of Management and Budget, to minimize additional workload. Such guidance shall also clearly specify that the investment evaluation required under subparagraph (C) adequately reflect the investment’s cost and schedule performance and employ incremental development approaches in appropriate cases.
        • (ii) The Chief Information Officer of each covered agency shall provide the Director with the information described in subparagraph (A) on at least a semi-annual basis for each major information technology investment, using existing data systems and processes.
      • (C) For each major information technology investment listed under subparagraph (A), the Chief Information Officer of the covered agency, in consultation with other appropriate agency officials, shall categorize the investment according to risk, in accordance with guidance issued by the Director.
      • (D) If either the Director or the Chief Information Officer of a covered agency determines that the information made available from the agency’s existing data systems and processes as required by subparagraph (B) is not timely and reliable, the Chief Information Officer, in consultation with the Director and the head of the agency, shall establish a program for the improvement of such data systems and processes.
      • (E) The applicability of subparagraph (A) may be waived or the extent of the information may be limited by the Director, if the Director determines that such a waiver or limitation is in the national security interests of the United States.
      • (F) The requirements of subparagraph (A) shall not apply to national security systems or to telecommunications or information technology that is fully funded by amounts made available—
        • (i) under the National Intelligence Program, defined by section 3(6) of the National Security Act of 1947 (50 U.S.C. 3003(6));
        • (ii) under the Military Intelligence Program or any successor program or programs; or
        • (iii) jointly under the National Intelligence Program and the Military Intelligence Program (or any successor program or programs).
    • (4) For each major information technology investment listed under paragraph (3)(A) that receives a high risk rating, as described in paragraph (3)(C), for 4 consecutive quarters—
      • (A) the Chief Information Officer of the covered agency and the program manager of the investment within the covered agency, in consultation with the Administrator of the Office of Electronic Government, shall conduct a review of the investment that shall identify—
        • (i) the root causes of the high level of risk of the investment;
        • (ii) the extent to which these causes can be addressed; and
        • (iii) the probability of future success;
      • (B) the Administrator of the Office of Electronic Government shall communicate the results of the review under subparagraph (A) to—
        • (i) the Committee on Homeland Security and Governmental Affairs and the Committee on Appropriations of the Senate;
        • (ii) the Committee on Oversight and Government Reform and the Committee on Appropriations of the House of Representatives; and
        • (iii) the committees of the Senate and the House of Representatives with primary jurisdiction over the agency;
      • (C) in the case of a major information technology investment of the Department of Defense, the assessment required by subparagraph (A) may be accomplished in accordance with section 2445c of title 10, provided that the results of the review are provided to the Administrator of the Office of Electronic Government upon request and to the committees identified in subsection (B); and
      • (D) for a covered agency other than the Department of Defense, if on the date that is one year after the date of completion of the review required under subsection (A), the investment is rated as high risk under paragraph (3)(C), the Director shall deny any request for additional development, modernization, or enhancement funding for the investment until the date on which the Chief Information Officer of the covered agency determines that the root causes of the high level of risk of the investment have been addressed, and there is sufficient capability to deliver the remaining planned increments within the planned cost and schedule.
    • (5) At the same time that the President submits the budget for a fiscal year to Congress under section 1105(a) of title 31, the Director shall submit to Congress a report on the net program performance benefits achieved as a result of major capital investments made by executive agencies for information systems and how the benefits relate to the accomplishment of the goals of the executive agencies.
  • (d) The Director shall oversee the development and implementation of standards and guidelines pertaining to federal computer systems by the Secretary of Commerce through the National Institute of Standards and Technology under section 11331 of this title and section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3).
  • (e) The Director shall designate the head of one or more executive agencies, as the Director considers appropriate, as executive agent for Government-wide acquisitions of information technology.
  • (f) The Director shall encourage the heads of the executive agencies to develop and use the best practices in the acquisition of information technology.
  • (g) On a continuing basis, the Director shall assess the experiences of executive agencies, state and local governments, international organizations, and the private sector in managing information technology.
  • (h) The Director shall compare the performances of the executive agencies in using information technology and shall disseminate the comparisons to the heads of the executive agencies.
  • (i) The Director shall monitor the development and implementation of training in information resources management for executive agency personnel.
  • (j) The Director shall keep Congress fully informed on the extent to which the executive agencies are improving the performance of agency programs and the accomplishment of the agency missions through the use of the best practices in information resources management.
  • (k) The Director shall coordinate with the Office of Federal Procurement Policy the development and review by the Administrator of the Office of Information and Regulatory Affairs of policy associated with federal acquisition of information technology.

