Document #: HHS-OCIO-OES-2020-06-006
Version #: 1.4
Last Reviewed: June 2020
Next Review: June 2023
Owner: OCIO/OES
Approved By: Jose Arrieta, Chief Information Officer (CIO)
Table of Contents
- Nature of Changes
- Purpose
- Background
- Scope
- Authorities
- Policy
- Roles and Responsibilities
- 7.1. HHS Chief Information Officer
- 7.2. Chief Acquisition Officer (CAO) and Senior Procurement Executive (SPE)
- 7.3. Operating Division Chief Information Officer (OpDiv CIO)
- 7.4. HHS Legislative Compliance Division (LegCom)
- 7.5. HHS Contracting Offices
- 7.6. HHS ITAR Critical Partners
- 7.7. Program Managers (PMs), Contracting Officer's Representatives (CORs), and Contracting Officers (COs)
- 7.8. HHS OpDiv Senior Officials for Privacy (SOP)
- 7.9. HHS OpDiv Section 508 Program Manager
- Information and Assistance
- Effective Date and Implementation
- Approval
- Concurrence
Appendix D: Forms and Templates
1. Nature of Changes
This is the first issuance of the Department of Health and Human Services (HHS) Policy for Information Technology Acquisition Reviews (ITAR).
2. Purpose
The purpose of this Policy is to establish the Department of Health and Human Services (HHS) Information Technology Acquisition Review (ITAR) Program. The program will ensure HHS conducts its due diligence to manage and maintain oversight and governance over the procurement of Information Technology (IT), thereby contributing to effective planning, budgeting, and execution of IT resources. Further, it is designed to ensure the Department's Chief Information Officer (CIO) has the appropriate visibility and oversight of IT acquisitions across the agency.
This Policy, and its intended purpose, is separate from the Assistant Secretary for Financial Resources (ASFR), Office of Acquisition (OA) requirements set forth under Acquisition Alert 2019-01 and 2019-02, HHS Acquisition Review Pilot Program. Its purpose is not intended to replace nor amend acquisition reviews separately conducted under the oversight and governance of the Deputy Assistant Secretary for the Office of Acquisitions and Senior Procurement Executive.
Further, this Policy is not intended to replace nor amend the terms of the 2017 Memorandum of Understanding (MOU) between HHS and the HHS Office of Inspector General (OIG), which sets forth the agreement between both entities regarding the implementation of the Federal Information Technology Acquisition Reform Act (FITARA). The Inspector General Act of 1978 (IG Act), as amended, 5 U.S.C. App. 3, provides Inspector Generals with certain authorities and responsibilities to oversee the programs and operations of their respective Departments and agencies. The independence created by the IG Act affords the Inspector General with the authority to appoint their own personnel, including establishing the Inspector General as the agency head for purposes of appointing members of the Senior Executive Service; a process to submit and comment on any changes made to the Inspector General's budget; and the authority to enter into contracts and other agreements. The Office of Management and Budget (OMB) issued implementation guidance for departments and agencies regarding implementation of FITARA. The OMB guidance recognizes that the enhanced CIO authorities established by FITARA are not to be applied to OIGs in a manner that would adversely impact these offices' independence and authorities over personnel, performance, procurement, and budget, as delineated in the IG Act.
3. Background
The Federal Information Technology Acquisition Reform Act (FITARA) of 2014, passed by Congress through the National Defense Authorization Act (NDAA) of 2014, was designed to improve the manner in which the federal government procures and manages its IT. Additionally, this law increased the authority and responsibility of CIOs with the intent to promote and strengthen their influence and effectiveness amongst agency leadership as it relates to IT budgeting and governance, to include IT procurements. Section 831 of this mandate expands on this and states that agencies may not enter into a contract or other agreement for IT products or services unless the contract or agreement is reviewed and approved by the HHS CIO or delegated approver.
HHS fulfills its IT compliance responsibilities by developing and implementing robust policies that comply with federal mandates. This Policy is in place to formalize, streamline and refine the manner in which HHS IT acquisitions are forecasted, budgeted, governed, planned, and documented, as well as sufficiently supported in the pre-award phase of the acquisition lifecycle.
4. Scope
This Policy sets forth roles and responsibilities, requirements, and a formal process for the HHS CIO and the HHS Operating Division (OpDiv) CIOs to optimize tools and procedures, as well as develop a more mature IT acquisition management and governance program.
This Policy applies to the Department and all HHS OpDivs and Staff Divisions (StaffDivs) seeking to purchase goods or services. These acquisitions can either be IT acquisitions or other acquisitions or agreements containing IT components. For guidance regarding applicable clauses for consideration, reference the Federal Acquisition Regulation (FAR), Department of Health and Human Services Acquisition Regulation (HHSAR), and HHS Acquisition Policy, Guidance and Instructions (PGI). In accordance with FITARA, the HHS CIO is a full participant in the ITAR governance process. IT contract review will be conducted prior to award, during the Acquisition Strategy (AS) and Acquisition Planning (AP) phases (see Section 6, Policy, for more information).
To ensure the proper oversight and collaboration is conducted in the formal review process, and to improve the integrity of the process, the scope of this Policy also applies to the ongoing engagement between the Legislative Compliance Division (LegCom) ITAR reviewers and additional critical partner experts, (see Appendix A for additional information).
Supersessions
- This Policy does not supersede any applicable law or regulation
- This Policy does not supersede the 2017 MOU between HHS and the HHS OIG
- This Policy supersedes HHS Memorandum OCIO IT Acquisition Reform Act (FITARA) Approval Guidance, December 2016
- This Policy supersedes the HHS Information Technology Acquisition Review (ITAR) Process for OS and OCIO Acquisition Packages, Version 1.5, October 2017
Major IT Investments
HHS OpDivs and StaffDivs pursuing a Major IT investment, (see Glossary and Acronyms section of this Policy for definitions), are subject to Department CIO review and approval in accordance with FITARA.
All OpDivs that have a CIO and have been given delegated authority in accordance with the HHS Memorandum for Record, HHS Chief Information Officer Delegation of Authorities to Operating Division Chief Information Officers, July 24, 2019, are responsible for implementing an internal review, approval and reporting process for, at minimum, all major acquisitions under IT investments below the ITAR review threshold located in section six (6) of this Policy.
OpDivs may create a supplemental policy that is more stringent, but not less stringent.
5. Authorities
Legislation, Federal Regulation, and Executive Orders:
- Clinger-Cohen Act, 40 U.S.C. § 11101, et seq.
- Carl Levin and Howard P. 'Buck' McKeon National Defense Authorization Act for Fiscal Year 2015, Pub. L. No. 113-291, division A, title VIII, subtitle D, 128 Stat. 3292, 3438-50 (Dec. 19, 2014).
- Executive Order 13833, Enhancing the Effectiveness of Chief Information Officers, May 15, 2018
- Federal Acquisition Regulation (FAR), 48 C.F.R. ch 1
- Department of Health and Human Services Supplemental Acquisition Regulation (HHSAR), 48 C.F.R ch 3
Federal Guidance:
- OMB Circular A-11, Preparation, Submission and Execution of the Budget, Section 55, June 28, 2019
- OMB Circular A-130, Managing Information as a Strategic Resource, July 28, 2016
- OMB M-15-14, Memorandum for Heads of Executive Departments and Agencies: Management and Oversight of Federal Information Technology, June 10, 2015
- OMB M-16-12, Memorandum for The Heads of Departments And Agencies, Category Management Policy 16-1: Improving the Acquisition and Management of Common Information Technology: Software Licensing, June 2, 2016
Departmental Policy and Guidance:
- HHS Federal Information Technology Acquisition Reform Act (FITARA) Implementation-Revised HHS IT Governance Framework, October 25, 2016
- HHS Federal Information Technology Acquisition Reform Act (FITARA) HHS Implementation Plan, September 2015
- HHS Memorandum for Record, HHS Chief Information Officer Delegation of Authorities to Operating Division Chief Information Officers, July 24, 2019
- HHS Policy for Capital Planning and Investment Control (CPIC), April 26, 2019
- HHS Policy for IT Enterprise Performance Lifecycle (EPLC), October 6, 2008
- Department of Health and Human Services (HHS) Procedures, Guidance and Instructions (PGI)
- Information Technology Decision Criteria and Clause Matrix version 1.3
- HHS Policy for Information Technology Procurements - Security And Privacy Language
- HHS Standard for Encryption of Computing Devices and Information
- HHS Minimum Security Configuration Standards Guidance
- HHS Policy for Software Development Secure Coding Practices
- HHS Directive for Acquisition Strategy
6. Policy
In accordance with FITARA, the HHS CIO must ensure that its offices and components do not enter into contracts or agreements to procure IT products or services without CIO review and approval. The CIO is executing express authority by implementing the new ITAR Program and supplemental processes as an agency-wide requirement when there is a plan to expend funds for IT resources.
