Project Initiation. ProPath. Office of Information and Technology

Project Initiation ProPath Office of Information and Technology

Table of Contents Project Initiation Process Maps... 1 Process: Project Initiation... 10 Project Initiation and Goals... 12... 12 Goals... 12 Project Initiation RACI Information... 13 Project Initiation Process... 25 Process Activity Name: PRI-1 Define Business Requirements... 25 Process Activity Name: PRI-1.1 Identify Needs and Capabilities... 25 Process Activity Name: PRI-1.2 Identify EA Content... 26 Process Activity Name: PRI-1.2-DEC01 Segment Level Content?... 27 Process Activity Name: PRI-1.3 Identify Segment Content... 28 Process Activity Name: PRI-1.4 Update Business Requirements with EA Traceability... 29 Process Activity Name: PRI-2 Create QUAD Chart... 30 Process Activity Name: PRI-3 Develop Initial Infrastructure Rough Order of Magnitude... 31 Process Activity Name: PRI-4 Create Project Charter... 32 Process Activity Name: PRI-5 Evaluate Enterprise Shared Services... 33 Process Activity Name: PRI-5.1 Submit IAM Service Request... 34 Process Activity Name: PRI-5.2 Receive IAM Service Request... 35 Process Activity Name: PRI-5.3 Determine Need for IAM Service Request... 36 Process Activity Name: PRI-5.3-DEC01 IAM Required?... 37 Process Activity Name: PRI-5.3-DEC02 Additional Services?... 37 Process Activity Name: PRI-5.4 Schedule IAM Service Request Review Meeting... 38 Process Activity Name: PRI-5.5 Review IAM Service Request Package... 39 Process Activity Name: PRI-5.5-DEC01 Concur?... 40 Process Activity Name: PRI-5.6 Schedule Governance Review Intake Team Meeting... 40 Process Activity Name: PRI-5.7 Obtain IAM MOU Signatures... 41 Process Activity Name: PRI-5.8 Review IAM Service Request... 42 Process Activity Name: PRI-5.8-DEC01 Approved?... 43 Process Activity Name: PRI-5.9 Assign IAM Team Members... 43 Process Activity Name: PRI-5.10 Create IAM Change Requests... 44 Process Activity Name: PRI-5.11 Notify IAM Project Manager Change Requests Created... 45 Project Initiation i

Process Activity Name: PRI-5.12 Notify Project Manager Service Request Approved... 46 Process Activity Name: PRI-5.13 Receive IAM Change Requests... 47 Process Activity Name: PRI-5.14 Receive IAM Service Request Decision... 48 Process Activity Name: PRI-5.15 Close IAM Service Request... 49 Process Activity Name: PRI-6 Register Project with Enterprise Systems Engineering... 50 Process Activity Name: PRI-6.1 Complete ESE Registration Form (Initial)... 50 Process Activity Name: PRI-6.2 Set Up ESE Process Initiation (PI) Meeting. 51 Process Activity Name: PRI-6.3 Conduct PI Meeting and Confirm Preliminary Requirements... 52 Process Activity Name: PRI-6.4 Update Work Breakdown Structure... 53 Process Activity Name: PRI-7 Establish and Resource Integrated Project Team... 54 Process Activity Name: PRI-7.1 Determine IPT Resource Requirements... 55 Process Activity Name: PRI-7.2 Submit HPS Intake Form... 56 Process Activity Name: PRI-7.2.1 Populate HPS Intake Form... 57 Process Activity Name: PRI-7.2.2 Determine Tier 2 IPT Member... 58 Process Activity Name: PRI-7.2.3 Create Intake Tracker Record... 58 Process Activity Name: PRI-7.2.4 Review Intake Form... 59 Process Activity Name: PRI-7.2.5 Create Intake Assessment Findings Report... 60 Process Activity Name: PRI-7.2.6 Update Intake Tracker... 61 Process Activity Name: PRI-7.2.7 Communicate Intake Assessment Findings Report... 62 Process Activity Name: PRI-7.2.8 Receive Intake Assessment Findings Report... 62 Process Activity Name: PRI-7.3 Submit Request for ISO Support... 63 Process Activity Name: PRI-7.3.1 Submit Request for ISO Support Form... 64 Process Activity Name: PRI-7.3.2 Perform Security Review... 65 Process Activity Name: PRI-7.3.3 Receive Security Review Findings... 66 Process Activity Name: PRI-7.4 Conduct Security Impact Analysis... 66 Process Activity Name: PRI-7.4.1 Initiate Security Impact Analysis... 67 Process Activity Name: PRI-7.4.1-DEC01 Health Product?... 68 Process Activity Name: PRI-7.4.2 Assign HCSR Resource... 69 Process Activity Name: PRI-7.4.3 Conduct Security Impact Analysis... 70 Process Activity Name: PRI-7.4.4 Communicate Security Impact Analysis.. 70 Process Activity Name: PRI-7.5 Submit Privacy Threshold Analysis... 71 Process Activity Name: PRI-7.5.1 Submit/Update Privacy Threshold Analysis Request... 72 Project Initiation ii

Process Activity Name: PRI-7.5.2 Review Privacy Threshold Analysis... 73 Process Activity Name: PRI-7.5.2-DEC01 Complete?... 74 Process Activity Name: PRI-7.5.3 Review Privacy Threshold Analysis Request... 75 Process Activity Name: PRI-7.5.3-DEC01 Approved?... 76 Process Activity Name: PRI-7.5.4 Accept Privacy Threshold Analysis... 77 Process Activity Name: PRI-7.5.4-DEC01 Accepted?... 78 Process Activity Name: PRI-7.5.5 Receive Completed Privacy Threshold Analysis... 78 Process Activity Name: PRI-7.6 Submit SDE PAO New Project Request Form... 79 Process Activity Name: PRI-7.7 Submit ASD IPT Support Request... 80 Process Activity Name: PRI-7.8 Submit Privacy Officer Support Request... 81 Process Activity Name: PRI-7.9 Receive Notifications of IPT Member Assignments... 82 Process Activity Name: PRI-7.10 Form Integrated Project Team... 83 Process Activity Name: PRI-PR1 Conduct Peer Review of the Business Requirements Document... 84 Process Activity Name: PRI-FR1 Conduct Formal Review of the Business Requirements Document... 85 Process Activity Name: PRI-FR1-DEC01 Requirements Sufficient?... 86 Process Activity Name: PRI-8 Elaborate Business Requirements... 87 Process Activity Name: PRI-9 Select Design Approach... 88 Process Activity Name: PRI-MS0 Conduct Milestone 0 Review... 89 Project Initiation iii

Project Initiation Process Maps Project Initiation Office of Responsibility home overview MS0 raci help PRI-9 Select Design Approach Project Manager PRI-5 Evaluate Enterprise Shared Services PRI-4 Create Project Charter PRI-6 Register Project with Enterprise Systems Engineering PRI-7 Establish and Resource Integrated Project Team F P Yes Requirements Sufficient? No PRI-3 Develop Initial Infrastructure Rough Order of Magnitude Business Analyst PRI-1 Define Business Requirements PRI-2 Create QUAD Chart PRI-8 Elaborate Business Requirements The links in this process map are inactive. Please scroll to view activity data. 1

Project Initiation: PRI-1 Define Business Requirements home proc ess overview raci help Segment Architect PRI-1.3 Identify Segment Content Yes EA Architect PRI-1.2 Identify EA Content Segment Level Content? No Business Analyst PRI-1.1 Identify Needs and Capabilities PRI-1.4 Update Business Requirements with EA Traceability The links in this process map are inactive. Please scroll to view activity data. 2

Project Initiation: PRI-5 Evaluate Enterprise Shared Services IAM Governance Review Intake Team No Yes Approved? PRI-5.8 Review IAM Service Request home process overview PRI-5.9 Assign IAM Team Members raci help IAM Governance Manager PRI-5.3 Determine Need for IAM Service Request PRI-5.2 Receive IAM Service Request PRI-5.4 Schedule IAM Service Request Review Meeting Yes IAM Required? No PRI-5.5 Review IAM Service Request Package Concur? No Yes PRI-5.7 Obtain IAM MOU Signatures PRI-5.6 Schedule Governance Review Intake Team Meeting PRI-5.11 Notify IAM Project Manager Change Requests Created PRI-5.10 Create IAM Change Requests PRI-5.12 Notify Project Manager Service Request Approved IAM Project Manager PRI-5.13 Receive IAM Change Requests Project Manager PRI-5.1 Submit IAM Service Request Additional Services? Yes No PRI-5.14 Receive IAM Service Request Decision To: RFSC Request for Service Consumption PRI-5.15 Close IAM Service Request From: RFSC Request for Service Consumption The links in this process map are inactive. Please scroll to view activity data. 3

Project Initiation: PRI-6.0 Register Project with Enterprise Systems Engineering home process overview raci help Project Manager PRI-6.1 Complete ESE Registration Form (Initial) PRI-6.4 Update Work Breakdown Structure ESE Release Readiness Officer PRI-6.2 Set Up ESE Process Initiation (PI) Meeting PRI-6.3 Conduct PI Meeting and Confirm Preliminary Requirements The links in this process map are inactive. Please scroll to view activity data. 4

Project Initiation: PRI-7 Establish and Resource Integrated Project Team home process overview raci help PRI-7.2 Submit HPS Intake Form PRI-7.6 Submit SDE PAO New Project Request Form Project Manager PRI-7.1 Determine IPT Resource Requirements PRI-7.3 Submit Request for ISO Support PRI-7.4 Conduct Security Impact Analysis PRI-7.7 Submit ASD IPT Support Request PRI-7.8 Submit Privacy Officer Support Request PRI-7.9 Receive Notifications of IPT Member Assignments PRI-7.10 Form Integrated Project Team PRI-7.5 Submit Privacy Threshold Analysis The links in this process map are inactive. Please scroll to view activity data. 5

Project Initiation: PRI-7.2 Submit HPS Intake Form home process back overview raci help Project Manager PRI-7.2.1 Populate HPS Intake Form PRI-7.2.8 Receive Intake Assessment Findings Report Tier 2 (T2) Helath Product Support Specialist PRI-7.2.2 Determine Tier 2 IPT Member Tier 3 (T3) Sustainment Manager PRI-7.2.3 Create Intake Tracker Record PRI-7.2.4 Review Intake Form PRI-7.2.5 Create Intake Assessment Findings Report PRI-7.2.6 Update Intake Tracker PRI-7.2.7 Communicate Intake Assessment Findings Report The links in this process map are inactive. Please scroll to view activity data. 6

Project Initiation: PRI-7.3 Submit Request for ISO Support home process back overview raci help Project Manager PRI-7.3.1 Submit Request for ISO Support Form PRI-7.3.3 Receive Security Review Findings Information Security Officer PRI-7.3.2 Perform Security Review The links in this process map are inactive. Please scroll to view activity data. 7

Project Initiation: PRI-7.4 Conduct Security Impact Analysis home process back overview raci help Project Manager PRI-7.4.1 Initiate Security Impact Analysis Health Product? Yes No PRI-7.4.3 Conduct Security Impact Analysis PRI-7.4.4 Communicate Security Impact Analysis Director Health Care Security Requirements PRI-7.4.2 Assign HCSR Resource The links in this process map are inactive. Please scroll to view activity data. 8