§ 11303. Performance-based and results-based management

  • (a) The Director of the Office of Management and Budget shall encourage the use of performance-based and results-based management in fulfilling the responsibilities assigned under section 3504(h) of title 44.
  • (b)
    • (1) The Director shall evaluate the information resources management practices of the executive agencies with respect to the performance and results of the investments made by the executive agencies in information technology.
    • (2) The Director shall issue to the head of each executive agency clear and concise direction that the head of each agency shall—
      • (A) establish effective and efficient capital planning processes for selecting, managing, and evaluating the results of all of its major investments in information systems;
      • (B) determine, before making an investment in a new information system—
        • (i) whether the function to be supported by the system should be performed by the private sector and, if so, whether any component of the executive agency performing that function should be converted from a governmental organization to a private sector organization; or
        • (ii) whether the function should be performed by the executive agency and, if so, whether the function should be performed by a private sector source under contract or by executive agency personnel;
      • (C) analyze the missions of the executive agency and, based on the analysis, revise the executive agency’s mission-related processes and administrative processes, as appropriate, before making significant investments in information technology to be used in support of those missions; and
      • (D) ensure that the information security policies, procedures, and practices are adequate.
    • (3) The direction issued under paragraph (2) shall include guidance for undertaking efficiently and effectively interagency and Federal Government-wide investments in information technology to improve the accomplishment of missions that are common to the executive agencies.
    • (4) The Director shall implement through the budget process periodic reviews of selected information resources management activities of the executive agencies to ascertain the efficiency and effectiveness of information technology in improving the performance of the executive agency and the accomplishment of the missions of the executive agency.
    • (5)
      • (A) The Director may take any action that the Director considers appropriate, including an action involving the budgetary process or appropriations management process, to enforce accountability of the head of an executive agency for information resources management and for the investments made by the executive agency in information technology.
      • (B) Actions taken by the Director may include—
        • (i) recommending a reduction or an increase in the amount for information resources that the head of the executive agency proposes for the budget submitted to Congress under section 1105(a) of title 31;
        • (ii) reducing or otherwise adjusting apportionments and reapportionments of appropriations for information resources;
        • (iii) using other administrative controls over appropriations to restrict the availability of amounts for information resources; and
        • (iv) designating for the executive agency an executive agent to contract with private sector sources for the performance of information resources management or the acquisition of information technology.

§ 11311. Responsibilities

In fulfilling the responsibilities assigned under chapter 35 of title 44, the head of each executive agency shall comply with this subchapter with respect to the specific matters covered by this subchapter.

§ 11312. Capital planning and investment control

  • (a) In fulfilling the responsibilities assigned under section 3506(h) of title 44, the head of each executive agency shall design and implement in the executive agency a process for maximizing the value, and assessing and managing the risks, of the information technology acquisitions of the executive agency.
  • (b) The process of an executive agency shall—
    • (1) provide for the selection of investments in information technology (including information security needs) to be made by the executive agency, the management of those investments, and the evaluation of the results of those investments;
    • (2) be integrated with the processes for making budget, financial, and program management decisions in the executive agency;
    • (3) include minimum criteria to be applied in considering whether to undertake a particular investment in information systems, including criteria related to the quantitatively expressed projected net, risk-adjusted return on investment and specific quantitative and qualitative criteria for comparing and prioritizing alternative information systems investment projects;
    • (4) identify information systems investments that would result in shared benefits or costs for other federal agencies or state or local governments;
    • (5) identify quantifiable measurements for determining the net benefits and risks of a proposed investment; and
    • (6) provide the means for senior management personnel of the executive agency to obtain timely information regarding the progress of an investment in an information system, including a system of milestones for measuring progress, on an independently verifiable basis, in terms of cost, capability of the system to meet specified requirements, timeliness, and quality.