Department-level reviews will be conducted on applicable acquisition strategies and acquisition plan packages to ensure the CIO maintains visibility into the management and procurement of IT at HHS. The process will ensure proposed contract actions are properly planned and budgeted, align with approved programs and projects that have been properly vetted by governance boards, are sufficiently supported with required artifacts, and are in alignment with relevant IT laws, regulations, and strategic plans. Recommendations and business advice will be offered to improve pre-award documentation, collaboration, and strategic planning as a part of the review process. Conditions may be set forth and must be satisfied before final approval is granted whenever necessary.
The CIO places the responsibility to manage the ITAR program and related processes under the leadership of the Director of the Legislative Compliance Division (LegCom) within the Office of the Chief Information Officer (OCIO), Office of Enterprise Services (OES) at the Department.
ITAR reviews must be conducted in accordance with the following dollar thresholds:
- Department OCIO, HHS Office of the Secretary StaffDivs (OS), and OpDivs without CIO Delegated Authority:
  - Acquisition Strategies for IT investments valued at $10 million total program/project lifecycle
  - Acquisition Plan packages for IT acquisitions valued greater than or equal to $150,000 (inclusive of agreements such as Interagency Agreements (IAA))
  - Acquisition Plan packages for non-IT acquisitions containing IT components - an overall contract value greater than or equal to $150,000 (inclusive of IAAs)
- OpDivs with CIO Delegated Authority:
  - Acquisition Strategies (AS) for IT investments of $20 million annually/$100 million over 5 years
  - Acquisition Plans (AP) for contracts that have material variances (major revisions/drastic departure) from an approved AS for IT investments over $20 million annually/$100 million over 5 years.
The CIO delegates IT acquisition approval authority under the ITAR program, to an Executive who directly reports to the CIO and the Director of the LegCom Division as follows:
Approval Authority Threshold | Approver |
---|---|
≤ $1,000,000 | LegCom Director |
> $1,000,000 | CIO or CIO Designee (Executive - Direct Report to CIO) (LegCom Director & CIO Designee: Co-Approvers) |
Contracts, agreements (such as IAAs), and contract actions (such as modifications) that align with the aforementioned review thresholds must not be executed without evidence of an official ITAR approval, as indicated by an assigned ITAR number along with documented ITAR approval. As a full participant in this governance process, the CIO designates an Executive (direct report to CIO) and the Director of the LegCom Division as approvers for the ITAR program, consistent with the procedures set forth in this Policy under Appendix A2, which aligns with the above approver threshold chart.
7. Roles and Responsibilities
7.1. HHS Chief Information Officer
The HHS CIO, or designee, must:
- Define IT processes and policies, consistent with FITARA and related statutes, regulations and federal guidance, and make them publicly available
- Act as the principal accountable owner of the ITAR Program, and hold the authority for approval unless otherwise delegated or designated in accordance with the governance processes set forth in this Policy
- Review and approve acquisition strategies, acquisition plans, and interagency agreements that include IT
- Review all cost estimates of IT related costs, and ensure acquisition strategies and acquisition plans, that include IT, apply adequate incremental development principles
- Ensure there is an agency-wide governance process that confirms all acquisitions that include IT are:
  - led by personnel with appropriate federal acquisition certifications;
  - reviewed for opportunities to leverage acquisition initiatives, such as shared services, category management, strategic sourcing, and incremental or modular contracting, as appropriate;
  - and adequately implementing incremental development
- Participate on program governance boards to ensure early matching of appropriate IT with program objectives
- Approve any movement of funds for IT resources that require Congressional notification
- Collaborate and partner with the HHS cross-functional leadership team who share in these responsibilities, to include the Secretary, Deputy Secretary (DepSec), the Chief Financial Officer (CFO), the Chief Acquisition Officer (CAO), and the Chief Human Capital Officer
- Ensure IT acquisitions are in compliance with statutes, regulations, federal guidance and HHS policies and governance requirements
7.2. Chief Acquisition Officer (CAO) and Senior Procurement Executive (SPE)
The CAO and the SPE must:
- Ensure all IT contract actions are consistent with CIO-approved acquisition strategies and plans
- Notify the CIO when planned acquisition strategies and acquisition plans include IT
7.3. Operating Division Chief Information Officer (OpDiv CIO)
HHS OpDiv CIOs must:
- Implement OpDiv level policies and procedures to ensure compliance with FITARA, related HHS IT policies and guidance, and all other applicable statutes and regulation
- At minimum, implement an internal review, approval and reporting process for all major IT acquisitions and investments below the Department CIO review threshold (responsibility applicable to CIOs with delegated authority only)
7.4. HHS Legislative Compliance Division (LegCom)
The HHS LegCom must:
- Manage and lead the HHS ITAR Program effectively and efficiently
- Engage internal critical partners while executing ITAR to ensure the proper oversight and governance of IT acquisitions during the pre and post award phases of the acquisition lifecycle
- Conduct acquisition reviews and provide recommendations in alignment with statutes, regulations, federal and department guidance and policy, and the CIO delegated responsibilities detailed above
- Oversee compliance with IT laws, regulations, guidance, policies and best practices
- Strive to maintain the integrity of the ITAR process by doing due diligence to conduct thorough reviews in accordance with laws, regulation, guidance and policies, thereby contributing to sustaining the integrity of IT resource management and improved IT governance agency-wide
- Stay abreast of IT trends, best practices, changes in laws and regulation, congressional shifts, GAO findings/recommendations, etc. in order to ensure HHS IT policies, guidance and procedures remain current.
7.5. HHS Contracting Offices
The HHS Contracting Offices must:
- Ensure acquisition requirements are not accepted, solicited, nor awarded by the contracting office without requisite CIO or delegate approval within the ITAR process, when applicable
- Partner with the LegCom Division to oversee compliance with FITARA, the FAR, HHSAR, this Policy and other HHS policies guidance and information (PGI) pertaining to HHS IT acquisitions
- Ensure all Program Managers and CORs involved with acquisitions that include IT are personnel with the appropriate federal acquisition certifications
7.6. HHS ITAR Critical Partners
HHS ITAR Critical Partners must:
- Participate in the ITAR review process by providing their expertise, oversight, governance, and recommendations
- Assist in enhancing IT governance; sound investment decisions and practices; and
- Help improve the integrity of IT strategic planning, IT acquisition planning and budgeting, and appropriate pre and post award documentation
- Prevent circumvention of the IT acquisition review requirement
***Critical partners vary dependent upon type, complexity, and uniqueness of each acquisition (Examples: Enterprise Architecture (EA), Capital Planning and Investment Control (CPIC), Privacy Officer, Chief Information Security Officer (CISO), OpDiv Section 508 Program Manager, Chief Product Office (CPO), etc.).
7.7. Program Managers (PMs), Contracting Officer's Representatives (CORs), and Contracting Officers (COs)
HHS PMs, CORs, and COs (in alignment with their respective role and position) must:
- Comply with the provisions of this Policy, applicable OpDiv level policy, and related statutes, regulations and guidance
- Ensure AS and AP documentation has been:
  - properly developed within the requiring office without deficiencies or omissions,
  - reviewed and approved by leadership at the program/project level,
  - and properly vet requirements (statement of work/statement of objectives) through program level subject matter experts before submitting the documents to ITAR
- Ensure the proper program and project governance requirements are satisfied, and component level critical partners have been engaged before pursuing IT acquisitions and/or acquisitions containing IT components
- Monitor the execution of contracts that procure IT products and services to ensure proper contract administration and efficient use of IT resources
7.8. HHS OpDiv Senior Officials for Privacy (SOP)
HHS OpDiv SOPs must:
- Evaluate IT investments for privacy risks to ensure that privacy requirements (and associated privacy controls), as well as any associated costs, are explicitly identified and included, with respect to any IT resources that will be used to create, collect, use, process, store, maintain, disseminate, disclose, or dispose of personally identifiable information (PII)
- Approve any required privacy documentation, including the Privacy Solicitation Certification Checklist, as applicable, in accordance with the HHS Policy for Information Technology Procurements - Security And Privacy Language (see Appendix A-Procedures)
- Review acquisition packages through each procurement phase to verify that privacy requirements have been fulfilled
- Comply with the provisions of this Policy, applicable OpDiv level policy, and related statutes, regulations and guidance
7.9. HHS OpDiv Section 508 Program Manager (PM)
HHS OpDiv Section 508 PMs must:
- Evaluate IT investments for compliance with HHS Section 508 requirements to ensure that HHS Section 508 requirements (and associated conformance controls), as well as any associated costs, are explicitly identified and included, with respect to any Information and Communications Technology (ICT) that is developed, procured, maintained, funded, and used by HHS.
