TITLE 40 - US CODE - CHAPTER 113 - RESPONSIBILITY FOR ACQUISITIONS OF INFORMATION TECHNOLOGY

TITLE 40 - US CODE - SUBCHAPTER I - DIRECTOR OF OFFICE OF MANAGEMENT AND BUDGET

40 USC 11301 - Responsibility of Director

In fulfilling the responsibility to administer the functions assigned under chapter 35 of title 44, the Director of the Office of Management and Budget shall comply with this chapter with respect to the specific matters covered by this chapter.

40 USC 11302 - Capital planning and investment control

(a) Federal Information Technology.— 
The Director of the Office of Management and Budget shall perform the responsibilities set forth in this section in fulfilling the responsibilities under section 3504 (h) of title 44.
(b) Use of Information Technology in Federal Programs.— 
The Director shall promote and improve the acquisition, use, security, and disposal of information technology by the Federal Government to improve the productivity, efficiency, and effectiveness of federal programs, including through dissemination of public information and the reduction of information collection burdens on the public.
(c) Use of Budget Process.— 

(1) Analyzing, tracking, and evaluating capital investments.— 
As part of the budget process, the Director shall develop a process for analyzing, tracking, and evaluating the risks, including information security risks, and results of all major capital investments made by an executive agency for information systems. The process shall cover the life of each system and shall include explicit criteria for analyzing the projected and actual costs, benefits, and risks, including information security risks, associated with the investments.
(2) Report to congress.— 
At the same time that the President submits the budget for a fiscal year to Congress under section 1105 (a) of title 31, the Director shall submit to Congress a report on the net program performance benefits achieved as a result of major capital investments made by executive agencies for information systems and how the benefits relate to the accomplishment of the goals of the executive agencies.
(d) Information Technology Standards.— 
The Director shall oversee the development and implementation of standards and guidelines pertaining to federal computer systems by the Secretary of Commerce through the National Institute of Standards and Technology under section 11331 of this title and section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3).
(e) Designation of Executive Agents for Acquisitions.— 
The Director shall designate the head of one or more executive agencies, as the Director considers appropriate, as executive agent for Government-wide acquisitions of information technology.
(f) Use of Best Practices in Acquisitions.— 
The Director shall encourage the heads of the executive agencies to develop and use the best practices in the acquisition of information technology.
(g) Assessment of Other Models for Managing Information Technology.— 
On a continuing basis, the Director shall assess the experiences of executive agencies, state and local governments, international organizations, and the private sector in managing information technology.
(h) Comparison of Agency Uses of Information Technology.— 
The Director shall compare the performances of the executive agencies in using information technology and shall disseminate the comparisons to the heads of the executive agencies.
(i) Monitoring Training.— 
The Director shall monitor the development and implementation of training in information resources management for executive agency personnel.
(j) Informing Congress.— 
The Director shall keep Congress fully informed on the extent to which the executive agencies are improving the performance of agency programs and the accomplishment of the agency missions through the use of the best practices in information resources management.
(k) Coordination of Policy Development and Review.— 
The Director shall coordinate with the Office of Federal Procurement Policy the development and review by the Administrator of the Office of Information and Regulatory Affairs of policy associated with federal acquisition of information technology.

40 USC 11303 - Performance-based and results-based management

(a) In General.— 
The Director of the Office of Management and Budget shall encourage the use of performance-based and results-based management in fulfilling the responsibilities assigned under section 3504 (h) of title 44.
(b) Evaluation of Agency Programs and Investments.— 

(1) Requirement.— 
The Director shall evaluate the information resources management practices of the executive agencies with respect to the performance and results of the investments made by the executive agencies in information technology.
(2) Direction for executive agency action.— 
The Director shall issue to the head of each executive agency clear and concise direction that the head of each agency shall
(A) establish effective and efficient capital planning processes for selecting, managing, and evaluating the results of all of its major investments in information systems;
(B) determine, before making an investment in a new information system
(i) whether the function to be supported by the system should be performed by the private sector and, if so, whether any component of the executive agency performing that function should be converted from a governmental organization to a private sector organization; or
(ii) whether the function should be performed by the executive agency and, if so, whether the function should be performed by a private sector source under contract or by executive agency personnel;
(C) analyze the missions of the executive agency and, based on the analysis, revise the executive agency's mission-related processes and administrative processes, as appropriate, before making significant investments in information technology to be used in support of those missions; and
(D) ensure that the information security policies, procedures, and practices are adequate.
(3) Guidance for multiagency investments.— 
The direction issued under paragraph (2) shall include guidance for undertaking efficiently and effectively interagency and Federal Government-wide investments in information technology to improve the accomplishment of missions that are common to the executive agencies.
(4) Periodic reviews.— 
The Director shall implement through the budget process periodic reviews of selected information resources management activities of the executive agencies to ascertain the efficiency and effectiveness of information technology in improving the performance of the executive agency and the accomplishment of the missions of the executive agency.
(5) Enforcement of accountability.— 

(A) In general.— 
The Director may take any action that the Director considers appropriate, including an action involving the budgetary process or appropriations management process, to enforce accountability of the head of an executive agency for information resources management and for the investments made by the executive agency in information technology.
(B) Specific actions.— 
Actions taken by the Director may include
(i) recommending a reduction or an increase in the amount for information resources that the head of the executive agency proposes for the budget submitted to Congress under section 1105 (a) of title 31;
(ii) reducing or otherwise adjusting apportionments and reapportionments of appropriations for information resources;
(iii) using other administrative controls over appropriations to restrict the availability of amounts for information resources; and
(iv) designating for the executive agency an executive agent to contract with private sector sources for the performance of information resources management or the acquisition of information technology.