§ 11313. Performance and results-based management

In fulfilling the responsibilities under section 3506(h) of title 44, the head of an executive agency shall—

  • (1) establish goals for improving the efficiency and effectiveness of agency operations and, as appropriate, the delivery of services to the public through the effective use of information technology;
  • (2) prepare an annual report, to be included in the executive agency’s budget submission to Congress, on the progress in achieving the goals;
  • (3) ensure that performance measurements—
    • (A) are prescribed for information technology used by, or to be acquired for, the executive agency; and
    • (B) measure how well the information technology supports programs of the executive agency;
  • (4) where comparable processes and organizations in the public or private sectors exist, quantitatively benchmark agency process performance against those processes in terms of cost, speed, productivity, and quality of outputs and outcomes;
  • (5) analyze the missions of the executive agency and, based on the analysis, revise the executive agency’s mission-related processes and administrative processes as appropriate before making significant investments in information technology to be used in support of the performance of those missions; and
  • (6) ensure that the information security policies, procedures, and practices of the executive agency are adequate.

§ 11314. Authority to acquire and manage information technology

  • (a) The authority of the head of an executive agency to acquire information technology includes—
    • (1) acquiring information technology as authorized by law;
    • (2) making a contract that provides for multiagency acquisitions of information technology in accordance with guidance issued by the Director of the Office of Management and Budget; and
    • (3) if the Director finds that it would be advantageous for the Federal Government to do so, making a multiagency contract for procurement of commercial products of information technology that requires each executive agency covered by the contract, when procuring those products, to procure the products under that contract or to justify an alternative procurement of the products.
  • (b) The Administrator of General Services shall continue to manage the FTS 2000 program, and to coordinate the follow-on to that program, for and with the advice of the heads of executive agencies.

§ 11315. Agency Chief Information Officer

  • (a) In this section, the term “information technology architecture”, with respect to an executive agency, means an integrated framework for evolving or maintaining existing information technology and acquiring new information technology to achieve the agency’s strategic goals and information resources management goals.
  • (b) The Chief Information Officer of an executive agency is responsible for—
    • (1) providing advice and other assistance to the head of the executive agency and other senior management personnel of the executive agency to ensure that information technology is acquired and information resources are managed for the executive agency in a manner that implements the policies and procedures of this subtitle, consistent with chapter 35 of title 44 and the priorities established by the head of the executive agency;
    • (2) developing, maintaining, and facilitating the implementation of a sound, secure, and integrated information technology architecture for the executive agency; and
    • (3) promoting the effective and efficient design and operation of all major information resources management processes for the executive agency, including improvements to work processes of the executive agency.
  • (c) The Chief Information Officer of an agency listed in section 901(b) of title 31—
    • (1) has information resources management duties as that official’s primary duty;
    • (2) monitors the performance of information technology programs of the agency, evaluates the performance of those programs on the basis of the applicable performance measurements, and advises the head of the agency regarding whether to continue, modify, or terminate a program or project; and
    • (3) annually, as part of the strategic planning and performance evaluation process required (subject to section 1117 of title 31) under section 306 of title 5 and sections 1105(a)(28), 1115–1117, and 9703 (as added by section 5(a) of the Government Performance and Results Act of 1993 (Public Law 103–62, 107 Stat. 289)) of title 31—
      • (A) assesses the requirements established for agency personnel regarding knowledge and skill in information resources management and the adequacy of those requirements for facilitating the achievement of the performance goals established for information resources management;
      • (B) assesses the extent to which the positions and personnel at the executive level of the agency and the positions and personnel at management level of the agency below the executive level meet those requirements;
      • (C) develops strategies and specific plans for hiring, training, and professional development to rectify any deficiency in meeting those requirements; and
      • (D) reports to the head of the agency on the progress made in improving information resources management capability.

§ 11316. Accountability

The head of each executive agency, in consultation with the Chief Information Officer and the Chief Financial Officer of that executive agency (or, in the case of an executive agency without a chief financial officer, any comparable official), shall establish policies and procedures to ensure that—

  • (1) the accounting, financial, asset management, and other information systems of the executive agency are designed, developed, maintained, and used effectively to provide financial or program performance data for financial statements of the executive agency;
  • (2) financial and related program performance data are provided on a reliable, consistent, and timely basis to executive agency financial management systems; and
  • (3) financial statements support—
    • (A) assessments and revisions of mission-related processes and administrative processes of the executive agency; and
    • (B) measurement of the performance of investments made by the agency in information systems.