- Provide Section 508 determination for any ICT that is developed, procured, maintained, funded, and used by HHS.
- Review acquisition packages through each procurement phase to verify that HHS Section 508 requirements have been fulfilled
- Comply with the provisions of this Policy, the HHS Policy on Section 508 Compliance and Accessibility of Information and Communications Technology, applicable OpDiv level Section 508 policy, and related statutes, regulations, and guidance.
8. Information and Assistance
The HHS Legislative Compliance Division is responsible for the development and management of this Policy. Direct questions, comments, suggestions, and requests for information about this Policy and all related procedures and guidance to ITAR@hhs.gov.
9. Effective Date and Implementation
The effective date of this Policy is the date on which the Policy is approved. This Policy must be reviewed, at a minimum, every three (3) years from the approval date.
The HHS CIO has the authority to grant a one (1) year extension of the Policy. To archive this Policy, approval must be granted, in writing, by the HHS CIO.
10. Approval
/S/
Jose Arrieta, Chief Information Officer (CIO)
June 8, 2020
11. Concurrence
/S/
Scott Rowell, Assistant Secretary for Administration (ASA)
June 25, 2020
Appendix A: Procedures
Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policies library.
To initiate the ITAR process, a requesting office must submit a complete acquisition strategy or acquisition plan package to the Office of Legislative Compliance (LegCom) via the ITARNow portal, which is an online application that must be accessed using the Google Chrome web browser. (Note: Other supported web browsers include Firefox, Microsoft Edge, and Apple Safari. Microsoft Internet Explorer and mobile phone web browsers are not supported.) Packages lacking supporting documentation and/or appropriate component level approvals will not be accepted. When submitting packages in the ITARNow portal, requestors must be sure to reference the appendices of this Policy which provide supplemental procedures and guidance that must be followed.
Appendix A1: ITAR Standard Operating Procedures for Submitters
HHS OpDivs, OS, and OCIO seeking to procure IT products, IT services, or who have acquisitions containing IT components must undergo ITAR when the minimum criteria are met. This SOP is the structured process ITAR submitters will follow to perform the task of submitting a new ITAR request via the ITARNow portal: (https://hhsasa.servicenowservices.com/ocio).
ITAR requests submitted through the ITARNow portal will be reviewed and approved in accordance with LegCom’s Service Level Agreements (SLAs) posted in Table 1 below:
Service | Description of Service | Performance Standards | Timer |
---|---|---|---|
ITAR Receipt Notification | The receipt notification sent to a requestor as confirmation that the ITAR request was submitted and received by LegCom | 1 Business Day | Starts when an acquisition package is submitted in the ITARNow portal - an automated email is generated |
Time to Completion/Approval | The time LegCom requires to review and route ITARs under $1M through the approval process | 7-10 business days | Starts when a complete acquisition package has been submitted in the ITARNow portal |
CIO Approval (ITARs >$1M) | The time LegCom requires to review and route ITARs equal to or greater than $1M through the approval process | 10-15 business days | Starts when a complete acquisition package has been submitted in the ITARNow portal |
Hold Time (Suspend) | The time period an ITAR is suspended without being reviewed due to missing information | Not to exceed 5 business days | Starts after an incomplete ITAR package has been submitted in the ITARNow portal and the LegCom reviewer informs the Submitter that ITAR is on hold |
A1.1: ITAR Submission Process for ITAR Requestors
Figure 1 illustrates the four (4) steps that ITAR Requestors will execute to submit a new ITAR using the ITARNow portal. Each step is detailed below to guide users through the submission process.
Figure 1: ITAR Submission Steps
Step 1 - Develop Acquisition Package
Requesting offices are required to develop the acquisition package in accordance with HHS acquisition policy and regulations. As a minimum requirement, and in addition to key artifacts that are required with each submission, acquisition packages submitted for ITAR must demonstrate OpDiv/StaffDiv level governance approval.
When submitting a new ITAR request, users must include all necessary information, supporting documentation, and evidence from OpDiv/StaffDiv critical partners to confirm the acquisition has been reviewed and is within the compliance standards of HHS. Examples of critical partners include Section 508 Compliance, Capital Planning and Investment Control (CPIC), Enterprise Performance Life Cycle (EPLC), Privacy Office, and Information Security Officer (ISO).
Complete acquisition packages include, at a minimum, the following core documents and/or approvals:
- Requirements Document [i.e., Statement of Work (SOW), Statement of Objectives (SOO), Performance Work Statement (PWS), Specification Document (SPEC)] to include all applicable security and privacy language per the guidance provided in HHS Policy for Information Technology Procurements - Security And Privacy Language.
- The Information Security & Privacy Certification Checklist [signed by both the OpDiv/StaffDiv Chief Information Security Officer (CISO) and the Privacy Act Officer].
- Acquisition Strategy (signed and approved by Program Office)[1]
- Acquisition Plan (signed and approved by Program Office).
- ITAR attestation certification (automated through the ITAR submission process. See “Step 4 – ITAR Attestation Certification” below.)
- Limited Sources Justification (signed and approved by Program Office), if applicable
- Independent Government Cost Estimate (IGCE)[2]
- Business Cases, if applicable.
- Market Research Report[3]
- Interagency Agreements (IAA), if applicable.
Table 2 below lists a set of core documents and HHS sanctioned templates that must accompany the ITAR request based on document type.
Document Type | Required Content |
---|---|
Acquisition Plan | Contains a detailed high-level description of the acquisition to include but not limited to: ITAR attestation certification: The Program Manager (PgM) or Project Manager (PM), Business Owner, System Owner (if applicable), and OpDiv/StaffDiv office executive’s statement validating the acquisition package and supporting documentation submitted for CIO approval. IGCE: Market research document providing a justification for the estimated dollar value of the acquisition (Base + Options), including labor buildup, other direct costs, and travel (if required). Must show how the estimate was derived/calculated (i.e., what methodology was used). Requirements Document (SOW, PWS, SOO): |
Acquisition Strategy | Comprehensive, detailed, high-level description of a strategic approach that program management will follow to manage risk and meet program objectives. It governs program execution across the entire program life cycle. It is not specific to one acquisition and can contain high level information regarding several forecasted procurements that may eventually contribute to a single program. Acquisition Strategies include: Ensure that the Acquisition Strategy includes a high-level forecast of anticipated IT costs that will support the program(s) covered by the Acquisition Strategy. These costs should not be coupled with and hidden within all other forecasted programmatic costs. Note: Precedes the acquisition plan development and can have several acquisition plans that support it. Acquisition strategies and acquisition plans are not one and the same. |
Step 2 - Access ITARNow Portal / Upload Acquisition Documents
ITARNow Portal Access
The ITARNow portal page is a secure site that is available to all users on the HHS Network. Users are required to authenticate using their PIV card and PIN before access is granted. Navigate to the ITARNow portal by typing (https://hhsasa.servicenowservices.com/ocio) in your Google Chrome browser, then follow the login prompts shown in Figure 2. (Note: Other supported web browsers include Firefox, Microsoft Edge, and Apple Safari. Microsoft Internet Explorer and mobile phone web browsers are not supported.)
Figure 2 is a sequenced image of how users will access the tool.
Figure 3 displays the Service Portal landing page where users will initiate ITAR requests.
Upload Acquisition Documentation
Table 3 is a list of steps users will perform to access the ITARNow portal, complete the submittal form, and upload their acquisition documentation.