Project Initiation: PRI-7.5 Submit Privacy Threshold Analysis home process back overview raci help Privacy Services PRI-7.5.4 Accept Privacy Threshold Analysis Accepted? No Yes System Owner Yes Approved? No PRI-7.5.3 Review Privacy Threshold Analysis Request Privacy Officer PRI-7.5.2 Review Privacy Threshold Analysis Yes Complete? No Project Manager PRI-7.5.1 Submit/Update Privacy Threshold Analysis Request PRI-7.5.5 Receive Completed Privacy Threshold Analysis The links in this process map are inactive. Please scroll to view activity data. 9

Process: Project Initiation Overview: The process map for Project Initiation cycles through the following process and review activities: PRI-1 Define Business Requirements PRI-1.1 Identify Needs and Capabilities PRI-1.2 Identify EA Content PRI-1.2-DEC01 Segment Level Content? PRI-1.3 Identify Segment Content PRI-1.4 Update Business Requirements with EA Traceability PRI-2 Create QUAD Chart PRI-3 Develop Initial Infrastructure Rough Order of Magnitude PRI-4 Create Project Charter PRI-5 Evaluate Enterprise Shared Services PRI-5.1 Submit IAM Service Request PRI-5.2 Receive IAM Service Request PRI-5.3 Determine Need for IAM Service Request PRI-5.3-DEC01 IAM Required? PRI-5.3-DEC02 Additional Services? PRI-5.4 Schedule IAM Service Request Review Meeting PRI-5.5 Review IAM Service Request Package PRI-5.5-DEC01 Concur? PRI-5.6 Schedule Governance Review Intake Team Meeting PRI-5.7 Obtain IAM MOU Signatures PRI-5.8 Review IAM Service Request PRI-5.8-DEC01 Approved? PRI-5.9 Assign IAM Team Members PRI-5.10 Create IAM Change Requests PRI-5.11 Notify IAM Project Manager Change Requests Created PRI-5.12 Notify Project Manager Service Request Approved PRI-5.13 Receive IAM Change Requests PRI-5.14 Receive IAM Service Request Decision PRI-5.15 Close IAM Service Request PRI-6 Register Project with Enterprise Systems Engineering PRI-6.1 Complete ESE Registration Form (Initial) PRI-6.2 Set Up ESE Process Initiation (PI) Meeting PRI-6.3 Conduct PI Meeting and Confirm Preliminary Requirements PRI-6.4 Update Work Breakdown Structure PRI-7 Establish and Resource Integrated Project Team PRI-7.1 Determine IPT Resource Requirements PRI-7.2 Submit HPS Intake Form PRI-7.2.1 Populate HPS Intake Form PRI-7.2.2 Determine Tier 2 IPT Member PRI-7.2.3 Create Intake Tracker Record PRI-7.2.4 Review Intake Form PRI-7.2.5 Create Intake Assessment Findings Report Project Initiation 10

PRI-7.2.6 Update Intake Tracker PRI-7.2.7 Communicate Intake Assessment Findings Report PRI-7.2.8 Receive Intake Assessment Findings Report PRI-7.3 Submit Request for ISO Support PRI-7.3.1 Submit Request for ISO Support Form PRI-7.3.2 Perform Security Review PRI-7.3.3 Receive Security Review Findings PRI-7.4 Conduct Security Impact Analysis PRI-7.4.1 Initiate Security Impact Analysis PRI-7.4.1-DEC01 Health Product? PRI-7.4.2 Assign HCSR Resource PRI-7.4.3 Conduct Security Impact Analysis PRI-7.4.4 Communicate Security Impact Analysis PRI-7.5 Submit Privacy Threshold Analysis PRI-7.5.1 Submit/Update Privacy Threshold Analysis Request PRI-7.5.2 Review Privacy Threshold Analysis PRI-7.5.2-DEC01 Complete? PRI-7.5.3 Review Privacy Threshold Analysis Request PRI-7.5.3-DEC01 Approved? PRI-7.5.4 Accept Privacy Threshold Analysis PRI-7.5.4-DEC01 Accepted? PRI-7.5.5 Receive Completed Privacy Threshold Analysis PRI-7.6 Submit SDE PAO New Project Request Form PRI-7.7 Submit ASD IPT Support Request PRI-7.8 Submit Privacy Officer Support Request PRI-7.9 Receive Notifications of IPT Member Assignments PRI-7.10 Form Integrated Project Team PRI-PR1 Conduct Peer Review of the Business Requirements Document PRI-FR1 Conduct Formal Review of the Business Requirements Document PRI-FR1-DEC01 Requirements Sufficient? PRI-8 Elaborate Business Requirements PRI-9 Select Design Approach PRI-MS0 Conduct Milestone 0 Review Project Initiation 11

Project Initiation and Goals Project Initiation is the process by which a project transitions from the Project Management Accountability System (PMAS) state of "New Start" into the state of "Planning". A project New Start state is a candidate for Planning once the project has been added to the Business Operating Plan and the Enterprise Project Structure identifies the funds released by the Information Technology Resource Management (ITRM). Projects require a Milestone 0 review to establish if in full compliance before transitioning to Planning. The Project Manager is responsible for establishing the Milestone 0 review through the applicable Office Of Responsibility. Goals The Goals of Project Initiation are as follows: - To determine if the business requirements are sufficient - To determine if the service level requirements are sufficient - To create a high level spend plan - To identify the project team - To ensure privacy requirements are determined - To ensure identity and access management requirements are determined - To ensure security and if needed, Compliance, Advising and Security Engineering (CASE) management requirements are determined - To identify the integrated project team - To ensure design pattern guidance is reviewed for the project's development activity types when determining the overall design approach - To determine if the project is ready for the planning state Project Initiation 12

Project Initiation RACI Information The following describes the RACI information for this process: PRI-1.1 Identify Needs and Capabilities : Business Analyst Accountable Role: Business Unit Lead Consulted Role: Business Analyst, Stakeholder(s), System Owner PRI-1.2 Identify EA Content : Enterprise Architect Accountable Role: Business Unit Lead PRI-1.2-DEC01 Segment Level Content? : Enterprise Architect Accountable Role: PRI-1.3 Identify Segment Content : Segment Architect Accountable Role: Business Unit Lead Informed Role: Stakeholder(s) PRI-1.4 Update Business Requirements with EA Traceability : Business Analyst Accountable Role: Business Unit Lead Informed Role: Stakeholder(s) PRI-2 Create QUAD Chart : Business Analyst Project Initiation 13

Accountable Role: Business Unit Lead Consulted Role: Office of Responsibility Informed Role: Stakeholder(s) PRI-3 Develop Initial Infrastructure Rough Order of Magnitude : Project Manager Accountable Role: Program Manager Consulted Role: Enterprise Operations Storage Management Informed Role: Stakeholder(s) PRI-4 Create Project Charter : Project Manager Accountable Role: Program Manager Consulted Role: Business Sponsor, Integrated Project Team Member, Program Manager Informed Role: Stakeholder(s) PRI-5.1 Submit IAM Service Request : Project Manager Accountable Role: Program Manager PRI-5.2 Receive IAM Service Request : Identity and Access Management Governance Manager Accountable Role: Identity and Access Management Governance Review Intake Team PRI-5.3 Determine Need for IAM Service Request : Identity and Access Management Governance Manager Accountable Role: Identity and Access Management Governance Review Intake Team Informed Role: Project Manager Project Initiation 14

PRI-5.3-DEC01 IAM Required? : Identity and Access Management Governance Manager Accountable Role: PRI-5.3-DEC02 Additional Services? : Project Manager Accountable Role: PRI-5.4 Schedule IAM Service Request Review Meeting : Identity and Access Management Governance Manager Accountable Role: Identity and Access Management Governance Review Intake Team Consulted Role: Project Team PRI-5.5 Review IAM Service Request Package : Identity and Access Management Governance Manager Accountable Role: Identity and Access Management Governance Review Intake Team Consulted Role: Project Team PRI-5.5-DEC01 Concur? : Project Manager Accountable Role: PRI-5.6 Schedule Governance Review Intake Team Meeting : Identity and Access Management Governance Manager Accountable Role: Identity and Access Management Governance Review Intake Team Consulted Role: Project Manager Informed Role: Business Sponsor Project Initiation 15

PRI-5.7 Obtain IAM MOU Signatures : Identity and Access Management Governance Manager Accountable Role: Identity and Access Management Governance Review Intake Team Consulted Role: Stakeholder(s) PRI-5.8 Review IAM Service Request : Identity and Access Management Governance Review Intake Team Accountable Role: Identity and Access Management Governance Review Intake Team Consulted Role: Business Sponsor, Governance Review Intake Team, Project Team PRI-5.8-DEC01 Approved? : Identity and Access Management Governance Review Intake Team Accountable Role: PRI-5.9 Assign IAM Team Members : Identity and Access Management Governance Review Intake Team Accountable Role: Office of Responsibility PRI-5.10 Create IAM Change Requests : Identity and Access Management Governance Manager Accountable Role: Identity and Access Management Governance Review Intake Team PRI-5.11 Notify IAM Project Manager Change Requests Created : Identity and Access Management Governance Manager Accountable Role: Identity and Access Management Governance Review Intake Team Informed Role: Identity and Access Management Project Manager PRI-5.12 Notify Project Manager Service Request Approved Project Initiation 16

: Identity and Access Management Governance Manager Accountable Role: Identity and Access Management Governance Review Intake Team Informed Role: Project Manager PRI-5.13 Receive IAM Change Requests : Identity and Access Management Project Manager Accountable Role: Identity and Access Management Governance Manager Informed Role: Governance Review Intake Team PRI-5.14 Receive IAM Service Request Decision : Project Manager Accountable Role: Program Manager Informed Role: Project Team, Stakeholder(s) PRI-5.15 Close IAM Service Request : Project Manager Accountable Role: Program Manager PRI-6.1 Complete ESE Registration Form (Initial) : Project Manager Accountable Role: Product Manager PRI-6.2 Set Up ESE Process Initiation (PI) Meeting : Enterprise Systems Engineering Release Officer Accountable Role: Deputy Director, Enterprise Systems Engineering Informed Role: Capacity and Performance Management Analyst, Enterprise Systems Engineering Capacity Planning and Engineering Operational Readiness Review Analyst, Health Product Support Release Coordinator, Enterprise Systems Engineering Test Analyst, Release Readiness Office POC, Service Delivery and Engineering Point of Contact, VHA Release Management Team Project Initiation 17

PRI-6.3 Conduct PI Meeting and Confirm Preliminary Requirements : Enterprise Systems Engineering Release Officer Accountable Role: Deputy Director, Enterprise Systems Engineering Consulted Role: Capacity and Performance Management Analyst, Enterprise Systems Engineering Capacity Planning and Engineering Operational Readiness Review Analyst, Health Product Support Release Coordinator, Release Readiness Office POC, Service Delivery and Engineering Point of Contact, 508 Reviewer, VHA Release Management Team PRI-6.4 Update Work Breakdown Structure : Project Manager Accountable Role: Program Manager Informed Role: Project Team PRI-7.1 Determine IPT Resource Requirements : Project Manager Accountable Role: Program Manager Informed Role: Stakeholder(s) PRI-7.2.1 Populate HPS Intake Form : Project Manager Accountable Role: Program Manager Informed Role: Health Product Support Release Coordinator PRI-7.2.2 Determine Tier 2 IPT Member : Tier 2 (T2) Health Product Support Specialist Accountable Role: Tier 2 (T2) Health Product Support Division Director Informed Role: Tier 2 (T2) Health Product Support Specialist Project Initiation 18