TITLE 40 - US CODE - SUBCHAPTER II - EXECUTIVE AGENCIES

40 USC 11311 - Responsibilities

In fulfilling the responsibilities assigned under chapter 35 of title 44, the head of each executive agency shall comply with this subchapter with respect to the specific matters covered by this subchapter.

40 USC 11312 - Capital planning and investment control

(a) Design of Process.— 
In fulfilling the responsibilities assigned under section 3506 (h) of title 44, the head of each executive agency shall design and implement in the executive agency a process for maximizing the value, and assessing and managing the risks, of the information technology acquisitions of the executive agency.
(b) Content of Process.— 
The process of an executive agency shall
(1) provide for the selection of investments in information technology (including information security needs) to be made by the executive agency, the management of those investments, and the evaluation of the results of those investments;
(2) be integrated with the processes for making budget, financial, and program management decisions in the executive agency;
(3) include minimum criteria to be applied in considering whether to undertake a particular investment in information systems, including criteria related to the quantitatively expressed projected net, risk-adjusted return on investment and specific quantitative and qualitative criteria for comparing and prioritizing alternative information systems investment projects;
(4) identify information systems investments that would result in shared benefits or costs for other federal agencies or state or local governments;
(5) identify quantifiable measurements for determining the net benefits and risks of a proposed investment; and
(6) provide the means for senior management personnel of the executive agency to obtain timely information regarding the progress of an investment in an information system, including a system of milestones for measuring progress, on an independently verifiable basis, in terms of cost, capability of the system to meet specified requirements, timeliness, and quality.

40 USC 11313 - Performance and results-based management

In fulfilling the responsibilities under section 3506 (h) of title 44, the head of an executive agency shall
(1) establish goals for improving the efficiency and effectiveness of agency operations and, as appropriate, the delivery of services to the public through the effective use of information technology;
(2) prepare an annual report, to be included in the executive agency's budget submission to Congress, on the progress in achieving the goals;
(3) ensure that performance measurements
(A) are prescribed for information technology used by, or to be acquired for, the executive agency; and
(B) measure how well the information technology supports programs of the executive agency;
(4) where comparable processes and organizations in the public or private sectors exist, quantitatively benchmark agency process performance against those processes in terms of cost, speed, productivity, and quality of outputs and outcomes;
(5) analyze the missions of the executive agency and, based on the analysis, revise the executive agency's mission-related processes and administrative processes as appropriate before making significant investments in information technology to be used in support of the performance of those missions; and
(6) ensure that the information security policies, procedures, and practices of the executive agency are adequate.

40 USC 11314 - Authority to acquire and manage information technology

(a) In General.— 
The authority of the head of an executive agency to acquire information technology includes
(1) acquiring information technology as authorized by law;
(2) making a contract that provides for multiagency acquisitions of information technology in accordance with guidance issued by the Director of the Office of Management and Budget; and
(3) if the Director finds that it would be advantageous for the Federal Government to do so, making a multiagency contract for procurement of commercial items of information technology that requires each executive agency covered by the contract, when procuring those items, to procure the items under that contract or to justify an alternative procurement of the items.
(b) FTS 2000 Program.— 
The Administrator of General Services shall continue to manage the FTS 2000 program, and to coordinate the follow-on to that program, for and with the advice of the heads of executive agencies.

40 USC 11315 - Agency Chief Information Officer

(a) Definition.— 
In this section, the term "information technology architecture", with respect to an executive agency, means an integrated framework for evolving or maintaining existing information technology and acquiring new information technology to achieve the agency's strategic goals and information resources management goals.
(b) General Responsibilities.— 
The Chief Information Officer of an executive agency is responsible for
(1) providing advice and other assistance to the head of the executive agency and other senior management personnel of the executive agency to ensure that information technology is acquired and information resources are managed for the executive agency in a manner that implements the policies and procedures of this subtitle, consistent with chapter 35 of title 44 and the priorities established by the head of the executive agency;
(2) developing, maintaining, and facilitating the implementation of a sound, secure, and integrated information technology architecture for the executive agency; and
(3) promoting the effective and efficient design and operation of all major information resources management processes for the executive agency, including improvements to work processes of the executive agency.
(c) Duties and Qualifications.— 
The Chief Information Officer of an agency listed in section 901 (b) of title 31
(1) has information resources management duties as that official's primary duty;
(2) monitors the performance of information technology programs of the agency, evaluates the performance of those programs on the basis of the applicable performance measurements, and advises the head of the agency regarding whether to continue, modify, or terminate a program or project; and
(3) annually, as part of the strategic planning and performance evaluation process required (subject to section 1117 of title 31) under section 306 of title 5 and sections 1105 (a)(28), 1115–1117, and 9703 (as added by section 5(a) of the Government Performance and Results Act of 1993 (Public Law 103–62, 107 Stat. 289)) of title 31
(A) assesses the requirements established for agency personnel regarding knowledge and skill in information resources management and the adequacy of those requirements for facilitating the achievement of the performance goals established for information resources management;
(B) assesses the extent to which the positions and personnel at the executive level of the agency and the positions and personnel at management level of the agency below the executive level meet those requirements;
(C) develops strategies and specific plans for hiring, training, and professional development to rectify any deficiency in meeting those requirements; and
(D) reports to the head of the agency on the progress made in improving information resources management capability.