Step | Description |
---|---|
1 | Use Google Chrome* to log into the ITARNow portal page: (https://hhsasa.servicenowservices.com/ocio); (* - Other supported web browsers include Firefox, Microsoft Edge, and Apple Safari. Microsoft Internet Explorer and mobile phone web browsers are not supported.) |
2 | Navigate to “ITAR Packages” at the top of landing page and select “Submit New ITAR”; |
3 | Complete the ITAR submittal form; |
4 | Attach documents by clicking the paper clip button at the top right corner of form; |
5 | Locate the acquisition document(s) within local folder(s), OneDrive, SharePoint, Teams, etc.; |
6 | Click “Open” to attach file(s) once identified in folder(s); |
7 | Repeat steps 6 and 7 to upload additional files; |
8 | To remove a file, select “Edit” above the uploaded document(s); |
9 | Click the (X) to remove document(s) then click “Done” when finished. |
Figure 4 below is a partial image of the ITAR submittal form ITAR Requestors will complete to initiate IT Acquisition Reviews. Guidance and links to resources are provided to ensure submissions are completed correctly. Contact information is also provided in the event assistance with the tool is needed.
Step 3 - Submit ITAR Package
The ITAR submittal form can only be submitted after all mandatory fields contain a value. Fields containing a red asterisk in the upper left corner are mandatory and require a response. When the ITAR submittal form contains adequate information, follow the steps in Table 4 to submit the ITAR request.
Step | Description |
---|---|
1 | Verify that the ITAR Submission form has been completed by ensuring each field contains data; |
2 | Verify that the required ITAR supporting documents for the acquisition have been attached; |
3 | Scroll to bottom of form and click "Submit"; |
4 | Submission is confirmed when user is redirected to landing page (as seen in Figure 3, above). |
ITAR submissions will trigger the ITAR Attestation certification process that must be completed electronically by the following certifiers: PgM or PM, Business Owner, System Owner (if applicable), and Office Executive.
Step 4 - ITAR Attestation Certification
Moving forward, the ITAR Attestation certification process will be used in lieu of the legacy pdf ITAR Approval form. Each stakeholder, identified by the program office requestor who enters the package in the ITARNow Portal, will be required to respond electronically by either Approving or Rejecting the ITAR package attestation statement.
All ITAR submissions are subject to ITAR Attestation certification. ITAR Requestors must identify the stakeholders who are the official attestation certifiers for their ITAR package by providing their names in the following data fields: 1) Program/Project Manager, 2) Business Owner, 3) System Owner (if applicable); and 4) OpDiv/StaffDiv Executive. Once the names are entered, the identified certifiers will receive an automated email notification with instruction to complete their action. Note: These fields are connected to MS Outlook’s Global Address Book; therefore, you must begin completing these fields in a manner similar to inserting an email address in the “to” field of the new email message.
Attestation certifiers will be required to respond by either approving or rejecting the ITAR package. Attestation certifiers will have two (2) business days to register their concurrence (approval) or non-concurrence (rejection).
Rejections will trigger an automated notification transmitted by email to the ITAR Requestor, ITAR Requestor’s Alternate POC, and the ITAR Reviewer group.
A member of the ITAR Reviewer group will reach out to Attestation approvers who reject an ITAR to determine if the request should be closed. When responding to an email from the ITAR Reviewer group, users must reply all. Replies should provide sufficient information on why the ITAR was rejected and whether remediation action is required. If updates are required, the ITAR Reviewer group will coordinate changes to the ITAR record with the ITAR Requestor.
Figure 5 is an image of the ITAR Certification page Certifiers will use to approve or reject the acquisition package requiring ITAR.
Step | Description |
---|---|
1 | Open the email notification received via MS Outlook; |
2 | Click the URL provided in the body of the email (Ensure Google Chrome* is the browser used to open the ITARNow portal); (* - Other supported web browsers include FireFox, Microsoft Edge, and Apple Safari. Microsoft Internet Explorer and mobile phone web browsers are not supported.) |
3 | Log into the ITARNow portal page with PIV credentials (See Figure 2 for step-by-step illustration); |
4 | Review the Attestation declarations then verify the acquisition package details; |
5 | To Approve Attestation - type Approve in the comments box and click Save. (Please DO NOT include additional characters, sentences, or spaces.) To Reject Attestation - type Reject: followed by the reason for the rejection in the comments box and click Save. |
6 | Await contact from an ITAR Reviewer seeking a rejection rationale. |
7 | ‘Reply All’ with rejection rationale and correction steps (if applicable) |
Post Attestation Certification Activities
When the Attestation process completes, and the overall outcome is an approval, the ITAR Reviewer group is notified. At that time, an individual ITAR Reviewer is assigned to the ITAR package, which will trigger a new notification to the ITAR Requestor and ITAR Requestor’s Alternate POC. The notification will include the ITAR Number and the name of the ITAR Reviewer who will perform the ITAR analysis and review.
- Prior to performing a full ITAR review, the ITAR Reviewer will conduct a completeness check and document an initial analysis of the package documentation and details.
- Packages found to be incomplete or not in alignment with HHS IT policy and guidance will be placed in a hold status and a request for additional information and/or a request for revisions will be sent to the ITAR Requestor and Requestor’s Alternate POC. A valid response with documentation (if required) is due within five (5) business days.
- Hold status cannot exceed five (5) business days unless an extension is requested by the program office, and subsequently granted by the ITAR Governance Board. If a hold exceeds five (5) business days without a granted extension and/or without proactive follow-up from the program office to keep the ITAR Reviewer informed of status, the ITAR Requestor and Alternate Requestor will be notified, as a courtesy, that the ITAR package will be closed out without further action. Closed requests still requiring ITAR will have to be resubmitted under a new ITAR number. Resubmittals must include the initial ITAR number. Note: If the ITAR Requestor anticipates being unavailable or out of office, he/she must ensure their named ITAR Alternate Requestor actively engages with the ITAR Reviewer, and keeps the ITAR Reviewer abreast of any challenges that may impact their ability to meet the five (5) business day suspense.
- Requests for information and/or documentation will be sent by the ITAR Reviewer from the ITARNow portal, which uses an MS Outlook mailbox to deliver the email messages. When the ITAR Requestor or other members of the Program Office are responding to a request from the ITAR Reviewer, all responders must “Reply All” to allow courtesy copied stakeholders to remain informed, while also ensuring all communication continues to be tracked within the ITARNow portal in real time.
Step 5 - View Submitted ITAR Request
Requestors can check the status of a submitted ITAR by navigating back to the ITARNow portal page and clicking Submitted ITARs under ITAR Packages. Follow the instructions in Table 6 below.
Step | Description |
---|---|
1 | Use Google Chrome* to log into the ITARNow portal page: (https://hhsasa.servicenowservices.com/ocio); (* - Other supported web browsers include FireFox, Microsoft Edge, and Apple Safari. Microsoft Internet Explorer and mobile phone web browsers are not supported.) |
2 | Navigate to “ITAR Packages” at the top of landing page and select “Submitted ITARs”; |
3 | A list of ITAR(s) submitted with the logged in user listed as “Requestor” will be viewable in a table format; |
4 | Navigate and select the ITAR from the list to view. |
A1.2 Quality Control/Quality Assurance
The ITAR Application is built in a software module with a set of business rules that are designed to improve ITAR process quality measures. This qualitative improvement adds value to all stakeholders of ITAR by incorporating workflow automation tools that model, display, orchestrate, execute, and track work products as activities occur. Use of the ITARNow portal feature to receive ITAR requests will also eliminate much of the human intervention involved with communicating the status of each ITAR. Users will now have transparency into their requests in real time and will be able to quickly identify where the package is in the workflow.