PRI-7.2.3 Create Intake Tracker Record : Tier 3 (T3) Sustainment Manager Accountable Role: Director, Health Product Support PRI-7.2.4 Review Intake Form : Tier 3 (T3) Sustainment Manager Accountable Role: Director, Health Product Support PRI-7.2.5 Create Intake Assessment Findings Report : Tier 3 (T3) Sustainment Manager Accountable Role: Director, Health Product Support PRI-7.2.6 Update Intake Tracker : Tier 3 (T3) Sustainment Manager Accountable Role: Director, Health Product Support PRI-7.2.7 Communicate Intake Assessment Findings Report : Tier 3 (T3) Sustainment Manager Accountable Role: Director, Health Product Support Informed Role: Project Manager PRI-7.2.8 Receive Intake Assessment Findings Report : Project Manager Accountable Role: Program Manager Informed Role: Business Sponsor, Integrated Project Team, Stakeholder(s) PRI-7.3.1 Submit Request for ISO Support Form : Project Manager Project Initiation 19

Accountable Role: Director, Software Development Informed Role: Information Security Officer PRI-7.3.2 Perform Security Review : Information Security Officer Accountable Role: Director, Office of Cyber Security Informed Role: Project Manager, Stakeholder(s) PRI-7.3.3 Receive Security Review Findings : Project Manager Accountable Role: Director, Software Development Informed Role: Integrated Project Team, Project Team, Stakeholder(s) PRI-7.4.1 Initiate Security Impact Analysis : Project Manager Accountable Role: Director, Software Development Consulted Role: Information Security Officer, Privacy Officer, Privacy Services Informed Role: Integrated Project Team PRI-7.4.1-DEC01 Health Product? : Project Manager Accountable Role: Director, Software Development PRI-7.4.2 Assign HCSR Resource : Director, Health Care Security Requirements Accountable Role: Project Manager Consulted Role: Information Security Officer, Privacy Officer Informed Role: Health Care Security Requirements (HCSR) Security Specialist, Integrated Project Team Project Initiation 20

PRI-7.4.3 Conduct Security Impact Analysis : Project Manager Accountable Role: Director, Office of Cyber Security Consulted Role: Health Care Security Requirements (HCSR) Security Specialist, Information Security Officer, Privacy Officer Informed Role: Integrated Project Team PRI-7.4.4 Communicate Security Impact Analysis : Project Manager Accountable Role: Director, Software Development Consulted Role: Integrated Project Team, Information Security Officer, Privacy Officer, Privacy Services Informed Role: Health Care Security Requirements (HCSR) Security Specialist, Stakeholder(s) PRI-7.5.1 Submit/Update Privacy Threshold Analysis Request : Project Manager Accountable Role: Director, Software Development Informed Role: Integrated Project Team, Privacy Officer, System Owner PRI-7.5.2 Review Privacy Threshold Analysis : Privacy Officer Accountable Role: Director, Office of Cyber Security PRI-7.5.2-DEC01 Complete? : Privacy Officer Accountable Role: Director, Office of Cyber Security PRI-7.5.3 Review Privacy Threshold Analysis Request Project Initiation 21

: System Owner Accountable Role: System Owner PRI-7.5.3-DEC01 Approved? : System Owner Accountable Role: Project Manager PRI-7.5.4 Accept Privacy Threshold Analysis : Privacy Services Accountable Role: Director, Office of Cyber Security PRI-7.5.4-DEC01 Accepted? : Privacy Services Accountable Role: Director, Office of Cyber Security PRI-7.5.5 Receive Completed Privacy Threshold Analysis : Project Manager Accountable Role: Director, Software Development PRI-7.6 Submit SDE PAO New Project Request Form : Project Manager Accountable Role: Program Manager PRI-7.7 Submit ASD IPT Support Request : Project Manager Accountable Role: Program Manager PRI-7.8 Submit Privacy Officer Support Request Project Initiation 22

: Project Manager Accountable Role: Program Manager Consulted Role: Administrations and Staff Offices Leadership Informed Role: Privacy Officer, Stakeholder(s) PRI-7.9 Receive Notifications of IPT Member Assignments : Project Manager Accountable Role: Program Manager Informed Role: Integrated Project Team, Stakeholder(s) PRI-7.10 Form Integrated Project Team : Project Manager Accountable Role: Program Manager Consulted Role: Integrated Project Team, Stakeholder(s) PRI-PR1 Conduct Peer Review of the Business Requirements Document : Project Manager Accountable Role: Program Manager Consulted Role: Integrated Project Team, Project Team PRI-FR1 Conduct Formal Review of the Business Requirements Document : Project Manager Accountable Role: Program Manager Consulted Role: Stakeholder(s) PRI-FR1-DEC01 Requirements Sufficient? : Project Manager Accountable Role: Program Manager Project Initiation 23

PRI-8 Elaborate Business Requirements : Business Analyst Accountable Role: Business Unit Lead PRI-9 Select Design Approach : Project Manager Accountable Role: Program Manager PRI-MS0 Conduct Milestone 0 Review : Office of Responsibility Accountable Role: Deputy Assistant Secretary/Deputy Chief Information Officer Consulted Role: 508 Reviewer, Office of Responsibility, Stakeholder(s) Project Initiation 24

Project Initiation Process Process Activity Name: PRI-1 Define Business Requirements Note: This activity is performed concurrently with: PRI-2 Create QUAD Chart PRI-3 Develop Initial Infrastructure Rough Order of Magnitude None PRI-4 Create Project Charter The sub-process map PRI-1 Define Business Requirements process cycles through the following dependent activities: PRI-1.1 Identify Needs and Capabilities PRI-1.2 Identify EA Content PRI-1.3 Identify Segment Content PRI-1.4 Update Business Requirements with EA Traceability Process Activity Name: PRI-1.1 Identify Needs and Capabilities None PRI-1.2 Identify EA Content The Business Analyst ensures the Business Requirements document (BRD) is created in draft form by the Enterprise Systems Manager, Office of Business Process Integration, or Corporate Business Analyst to capture and describe the business needs of the customer/business owner and identifies the needs and reviews the capabilities the stakeholders and the target users identify and why these needs exist, providing a focused overview of the requirements, constraints, and Information Technology options considered, including insight into the current state, current capabilities and proposed business area or process and identifies stakeholders and profiles primary and secondary user communities. The business analyst also specifically addresses requirements for identity and access service needs. Business Needs Documents New Service Request Project Initiation 25

Service Level Requirements Artifacts Created Business Flow Diagrams Business Requirements Document Business Analyst IBM Rational Requirements Composer IBM Rational RequisitePro VA EA Enterprise Technical Architecture (ETA) Compliance Criteria Requirement Level Guide VA Identify Management Policy (VAIQ 7011145) All community generated Open Source products (products developed by anyone outside the VA national development resources) that are identified as viable candidates to be used within VA must be reviewed by the business community to assure that stakeholders approve all of the functionality that is provided in any such product. For VHA, contact Health Systems staff to ensure the proper Program Offices are engaged. The project team may use either IBM Rational RequisitePro or IBM Rational Requirements Composer until IBM Rational RequisitePro is officially discontinued. Process Activity Name: PRI-1.2 Identify EA Content PRI-1.1 Identify Needs and Capabilities PRI-1.2-DEC01 Segment Level Content? The Enterprise Architect (EA) identifies EA content and determines if the business needs fall within the current Business Reference Model and Service Reference Model and if the capability to meet the needs currently exists. Business Requirements Document Project Initiation 26

Artifacts Created Updated Business Requirements Document Enterprise Architect Business Reference Model VA Systems Inventory Requirement Level Guide All community generated Open Source products (products developed by anyone outside the VA national development resources) that are identified as viable candidates to be used within VA must be reviewed by the business community to assure that stakeholders approve all of the functionality that is provided in any such product. For VHA, contact Health Systems staff to ensure the proper Program Offices are engaged. The Feedback section of the VA Systems Inventory can be used to provide update for existing system or Register new system. Process Activity Name: PRI-1.2-DEC01 Segment Level Content? PRI-1.2 Identify EA Content If Yes, PRI-1.3 Identify Segment Content If No, PRI-1.4 Update Business Requirements with EA Traceability Note: There is a decision dependency that determines the next activity: The EA Architect determines if there is segment level content. If Yes, the next activity is PRI-1.3 Identify Segment Content. If No, the next activity is Update Business Requirements with EA Traceability. Project Initiation 27

Enterprise Architect Process Activity Name: PRI-1.3 Identify Segment Content PRI-1.2-DEC01 Segment Level Content? is YES PRI-1.4 Update Business Requirements with EA Traceability The Segment Architect identifies and articulates the changes the business needs drive to the target business and information architectures by: - Analyzing the gap between current and proposed business information environments in the context of business needs, - Determining which elements within the current state business and information environment must change to meet desired improvements, - Describing required changes to the business and information environment and whether these changes are currently addressed with - planned initiatives or investments, - Ensuring that both functional and non-functional requirements are identified. As-is Business Function Model As-is Business Value Chain Diagrams As-is Key Business Process Models As-is Key Business Process Swim Lane Diagrams As-is Key Information Sources Qualitative Assessment Business Requirements Document Common/Mission Services Maturity Levels Existing documentation on current business and information environment (practices, rules, PAR, applicable PART) Segment Scope and Strategic Intent Artifacts Created Updated Business Requirements Document Segment Architect IBM Rational Requirements Composer Project Initiation 28

IBM Rational RequisitePro Requirement Level Guide All community generated Open Source products (products developed by anyone outside the VA national development resources) that are identified as viable candidates to be used within VA must be reviewed by the business community to assure that stakeholders approve all of the functionality that is provided in any such product. For VHA, contact Health Systems staff to ensure the proper Program Offices are engaged. The project team may use either IBM Rational RequisitePro or IBM Rational Requirements Composer until IBM Rational RequisitePro is officially discontinued. Process Activity Name: PRI-1.4 Update Business Requirements with EA Traceability PRI-1.3 Identify Segment Content Or PRI-1.2-DEC01 Segment Level Content? is NO PRI-4 Create Project Charter The Business Analyst updates the Business Requirements Document (BRD) providing documentation at a maturity level of 2 (at a minimum) sufficient to support subsequent IT Project Planning. Business Requirements Document Artifacts Created Updated Business Requirements Document Business Analyst IBM Rational Requirements Composer IBM Rational RequisitePro Project Initiation 29

Requirement Level Guide All community generated Open Source products (products developed by anyone outside the VA national development resources) that are identified as viable candidates to be used within VA must be reviewed by the business community to assure that stakeholders approve all of the functionality that is provided in any such product. For VHA, contact Health Systems staff to ensure the proper Program Offices are engaged. The project team may use either IBM Rational RequisitePro or IBM Rational Requirements Composer until IBM Rational RequisitePro is officially discontinued. Process Activity Name: PRI-2 Create QUAD Chart Note: This activity is performed concurrently with: PRI-1 Define Business Requirements PRI-3 Develop Initial Infrastructure Rough Order of Magnitude None PRI-4 Create Project Charter The Business Analyst is responsible for the creation of the QUAD Chart which is a formal document that summarizes the high level scope, deliverables, schedule, and planned budget for a set of business requirements. The Business Analyst collaborates with the Office of Responsibility and assigned support staff to create the QUAD Chart and to obtain the Enterprise Project Structure (EPS) Number for the project. The QUAD Chart is used as a communication tool across organizations and is designed to support the decision making and prioritization process. Business Requirements Document Office of Responsibility and Support Staff Designation Artifacts Created Quad Chart Business Analyst Project Initiation 30

