Document #: HHS-OCIO-OES-2024-10-005
Version #: 2.0
Last Reviewed: October 2024
Next Review: October 2027
Owner: OCIO/OES
Approved By: Jennifer Wendel, Acting HHS Chief Information Officer (CIO)
Table of Contents
1. Nature of Changes
2. Purpose
3. Background
4. Scope
5. Authorities
6. Policy
- 6.1 Collaborative Development and Maintenance of HHS EA Framework
- 6.2 Collaborative Data Gathering and Sharing
- 6.3 Collaborative Enterprise Architecture Methods and Tools Selection and Deployment
- 6.4 Federated Oversight of the HHS Enterprise Architecture
- 6.5 Key Effectiveness Indicators
7. Roles and Responsibilities
- 7.1 Secretary of the Department of Health and Human Services
- 7.2 Assistant Secretary for Technology Policy (ASTP)/Office of the National Coordinator (ONC) for Health Information Technology
- 7.3 Assistant Secretary for Administration (ASA)
- 7.4 HHS Chief Information Officer (CIO)
- 7.5 HHS Chief Enterprise Architect (CEA)
- 7.6 HHS Enterprise Architecture Review Board
- 7.7 HHS Chief Information Security Officer (CISO)
- 7.8 HHS Office of the Inspector General
- 7.9 OpDiv CIO
- 7.10 OpDiv CEA
- 7.11 OpDiv Enterprise Architecture Review Boards
- 7.12 IT Stakeholders (Outside of EA)
- 7.13 Business/Functional Stakeholders
8. Information and Assistance
9. Effective Date and Implementation
10. Approved
Appendix A: Procedures
Appendix B: Standards
Appendix C: Guidance
Appendix D: Forms and Templates
Appendix E: References
Glossary and Acronyms
1. Nature of Changes
This version of the HHS Policy for Enterprise Architecture (EA), hereafter referred to as this Policy, supersedes the previous iteration (HHS-OCIO-2008-0003.001) and contains significant modifications to all sections of that document. The HHS Policy for Enterprise Architecture was developed through a collaborative effort among HHS Operating Divisions (OpDivs) and Staff Divisions (StaffDivs) with an emphasis on the role of EA in IT governance.
2. Purpose
The purpose of this Policy is to establish the direction-setting needs of the HHS EA Program and to facilitate the various OpDivs’ and StaffDivs’ efforts to deploy the policy with the level of flexibility they need.
3. Background
EA in the federal sector originated from the Clinger-Cohen Act of 1996, which focused heavily on the control of information technology (IT) budgets and spending. As a result, from its start until its decline through the 2010s, EA in the federal sector was built almost entirely on a technology-first foundation and its approach toward its governance role was characterized by a heavy reliance on command-and-control.
This approach gradually reduced EA’s effectiveness in providing value to the enterprise. EA Programs across the federal government have shown that EA needs to take a more collaborative approach with a focus on the business and data functions of the enterprise with IT serving as an enabler, rather than the foundation.
As highlighted throughout this document, this Policy builds on that collaborative approach to defining, developing, and executing EA functions across HHS and is guided by the following core principles:
- EA must not be focused on technology alone. EA must serve the business needs of stakeholders at all levels across all areas of the organization by encompassing business, data, technology and security architectures. EA will ensure that human-centered design 1 considerations are incorporated into solution architectures.
- EA must be incorporated into the Department’s planning and resource allocation, control, and oversight processes.
- EA data must be accurate, reliable, and available for use for approved purposes across the enterprise.
4. Scope
This Policy applies to all HHS entities and organizations that use or maintain IT systems to conduct business for, or that are owned or operated on behalf of, the Department.
HHS OpDivs/StaffDivs may create a local version of this policy based on their requirements that is not less restrictive than this Policy.
This policy does not supersede any applicable law or higher-level agency directive or policy guidance.