Several of the ITAR Submission Business Rules are described in the table below:
Rule | Description |
---|---|
Check Mandatory fields for values | Checks for: |
Set ITAR Number | Submitting a new record triggers the system to assign an ITAR Number |
Set Submitted Date | Sets date when the ITAR Package was submitted and subsequently, when the review timeline begins. |
A1.3 ITAR Submitter Checklists
Table 8, below, is provided as a checklist to aid ITAR Submitters in executing the task of transmitting acquisition packages for ITAR approval:
Develop Acquisition Package | Complete |
---|---|
Do you have a complete Acquisition Package? See Appendix A1. Step 1 for guidance. | ☐ |
Did you engage the appropriate SMEs and critical partners based on the type of product or service being acquired? (Examples: CISO, Privacy Officer, System Owner) | ☐ |
Have your SMEs and critical partners reviewed the requirements and documented their recommendations and approvals? | ☐ |
Did you do your due diligence to work with your SMEs in order to delineate required FAR, HHS Acquisition Request and/or requirements language that are specific and unique to your requirement, understanding it is not solely the responsibility of acquisition reviewers and the Contracting Office to know what applies and should be included in your SOW/SOO, PWS? | ☐ |
Enter Acquisition Data in ITARNow portal Application | Complete |
Use Google Chrome* to log into the ITARNow portal page: (https://hhsasa.servicenowservices.com/ocio) (* - Other supported web browsers include FireFox, Microsoft Edge, and Apple Safari. Microsoft Internet Explorer and mobile phone web browsers are not supported.) | ☐ |
Follow the instructions on ITARNow portal page to complete the ITAR Submission form | ☐ |
Ensure all necessary and mandatory data relevant to the Acquisition is entered in the appropriate data field | ☐ |
Requestor’s Alternate POC identified and entered with Acquisition data | ☐ |
Submit Request to LegCom | Complete |
Click "Submit" button at bottom of form to send ITAR request to LegCom ITAR team | ☐ |
ITAR Attestation Certification status is ‘Approved’ | ☐ |
Receive Microsoft Outlook email confirmation of ITAR submission, ITAR Number, and ITAR POC assignment | ☐ |
Respond to request for additional information within 5 business days to ensure the ITAR review team can route the acquisition package for approval in a timely manner | ☐ |
Appendix A2: ITAR Standard Operating Procedures for Reviewers and Approvers
ITAR Reviewers and Approvers will interact with the ITARNow application in its native view – which differs from the graphical user interface designed for submitters. To review a new or existing ITAR, open Google Chrome then paste the following URL: hhsasa.servicenowservices.com. (Note: Other supported web browsers include FireFox, Microsoft Edge, and Apple Safari. Microsoft Internet Explorer and mobile phone web browsers are not supported.)
ITAR requests submitted through the ITARNow portal page are immediately received by the LegCom ITAR review team. Notification of a new submission is sent directly to the Outlook mailbox of each user in the ITAR Reviewer group. ITAR requests will be reviewed and approved in accordance with LegCom’s posted Service Level Agreements (SLAs), Table 9.
Service | Description of Service | Performance Standards | Timer | |
---|---|---|---|---|
ITAR Receipt Notification | The receipt notification sent to a requestor as confirmation that the ITAR request was submitted and received by LegCom | 1 Business Day | Starts when acquisition package submitted in ITARNow portal. Automated email generated | |
ITAR Attestation Certification | Notification is sent to attestation certifiers with a link requesting that the ITAR package be approved or rejected. [The attestation certifiers are the Program Manager (PgM) or Project Manager (PM), Business Owner, System Owner (if applicable), and OpDiv/StaffDiv Executive.] Note: The ITAR review will not begin until the attestation certifications are completed. | 2 Business Days | | |
Time to Completion/Approval | The time LegCom requires to review and route ITARs under $1M through the approval process | 7 to 10 Business Days | Starts when a complete acquisition package has been submitted in ITARNow portal. | |
CIO Approval (ITARs >$1M) | The time LegCom requires to review and route ITARs over $1M through the approval process | 10 to 15 Business Days | Starts when a complete acquisition package has been submitted in ITARNow portal. | |
Hold Time (Suspend) | The time period an ITAR is suspended without being reviewed due to missing information | Not to exceed 5 business days | Starts after incomplete ITAR package has been submitted in ITARNow portal and LegCom reviewer informs Submitter that ITAR is on hold. | |
A2.1 ITAR Reviewer Process
ITAR reviews performed by LegCom ITAR staff follow a four-step process outlined in Figure 6:
When a submitted ITAR is in the intake phase of the process, ITAR Reviewers can potentially become involved if the Attestation certification process needs to be relaunched.
Reasons that warrant re-starting the Attestation approval process are:
- An attestation approver inadvertently rejects
- The attestation approver requests a minor change to the ITAR record
To Re-Start the attestation certification process follow the directions in Table 10 below.
Step 1a - Re-send Attestation
Attestation Decision
Attestation rejection notices will be delivered to the ITAR Reviewer group. Before beginning the Re-send Attestation process described below, the ITAR Reviewer group must engage the Attestation certifier who rejected the ITAR to seek their rejection reason(s).
If an Attestation Certifier rejects the ITAR for a reason that does not warrant closure, an ITAR Reviewer can collaborate with the Requestor or Requestor's Alternate POC to correct the ITAR record. After correcting the ITAR, ITAR Reviewers can manually re-start the ITAR Attestation certification workflow following the instructions in Table 10 below.
Step | Description |
---|---|
1 | Use Google Chrome* to log into ITARNow: (https://hhsasa.servicenowservices.com); (* - Other supported web browsers include FireFox, Microsoft Edge, and Apple Safari. Microsoft Internet Explorer and mobile phone web browsers are not supported.) |
2 | Open the ITAR application by clicking “ITAR” then “ITAR Packages” on the Application Navigator menu; |
3 | Within the ITAR Repository click the matching “ITAR Number” value found in the “ITAR Attestation Rejection Notification” email notification; |
4 | Scroll to ITAR Attestations at the bottom of the ITAR record to identify the Stakeholder who ‘Rejected’ (Example shown in Figure 7) |
5 | Use the email function to seek a rejection reason and next steps from the Stakeholder who rejected; |
6a | If the ITAR can be corrected, and at the discretion of the ITAR Reviewer group, collaborate with the Requestor using the email function in Step 5 to update issue(s) identified by Stakeholder(s); |
6b | Close the ITAR if the rejection reason warrants closure (Tip: Use Approval Queue field); |
7 | Restart the attestation workflow by clicking the “Re-Send Attestation” field check box (Example shown in Figure 8); |
8 | Click "Update" to save changes. |
To advance an Attestation certification due to inactivity in excess of four (4) business days, the ITAR Reviewer group can bypass an Attestation Certifier by following the steps in Table 11.
Step | Description |
---|---|
1 | Use Google Chrome* to log into ITARNow: (https://hhsasa.servicenowservices.com); (* - Other supported web browsers include FireFox, Microsoft Edge, and Apple Safari. Microsoft Internet Explorer and mobile phone web browsers are not supported.) |
2 | Open the ITAR application by clicking “ITAR” then “ITAR Packages” on the Application Navigator menu; |
3 | Within the ITAR Repository click the “ITAR Number” requiring intervention; |
4 | Scroll down to “ITAR Attestations” at the bottom of the record; |
5 | Under “Attestation Title” click the certifier role to be bypassed (Example shown in Figure 7 above); |
6 | Click “Bypass” button to skip the certifier. (Example shown in Figure 9 below) |
Step 1b - Review Acquisition Package
Completeness Review
After the attestation approval, the ITAR Reviewer will perform a completeness check of the acquisition package to ensure it contains the necessary information, supporting documentation, evidence of OpDiv/StaffDiv critical partner engagement, and program office approval before moving forward. (Please note that complete acquisition packages will receive a thorough analysis by the ITAR Reviewer. See the section below entitled “Full ITAR Review.”)
Table 12 below provides all directional steps necessary to perform a completeness review within the ITARNow application.
Step | Description |
---|---|
1 | Use Google Chrome* to log into ITARNow: (https://hhsasa.servicenowservices.com); (* - Other supported web browsers include FireFox, Microsoft Edge, and Apple Safari. Microsoft Internet Explorer and mobile phone web browsers are not supported.) |
2 | Click “ITAR” then “ITAR Packages” in the Application Navigator menu; |
3 | Within the ITAR Repository, click the matching “ITAR Number” value found in the “New ITAR Submitted” email notification; (Example shown in Figure 10 below) |
4 | Review ITAR data and attachments; |
5a | If package meets ITAR requirements, enter ITAR POC name in “ITAR POC” field, then click “Update”; |
5b | If package does not meet ITAR threshold, click the “Does Meet ITAR Criteria” check box located under the “Approval Queue” field, then click “Update” at the top of the screen. (Example shown in Figure 11 below) |
6 | If “Does Not Meet ITAR Criteria” is checked, change the “Approval Queue” field to “Closed” – the “ITAR POC” field does not need to be populated for packages submitted in error |
Suspend an Incomplete ITAR Request
Incomplete acquisition packages submitted for review will prompt the Reviewer to reach back to the ITAR Requestor or Requestor’s Alternate POC for more information. An acquisition package is considered incomplete when it does not contain the required documentation or is determined to be out of alignment with HHS IT policy and guidance.