PMAS Dashboard QUAD Information Change to Project Management Accountability System (PMAS) Guide V5.0 (VAIQ 7606746) Project Management Accountability System (PMAS) Guide Please email the VA OIT PD PPO IM mail group if you have specific questions or concerns. Please email the VA OIT PD PPO EPS mail group if you have specific questions or concerns about EPS numbers. The EPS number is located under the EPS tab on the PMAS Dashboard menu. Process Activity Name: PRI-3 Develop Initial Infrastructure Rough Order of Magnitude Note: This activity is performed concurrently with: PRI-1 Define Business Requirements PRI-2 Create Quad Chart None PRI-4 Create Project Charter The Project Manager develops an initial rough order or magnitude (ROM) infrastructure and sustainment cost estimate for budget request purposes using the Government-Hosted Cloud/Shared Infrastructure Estimating Tool. The ROM is used to create a high level spend plan. The ROM estimates are not binding. Precise infrastructure and sustainment cost information are formulated by Enterprise Operations when the requisite project artifacts are submitted and the Systems Engineering and Design Review (SEDR) is completed later in the system development life cycle. To request an architected solution, email a request to VAITSDEEOIntakeArchitecturalServicesAllStaff. Business Requirements Document (BRD) QUAD Chart Artifacts Created Corporate Data Center Operations (CDCO) Pricing Matrix, if used Infrastructure ROM Project Initiation 31

Updated Quad Chart Project Manager Government-Hosted Cloud/Shared Infrastructure Estimating Process Activity Name: PRI-4 Create Project Charter Note: The following activities are performed concurrently. PRI-1 Define Business Requirements PRI-2 Create QUAD Chart PRI-3 Develop Initial Infrastructure Rough Order of Magnitude PRI-5 Evaluate Enterprise Shared Services The Project Manager creates the Project Charter. If an existing Project Charter was created, it should be updated to include any revisions such as scope, etc. The revised Project Charter is signed by the Business Sponsor, Program Manager, Project Manager, and Integrated Project Team Chair. Business Requirements Document Artifacts Created Project Charter Project Manager Project Initiation 32

Communications Services Technical Services Project Repository (TSPR) Change to Project Management Accountability System (PMAS) Guide V5.0 (VAIQ 7606746) Project Management Accountability System (PMAS) Guide VA EA Enterprise Technical Architecture (ETA) Compliance Criteria For information on how to set up a project folder on the PMAS portal, the Project Manager contacts the Communications Representative. If the Communications Representative is not known, then the Project Manager contacts the OIT PD Communications Managers mail group for assistance or goes to the Communication Services web site to view the current list of representatives. The OneVA EA ETA Compliance Criteria document establishes minimum compliance criteria for a product or product release. Process Activity Name: PRI-5 Evaluate Enterprise Shared Services PRI-4 Create Project Charter PRI-6 Register Project with Enterprise Systems Engineering The sub-process PRI-4 Evaluate Enterprise Shared Services process cycles through the following dependent activities: PRI-5.1 Submit IAM Service Request PRI-5.2 Receive IAM Service Request PRI-5.3 Determine Need for IAM Service Request PRI-5.4 Schedule IAM Service Request Review Meeting PRI-5.5 Review IAM Service Request Package PRI-5.6 Schedule Governance Review Intake Meeting PRI-5.7 Obtain IAM MOU Signatures PRI-5.8 Review IAM Service Request PRI-5.9 Assign IAM Team Members Project Initiation 33

PRI-5.10 Create IAM Change Requests PRI-5.11 Notify IAM Project Manager Change Requests Created PRI-5.12 Notify Project Manager Service Request Approved PRI-5.13 Receive IAM Change Requests PRI-5.14 Receive IAM Service Request Decision PRI-5.15 Close IAM Service Request Process Activity Name: PRI-5.1 Submit IAM Service Request PRI-4 Create Project Charter PRI-5.2 Receive IAM Service Request The Project Manager submits the Identity and Access Management (IAM) Service Request following the guidance available in the IAM Service Request Submission User Guide. The IAM Service Request, the Business Requirements Document, and the Business Flow Diagrams are submitted together as the IAM Service Request Package. The Business Requirements Document and Business Flow Diagrams must accompany the submitted service request. Within the attached BRD, highlight the business requirements sections applicable to the IAM request, and note the sections in the IAM Service Request online tool. For requests linked to an existing BRD, ensure the functionality within the BRD describes: - As is state - To be state - Expected benefits Business Process Models Business Requirements Document IAM Service Request Package Artifacts Created IAM Service Request Updated IAM Service Request Package Project Manager Project Initiation 34

Identity and Access Management Central Home IAM Service Request Submission User Guide The IAM Service Request form identifies business needs and specific IAM services required. The IAM Service Request allows the IAM Service Request Team to review and track the request from submission through implementation. The requester only fills out Sections 1.0 and 2.1 of the IAM Service Request. Within the attached BRD, highlight the business requirements sections applicable to the IAM request and note that section in the Service Request online tool. The project manager can provide a link to the project's Technical Services Project Repository (TSPR) site. If you have any questions regarding the IAM Governance process or need assistance with completing the Service Request form, please contact IAM Governance at the IAM Service Request mail group. Process Activity Name: PRI-5.2 Receive IAM Service Request PRI-5.1 Submit IAM Service Request PRI-5.3 Determine Need for IAM Service Request The Identity and Access Management (IAM) Governance Manager receives the IAM Service Request and IAM Service Request Package and enters the IAM Service Request into the IAM Service Work Plan. IAM Service Request IAM Service Request Package Artifacts Created Updated IAM Service Work Plan Identity and Access Management Governance Manager Identity and Access Management Central Home IAM Service Request Submission User Guide Project Initiation 35

The IAM Governance Manager is the project manager's point of contact for the request for questions and status updates regarding the IAM Service Request. Process Activity Name: PRI-5.3 Determine Need for IAM Service Request PRI-5.2 Receive IAM Service Request OR PRI-5.8-DEC01 Approved? is NO PRI-5.3-DEC01 IAM Required? The Identity and Access Management (IAM) Governance Manager determines the need for an Identity and Access Management (IAM) Service Request. If a determination is made that submission of an IAM Service Request is not necessary, the Identity and Access Management (IAM) Governance Manager documents that decision with a memorandum for the record and notifies the Project Manager Business Flow Diagram Business Requirements Document Artifacts Created IAM Service Request Package Memorandum for the Record, if needed Updated Business Requirements Document (if needed) Identity and Access Management Governance Manager Identity and Access Management Central Home Identity and Access Management Services Master Glossary Technical Services Project Repository (TSPR) IAM Service Request Submission User Guide VA EA Enterprise Technical Architecture (ETA) Compliance Criteria Project Initiation 36

VA Identify Management Policy (VAIQ 7011145) The IAM Central Website provides guidance regarding business processes and the specific IAM services that enable project teams to satisfy the VA enterprise requirements. The requester is only required to fill out Sections 1.0 & 2.1 of the Service Request. If there are any questions regarding the IAM Governance process or assistance needed with completing the Service Request form and Service Request Package, please contact IAM Governance at the IAM Service Request mail group. Process Activity Name: PRI-5.3-DEC01 IAM Required? PRI-5.3 Determine Need for IAM Service Request If Yes, PRI-5.4 Schedule IAM Service Request Review Meeting If No, PRI-5.3-DEC02 Additional Services? Note: There is a Decision Activity that determines the next activity: If the Identity and Access Management Governance Manager determines IAM is required the next activity is PRI-5.4 Schedule IAM Service Request Review Meeting. If the Identity and Access Management Governance Manager determines IAM is not required the next activity is PRI-5.3-DEC02 Additional Services? Identity and Access Management Governance Manager Process Activity Name: PRI-5.3-DEC02 Additional Services? PRI-5.3 DEC01 IAM Required? is NO If Yes, there is a flow to the Request for Service Consumption Process. If No, PRI-6 Evaluate Enterprise Shared Services. Note: There is a decision dependency that determines the next activity to complete: Project Initiation 37

If the Enterprise Shared Services are required the next activity to complete is a flow to the Request for Service Consumption Process. If the Enterprise Shared Services not required the next activity to complete is PRI-6 Register Project with Enterprise Systems Engineering. Project Manager Process Activity Name: PRI-5.4 Schedule IAM Service Request Review Meeting PRI-5.3-DEC01 IAM Required? is YES PRI-5.5 Review IAM Service Request Package The Identity and Access Management (IAM) Governance Manager schedules a review of the IAM Service Request Package with the Project Manager to ensure all materials are complete and ready for continued submission to the IAM Governance Review Intake Team (GRIT). IAM Service Request IAM Service Request Package IAM Work Plan Artifacts Created Updated IAM Work Plan Identity and Access Management Governance Manager Identity and Access Management Central Home IAM Service Request Submission User Guide Project Initiation 38

Any questions regarding the IAM Governance process or assistance needed with completing the IAM Service Request form, please contact IAM Governance at the IAM Service Request mail group. Process Activity Name: PRI-5.5 Review IAM Service Request Package PRI-5.4 Schedule IAM Service Request Review Meeting PRI-5.5-DEC01 Concur? The Identity and Access Management (IAM) Governance Manager and Project Team representatives meet to review the IAM Service Request and IAM Service Request Package and ensure that IAM services are required and that all materials are ready for submission to the IAM Governance Review Intake Team (GRIT) for their review and approval. If the IAM Governance Manager concurs with the need for the IAM Service Request, the IAM Service Request Package is passed for scheduling to the IAM GRIT for review. If the IAM Governance Manager does not concur with the need for the IAM Service Request, the IAM Service Request is returned to the Project Manager with the Meeting Agenda and Minutes explaining the decision. IAM Service Request IAM Service Request Package IAM Work Plan Artifacts Created Artifact Review Agenda and Minutes Updated IAM Service Request Package Identity and Access Management Governance Manager Identity and Access Management Central Home Technical Services Project Repository (TSPR) IAM Service Request Submission User Guide Project Initiation 39

Process Activity Name: PRI-5.5-DEC01 Concur? PRI-5.5 Review IAM Service Request Package If Yes, PRI-5.6 Schedule Governance Review Intake Team Meeting If No, PRI-5.14 Receive IAM Service Request Decision Note: There is a decision dependency that determines the next activity to complete. If the IAM Governance Manager determines the need for an IAM Service Request the next activity to complete is PRI-4.6 Schedule Governance Review Intake Team Meeting. If the IAM Governance Manager determines there is no need for an IAM Service Request the next activity to complete is PRI-4.14 Receive IAM Service Request Decision. Project Manager Process Activity Name: PRI-5.6 Schedule Governance Review Intake Team Meeting PRI-5.5-DEC01 Concur? is YES PRI-5.7 Obtain IAM MOU Signatures The Identity and Access Management (IAM) Governance Manager, in conjunction with the Project Manager, schedules the IAM Governance Review Intake Team (GRIT) Meeting when the Business Sponsor, or designated representative, and the respective project team members can be available to discuss the content of the IAM Service Request and IAM Service Package. IAM Work Plan Project Initiation 40

Artifacts Created Updated IAM Work Plan Identity and Access Management Governance Manager Identity and Access Management Central Home The GRIT meets weekly. Any questions regarding the IAM Governance process please contact IAM Governance at the IAM Service Request mail group. Process Activity Name: PRI-5.7 Obtain IAM MOU Signatures PRI-5.6 Schedule Governance Review Intake Team Meeting PRI-5.8 Review IAM Service Request The Identity and Access (IAM) Governance Manager proceeds with preparing and obtaining necessary signatures on the Memorandum of Understanding defining the services and actions required of all parties. IAM Service Request IAM Service Request Package Artifacts Created IAM Memorandum of Understanding, signed Identity and Access Management Governance Manager Project Initiation 41