40 USC 11316 - Accountability

The head of each executive agency, in consultation with the Chief Information Officer and the Chief Financial Officer of that executive agency (or, in the case of an executive agency without a chief financial officer, any comparable official), shall establish policies and procedures to ensure that
(1) the accounting, financial, asset management, and other information systems of the executive agency are designed, developed, maintained, and used effectively to provide financial or program performance data for financial statements of the executive agency;
(2) financial and related program performance data are provided on a reliable, consistent, and timely basis to executive agency financial management systems; and
(3) financial statements support
(A) assessments and revisions of mission-related processes and administrative processes of the executive agency; and
(B) measurement of the performance of investments made by the agency in information systems.

40 USC 11317 - Significant deviations

The head of each executive agency shall identify in the strategic information resources management plan required under section 3506 (b)(2) of title 44 any major information technology acquisition program, or any phase or increment of that program, that has significantly deviated from the cost, performance, or schedule goals established for the program.

40 USC 11318 - Interagency support

The head of an executive agency may use amounts available to the agency for oversight, acquisition, and procurement of information technology to support jointly with other executive agencies the activities of interagency groups that are established to advise the Director of the Office of Management and Budget in carrying out the Director's responsibilities under this chapter. The use of those amounts for that purpose is subject to requirements and limitations on uses and amounts that the Director may prescribe. The Director shall prescribe the requirements and limitations during the Director's review of the executive agency's proposed budget submitted to the Director by the head of the executive agency for purposes of section 1105 of title 31.

TITLE 40 - US CODE - SUBCHAPTER III - OTHER RESPONSIBILITIES

40 USC 11331 - Responsibilities for Federal information systems standards

(a) Definition.— 
In this section, the term "information security" has the meaning given that term in section 3532 (b)(1) of title 44.
(b) Requirement to Prescribe Standards.— 

(1) In general.— 

(A) Requirement.— 
Except as provided under paragraph (2), the Director of the Office of Management and Budget shall, on the basis of proposed standards developed by the National Institute of Standards and Technology pursuant to paragraphs (2) and (3) of section 20(a) of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3 (a)) and in consultation with the Secretary of Homeland Security, promulgate information security standards pertaining to Federal information systems.
(B) Required standards.— 
Standards promulgated under subparagraph (A) shall include
(i) standards that provide minimum information security requirements as determined under section 20(b) of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3 (b)); and
(ii) such standards that are otherwise necessary to improve the efficiency of operation or security of Federal information systems.
(C) Required standards binding.— 
Information security standards described under subparagraph (B) shall be compulsory and binding.
(2) Standards and guidelines for national security systems.— 
Standards and guidelines for national security systems, as defined under section 3532 (3) of title 44, shall be developed, promulgated, enforced, and overseen as otherwise authorized by law and as directed by the President.
(c) Application of More Stringent Standards.— 
The head of an agency may employ standards for the cost-effective information security for all operations and assets within or under the supervision of that agency that are more stringent than the standards promulgated by the Director under this section, if such standards
(1) contain, at a minimum, the provisions of those applicable standards made compulsory and binding by the Director; and
(2) are otherwise consistent with policies and guidelines issued under section 3533 of title 44.
(d) Requirements Regarding Decisions by Director.— 

(1) Deadline.— 
The decision regarding the promulgation of any standard by the Director under subsection (b) shall occur not later than 6 months after the submission of the proposed standard to the Director by the National Institute of Standards and Technology, as provided under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3).
(2) Notice and comment.— 
A decision by the Director to significantly modify, or not promulgate, a proposed standard submitted to the Director by the National Institute of Standards and Technology, as provided under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3), shall be made after the public is given an opportunity to comment on the Director's proposed decision.

40 USC 11332 - Repealed. Pub. L. 107–296, title X, § 1005(a)(1), Nov. 25, 2002, 116 Stat. 2272; Pub. L. 107–347, title III, § 305(a), Dec. 17, 2002, 116 Stat. 2960

Section, Pub. L. 107–217, Aug. 21, 2002, 116 Stat. 1244, related to Federal computer system security training and plan.