Follow the steps in Table 13 to place an ITAR on hold.
Step | Description |
---|---|
1 | Use Google Chrome* to log into ITARNow: (https://hhsasa.servicenowservices.com); (* - Other supported web browsers include FireFox, Microsoft Edge, and Apple Safari. Microsoft Internet Explorer and mobile phone web browsers are not supported.) |
2 | Click “ITAR” then “ITAR Packages” in the Application Navigator menu; |
3 | Click the ITAR Number (e.g., ITAR – 0001234) value; |
4 | Select the “Workflow” tab then enter the suspend date in the “Suspend Date” field; input a suspend comment – when applicable; (Example shown in Figure 12 below) |
5 | Input a resume date on the “Workflow” tab once a valid response and/or documentation is provided; |
6 | If the ITAR does not resume within five (5) business days, change the “Approval Queue” field to “Closed” and document the reason for closure in the “Suspend Comment” under “Workflow”. |
Request Additional Information
Figure 13 is an image of step 1 in Table 14, below. ITAR Reviewers will use the email feature in ITARNow to engage Requestors, Critical Partners, and/or stakeholders.
Step | Description |
---|---|
1 | Within the ITAR Record navigate to banner and click the ellipsis (…) to the immediate left of “Update” button; (Example shown in Figure 13 above) |
2 | Select Email option from menu; |
3 | Draft Email with courtesy copy to any other stakeholder(s) that need to be informed, including the ITAR reviewer who is sending the email; |
4 | Click "Send." |
Table 15 lists the required content for Acquisition Plans (AP) and Acquisition Strategies (AS).
Document Type | Required Content |
---|---|
Acquisition Plan | Contains a detailed high-level description of the acquisition to include but not limited to: ITAR attestation certification: The Program Manager (PgM) or Project Manager (PM), Business Owner, System Owner (if applicable), and OpDiv/StaffDiv office executive's statement validating the IT Acquisition package and supporting documentation submitted for CIO approval. IGCE: Market research document providing a justification for the estimated dollar value of the acquisition (Base + Options), including labor buildup, other direct costs, and travel (if required). Must show how the estimate was derived/calculated (i.e., what methodology was used). Requirements Document (SOW, PWS, SOO): Describes the product or service being procured. |
Acquisition Strategy | Comprehensive, detailed, high-level description of a strategic approach that program management will follow to manage risk and meet program objectives. It governs program execution across the entire program life cycle. It is not specific to one acquisition and can contain high level information regarding several forecasted procurements that may eventually contribute to a single program. Acquisition Strategies include: |
Full ITAR Review
ITAR Reviewers must review the full acquisition package in-depth by examining all contents of the acquisition package for compliance with federal laws, regulations, policy, and best practices. The reviewer must also verify that HHS standards are being met in the areas of Information Security and Information Technology policy.
Major Investments:
- Details for IT major investments must be provided by the requesting office
- Engage the CPIC team to validate the IT investment name and number in the eCPIC Folio. Contact the requestor if this information is not provided. Missing information constitutes an incomplete package
Information Security & Privacy Certification Checklist attached?
Click the "Recommendations" Tab to verify:
- The submitter has a completed and signed certification form attached to the acquisition package
- If not, send submitter an email from the ITARNow portal and advise this document was omitted from the acquisition package but is required. It must be completed and signed. Place package on hold for no more than five (5) business days to allow submitter an opportunity to email document (see Table 13 of this SOP for instructions on how to place package on hold).
Security/Privacy Compliance Assessment
Click the “Recommendations” Tab to indicate the results of the Security/Privacy Compliance Assessment:
- Reviewer must conduct an analysis and select the applicable assessment indicating whether the content of the requirements document (i.e., SOO, SOW, PWS) aligns with the Office of Information Security’s Security and Privacy Language for Information and Information Technology Procurements policy and guidance (https://intranet.hhs.gov/document/security-and-privacy-language-information-and-information-technology-procurements).
Follow the steps outlined in Table 16 below to begin a full ITAR Review within the ITARNow application:
Step | Description |
---|---|
1 | Use Google Chrome* to log into ITARNow: (https://hhsasa.servicenowservices.com); (* - Other supported web browsers include FireFox, Microsoft Edge, and Apple Safari. Microsoft Internet Explorer and mobile phone web browsers are not supported.) |
2 | Click “ITAR” then “ITAR Packages” in the Application Navigator menu; |
3 | From the ITAR Repository, click the “ITAR Number” value of an ITAR Record without a value in “ITAR POC” column; |
4 | Assign the Reviewer by typing POC name or using the magnifying glass icon to look up “ITAR POC” in active directory; |
5 | Click “Save” in top right corner of screen to save changes; |
6 | Review Acquisition Package attachments for compliance, FAR, Privacy and Security clauses, HHS Acquisition Regulations, and executive sponsor signatures; |
7 | Review the “Basic”, “Period of Performance”, and “Financial” tabs to confirm the data entered in the ITARNow portal matches the information provided in the acquisition documents; |
8 | Modify the ticket as necessary by adding any supplemental data discovered in the acquisition documentation; |
9 | Enter an ITAR POC Recommendation using the “Recommendation” Tab. |
Step 2 - Engage Critical Partners
Critical partner engagement is a key activity in the ITAR process. Critical partners are subject matter experts that contribute expertise in a specific knowledge area and will provide verification that the requirement(s) have been vetted by the appropriate acquisition lifecycle groups necessary to move an acquisition package through each procurement phase. A few examples of ITAR critical partners are 508 Compliance, Information Security and Privacy, EPLC, and Cybersecurity.
LegCom requires customers of ITAR to engage critical partners prior to submitting an acquisition package for ITAR processing. Compliance with this requirement may reduce approval cycle-time if documentation that supports IT governance review, for example, is provided with the ITAR submission.
Critical Partner engagement is applicable to all OpDivs/StaffDivs, OS, and OCIO acquisition packages submitted for ITAR.
The process for engaging Critical Partners is outlined in Table 13 above. Correspondence to and from critical partners will become part of the ITAR record in the ITARNow portal. Critical Partner feedback is required (when applicable and based upon the details of each acquisition package) before the review process can move forward.
Step | Description |
---|---|
1 | Use Google Chrome* to log into ITARNow: (https://hhsasa.servicenowservices.com); (* - Other supported web browsers include FireFox, Microsoft Edge, and Apple Safari. Microsoft Internet Explorer and mobile phone web browsers are not supported.) |
2 | Click “ITAR” then “ITAR Packages” in the Application Navigator menu; |
3 | Click the ITAR Number (e.g., ITAR – 0001234) value; |
4 | Next, navigate to banner and click the ellipsis (…) to the immediate left of “Update” button; (Example shown in Figure 13 above) |
5 | Select Email option from menu; |
6 | Draft Email to Critical Partner(s) with courtesy copy to any other stakeholder(s) / user(s) that need to be informed, including the ITAR reviewer; |
7 | Click "Send." |
Document Critical Partner Engagement
ITAR Reviewers must document their engagement and the results of that engagement with internal HHS ITAR Critical partners. Use the “Critical Partner” Tab to indicate which critical partners were engaged as well as to provide high-level details of those exchanges. Entries will be stored in the ITAR record as a journal log – shown in Figure 14.
Detailed summaries of critical partner engagements and information that supports the ITAR analysis and review should be typed or pasted into the Summary tab data field (See Step 3 below). Descriptions of critical partner exchanges must include the date of engagement, feedback received, and the outcome. Content entered in the summary field, under the Summary tab, will roll into the final summary email sent to Requestors, their alternate POC, and the CIO and CIO Designee after an approval decision is entered.
If a new ITAR Critical Partner is engaged and they are not represented in the existing list of options, simply notate the partner, POC name and related details under the summary tab of the ITAR Record.
Step | Description |
---|---|
1 | Click the check box adjacent to the critical partner acronym if engaged; |
2 | Provide a brief but detailed summary of the outcome in the “Critical Partner Log” field; |
3 | Click the check box adjacent to the critical partner acronym if engaged; |
4 | In the “Critical Partner Log” provide a brief but detailed summary of the critical partner engagement purpose and outcome; (Example shown in Figure 14 below) |
5 | Log entry must include: |
6 | Click “Save” to insert and store log entry with the ITAR Record. |
Step 3: Develop Review Summary
ITAR Reviewers must use information from the acquisition documentation, critical partner feedback, and ITAR data entered in ITARNow to develop an ITAR summary. ITAR summaries are developed in ITARNow using the “Recommendations” and “Summary” tabs shown in Figures 15 and 16, below.