Identity and Access Management Central Home Technical Services Project Repository (TSPR) IAM Service Request Submission User Guide Process Activity Name: PRI-5.8 Review IAM Service Request PRI-5.7 Obtain IAM MOU Signatures PRI-5.8-DEC01 Approved? The IAM Governance Review Intake Team (GRIT) meets to review the IAM Service Request, IAM Service Request Package and Memorandum of Understanding. The entire requesting team (all POCs listed in the IAM Service Request POC listing) is required to attend the IAM GRIT meeting. The Business Sponsor or designated representative presents the business requirements and business flow diagrams from the IAM Service Request Package. The GRIT Team collectively determines to approve or disapprove IAM Service Request. If the IAM Service Request is disapproved, it is returned to the Project Manager with the Meeting Agenda and Minutes explaining the decision. If the IAM Service Request is approved, the IAM Governance Manager is notified to create and monitor the appropriate change requests. IAM Memorandum of Understanding, signed IAM Service Request IAM Service Request Package Artifacts Created Artifact Review Agenda and Minutes Identity and Access Management Governance Review Intake Team Identity and Access Management Central Home Technical Services Project Repository (TSPR) Project Initiation 42

Process Activity Name: PRI-5.8-DEC01 Approved? PRI-5.8 Review IAM Service Request If Yes, PRI-5.9 Assign IAM Team Members If No, PRI-5.3 Determine Need for IAM Service Request Note: There is a decision dependency that determines the next activity to complete: If the IAM Governance Review Intake Team approves the IAM Service Request the next activity to complete is PRI-4.9 Assign IAM Team Members. If the IAM Governance Review Intake Team does not approve the IAM Service Request the next activity to complete is PRI-4.3 Determine Need for IAM Service Request. Identity and Access Management Governance Review Intake Team Process Activity Name: PRI-5.9 Assign IAM Team Members PRI-5.8-DEC01 Approved? is YES PRI-5.10 Create IAM Change Requests The Identity and Access Management (IAM) Governance Intake Review Team (GRIT) assigns IAM Team Members to create the appropriate IAM Change Requests associated with the specifications contained in the approved IAM Service Request and IAM Service Request Package. Project Initiation 43

IAM Service Request IAM Service Request Package Meeting Agenda and Minutes Artifacts Created IAM Team Member Assignment Memorandum Identity and Access Management Governance Review Intake Team Identity and Access Management Central Home Technical Services Project Repository (TSPR) Process Activity Name: PRI-5.10 Create IAM Change Requests PRI-5.9 Assign IAM Team Members PRI-5.11 Notify IAM Project Manager Change Requests Created PRI-5.12 Notify Project Manager Service Request Approved The Identity and Access Management (IAM) Governance Manager creates the appropriate change requests associated with the specifications contained in the approved IAM Service Request and IAM Service Request Package. IAM Service Request IAM Service Request Package Project Initiation 44

Artifacts Created IAM Change Requests Identity and Access Management Governance Manager IBM Rational ClearQuest Identity and Access Management Central Home Process Activity Name: PRI-5.11 Notify IAM Project Manager Change Requests Created Note: This activity is performed concurrently with: PRI-5.12 Notify Project Manager Service Request Approved PRI-5.10 Create IAM Change Requests PRI-5.13 Receive IAM Change Requests The assigned Identity and Access Management (IAM) Governance Manager processes the change requests to effect assignment to the respective IAM Project Manager and creates the IAM Project Manager Assignment Memorandum designating which IAM Project Manager has been assigned responsibility for completion of the change request. IAM Change Requests IAM Service Request IAM Service Request Package Project Initiation 45

Artifacts Created IAM Project Manager Assignment Memorandum Updated IAM Change Requests Identity and Access Management Governance Manager IBM Rational ClearQuest Identity and Access Management Central Home Process Activity Name: PRI-5.12 Notify Project Manager Service Request Approved Note: This activity is performed concurrently with: PRI-5.11 Notify IAM Project Manager Change Requests Created PRI-5.10 Create IAM Change Requests PRI-5.13 Receive IAM Change Requests The Identity and Access Management (IAM) Governance Manager notifies the Project Manager that the IAM Service Request is officially approved and that the appropriate change requests have been created. IAM Change Requests IAM Service Request IAM Service Request Package Meeting Agenda and Minutes Project Initiation 46

Artifacts Created IAM Service Request (approved) Identity and Access Management Governance Manager IBM Rational ClearQuest Identity and Access Management Central Home Process Activity Name: PRI-5.13 Receive IAM Change Requests Note: The following process activities are performed concurrently: PRI-5.11 Notify IAM Project Manager Change Requests Created PRI-5.12 Notify Project Manager Service Request Approved PRI-5.3-DEC02 Additional Services? The Identity and Access Management (IAM) Project Manager receives the assigned change requests associated with the specifications contained in the approved IAM Service Request and IAM Service Request Package and notifies the Integration Team Members of the task assignment. IAM Change Request IAM Service Request IAM Service Request Package Artifacts Created Integration Team Member Assignment Memorandum Updated IAM Change Requests Project Initiation 47

Identity and Access Management Project Manager IBM Rational ClearQuest Identity and Access Management Central Home Process Activity Name: PRI-5.14 Receive IAM Service Request Decision PRI-5.5-DEC01 Concur? is NO PRI-5.15 Close IAM Service Request The Project Manager receives the disapproved Identity and Access Management (IAM) Service Request and Meeting Agenda and Minutes explaining the disapproval decision and updates the Project Management Accountability System (PMAS) Dashboard. IAM Service Request (disapproved) Meeting Agenda and Minutes Artifacts Created Updated PMAS Dashboard Project Manager Identity and Access Management Central Home PMAS Dashboard Project Initiation 48

Technical Services Project Repository (TSPR) The PMAS Dashboard landing page is open to all users in the VA network. For technical support regarding the PMAS Dashboard, select the link in the area titled "I m Looking for Site Help" and select the link "Submit Help Desk Support Ticket" Business Office. For general questions or inquiries regarding the PMAS Dashboard, submit an email to VA PMAS Business Office. The PMAS Dashboard is updated when reportable information or conditions change. Each project/increment is updated at least monthly until closed. Process Activity Name: PRI-5.15 Close IAM Service Request PRI-5.14 Receive IAM Service Request Decision PRI-6 Register Project with Enterprise Systems Engineering The Project Manager closes the Identity and Access Management (IAM) Service Request and files the IAM Service Request Package in the Technical Services Project Repository (TSPR) project file. IAM Service Request Package Meeting Agenda and Minutes Artifacts Created Updated PMAS Dashboard Updated Technical Services Project Repository (TSPR) project file Project Manager Identity and Access Management Central Home PMAS Dashboard Technical Services Project Repository (TSPR) Project Initiation 49

The PMAS Dashboard landing page is open to all users in the VA network. For technical support regarding the PMAS Dashboard, select the link in the area titled "I m Looking for Site Help" and select the link "Submit Help Desk Support Ticket" Business Office. For general questions or inquiries regarding the PMAS Dashboard, submit an email to VA PMAS Business Office. The PMAS Dashboard is updated when reportable information or conditions change. Each project/increment is updated at least monthly until closed. Process Activity Name: PRI-6 Register Project with Enterprise Systems Engineering PRI-5.15 Close IAM Service Request OR A flow from the Request for Service Consumption Process PRI-7 Establish and Resource Integrated Project Team The sub-process PRI-4 Evaluate Enterprise Shared Services process cycles through the following dependent activities: PRI-6.1 Complete ESE Registration Form (Initial) PRI-6.2 Set Up ESE Process Initiation Meeting PRI-6.3 Conduct PI Meeting and Confirm Preliminary Requirements PRI-6.4 Update Work Breakdown Structure Process Activity Name: PRI-6.1 Complete ESE Registration Form (Initial) PRI-5.15 Close IAM Service Request PRI-6.2 Set Up ESE Process Initiation Meeting The Project Manager completes the two Pre-Milestone 0 sections of the ESE Registration Form and saves the form. The two Pre-Milestone 0 sections are: Project Initiation 50

- General Information - System Characteristics (ASSESS/SEDR) Additional sections of the ESE Registration Form must be completed before Milestone 1. (See PRP-4.1) Those sections are: - System Characteristics (ASSESS/SEDR) - System Development & Implementation (TIA) - System Documentation (TIA) - ETS Workload Forecasting (TIA) Business Requirements Document Artifacts Created ESE Registration Form (Pre-Milestone 0 Sections) Project Manager ESE Registration Form Portal ESE Registration Form User Guide Systems Engineering and Design Review Process Process Activity Name: PRI-6.2 Set Up ESE Process Initiation (PI) Meeting PRI-6.1 Complete ESE Registration Form (Initial) PRI-6.3 Conduct PI Meeting and Confirm Preliminary Requirements Project Initiation 51

The ESE Release Readiness Officer schedules the ESE Process Initiation Meeting. The calendar invitation is sent to the PM and representatives from all ESE processes/entities involved in product release, as well as entities outside ESE. Attendees can include representatives from CPE, ETS, LRM, SEDR, EO, FO, VHA RMT, HPS, and others. ESE Registration Form Artifacts Created Calendar Invitation Enterprise Systems Engineering Release Officer Process Activity Name: PRI-6.3 Conduct PI Meeting and Confirm Preliminary Requirements PRI-6.2 Set Up ESE Process Initiation Meeting PRI-6.4 Update Work Breakdown Structure The ESE Release Readiness Officer conducts the ESE Process Initiation (PI) Meeting. Representatives from CPE, ETS, LRM, SEDR, EO, FO, VHA RMT, HPS, SQAS, and others identify POCs for each of their processes. The PM provides information about the product to be released. Following the meeting, the process POCs each provide the PM with a preliminary list of requirements for the Release. Project Initiation 52

ESE Registration Form Artifacts Created POC Requirements Summary Enterprise Systems Engineering Release Officer Enterprise Systems Engineering Project Team Drop Box ESE Registration Form Portal JAZZ Team Server Rational Tools Training Portal Process Activity Name: PRI-6.4 Update Work Breakdown Structure PRI-6.3 Conduct PI Meeting and Confirm Preliminary Requirements PRI-7 Establish and Resource Integrated Project Team The Project Manager adds tasks to the project schedule for the creation or update of required artifacts. Examples of required artifacts include the Version Document, the Production Operations Manual, the Requirements Traceability Matrix, and other key materials. List of Release Requirements from each Process POC Project Management Plan Project Schedule Work Breakdown Structure Project Initiation 53

Artifacts Created Updated PMAS Dashboard Updated Project Management Plan Updated Work Breakdown Structure Project Manager Process Activity Name: PRI-7 Establish and Resource Integrated Project Team PRI-6.4 Update Work Breakdown Structure PRI-PR1 Conduct Peer Review of the Business Requirements Document The sub-process PRI-6 Establishment and Resource Integrated Project Team cycles through the following dependent activities: PRI-7.1 Determine IPT Resource Requirements PRI-7.2 Submit HPS Intake Form PRI-7.3 Conduct Security Impact Analysis PRI-7.4 Submit Request for ISO Support PRI-7.5 Submit Privacy Threshold Analysis PRI-7.6 Submit SDE PAO New Project Request Form PRI-7.7 Receive Notifications of IPT Member Assignments PRI-7.8 Form Integrated Project Team Project Initiation 54