5. Authorities
Authorities include:
Federal Law and Directives
- Clinger-Cohen Act of 1996 (40 U.S.C. Chapter 111 Information Technology Management, General; 40 U.S.C. Chapter 113 Responsibility for Acquisitions of Information Technology)
- Federal Information Technology Acquisition Reform Act (FITARA) of 2014, FITARA Enhancement Act of 2017 (40 U.S.C. Chapter 113 Responsibility for Acquisitions of Information Technology; 44 U.S.C. Chapter 36 Management and Promotion of Electronic Government Services)
- 21st Century Integrated Digital Experience Act (IDEA Act) of 2018 (44 U.S.C. § 3501 note)
- E-Government Act of 2002, Federal Information Security Management Act of 2002, Federal Information Security Modernization Act (FISMA) of 2014 (44 U.S.C. Chapter 35 Coordination of Federal Information Policy)
- Federal Zero Trust Strategy, 2022
- Federal Cloud Computing Strategy, 2019
- Federal Data Strategy 2020 Action Plan
- Foundations for Evidence-Based Policymaking Act of 2018 (5 U.S.C. Chapter 3; 44 U.S.C. Chapter 35)
- Government Performance and Results Act of 1993, GPRA Modernization Act of 2010, Performance Enhancement Reform Act, etc. (31 U.S.C. Chapter 11)
- Paperwork Reduction Act of 1995 and Government Paperwork Elimination Act of 1998 (44 U.S.C. Chapter 35 Coordination of Federal Information Policy)
- Privacy Act of 1974 (5 U.S.C. § 552a)
- Enterprise Architecture, V2 – the Common Approach, 2013
- Federal Enterprise Architecture version 2, 2013
- Executive Order on Promoting Safe, Secure, and Trustworthy Artificial Intelligence - October 30, 2023
- Implementation Guidance Following Executive Order on Promoting Safe, Secure, and Trustworthy Artificial Intelligence - November 1, 2023
- Section 255, Telecommunications Act, 1996 (47 U.S.C. § 255)
- Section 508, Rehabilitation Act, 1973 (29 U.S.C. § 794d)
OMB Publications
- Office of Management and Budget Circular A-11
- Office of Management and Budget Circular A-130
- Office of Management and Budget Memorandum M-19-23
HHS Policies
- HHS Policy for IT Portfolio Management (PfM)
- HHS Policy for IT Enterprise Performance Lifecycle (EPLC)
- HHS Policy for IT System Inventory Management
- HHS Policy for Information Technology Asset Management (ITAM)
- HHS Policy for Information Security and Privacy Protection (IS2P)
6. Policy
It is the policy of HHS that the Department’s Enterprise Architecture be developed, deployed, and maintained through collaboration among the HHS EA Program and all HHS Operating Divisions and Staff Divisions (OpDivs/StaffDivs).
In conjunction with OpDiv EA Programs and offices, the HHS EA Program will capture the necessary data and implement the necessary methods, processes, and tools to facilitate business outcome–driven EA throughout HHS.
The following subsections provide further details on the core elements of this Policy.
6.1. Collaborative Development and Maintenance of HHS EA Framework
The HHS EA Program in the HHS Office of the CIO (OCIO) will work with OpDivs/StaffDivs to establish, deploy, and maintain a collaboratively defined set of approved modeling methodologies and associated standards, processes, practices, procedures, guidance and tools that will henceforth be referred to as the “HHS EA Framework.”
All components of the HHS EA Framework will be approved by the HHS EA Review Board (HHS EARB). (See section 7.6 for a description of the HHS EARB).
- The HHS EA Framework will serve as the only approved EA Framework for all IT initiatives across OpDivs/StaffDivs;
- OpDivs/StaffDivs must inform the HHS EA Program of any planned or existing deviations from the HHS EA Framework with details regarding the alternate option(s) chosen and the business reasons for the deviations;
- At both the Department and OpDiv/StaffDiv levels, EA across HHS will develop and maintain the data, business, application, and technology architectures for their organization. OpDivs/StaffDivs may develop baseline and target architectures and transition plans for any of the component architectures as appropriate for their environment;
- OpDivs/StaffDivs will develop localized Business Reference Model (BRM) Business Function Categories and Data Reference Model (DRM) high-level Data Categories. The HHS EA Program will gather these documents and make them available to EA Programs across HHS on an as-needed basis;
- The HHS EA Program must serve as the source of HHS IT System Inventory; OpDiv/StaffDiv EA Programs must provide updates for the HHS OCIO IT System Inventory in accordance with HHS Policy for IT System Inventory Management; and
- HHS StaffDivs and OpDivs across HHS must contribute to the development, maintenance, and implementation of a sound and integrated business, data, and information technology architecture for the Department.
6.2. Collaborative Data Gathering and Sharing
Data generated through the various EA functions is valuable for a wide variety of planning and decision-making needs of the Department and its OpDivs/StaffDivs.