The ITAR summary should be an abstract of the requirement under review. A standard ITAR Summary will include a background statement and a recommendation that provides feedback to aid with improving the contractual details of the acquisition. The ITAR summary will offer one of two recommendation types: conditional or non-conditional recommendation.1
Content entered in the “Recommendation” tab will be automatically pulled into a final disposition email that will be sent to the ITAR Requestor, Requestor’s Alternate POC, HHS CIO, and Deputy CIO once a final approval or rejection decision is entered by the HHS CIO. A subset of the ITAR summary is shown in Figure 16, below.
1 Conditional recommendations are CIO conditions that must be satisfied through documentation before final approval. Non-conditional recommendations are CIO, or other, recommendations that are left up to the requesting office to build into their acquisition package.
ITAR Reviewers can provide additional information about the ITAR analysis in the “Summary Tab”. Enter additional content to be included in the final disposition email under the bolded “Recommendation” heading found in the “Full Summary” text field displayed in Figure 16.
ITARNow supports copy and paste functions that allow users to draft content in their tool of choice, then paste into ITARNow. Table 19 describes the steps Reviewers will follow to draft the ITAR Summary.
Step | Description |
---|---|
1 | In the ITAR record, click the “Summary” tab; |
2a | Draft ITAR “Background” and “Recommendations” within the ITARNow and in the Full Summary field; or |
2b | Draft ITAR Summary outside of the ITARNow Portal then paste into the ITARNow “Full Summary” field; |
3 | Click the “Save” button to save work and return later to make further inputs; |
4 | Click “Ready for Approval” radio button then “Save” to run approval workflow. |
A2.2: ITAR Approver Process
ITAR Approvers
LegCom Director: Performs the steps described in Table 20 below to complete pending approval(s). Approvers are cautioned to not “Reject” ITARs until an unequivocal final decision is reached on whether to allow the acquisition to move forward. Prematurely rejecting the ITAR will end the workflow immediately. Instead, use the comment feature of the approval form to seek additional information about the package under review prior to postulating an approval decision.
CIO or CIO Designee (Executive, Direct Report to CIO): The CIO or CIO Designee will access pending ITAR Approvals following steps 1 through 4 of Table 20. However, the comment function is configured differently for the CIO and CIO Designee. Comments entered on the approval form by the CIO or CIO Designee will populate the “CIO / CIO Designee Conditions” field within the ITAR record, thereby making that comment a part of the approval email sent to the Requestor.
To request additional information prior to making a review decision, follow the steps in Table 14 to send the ITAR Reviewer an email to open discussions for clarification.
Approving ITARs
Table 15, below, lists the steps each approval authority will take to complete their action of approving the ITAR.
Step | Description |
---|---|
1 | Use Google Chrome* to log into ITARNow: https://hhsasa.servicenowservices.com; (* - Other supported web browsers include FireFox, Microsoft Edge, and Apple Safari. Microsoft Internet Explorer and mobile phone web browsers are not supported.) |
2 | Next, click “ITAR” then “My Approvals” in Application Navigator menu; |
3 | Click the “Requested” value under the “State” Column; (Shown in Figure 18 below) |
4 | Review the ITAR Approval form and acquisition documents; (Shown in Figure 19 below) |
5 | Optional: Add comments using the comment feature within the ITARNow; (Shown in Figure 21 below): Post comment by clicking “Post” button under comment field; |
6 | Click “Approve” or “Reject” at the top right corner of the page to submit an approval decision. Approval decisions will end the workflow; |
7 | Rejecting an ITAR Approval request will end the workflow. Only click “Reject” after it is determined that the acquisition should not move forward. The requesting office will have to resubmit their package if requests are prematurely rejected. |
Figure 17, below, identifies the approval users and their respective approval threshold. Additionally, the figure lists the hierarchical order and sequence in which approval notifications will be sent.
If an ITAR does not contain enough information for a decision, Approvers are cautioned to take no action with regard to approving or rejecting. Instead, engage the ITAR POC following the directions provided in Table 20, above. Return to the approval request once sufficient information about the requirement is provided to complete the approval action.
Figure 19 is an example of the ITAR Summary approvers will review.
Figure 20 sits atop the ITAR Summary and is used to approve or post comments to the ITAR record. Approvers can delve deeper into a requirement by opening the documents attached to the ITAR record. To provide input on the acquisition under review or request an action of the requesting office, approvers can post comments to the record.
Approval Descriptions
ITAR Approvers can render one of two decisions in the ITARNow. Approval users have the option to either “Approve” or “Reject” the acquisition under review in the ITARNow. Table 21 provides a description of each action and the subsequent results.
Decision | Description |
---|---|
Approve | The CIO or CIO Designee approves, and the acquisition can move forward. OS and OCIO acquisitions must attach the ITAR approval to the requisition in UFMS. |
Reject | The CIO or CIO Designee does not approve the acquisition; therefore, the procurement cannot move forward. If the requesting office intends to resubmit the acquisition package, it must first take the action of satisfying the disapproval conditions provided in the disapproval notice. Resubmitted ITARs require documentation that discloses the actions taken to remediate identified issues. |
A2.3 Quality Control/Quality Assurance
The ITARNow application is built in ServiceNow with a set of business rules that are designed to improve ITAR process quality measures. This qualitative improvement adds value to all stakeholders of ITAR by incorporating workflow automation tools that model, display, orchestrate, execute, and track work products as activities occur. The ITARNow workflow automation feature will also eliminate much of the human intervention that existed in the legacy ITAR process in terms of management and reporting of performance metrics.
Several of the ITAR Business Rules are described in the table below:
Rule | Description |
---|---|
Calculate Number of Days in Process | Sets value for Number of Business Days in Process |
Calculate Number of Suspended Days | Sets Number of suspended days |
Check for No Approval Required 1 | Checks for: |
Check for No Approval Required 2 | Checks for: |
Check for No Approval Required 3 | Checks for: |
Check Mandatory fields for values | Checks for: |
Set ITAR Number | On Save of a new record |
Set Submitted Date | Sets date when the ITAR Package was submitted and subsequently, when the review timeline begins |
Set ITAR fields when Done | Sets Archival Date when the ITAR Package goes to “Done” |
Start ITAR Approval Check | Records the approval Start Date |
Appendix B: Standards
Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.
No standards are associated with this Policy.
Appendix C: Guidance
Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.
- Office of the Chief Information Officer (OCIO) Policies
- HHS Policy for Information Technology Procurements - Security And Privacy Language
Appendix D: Forms and Templates
Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.
HHS Acquisition Templates:
- In the HHS Acquisition Portal, the HHS Office of Acquisition Templates are an excellent resource for HHS templates, checklists, and other tools.
Information Security and Privacy Certification Checklist
- The Information Security and Privacy Certification Checklist can be found in “Appendix D: Forms and Templates” of the HHS Policy for Information Technology Procurements - Security And Privacy Language. In addition, a “pdf” version can be found on the Information Security & Privacy Certification Checklist page.
- Note: The Information Security & Privacy Certification Checklist must be signed by both the OpDiv/StaffDiv Chief Information Security Officer (CISO) and the Privacy Act Officer.
ITAR Forms: ITAR Submitter Checklists
Table 17, below, is provided as a checklist to aid ITAR Submitters in executing the task of transmitting IT Acquisition Packages for ITAR approval:
Develop Acquisition Package | Complete |
---|---|
Do you have a complete Acquisition Package? See Appendix A1. Step 1 for guidance. | ☐ |
Did you engage the appropriate SMEs and critical partners based on the type of product or service being acquired? (Examples: CISO, Privacy Officer, System Owner) | ☐ |
Have your SMEs and critical partners reviewed the requirements and documented their recommendations and approvals? | ☐ |
Did you do your due diligence to work with your SMEs in order to delineate required FAR, HHSAR and/or requirements language that are specific and unique to your requirement, understanding it is not solely the responsibility of acquisition reviewers and the Contracting Office to know what applies and should be included in your SOW/SOO, PWS? | ☐ |
Did you fill out the ITAR Approval Form? Is it signed by your program office? | ☐ |
Enter Acquisition Data in ITAR Service Portal | Complete |
Accessed ITAR Service Portal Page via the internet | ☐ |
Followed the instructions on Portal Page to complete the ITAR Submission form | ☐ |
Ensured all necessary and mandatory data relevant to the Acquisition is entered in the appropriate data field | ☐ |
Used paper clip icon to upload all supporting documentation and signed ITAR Approval Form | ☐ |
Submit Request to LegCom | Complete |
Clicked "Save" button at bottom of form to send ITAR request to LegCom ITAR team | ☐ |
Checked Microsoft Outlook regularly for delivery confirmation email from Service Portal (OS ISM Service Desk (OS/OCIO), HHS_OSISM@hhs.gov) | ☐ |
Responded to request for additional information within 5 business days to ensure the ITAR review team can route the acquisition package for approval in a timely manner | ☐ |
ITAR Reviewer and Approver Checklists
The checklist below is provided to aid ITAR Reviewers and Approvers in executing the task of obtaining ITAR approval for IT acquisitions.