§ 11317. Significant deviations

The head of each executive agency shall identify in the strategic information resources management plan required under section 3506(b)(2) of title 44 any major information technology acquisition program, or any phase or increment of that program, that has significantly deviated from the cost, performance, or schedule goals established for the program.

§ 11318. Interagency support

The head of an executive agency may use amounts available to the agency for oversight, acquisition, and procurement of information technology to support jointly with other executive agencies the activities of interagency groups that are established to advise the Director of the Office of Management and Budget in carrying out the Director’s responsibilities under this chapter. The use of those amounts for that purpose is subject to requirements and limitations on uses and amounts that the Director may prescribe. The Director shall prescribe the requirements and limitations during the Director’s review of the executive agency’s proposed budget submitted to the Director by the head of the executive agency for purposes of section 1105 of title 31.

§ 11319. Resources, planning, and portfolio management

  • (a) In this section:
    • (1) The term “covered agency” means each agency listed in section 901(b)(1) or 901(b)(2) of title 31.
    • (2) The term “information technology” has the meaning given that term under capital planning guidance issued by the Office of Management and Budget.
  • (b)
    • (1)
      • (A) The head of each covered agency other than the Department of Defense shall ensure that the Chief Information Officer of the agency has a significant role in—
        • (i) the decision processes for all annual and multi-year planning, programming, budgeting, and execution decisions, related reporting requirements, and reports related to information technology; and
        • (ii) the management, governance, and oversight processes related to information technology.
      • (B) The Director of the Office of Management and Budget shall require in the annual information technology capital planning guidance of the Office of Management and Budget the following:
        • (i) That the Chief Information Officer of each covered agency other than the Department of Defense approve the information technology budget request of the covered agency, and that the Chief Information Officer of the Department of Defense review and provide recommendations to the Secretary of Defense on the information technology budget request of the Department.
        • (ii) That the Chief Information Officer of each covered agency certify that information technology investments are adequately implementing incremental development, as defined in capital planning guidance issued by the Office of Management and Budget.
      • (C)
        • (i) A covered agency other than the Department of Defense—
          • (I) may not enter into a contract or other agreement for information technology or information technology services, unless the contract or other agreement has been reviewed and approved by the Chief Information Officer of the agency;
          • (II) may not request the reprogramming of any funds made available for information technology programs, unless the request has been reviewed and approved by the Chief Information Officer of the agency; and
          • (III) may use the governance processes of the agency to approve such a contract or other agreement if the Chief Information Officer of the agency is included as a full participant in the governance processes.
        • (ii)
          • (I) Except as provided in subclause (II), the duties of a Chief Information Officer under clause (i) are not delegable.
          • (II) For a contract or agreement for a non-major information technology investment, as defined in the annual information technology capital planning guidance of the Office of Management and Budget, the Chief Information Officer of a covered agency other than the Department of Defense may delegate the approval of the contract or agreement under clause (i) to an individual who reports directly to the Chief Information Officer.
    • (2) Notwithstanding any other provision of law, for each covered agency other than the Department of Defense, the Chief Information Officer of the covered agency shall approve the appointment of any other employee with the title of Chief Information Officer, or who functions in the capacity of a Chief Information Officer, for any component organization within the covered agency.
  • (c) None of the authorities provided in this section shall apply to telecommunications or information technology that is fully funded by amounts made available—
    • (1) under the National Intelligence Program, defined by section 3(6) of the National Security Act of 1947 (50 U.S.C. 3003(6));
    • (2) under the Military Intelligence Program or any successor program or programs; or
    • (3) jointly under the National Intelligence Program and the Military Intelligence Program (or any successor program or programs).
  • (d)
    • (1) The Director of the Office of Management and Budget, in consultation with the Chief Information Officers of appropriate agencies, shall implement a process to assist covered agencies in reviewing their portfolio of information technology investments—
      • (A) to identify or develop ways to increase the efficiency and effectiveness of the information technology investments of the covered agency;
      • (B) to identify or develop opportunities to consolidate the acquisition and management of information technology services, and increase the use of shared-service delivery models;
      • (C) to identify potential duplication and waste;
      • (D) to identify potential cost savings;
      • (E) to develop plans for actions to optimize the information technology portfolio, programs, and resources of the covered agency;
      • (F) to develop ways to better align the information technology portfolio, programs, and financial resources of the covered agency to any multi-year funding requirements or strategic plans required by law;
      • (G) to develop a multi-year strategy to identify and reduce duplication and waste within the information technology portfolio of the covered agency, including component-level investments and to identify projected cost savings resulting from such strategy; and
      • (H) to carry out any other goals that the Director may establish.
    • (2) The Director of the Office of Management and Budget, in consultation with the Chief Information Officers of appropriate agencies, shall develop standardized cost savings and cost avoidance metrics and performance indicators for use by agencies for the process implemented under paragraph (1).
    • (3) The Chief Information Officer of each covered agency, in conjunction with the Chief Operating Officer or Deputy Secretary (or equivalent) of the covered agency and the Administrator of the Office of Electronic Government, shall conduct an annual review of the information technology portfolio of the covered agency.
    • (4) In the case of the Department of Defense, processes established pursuant to this subsection shall apply only to the business systems information technology portfolio of the Department of Defense and not to national security systems as defined by section 11103(a) of this title. The annual review required by paragraph (3) shall be carried out by the Chief Management Officer of the Department of Defense (or any successor to such Officer), in consultation with the Chief Information Officer, the Under Secretary of Defense for Acquisition and Sustainment, and other appropriate Department of Defense officials. The Secretary of Defense may designate an existing investment or management review process to fulfill the requirement for the annual review required by paragraph (3), in consultation with the Administrator of the Office of Electronic Government.
    • (5)
      • (A) The Administrator of the Office of Electronic Government shall submit a quarterly report on the cost savings and reductions in duplicative information technology investments identified through the review required by paragraph (3) to—
        • (i) the Committee on Homeland Security and Governmental Affairs and the Committee on Appropriations of the Senate;
        • (ii) the Committee on Oversight and Government Reform and the Committee on Appropriations of the House of Representatives; and
        • (iii) upon a request by any committee of Congress, to that committee.
      • (B) The reports required under subparagraph (A) may be included as part of another report submitted to the committees of Congress described in clauses (i), (ii), and (iii) of subparagraph (A).

