DAR File No. 39026

Technology Services, Administration

Rule R895-6

IT Plan Submission Rule for Agencies

Notice of Proposed Rule

(Amendment)

DAR File No.: 39026
Filed: 12/23/2014 01:48:38 PM

RULE ANALYSIS

Purpose of the rule or reason for the change:

State agencies are required by statute to submit information technology (IT) plans for review and approval by the Chief Information Officer (CIO). This rule provides the format and content requirements for IT plan submission. The reason for the change is to clarify the updated process for agencies to provide IT plan submission.

Summary of the rule or change:

State agencies are required by statute to submit IT plans for review and approval by the Chief Information Officer (CIO). This rule provides the format and content requirements for IT plan submission. The reason for the change is to clarify the updated process for agencies to provide IT plan submission.

State statutory or constitutional authorization for this rule:

• Section 63F-1-206
• Section 63F-1-204

Anticipated cost or savings to:

the state budget:

There is no aggregate anticipated cost or savings to state budget. The changes to the rule are simplifying the process for state agencies only.

local governments:

There is no aggregate anticipated cost or savings to local government. The changes to the rule are simplifying the process for state agencies only, and do not affect local government.

small businesses:

There is no aggregate anticipated cost or savings to small businesses. The changes to the rule are simplifying the process for state agencies only, and do not affect small businesses.

persons other than small businesses, businesses, or local governmental entities:

There is no aggregate anticipated cost or savings to persons other than small businesses, businesses, or local government entities. The changes to the rule are simplifying the process for state agencies only, and do not affect other persons.

Compliance costs for affected persons:

There are no compliance costs for affected persons. The changes to the rule are simplifying the process for state agencies only.

Comments by the department head on the fiscal impact the rule may have on businesses:

The rule causes no fiscal impact to businesses. The changes to the rule are simplifying the process for state agencies only.

Mark VanOrden, CIO

The full text of this rule may be inspected, during regular business hours, at the Division of Administrative Rules, or at:

Technology Services
Administration
Room 6000 STATE OFFICE BUILDING
450 N STATE ST
SALT LAKE CITY, UT 84114

Direct questions regarding this rule to:

• Stephanie Weiss at the above address, by phone at 801-538-3284, by FAX at 801-538-3622, or by Internet E-mail at stweiss@utah.gov

Interested persons may present their views on this rule by submitting written comments to the address above no later than 5:00 p.m. on:

02/17/2015

This rule may become effective on:

02/24/2015

Authorized by:

Mark VanOrden, Executive Director and CIO

R895. Technology Services, Administration.

R895-6. IT Plan Submission Rule for Agencies.

R895-6-1. Purpose.

State agencies are required by statute to submit IT plans for review and approval by the Chief Information Officer (CIO) office. This rule provides the format and content requirements for IT Plan submission.

 

R895-6-2. Authority.

This rule is issued by the Chief Information Officer under the authority of Section 63F-1-206 of the Technology Governance Act, in accordance with Section 63G-3-201 of the Utah Rulemaking Act, Utah Code Annotated, and section 63F-1-204 of the Utah code, Agency Information Technology Plans.

 

R895-6-3. Scope of Application.

All state agencies of the executive branch of the State of Utah government shall comply with this rule, which provides a consistent technology planning method for the State of Utah.

 

[R895-6-4. Definitions.

(1) "Project" Investment in development of a new application/system or to upgrade or enhance an existing information system.

(2) Plan Timeframe: One fiscal year into the future.

(3) Severity level: Severity level is rated on four categories: impact on citizens, visibility to the public and Legislature, impact on state operations, and the consequences of doing nothing. The severity rating reflects the impact on external stakeholders.

(4) Risk level: The risk criteria measure the impact of the project on the organization, the effort needed to complete the project, the stability of the proposed technology, and the agency preparedness. The risk rating reflects the impact on the internal stakeholders.

 

]R895-6-[5]4. Compliance and Responsibilities.

The following are the compliance issues and the responsibilities for state agencies:

(1) Any state executive branch agency that develops, hosts, or funds information technology projects or infrastructure shall submit a plan following the format outlined in R895-6-[6]5 below.

(2) The CIO office shall provide education and instruction to the agencies to enable consistent response.

(3) Finalized and approved Agency IT Plans shall be delivered to the CIO office, in electronic format, by July 1 of each year.