The Service Portal ITAR Application Access - Reviewer and Approver | Complete |
---|---|
Ensure ability to access the Service Portal ITAR application | ☐ |
Preliminary Review of Acquisition Package - Reviewer | Complete |
Ensure ability to edit submitted acquisition data within the ITAR Record | ☐ |
Determine if acquisition meets minimum dollar threshold for ITAR review | ☐ |
Determine if any missing information or clarifications are required | ☐ |
Determine if acquisition is IT or other with IT Components | ☐ |
Determine whether an existing contract or strategic sourcing could be leveraged | ☐ |
Validate that the data entered in the Service Portal matches data in the requirement document(s) | ☐ |
Develop Summary and Recommendations - Reviewer | Complete |
Name of Acquisition/Program/Project | ☐ |
Description of Goods or Services | ☐ |
Background Information | ☐ |
Period of Performance (PoP) | ☐ |
Cost (Base Year + Options) | ☐ |
Identified Risks | ☐ |
Synopsis of Acquisition | ☐ |
Recommendations and Noteworthy Information | ☐ |
Closing out the Reviewer Process/Prepare for Approver Process - Reviewer | Complete |
ITAR POC name entered in the Service Portal data field | ☐ |
Confirm the acquisition data fields in the Service Portal are accurate | ☐ |
Engage Critical Partners / Incorporate Critical Partner Input | ☐ |
Finalize the ITAR Review Summary | ☐ |
Review ITAR Review Summary for comprehension and completeness | ☐ |
Check "Ready for Approval" radio button then click "Update" to launch workflow | ☐ |
Approval - Approver | Complete |
Review the comprehensive ITAR Summary provided by ITAR Reviewers | ☐ |
Reference acquisition package documents for further information or to obtain clarity if needed during approval analysis | ☐ |
Determine if you concur with the recommendations provided by the reviewer | ☐ |
Record your recommendations, concerns, conditions for approval and/or concurrence with the reviewer's recommendations using the comment feature on the approval form | ☐ |
Click "Approve" or "Reject" on the approval form to move the ITAR record to the next approver or end the workflow (depending on $ threshold) | ☐ |
Notification - Reviewer/The Service Portal Tool | Complete |
Notify Requesting Office of CIO or CIO Designee Decision | ☐ |
Provide Requesting Office with ITAR Approval Package | ☐ |
Glossary and Acronyms
Definitions:
- Acquisition Plan:
- As defined in the Federal Acquisition Regulation (FAR) Part 2 "Definitions" and further explained under FAR Part 7 "Acquisition Planning".
The process by which the efforts of all personnel responsible for an acquisition are coordinated and integrated through a comprehensive plan for fulfilling the agency need in a timely manner and at a reasonable cost. It includes developing the overall strategy for managing the acquisition.
- Definition explained further in supplemental agency guidance: HHS Directive for the Acquisition Strategy (revised February 2018).
The Acquisition Plan (AP) is a tactical document approved in HALF Phase 3 - Program Development which identifies the steps necessary to implement the approved Acquisition Strategy for the Program/Project (P/P). Unlike the Acquisition Strategy (AS), which is an overall strategy for all acquisitions that might be necessary for a P/P, the AP outlines the specific actions necessary to acquire resources. An approved AP serves as a formal agreement between the various parties as to how the acquisition will proceed. An AP is execution-oriented and contract-focused and therefore very different than the AS.
- Acquisition Strategy: As defined in the HHS Directive for the Acquisition Strategy (revised February 2018).
The AS, an essential part of the overall Program/Project Lifecycle Document (PLD) for each P/P, is a strategic document approved in HALF Phase 2 - Program Definition. The AS describes the entire mission/portfolio or program, defines the mission and business needs for the mission/portfolio or program, and provides the critical foundation necessary to determine the plans for the acquisition(s). The approval of the AS is required before developing management plans for the P/P structure and other details summarizing success factors and expected outcomes/results. The AS also provides the basis for meeting the organization's mission and business needs and established P/P objectives, thereby acting as an aid for the P/PM to gain acceptance, support, and approval for an acquisition. Development of the AS is a logical, systematic way of transforming a defined mission/business need into a comprehensive, top-level plan to direct the P/P management. Even though overarching strategies are required for all P/Ps, the AS is only required if the P/P will be augmented by contractor services/support. The AS Development Process consists of a series of iterative steps for identifying, analyzing, and resolving issues related to the essential elements of an AS. Documenting the AS is a means of performing adequate strategic planning in the beginning and throughout the program, thereby reducing potential diversions from program objectives that could have adverse cost, schedule, and technical consequences.
- Information Technology (IT): As defined in OMB M-15-14: Management Oversight of Federal Information Technology
- Any services or equipment, or interconnected system(s) or subsystem(s) of equipment, that are used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the agency; where
- Such services or equipment are 'used by an agency' if used by the agency directly or if used by a contractor under a contract with the agency that requires either use of the services or equipment or requires use of the services or equipment to a significant extent in the performance of a service or the furnishing of a product.
- The term "information technology" includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including provisioned services such as cloud computing and support services that support any point of the lifecycle of the equipment or service), and related resources.
- The term "information technology" does not include any equipment that is acquired by a contractor incidental to a contract that does not require use of the equipment.
- Major Information Technology (IT) Investment: As defined in OMB M-15-14: Management Oversight of Federal Information Technology
An IT investment requiring special management attention because of its importance to the mission or function to the government; significant program or policy implications; high executive visibility; high development, operating, or maintenance costs; unusual funding mechanism; or definition as major by the agency's capital planning and investment control process. Agencies should also include all "major automated information system" as defined in 10 U.S.C. 2445 and all "major acquisitions" as defined in the OMB Circular A-11 Capital Programming Guide consisting of information resources. OMB may work with the agency to declare IT investments as major IT investments. Agencies must consult with assigned OMB desk officers and resource management offices (RMOs) regarding which investments are considered "major." Investments not considered "major" are "non-major."
Acronyms:
- AP - Acquisition Plan
- AS - Acquisition Strategy
- ASFR - Assistant Secretary for Financial Resources
- CFO - Chief Financial Officer
- CIO - Chief Information Officer
- CPIC - Capital Planning and Investment Control
- EA - Office of Enterprise Architecture
- FAR - Federal Acquisition Regulation
- FITARA - Federal Information Technology Acquisition Reform Act
- HHS - Department of Health and Human Services
- HHSAR - Department of Health and Human Services Acquisition Regulation
- IGCE - Independent Government Cost Estimate
- IAA - Inter-Agency Agreement
- IT - Information Technology
- LegCom - Legislative Compliance Division
- OA - Office of Acquisition
- OES - Office of Enterprise Services
- OCIO - Office of the Chief Information Officer
- OIS - Office of Information Security
- OMB - Office of Management and Budget
- OpDiv - HHS Operating Division
- MOU - Memorandum of Understanding
- P/P - Program/Project
- PLD - Program/Project Lifecycle Document
- PSC - Program Support Center
- StaffDiv - HHS Staff Division
- SOW - Statement of Work
- VMO - Vendor Management Office
Footnotes
[2] IGCE: This must reflect how the estimate was derived using historical procurement pricing within HHS of similar products or services within three (3) years or current market research pricing, all of which must factor in at least 3% inflation for current pricing.
[3] Market Research Report: A mandatory document containing details that must be in alignment with the complexity or simplicity of the acquisition and must contain actual research results.
[4] Conditional recommendations are CIO conditions that must be satisfied through documentation before final approval. Non-conditional recommendations are CIO, or other, recommendations that are left up to the requesting office to build into their acquisition package.