§ 11331. Responsibilities for Federal information systems standards

  • (a) In this section, the term “information security” has the meaning given that term in section 3532(b)(1)[1] of title 44. ([1] See References in Text note below.)
  • (b)
    • (1)
      • (A) Except as provided under paragraph (2), the Director of the Office of Management and Budget shall, on the basis of proposed standards developed by the National Institute of Standards and Technology pursuant to paragraphs (2) and (3) of section 20(a) of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3(a)) and in consultation with the Secretary of Homeland Security, promulgate information security standards pertaining to Federal information systems.
      • (B) Standards promulgated under subparagraph (A) shall include—
        • (i) standards that provide minimum information security requirements as determined under section 20(b) of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3(b)); and
        • (ii) such standards that are otherwise necessary to improve the efficiency of operation or security of Federal information systems.
      • (C) Information security standards described under subparagraph (B) shall be compulsory and binding.
    • (2) Standards and guidelines for national security systems, as defined under section 3532(3)[1] of title 44, shall be developed, promulgated, enforced, and overseen as otherwise authorized by law and as directed by the President.
  • (c) The head of an agency may employ standards for the cost-effective information security for all operations and assets within or under the supervision of that agency that are more stringent than the standards promulgated by the Director under this section, if such standards—
    • (1) contain, at a minimum, the provisions of those applicable standards made compulsory and binding by the Director; and
    • (2) are otherwise consistent with policies and guidelines issued under section 3533[1] of title 44.
  • (d)
    • (1) The decision regarding the promulgation of any standard by the Director under subsection (b) shall occur not later than 6 months after the submission of the proposed standard to the Director by the National Institute of Standards and Technology, as provided under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3).
    • (2) A decision by the Director to significantly modify, or not promulgate, a proposed standard submitted to the Director by the National Institute of Standards and Technology, as provided under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3), shall be made after the public is given an opportunity to comment on the Director’s proposed decision.