Process Activity Name: PRI-7.1 Determine IPT Resource Requirements PRI-6.4 Update Work Breakdown Schedule Note: The following activities are performed concurrently PRI-7.2 Submit HPS Intake Form PRI-7.3 Conduct Security Impact Analysis PRI-7.4 Submit Request for ISO Support PRI-7.5 Submit Privacy Threshold Analysis PRI-7.6 Submit SDE PAO New Project Request Form The Project Manager establishes the Integrated Project Team (IPT) using the Integrated Project Team Guide to determine the required attendees and referring to the Project Management Accountability System (PMAS) Guide for general guidance. The IPT is a team of people with complementary skills and expertise who collaborate and commit to a timely delivery of specified work products. The IPT members provide skills and advocacy appropriate to all phases of the project life cycle and are collectively responsible for delivery of work products as specified and committed. The IPT should include empowered representatives from organizations, disciplines, and functions that have a stake in the success of the project. The IPT Roles Matrix, included in the IPT Charter, must be completed during this activity. The Charter is created and signed by all IPT members and the Assistant Secretary/Information Technology or designee. Business Requirements Document Project Charter Updated list of VA Staff Resources Artifacts Created IPT Charter Project Team Kick-Off Meeting Agenda and Minutes Project Initiation 55

Project Manager Technical Services Project Repository (TSPR) Change to Project Management Accountability System (PMAS) Guide V5.0 (VAIQ 7606746) Integrated Project Team (IPT) Guide v2.0 (VAIQ 7150532) Project Management Accountability System (PMAS) Guide Refer to the Integrated Project Team (IPT) Guide for guidance on IPT members and how to obtain membership. Process Activity Name: PRI-7.2 Submit HPS Intake Form Note: The following activities are performed concurrently PRI-7.3 Conduct Security Impact Analysis PRI-7.4 Submit Request for ISO Support PRI-7.5 Submit Privacy Threshold Analysis PRI-7.6 Submit SDE PAO New Project Request Form PRI-7.7 Submit ASD IPT Support Request PRI-7.8 Submit Privacy Officer Support Request PRI-6.1 Determine IPT Resource Requirements PRI-7.8 Receive Notifications of IPT Member Assignments The sub-process PRI-7.2 Submit HPS Intake Form cycles through the following dependent activities: PRI-7.2.1 Populate HPS Intake Form PRI-7.2.2 Determine Tier 2 IPT Member PRI-7.2.3 Create Intake Tracker Record PRI-7.2.4 Review Intake Form PRI-7.2.5 Create Intake Assessment Findings Report Project Initiation 56

PRI-7.2.6 Update Intake Tracker PRI-7.2.7 Communicate Intake Assessment Findings Report PRI-7.2.8 Receive Intake Assessment Findings Report Process Activity Name: PRI-7.2.1 Populate HPS Intake Form PRI-7.1 Determine IPT Resource Requirements Note: The following process activities are performed concurrently: PRI-7.2.2 Determine Tier 2 IPT Member PRI-7.2.3 Create Intake Tracker Record The Project Manager uses the Business Requirements Document and the Project Charter to complete and submit the Health Product Support Intake Assessment Form. Business Requirements Document Project Charter Artifacts Created Health Product Support Intake Assessment Form Project Manager Health Product Support (HPS) SharePoint Site To populate the Intake Form, click the Form Templates link in the quick launch bar on top left of the HPS Main Page. To submit the Intake Form, click the Submit Intake Assessment link in the quick launch bar on top left of the HPS Main Page Project Initiation 57

Process Activity Name: PRI-7.2.2 Determine Tier 2 IPT Member Note: This activity is performed concurrently with: PRI-7.2.3 Create Intake Tracker Record PRI-7.2.1 Populate HPS Intake Form PRI-7.2.4 Review Intake Form The lead Tier 2 (T2) Health Product Support Specialist receives the Health Product Support Intake Assessment Form and determines the Tier 2 Health Product Support Specialist to assign to the project Integrated Project Team (IPT). Health Product Support Intake Assessment Form Artifacts Created Tier 2 IPT Membership Assignment Email Tier 2 (T2) Health Product Support Specialist Process Activity Name: PRI-7.2.3 Create Intake Tracker Record Note: This activity is performed concurrently with: PRI-7.2.2 Determine Tier 2 IPT Member PRI-7.2.1 Populate HPS Intake Form Project Initiation 58

PRI-7.2.4 Review Intake Form The Tier 3 (T3) Sustainment Manager creates the Health Product Support Intake Tracker Record for the Project. Health Product Support Intake Assessment Form Artifacts Created Health Product Support Intake Tracker Record Tier 3 (T3) Sustainment Manager Process Activity Name: PRI-7.2.4 Review Intake Form Note: The following process activities are performed concurrently: PRI-7.2.2 Determine Tier 2 IPT Member PRI-7.2.3 Create Intake Tracker Record PRI-7.2.5 Create Intake Assessment Findings Report The Tier 3 (T3) Sustainment Manager receives and reviews the Health Product Support Intake Assessment Form. Project Initiation 59

Health Product Support Intake Assessment Form Artifacts Created Intake Analysis Tier 3 (T3) Sustainment Manager Process Activity Name: PRI-7.2.5 Create Intake Assessment Findings Report PRI-7.2.4 Review Intake Form PRI-7.2.6 Update Intake Tracker The Tier 3 (T3) Sustainment Manager creates the Intake Assessment Finding Report after analysis of the information provided. Health Product Support Intake Assessment Form Intake Analysis Artifacts Created Intake Assessment Findings Report Project Initiation 60

Tier 3 (T3) Sustainment Manager Process Activity Name: PRI-7.2.6 Update Intake Tracker PRI-7.2.5 Create Intake Assessment Findings Report PRI-7.2.7 Communicate Intake Assessment Findings Report The Tier 3 (T3) Sustainment Manager updates the Health Product Support Intake Tracker with any necessary information contained in the Intake Assessment Findings Report. Health Product Support Intake Tracker Record Intake Assessment Findings Report Artifacts Created Updated Health Product Support Intake Tracker Record Tier 3 (T3) Sustainment Manager Project Initiation 61

Process Activity Name: PRI-7.2.7 Communicate Intake Assessment Findings Report PRI-7.2.6 Update Intake Tracker PRI-7.2.8 Receive Intake Assessment Findings Report The Tier 3 (T3) Sustainment Manager communicates the Intake Assessment Findings Report to the Project Manager. Intake Assessment Findings Report Artifacts Created Email Notice with Intake Assessment Findings Report attached Tier 3 (T3) Sustainment Manager Process Activity Name: PRI-7.2.8 Receive Intake Assessment Findings Report PRI-7.2.7 Communicate Intake Assessment Findings Report Project Initiation 62

PRI-7.8 Receive Notifications of IPT Member Assignments The Project Manager receives the Intake Findings Assessment Report indicating if there is continued need for Health Product Support participation. Intake Assessment Finding Report Integrated Project Team Charter Project Charter QUAD Chart Artifacts Created Updated Integrated Project Team Charter Updated Project Charter Updated QUAD Chart Project Manager Process Activity Name: PRI-7.3 Submit Request for ISO Support Note: The following activities are performed concurrently PRI-7.2 Submit HPS Intake Form PRI-7.3 Conduct Security Impact Analysis PRI-7.5 Submit Privacy Threshold Analysis PRI-7.6 Submit SDE PAO New Project Request Form PRI-7.7 Submit ASD IPT Support Request PRI-7.8 Submit Privacy Officer Support Request Project Initiation 63

PRI-7.1 Determine IPT Resource Requirements PRI-7.9 Receive Notifications of IPT Member Assignments The sub-process PRI-7.3 Submit Request for ISO Support cycles through the following dependent activities: PRI-7.3.1 Submit Request for ISO Support Form PRI-7.3.1-DEC01 Health Product? PRI-7.3.2 Perform Security Review PRI-7.3.3 Receive Security Review Findings Process Activity Name: PRI-7.3.1 Submit Request for ISO Support Form PRI-7.1 Determine IPT Resource Requirements PRI-7.3.2 Perform Security Review The Project Manager submits the Request for Information Security Officer (ISO) Support Form to the VA FSS ISO Requests mail group. Business Requirements Document Exhibit 300A: IT Capital Asset Summary Project Charter Artifacts Created Request for Information Security Officer Support Project Manager Office of Cyber Security (OCS) Portal Project Initiation 64

VA Handbook 6500.5, Incorporating Security and Privacy into the System Development Life Cycle ISOs serve as principal security advisors to System Owners regarding security considerations in applications, systems, procurement, development, implementation, operation, maintenance, and disposal activities (i.e., SDLC management). The ISO should be involved as early as the Kickoff Meeting to incrementally review the project security-related documentation as it is being developed. Process Activity Name: PRI-7.3.2 Perform Security Review PRI-7.3.1 Initiate Security Impact Analysis PRI-7.3.3 Conduct Review of Security Impact Analysis The Information Security Officer (ISO) performs a security review based on the scope and business needs of the project using the Initial System/Application (ISAD). Initial System/Application (ISAD) Artifacts Created Information Security Officer Assignment Email Information Security Officer Office of Cyber Security (OCS) Portal Project Initiation 65

Process Activity Name: PRI-7.3.3 Receive Security Review Findings PRI-7.3.2 Perform Security Review PRI-7.9 Receive Notifications of IPT Member Assignments The Project Manager receives the Information Security Officer Assignment Email indicating if there is continued need for Information Security Officer involvement in the Integrated Project Team (IPT). Information Security Officer Assignment Email Integrated Project Team Charter Project Charter QUAD Chart Artifacts Created Updated Integrated Project Team Charter Updated Project Charter Updated QUAD Chart Project Manager Process Activity Name: PRI-7.4 Conduct Security Impact Analysis Note: The following activities are performed concurrently PRI-7.2 Submit HPS Intake Form PRI-7.4 Submit Request for ISO Support Project Initiation 66

PRI-7.5 Submit Privacy Threshold Analysis PRI-7.6 Submit SDE PAO New Project Request Form PRI-7.7 Submit ASD IPT Support Request PRI-7.8 Submit Privacy Officer Support Request PRI-7.1. Determine IPT Resource Requirements PRI-7.9 Receive Notifications of IPT Member Assignments The sub-process PRI-7.4 Conduct Security Impact Analysis cycles through the following dependent activities: PRI-7.4.1 Initiate Security Impact Analysis PRI-7.4.2 Conduct Review of Security Impact Analysis PRI-7.4.3 Communicate Security Impact Analysis Process Activity Name: PRI-7.4.1 Initiate Security Impact Analysis PRI-7.1 Determine IPT Resource Requirements PRI-7.4.1-DEC01 Health Product? The Project Manager, in collaboration with the Information Security Officer (ISO), and Privacy Officer (PO), creates the Security Impact Analysis (SIA), (NIST SP 800-53 CM-4 Security Impact Analysis) using the on line template form. If the system is a health care product, the Project Manager submits the SIA and the Business Requirements Document (BRD) to the VHA 10P2 OIA CASE REQUESTS mail group for health related projects for review. Health Products include: development efforts involving electronic protected health information (EPHI), health care delivery services, or health care applications and systems. Business Requirements Document Exhibit 300A: IT Capital Assessment Summary Project Charter Project Initiation 67

