[Federal Register Volume 73, Number 106 (Monday, June 2, 2008)]
[Notices]
[Pages 31486-31487]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E8-12025]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary


Office of Resources and Technology; Statement of Organization, 
Functions and Delegations of Authority

    Part A, Office of the Secretary, Statement of Organization, 
Functions and Delegations of Authority for the Department of Health and 
Human Services (HHS) is being amended at Chapter AM, Office of 
Resources and Technology, as last amended at 72 FR 2282-88 on January 
18, 2007, and more recently at 72 FR 56074, on October 2, 2007. This 
reorganization is to establish within the Office of the Chief 
Information Officer (AMM), a new Office of Information Technology 
Security (AMM6). The changes are as follows:
    I. Under Chapter AM, Section AMM. 10 Organization, delete in its 
entirety and replace with the following:
    AMM.10 Organization. The Office of the Chief Information Officer 
(OCIO) is headed by the Deputy Assistant Secretary for Information 
Technology/HHS Chief Information Officer (CIO), who reports to the 
Secretary and the Assistant Secretary for Resources and Technology 
(ASRT). The HHS CIO serves as the primary IT leader for the Department, 
and the OCIO consists of the following:
    [cir] Immediate Office (AMM).
    [cir] Office of Resources Management (AMM2).
    [cir] Office of Enterprise Architecture (AMM4).
    [cir] Office of Enterprise Project Management (AMM5).
    [cir] Office of Information Technology Security (AMM6).
    II. Under AM, Section AMM.20 Functions, make the following changes:
    A. Under Paragraph 3, ``Office of Enterprise Architecture (AMM4),'' 
delete in its entirety and replace with the following:
    3. Office of Enterprise Architecture (AMM4): The Office of 
Enterprise Architecture (OEA) is headed by the Director, Office of 
Enterprise Architecture who is also the HHS Chief Enterprise Architect 
and supports all planning and enterprise programs that fall under the 
OCIO.
    The OEA is responsible for:
    a. Working with OPDIV Chief Information Officers (CIOs) to support 
Government-wide initiatives of the Federal CIO Council and to identify 
opportunities for participation and consultation in information 
technology projects with major effects on OPDIV program performance.
    b. Providing leadership in the planning, design, and evaluation of 
major Departmental projects and oversight throughout project rollout 
and perform post implementation performance assessments.
    c. Assessing risks that major information systems pose to 
performance of program operations and administrative business 
throughout the Department, develops risk assessment policies and 
standard operating procedures and tools, and uses program outcome 
measures to gauge the quality of Departmental information resources 
management.

[[Page 31487]]