(4) Agency IT Plans shall use document formatting methods as defined in CIO instruction.

(5) Agency IT Plans at a division level, shall be combined for submission to the CIO office at the Agency/Department level.

(6) Amendments to the IT Plan shall be submitted throughout the fiscal year for any [significant ]change in a project, any new project, or any removal of a project.[or if an IT supplemental appropriation is requested during the budget process.]

 

R895-6-[6]5. Agency IT Plan Format.

The following is the IT plan format:

(1) SUBMIT AN EXECUTIVE SUMMARY.

(a) [Department/Agency Mission Statement.]The information technology objectives of the Agency.

(b) [Department/Agency Business Objectives that have IT projects supporting them.]Any performance measures used by the Agency for implementing the Agency's technology objectives.

(c) [Statement of IT Vision/Mission.]Any planned expenditure related to information technology.

(d) [Description of accomplishments of past calendar year.]The agency need for appropriations for information technology.

(e) [IT Budget Summary for Department/Agency.]How the agency's development of information technology coordinates with other state and local governmental entities.

(f) [Verification of compliance procedures for information technology policies, administrative rules, and statutes.]Any efforts the agency has taken to develop public and private partnerships to accomplish information technology objectives of the agency.

(g) [Describe performance measures used by the agency for implementing the agency's information technology objectives.]The efforts the agency has taken to conduct transactions electronically in compliance with Utah Code Section 46-4-503.

(h) The agency's plan for the timing and method of verifying the department's security standards, if an agency intends to verify the department's security standards for the data that the agency maintains or transmits through the department's servers.

(2) IT PLAN DETAILS.

(a) Complete a project description for each information technology project, utilizing the document formatting methods as defined by CIO instruction.[Security Plan Documentation.

(b) Disaster Recovery/Business Resumption Plan Documentation.

(c) If a supplemental IT appropriation is anticipated, describe.

(d) Describe anticipated changes in objectives, projects or initiatives.

(e) If a building block request for an IT appropriation is anticipated, describe.

(3) PROPOSED PROJECT DESCRIPTION

Complete a project description for each IT project including the following information:

(a) Project organizational impact:

(i) Division (or other dept. sub-unit) project; identify:

(ii) Department project.

(iii) Cross-department project.

(b) Project Name.

(c) Project Manager.

(d) Project Purpose (check all that apply):

(i) Maintain/enhance existing infrastructure.

(ii) New infrastructure.

(iii) Maintain/enhance existing application/product.

(iv) Develop new application/product.

(v) Support of UCA 46-4-503.

(vi) Pilot project.

(vii) Implement/enhance GIS.

(viii) Collaboration with local government.

(ix) Public/private partnership.

(x) Other, please specify.

(4) DOCUMENT SUPPORT OF EXECUTIVE BRANCH STRATEGIC GOALS.

(5) DESCRIBE PROPOSED PROJECT AND ITS ANTICIPATED BENEFITS.

(6) IDENTIFY THE IMPACT ON DTS SERVICES THAT MAY RESULT WITH THE DEVELOPMENT OF THIS PROJECT.

(7) LIST ESTIMATED START AND END DATE FOR PROJECT.

(8) ESTIMATE PROJECT COSTS INCLUDING LABOR, HARDWARE, SOFTWARE, CONTRACT SERVICES AND OTHER.

(9) ESTIMATE ANNUAL OPERATION/MAINTENANCE COSTS.

(10) DESCRIBE RISK LEVEL OF PROJECT FOLLOWING CIO INSTRUCTION FOR FORMAT.

(11) DESCRIBE SEVERITY LEVEL OF PROJECT FOLLOWING CIO INSTRUCTION FOR FORMAT.

(12) DESCRIPTION OF IT ALIGNMENT WITH BUSINESS OBJECTIVES.]

 

R895-6-[7]6. Exceptions.

Any variance to format or content as established in this rule shall be approved by the CIO office.

 

R895-6-[8]7. Rule Compliance Management.

The CIO may enforce this rule by non-approval of the IT Plan as defined in Utah Code, Section 63F-1-204.

 

KEY: IT planning

Date of Enactment or Last Substantive Amendment: [September 16, 2009]2015

Notice of Continuation: March 27, 2014

Authorizing, and Implemented or Interpreted Law: 63F-1-206; 63F-1-204; 63G-3-201