Artifacts Created Security Impact Analysis Project Manager Health Care Security Requirements (HCSR) Website Office of Cyber Security (OCS) Portal CASE Security Impact Analysis (SIA) for Development Security Review CASE Security Impact Analysis Presentation Guide VA Handbook 6500.5, Incorporating Security and Privacy into the System Development Life Cycle The template for the SIA is available from the Health Care Security Requirements (HCSR) website on the Tools and Resources link. The SIA assists with establishing expectations for the necessary level of security work; ensures security stakeholder representation early in the development process; tracks security analysis performed during the System Development Life Cycle (SDLC); assists the transfer of information between groups; and identifies potential security impacts prior to implementation. The Project Manager will begin to populate the SIA tool. Process Activity Name: PRI-7.4.1-DEC01 Health Product? PRI-7.4.1 Initiate Security Impact Analysis If Yes, PRI-7.4.2 Assign HCSR Resource If No, PRI-7.4.3 Conduct Review of Security Impact Analysis Note: There is a decision activity that determines the next activity: If the Project Manager determines the project is a health product related project, the Project Manager requests a Health Care Security Requirements (HCSR) Security Project Initiation 68

Specialist support by submitting the SIA and the Business Requirements Document (BRD) to the VHA 10P2 OIA HCSR REQUESTS mail group for review. The next activity to complete is PRI-7.4.2 Assign HCSR Resource. If the Project Manager determines the project is not a health product related project, the next activity to complete is PRI-7.4.3 Conduct Security Impact Analysis. Project Manager Process Activity Name: PRI-7.4.2 Assign HCSR Resource PRI-7.4.1-DEC01 Health Product? PRI-7.4.3 Conduct Review of Security Impact Analysis The Health Care Security Requirements (HCSR) office receives the request for a HCSR Security Specialist. A HCSR Security Specialist is assigned to the project. Business Requirements Document (BRD) HCSR Security Specialist Request Email Security Impact Analysis (SIA) Artifacts Created HCSR Security Specialist Assignment Email Director, Health Care Security Requirements Project Initiation 69

Process Activity Name: PRI-7.4.3 Conduct Security Impact Analysis PRI-7.4.1-DEC01 Health Product? is YES PRI-7.4.4 Communicate Security Impact Analysis The Project Manager, in collaboration with the Information Security Officer (ISO), and Privacy Officer (PO) completes the Security Impact Analysis. If a health product, the Health Care Security Requirements (HCSR) Security Specialist should be included and consulted. Business Requirements Document Security Impact Analysis Artifacts Created Recommended Security Categorization Updated Security Impact Analysis Project Manager Process Activity Name: PRI-7.4.4 Communicate Security Impact Analysis PRI-7.1 Determine IPT Resource Requirements Project Initiation 70

PRI-7.9 Receive Notifications of IPT Member Assignments The Project Manager, if the project is for an existing product, communicates the results based on the Security Impact Analysis (SIA) to the respective Change Control Board and appends the SIA to the existing Configuration Management Plan if applicable. Configuration Management Plan Email Security Impact Analysis Response Security Impact Analysis Artifacts Created Email Notification to Change Control Board Updated Configuration Management Plan Project Manager Technical Services Project Repository (TSPR) Integrated Project Team (IPT) Guide v2.0 (VAIQ 7150532) Completed Security Impact Analyses are maintained with the application or system Configuration Management Plan as an appendix for CM-4 Security Impact Analysis. Process Activity Name: PRI-7.5 Submit Privacy Threshold Analysis Note: The following activities are performed concurrently PRI-7.2 Submit HPS Intake Form PRI-7.3 Conduct Security Impact Analysis PRI-7.4 Submit Request for ISO Support PRI-7.6 Submit SDE PAO New Project Request Form PRI-7.7 Submit ASD IPT Support Request PRI-7.8 Submit Privacy Officer Support Request PRI-7.1 Determine IPT Resource Requirements Project Initiation 71

PRI-7.8 Receive Notifications of IPT Member Assignments The sub-process PRI-7.5 Submit Privacy Threshold Analysis cycles through the following dependent activities: PRI-7.5.1 Submit Privacy Threshold Analysis Request PRI-7.5.2 Review Privacy Threshold Analysis Request PRI-7.5.3 Review Privacy Threshold Analysis Request PRI-7.5.4 Accept Privacy Threshold Analysis PRI-7.5.5 Receive Completed Privacy Threshold Analysis Process Activity Name: PRI-7.5.1 Submit/Update Privacy Threshold Analysis Request PRI-7.1 Determine IPT Resource Requirements OR PRI-7.5.2-DEC01 Complete? is NO PRI-7.5.2 Review Privacy Threshold Analysis Request The Project Manager determines if the project is a change or upgrade to an existing IT system/program or a completely new IT system/program/technology. If a change or upgrade to an existing IT system/program, the Project Manager obtains the existing Privacy documentation, i.e. Privacy Threshold Analysis (PTA) and Privacy Impact Assessment (PIA) for the IT system/program and updates those documents with the prospective changes and submits to the assigned Privacy Officer for initial review and submits to VA Privacy Services via the PIASUPPORT@VA.GOV email account for official determination. (VA Privacy Services reviews and approves only privacy documentation that is associated with FISMA reportable IT systems) For all other PMAS projects that are new or adding new IT systems or technologies, the Project Manager completes a PMAS PTA and submits to the Business Sponsor Privacy Officer associated with the Integrated Project Team (IPT) for review and determination if a PIA is needed. The Privacy Threshold Analysis (PTA) is used by Privacy Officers, IT System Owners, Project Managers and Integrated project Teams (IPTs) at every stage within the PMAS process to identify potential privacy issues and whether personally identifiable information (PII) exists and determines the following: Project Initiation 72

- Whether a Privacy Impact Assessment (PIA) is required under the E-Government Act of 2002 - Whether a Privacy Officer is needed to attend IPT meetings regularly - The associated project has been reviewed for privacy implications in the development stage. Business Requirements Document Artifacts Created Privacy Threshold Analysis Request Project Manager Privacy Impact Assessments Portal Change to Project Management Accountability System (PMAS) Guide V5.0 (VAIQ 7606746) M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 NIST Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) Project Management Accountability System (PMAS) Guide Public Law 107-347 E-Government Act of 2002 VA Directive 6508, Privacy Impact Assessments For projects, complete a PMAS PTA for each increment. Templates are available at the Privacy Services website listed in Section. Process Activity Name: PRI-7.5.2 Review Privacy Threshold Analysis PRI-7.5.1 Submit/Update Privacy Threshold Analysis Request Or PRI-7.5.3-DEC01 Approved? is NO PRI-7.5.2-DEC01 Complete? Project Initiation 73

The Privacy Officer reviews the Privacy Threshold Analysis (PTA) for completeness and accuracy and assists the Project Manager with completing/updating a new/existing Privacy Impact Assessment (PIA) and System of Records Notice (SORN) if applicable. Privacy Threshold Analysis Request Artifacts Created Privacy Impact Assessment (if necessary) Privacy Threshold Analysis (signed) System of Records Notice (if applicable) Privacy Officer Change to Project Management Accountability System (PMAS) Guide V5.0 (VAIQ 7606746) M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 NIST Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) Project Management Accountability System (PMAS) Guide Public Law 107-347 E-Government Act of 2002 VA Directive 6508, Privacy Impact Assessments Process Activity Name: PRI-7.5.2-DEC01 Complete? PRI-7.5.2 Review Privacy Threshold Analysis Request If Yes, PRI-7.5.3 Review Privacy Threshold Analysis Request If No, PRI-7.5.1 Submit/Update Privacy Threshold Analysis Request Project Initiation 74

Note: There is a decision dependency that determines the next activity to complete: If the Privacy Officer determines the Privacy Threshold Analysis Request is complete, the next activity to complete is PRI-6.5.3 Review Privacy Threshold Analysis Request. If the Privacy Officer determines the Privacy Threshold Analysis Request is not complete, the next activity to complete is PRI-6.5.1 Submit/Update Privacy Threshold Analysis Request. Privacy Officer Process Activity Name: PRI-7.5.3 Review Privacy Threshold Analysis Request PRI-7.5.2-DEC01 Complete? is YES Or PRI-7.5.4-DEC01 Accepted? is NO PRI-7.5.3-DEC01 Approved? The System Owner approves the Privacy Threshold Analysis (PTA) then signs the PTA and submits to Privacy Services. Privacy Impact Assessment Privacy Threshold Analysis Request System of Records Notice Artifacts Created Signed Privacy Threshold Analysis Request System Owner Project Initiation 75

Change to Project Management Accountability System (PMAS) Guide V5.0 (VAIQ 7606746) M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 NIST Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) Project Management Accountability System (PMAS) Guide Public Law 107-347 E-Government Act of 2002 VA Directive 6508, Privacy Impact Assessments Process Activity Name: PRI-7.5.3-DEC01 Approved? PRI-7.5.3 Review Privacy Threshold Analysis Request If Yes, PRI-7.5.4 Accept Privacy Threshold Analysis If No, PRI-7.5.2 Review Privacy Threshold Analysis Request Note: there is a decision dependency that determines the next activity to complete: If the System Owner determines the Privacy Threshold Request is approved, the next activity to complete is PRI-6.5.4 Accept Privacy Threshold Analysis. If the System Owner determines the Privacy Threshold Request is not approved, the next activity is PRI-6.5.2 Review Privacy Threshold Analysis. System Owner Project Initiation 76

Process Activity Name: PRI-7.5.4 Accept Privacy Threshold Analysis PRI-7.5.3-DEC01 Approved? is YES PRI-7.5.4-DEC01 Accepted? Privacy Services reviews the Privacy Threshold Analysis (PTA) for acceptance. Privacy Impact Assessment Privacy Threshold Analysis Request System of Records Notice Artifacts Created Signed Privacy Threshold Analysis Request Privacy Services Change to Project Management Accountability System (PMAS) Guide V5.0 (VAIQ 7606746) M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 NIST Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) Project Management Accountability System (PMAS) Guide Public Law 107-347 E-Government Act of 2002 VA Directive 6508, Privacy Impact Assessments Privacy Services will email the completed PTA Request form directly to the individual submitting the PTA Request. Project Initiation 77

Process Activity Name: PRI-7.5.4-DEC01 Accepted? PRI-7.5.4 Accept Privacy Threshold Analysis If Yes, PRI-7.5.5 Receive Completed Privacy Threshold Analysis If No, PRI-7.5.3 Review Privacy Threshold Analysis Request Note: There is a decision dependency that determines the next activity to complete: If the Privacy Services determines that the Privacy Threshold Analysis is accepted, the next activity to complete is PRI-6.5.5 Receive Completed Privacy Threshold Analysis. If the Privacy Services determines that the Privacy Threshold Analysis is not accepted, the next activity to complete is PRI-6.5.3 Review Privacy Threshold Analysis Request. Privacy Services Process Activity Name: PRI-7.5.5 Receive Completed Privacy Threshold Analysis PRI-7.5.4-DEC01 Accepted? is YES PRI-7.8 Receive Notifications of IPT Member Assignments The Project Manager receives the Privacy Threshold Analysis (PTA) Request Form indicating if there is continued need for Privacy Officer participation in the Integrated Project Team (IPT) and updates the IPT Charter. Integrated Project Team Charter Privacy Threshold Analysis (PTA) Request Form Artifacts Created Updated Integrated Project Team Charter Project Initiation 78

Project Manager If it is determined the project doesn t require a Privacy Officer, add the words not needed, per PIA analysis" in the IPT membership table contained in the Milestone Review Presentation Templates. Process Activity Name: PRI-7.6 Submit SDE PAO New Project Request Form Note: The following activities are performed concurrently PRI-7.2 Submit HPS Intake Form PRI-7.3 Conduct Security Impact Analysis PRI-7.4 Submit Request for ISO Support PRI-7.5 Submit Privacy Threshold Analysis PRI-7.7 Submit ASD IPT Support Request PRI-7.8 Submit Privacy Officer Support Request PRI-7.1 Determine IPT Resource Requirements PRI-7.8 Receive Notifications of IPT Member Assignments The Project Manager submits the Service Delivery and Engineering (SDE) Program Administration Office (PAO) New Project Request Form. This form is used to request (1) that a new project be managed by SDE or (2) a sub-project be managed by SDE. The requestor should complete the form, save, and email to the VA IT SDE Requests mail group. The Project Manager receives a meeting invitation from the SDE Intake team to review and finalize the New Project Request form in preparation for leadership review and approval. The status of the request is posted on the SDE PAO Project Initiation Request Log. Project Initiation 79