    d. Coordinating the Department's strategic planning, capital 
planning and investment control (CPIC), budgeting and performance 
management processes for information technology, and provides direct 
planning development and support to assure that IRM plans support 
agency business planning and mission accomplishment.
    e. Coordinating the activities of the Departmental Information 
Technology Investment Review Board (ITIRB) in assessing and 
prioritizing the Department's major information systems, and in 
analyzing and evaluating IT investment decisions. Reviews OPDJV ITIRB 
implementations, IT capital funding decisions, and use of performance 
metrics to evaluate programs for both initial and continued funding.
    f. Coordinating and supporting the Department's Chief Information 
Officer's Council, whose membership consists of the Chief Information 
Officers from each OPDIV.
    g. Representing the Department through participation on interagency 
and Departmental work groups and task forces, as appropriate.
    h. Working with OPDIV Chief Information Officers to identify 
opportunities for administering information management functions and 
telecommunications initiatives with major effects on OPDIV performance. 
OEA provides leadership primarily in defining alternatives for 
acquisition of telecommunications services and coordinating 
implementation of information management initiatives in conjunction 
with the Director of the Office of Enterprise Project Management and 
the HFJS Chief Enterprise Architect.
    i. Providing support for special priority initiatives identified by 
the CIO.
    B. Add the following new paragraph at the end of Section AMM.20 
Functions, ``Office of the Chief Information Officer (AMM6).''
    5. Office of Information Technology Security (AMM6). The Office of 
Information Technology Security (OITS) is headed by the Director, 
(OITS), who is also HHS Chief Information Security Officer (CISO), 
which manages HHS Security Program. The Office provides management 
leadership in IT security policy and guidance, expert advice and 
collaboration among the Operating Divisions (OPDIVs) and the Staff 
Divisions (STAFFDIVs) in developing, promoting and maintaining IT 
security measures to adequately and cost effectively protect and ensure 
the confidentiality, integrity and timely availability of all data and 
information in the custody of the Department as well as of the 
information systems required to meet the Department's current and 
future business needs. OJTS is responsible for:
    a. Developing, implementing and administering the program to 
protect the information resources of the Department. This includes 
management and oversight of activities under the Federal Information 
Security Management Act (FISMA), IT critical infrastructure protection 
(CIP), and Department-wide security contracts and high level project 
management of OPDIV security programs, such as corrective action plans 
and security policies.
    b. Implementing and administering the HHS security program to 
protect the information resources of the Department in compliance with 
legislation, Executive Orders, directives of the Office of Management 
and Budget (OMB), or other mandated requirements (e.g., the Clinger 
Cohen Act, Presidential Decision Directive 63, and OMB Circular A-130), 
the National Security Agency, and other Federal agencies.
    c. Directing the development of and implementing cyber security 
policies and guidance for the Department, including requirements for 
employees and contractors who are responsible for systems of data, or 
for the acquisition, management, or use of information resources.
    d. Monitoring information system security program activities in the 
Department by reviewing OPDIVs and STAFFDFVs security plans for 
sensitive systems, recommending improvements, and evaluating safeguards 
to protect major information systems, or IT infrastructure.
    e. Responding to requests in conjunction with 0MB Circular A-130, 
the Computer Security Act of 1987, and Presidential Decision Directive 
63, or other legislative or mandated requirements related to IT 
security or privacy.
    f. Monitoring all Departmental systems development and operations 
for security and privacy compliance and providing advice and guidance 
to ensure compliance standards are included throughout system life 
cycle development.
    g. Reviewing Departmental ITIRB and ClO Council business cases (as 
well as 0MB circular A-11 requirements) for assurance of security and 
privacy compliance.
    h. Recommending to the ClO to grant or deny programs the authority 
to operate information systems, based on security compliance.
    i. Establishing and leading Department-wide teams to conduct 
reviews to protect HHS cyber and personnel security programs and 
conduct vulnerability assessments of HHS critical assets. This includes 
regular certification of existing systems as well as newly implemented 
systems. The OITS activities involving personnel and cyber security are 
coordinated and synchronized with the Office of Security and Strategic 
Information.
    j. Reviewing the Department's information resources for fraud, 
waste, and abuse to avoid having redundant resources, in conformance 
with the Clinger-Cohen Act.
    k. Developing, implementing, and evaluating employee cyber security 
awareness and training program to meet the requirements as mandated by 
0MB Circular A-130 and the Computer Security Act.
    l. Establishing and providing leadership to the Subcommittee of the 
HHS ClO Council on Security.
    m. Establishing and leading the HHS Computer Security Incident 
Response Capability team, the Department's overall cyber security 
incident response/coordination center and primary point of contact for 
Federal Computer Incident Response Capability (FedCIRC) and National 
Infrastructure Protection Center (NIPC).
    IV. Continuation of Policy: Except as inconsistent with this 
reorganization, all statements of policy and interpretations with 
respect to the Office of Infonnation and Resources Management 
heretofore issued and in effect prior to this reorganization are 
continued in full force and effect with respect to the Office of the 
Chief Information Officer.
    V. Delegation of Authority: All delegations and redelegations of 
authority previously made to officials and employees of the Office of 
the Chief Information Officer will continue in them or their successors 
pending further redelegation, provided they are consistent with this 
reorganization.
    VI. Funds, Personnel, and Equipment: Transfer of organizations and 
functions affected by this reorganization shall he accompanied by 
direct and support funds, positions, personnel, records, equipment, 
supplies, and other sources.

    Dated: May 19, 2008.
Joe W. Ellis,
Assistant Secretary for Administration and Management.
 [FR Doc. E8-12025 Filed 5-30-08; 8:45 am]
BILLING CODE 4150-22-M