Any information specified by the business sponsor that can support the population of the request form such as the Original Requestor, Program Office or person endorsing the request (Sponsor), Proposed Project Name, Overall Project Scope and Objectives, Scope of Deliverables, Business Values/Drivers, Major Initiative Association, PMAS Status, and Proposed Project Timeframe. Artifacts Created SDE PAO New Project Request Form Project Manager PAO Project Artifacts Page Service Delivery and Engineering Intake Support Site The SDE PAO New Project Request Form is accessed through the SDE Intake Support Web site. The requestor can find additional support on the Service Delivery Engineering Intake Support Web site including the ability to submit an email directly to SDE. Processes, procedures, helpful links, and contact information are available on the site. Process Activity Name: PRI-7.7 Submit ASD IPT Support Request PRI-7.2 Submit HPS Intake Form PRI-7.3 Conduct Security Impact Analysis PRI-7.4 Submit Request for ISO Support PRI-7.5 Submit Privacy Threshold Analysis PRI-7.6 Submit SDE PAO New Project Request Form PRI-7.8 Submit Privacy Officer Support Request PRI-7.1 Determine IPT Resource Requirements PRI-PR1 Conduct Peer Review of the Business Requirements Document Project Initiation 80

The Project Manager submits a request for Architecture, Strategy and Design (ASD) Integrated Product Team (IPT) support to the mail group VA ASD PPM IPT Support at ASDPPMIPTSupport@va.gov describing the effort. Business Requirements Document Project Charter Artifacts Created Request for ASD IPT Support Project Manager VA EA Home Integrated Project Team (IPT) Guide v2.0 (VAIQ 7150532) Process Activity Name: PRI-7.8 Submit Privacy Officer Support Request PRI-7.2 Submit HPS Intake Form PRI-7.3 Conduct Security Impact Analysis PRI-7.4 Submit Request for ISO Support PRI-7.5 Submit Privacy Threshold Analysis PRI-7.6 Submit SDE PAO New Project Request Form PRI-7.7 Submit ASD IPT Support Request PRI-7.1 Determine IPT Resource Requirements PRI-7.9 Receive Notifications of IPT Member Assignments Project Initiation 81

The Project Manager submits an email request to designate a Privacy Officer to the respective point of contact for the National Cemetery Administration, VA Central, Veteran's Benefit Administration, or Veteran's Health Administration as identified on the Privacy Officers SharePoint Portal. For privacy related support contact Privacy Services at mailto:privacyservice@va.gov mail group. Business Requirements Document Project Charter Artifacts Created Privacy Officer Assignment Request email Project Manager Privacy Officers Portal Process Activity Name: PRI-7.9 Receive Notifications of IPT Member Assignments Note: The following activities are completed concurrently: PRI-7.2 Submit HPS Intake Form PRI-7.3 Conduct Security Impact Analysis PRI-7.4 Submit Request for ISO Support PRI-7.5 Submit Privacy Threshold Analysis PRI-7.6 Submit SDE PAO New Project Request Form PRI-7.7 Submit ASD IPT Support Request PRI-7.8 Submit Privacy Officer Support Request Project Initiation 82

PRI-7.10 Form Integrated Project Team The Project Manager receives notifications from Stakeholder organization of specific membership assignments to the Integrated Project Team (IPT). Membership Notifications Artifacts Created Integrated Project Team Membership Roster Project Manager Integrated Project Team (IPT) Guide v2.0 (VAIQ 7150532) Process Activity Name: PRI-7.10 Form Integrated Project Team PRI-7.9 Receive Notifications of IPT Member Assignments PRI-PR1 Conduct Peer Review of the Business Requirements Document The Project Manager, in conjunction with the Stakeholder designated Integrated Project Team Membership uses the Project Charter to create the Integrated Project Team Charter and obtain Sponsor and Member signatures as required. Integrated Project Team Membership Roster Project Charter Project Initiation 83

Artifacts Created Integrated Project Team Charter Project Manager Integrated Project Team (IPT) Guide v2.0 (VAIQ 7150532) Process Activity Name: PRI-PR1 Conduct Peer Review of the Business Requirements Document PRI-7.10 Form Integrated Project Team PRI-FR1 Conduct Formal Review of the Business Requirements Document The Project Manager conducts a Peer Review of the Business Requirements Document in accordance with the Quality Assurance Standard (appropriate sections pertaining to Peer Reviews) performing the following general steps: - Distribute the Peer Review Materials. - Review the Peer Review Materials. - Distribute the Consolidated Peer Review Findings. - Record the Finding Resolutions. - Implement the Finding Resolutions. The goal of the peer review of the Business Requirements Document is to resolve any questions the project team may have and to ensure the quality of the deliverable. Business Requirements Document Project Initiation 84

Artifacts Created Business Requirements Document Review Findings Summary Record of Notification Updated Business Requirements Document Project Manager VA EA Enterprise Technical Architecture (ETA) Compliance Criteria Quality Assurance Standard The OneVA EA ETA Compliance Criteria document establishes minimum compliance criteria for a product or product release. Process Activity Name: PRI-FR1 Conduct Formal Review of the Business Requirements Document PRI-PR1 Conduct Peer Review of Business Requirements Document PRI-FR1-DEC01 Requirements Sufficient? The Project Manager conducts a Formal Review of the Business Requirements Document in accordance with the Quality Assurance Standard (appropriate sections pertaining to Formal Reviews) performing the following general steps: - Plan the Formal Review. - Review the Formal Review Materials. - Implement the Finding Resolutions. The goal of the formal review is to obtain stakeholder concurrence of the Business Requirements Document and the appropriate approval signatures. Business Requirements Document Project Initiation 85

Artifacts Created Artifact Review Agenda and Minutes Business Requirements Document Review Findings Summary Updated Business Requirements Document Project Manager Digital Signature Guide VA EA Enterprise Technical Architecture (ETA) Compliance Criteria Quality Assurance Standard The OneVA EA Enterprise Technical Architecture (ETA) Compliance Criteria document establishes minimum compliance criteria for a product or product release. Process Activity Name: PRI-FR1-DEC01 Requirements Sufficient? PRI-FR1 Conduct Formal Review of the Business Requirements Document If Yes, PRI-10 Select Design Approach If No, PRI-9 Elaborate Business Requirements Note: There is a decision dependency that determines the next activity to complete: If the Project Manager determines requirements are sufficient, the next activity to complete is PRI-9 Select Design Approach. If the Project Manager determines requirements are not sufficient, the next activity to complete is PRI-8 Elaborate Business Requirements. Project Manager Project Initiation 86

Process Activity Name: PRI-8 Elaborate Business Requirements PRI-FR1-DEC01 Requirements Sufficient? is NO PRI-FR1-DEC01 Requirements Sufficient? The Business Analyst reviews existing business needs and requirements and collaborates with the Business stakeholders, technical subject matter experts and other resources to articulate the detailed business requirements. Individual business processes are defined and modeled. Upon completion, all requirements and models are prepared, finalized, and forwarded for approval by the Business Owner. Business Requirements Change Document - External to Product Development (if available) Business Requirements Document (BRD) - External to Product Development Updated Business Requirements Document Artifacts Created Business Process Models Business Use Case (BUC) Requirements Elaboration Document (RED) Business Analyst IBM Rational ClearCase IBM Rational Requirements Composer IBM Rational RequisitePro Requirements Development and Management New Service Request Database (NSRD) VA Systems Inventory Business Requirements & Architecture Management Plan Change to Project Management Accountability System (PMAS) Guide V5.0 (VAIQ 7606746) Project Management Accountability System (PMAS) Guide Project Initiation 87

Refer to the New Service Request Process Dictionary and the Business Process Models for Requirements Elaboration for guidance on artifacts and establishing an elaboration workgroup. For additional information or assistance, the Requirements Analysis and Engineering Management (RAEM) group can be contacted at VHA10P7SHSRAEMReqEngMgmt@va.gov mail group. The project team may use either IBM Rational RequisitePro or IBM Rational Requirements Composer until IBM Rational RequisitePro is officially discontinued. The Feedback section of the VA Systems Inventory can be used to provide update for existing system or Register new system. Process Activity Name: PRI-9 Select Design Approach PRI-FR1 DEC01 Requirements Sufficient? is YES PRI-MS0 Conduct Milestone 0 Review The Project Manager identifies the types of development activities to be undertaken to accomplish the business requirements. The types include: new Green Field application development, an enhancement and modernization to an existing production system, the selection of a suitable application, e.g., Commercial Off The Shelf (COTS), or the development for interagency information sharing. The Project Manager selects the high level design approach after reviewing the appropriate Architecture and Design Patterns. Upon completion, the design approach is forwarded for concurrence by the Business Owner. Business Process Models Business Requirements Document Artifacts Created Selected Design Approach Project Manager Requirements Development and Management New Service Request Database (NSRD) Project Initiation 88

Technology Strategies (TS) Documents: Design Patterns VA Systems Inventory VA EA Enterprise Technical Architecture (ETA) Compliance Criteria VA Directive 6051, Enterprise Architecture A solution development activity can involve one or more types of development. Process Activity Name: PRI-MS0 Conduct Milestone 0 Review PRI-9 Select Design Approach END OF PROJECT INITIATION PROCESS The Project Manager is responsible for requesting a Milestone 0 Review at the end of the 'New Start' state to ensure the project is ready to enter the 'Planning' state. The Milestone 0 Review verifies that the project is in the Budget Operating Plan (BOP). The Office of Responsibility's (OOR) Assistant Deputy Assistant Secretary/Assistant Deputy Chief Information Officer (ADAS/ADCIO) must participate in the Milestone 0 Review. Attendees at the Milestone 0 Review include empowered representatives from Architecture, Strategy and Design (ASD), Office of Information Security (OIS), OOR, OOR Budget Office, Product Development (PD), and Software Development and Engineering (SDE). The ProPath Required Artifacts page contains the specific listing of required artifacts needed to enter the Milestone 1 Review Active Development state. Budget Operating Plan PMAS Dashboard Artifacts Created MS0 Review Template Updated PMAS Dashboard Project Initiation 89

Office of Responsibility Budget Tracking Tool (BTT) PMAS Dashboard Technical Services Project Repository (TSPR) Requirement Level Guide VA Directive 6071, Project Management Accountability System (PMAS) VA EA Enterprise Technical Architecture (ETA) Compliance Criteria VA Identify Management Policy (VAIQ 7011145) Send Milestone 0 Review requests to mail group VA PMAS REVIEWS. The OneVA EA ETA Compliance Criteria document establishes minimum compliance criteria for a product or product release. The Budget Tracking Tool requires permission to access the systems. The PMAS Dashboard landing page is open to all users in the VA network. For technical support regarding the PMAS Dashboard, select the link in the area titled I m Looking for Site Help and select the link Submit Help Desk Support Ticket Business Office. For general questions or inquiries regarding the PMAS Dashboard, submit an email to VA PMAS Business Office. The PMAS Dashboard is updated when reportable information or conditions change. Each project/increment is updated at least monthly until closed. END OF PROCESS. Project Initiation 90