- The HHS EA Program must work with all OpDivs/StaffDivs to collaboratively define the set of necessary and relevant EA data that OpDivs must provide to the HHS EA Program for management in the HHS EA Repository;
- EA data gathered at both the Department and the OpDivs/StaffDivs must be focused on enhancing delivery of business outcome–driven enterprise architectures;
- OpDiv EA Programs may gather data at a level of detail that is more specific than what the HHS EA Repository will contain. However, in all cases, the OpDiv EA data must be consistent with and complementary to the HHS EA;
- OpDivs/StaffDivs must provide a defined set of relevant data regarding their continuing and planned IT initiatives as well as their current IT environment;
- In addition to the EA data, documents gathered by the HHS EA Program and stored in the HHS EA Repository must include but not be limited to Business Reference Model (BRM) Business Function Categories and Data Reference Model (DRM) high-level Data Categories from the various OpDivs/StaffDivs; and
- Working with the EARB, the HHS EA Program will ensure that information gathered in the HHS EA Repository is shared with authorized individuals for all approved purposes.
6.3. Collaborative Enterprise Architecture Methods and Tools Selection and Deployment
The HHS EA Framework will consist of approved modeling methodologies and associated standards. The HHS EA Review Board, comprised of all OpDiv Chief Enterprise Architects (CEAs) and managed by the HHS EA Program, must coordinate the collaborative effort for establishing all aspects of the HHS EA Framework.
- The HHS EA Program will work with OpDivs/StaffDivs to select a tool that will serve as the central HHS EA Repository for the Department. The HHS EA Program must be responsible for management of the HHS EA Repository;
- The HHS EA Repository will maintain a collaboratively defined set of EA data from all OpDivs/StaffDivs;
- The modeling methodologies and associated standards, practices, procedures, and tools included in the EA Framework must be selected and deployed as a collaborative effort among HHS EA Program and OpDiv CEAs;
- All OpDivs/StaffDivs will be required to provide the agreed-upon set of EA data even if they use different repositories, tools, and modeling methodologies; and
- OpDivs/StaffDivs that deviate from the methods and tools included in the HHS EA Framework must inform the HHS EA Program of their chosen framework and the reason for the deviation.
6.4. Federated Oversight of the HHS Enterprise Architecture
Alignment with HHS EA must be incorporated into the Department’s IT planning, control, resource allocation, and oversight within the OpDivs/StaffDivs.
The HHS EA Program will be responsible for:
- Supporting all enterprise architecture functions of HHS OS and its StaffDivs;
- Working with the OpDiv CEAs to improve adherence to established EA standards, processes, and procedures;
- Tracking the frequency of deviations from various policy elements to help identify areas where the policy can be improved;
- Serving as a Critical Partner in the HHS Enterprise Performance Lifecycle (EPLC) for the StaffDivs’ IT initiatives and any HHS enterprise-wide IT initiatives; and
- Ensuring collaboration among EA Programs across HHS to continuously improve the role of EA in IT governance (e.g., enhancement of the EA critical partner role).
6.5. Key Effectiveness Indicators
As the steward for this Policy, the HHS EA Program will focus on a few key indicators that will help determine the Policy’s effectiveness. The factors listed in Appendix C: Guidance form an initial set. The HHS EARB may see fit to expand this list once the HHS EA Framework, described in Section 6.1 above, is developed and put in place.
7. Roles and Responsibilities
The following sections describe the roles and responsibilities for organizational entities at the Department level that assist in the development and implementation of the HHS EA Program and the effective deployment of this Policy.
7.1. Secretary of the Department of Health and Human Services
The Secretary of Health and Human Services is responsible for ensuring that the Department develops and maintains an enterprise architecture that fulfills legislative, regulatory, and operational requirements consistent with the Federal Enterprise Architecture (FEA)2 guidelines. The Secretary also ensures that Department representatives participate in and implement collaborative FEA initiatives to improve operational and resource management effectiveness across the Department.
The Secretary ensures Department collaboration in federal government-wide and federally sponsored business or service domain initiatives.
7.2. Assistant Secretary for Technology Policy (ASTP)/Office of the National Coordinator (ONC) for Health Information Technology
The Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (hereafter ASTP) is at the forefront of the administration’s health IT efforts and is a resource to the entire health system to support the adoption of health information technology and the promotion of nationwide, standards-based health information exchange to improve health care.
The ASTP is responsible for:
- Assuring that the Chief Data Officer (CDO) and Chief Artificial Intelligence Officer (CAIO) staff resources are available for any relevant EA initiatives and data calls.
7.3. Assistant Secretary for Administration (ASA)
The ASA must:
- Ensure that EA is incorporated throughout the Department’s budget planning, grants management, financial management, and technology operations; and
- Ensure allocation of budget and staff resources at levels needed for effective performance of the Department’s EA Program.
7.4. HHS Chief Information Officer (CIO)
The HHS CIO is responsible for planning, budgeting, managing, and monitoring the performance of the Department’s enterprise IT investments. The CIO chairs the HHS CIO Council, which reviews and approves the recommendations of the EARB and related technology, security, and privacy advisory groups.
The HHS CIO must:
- Ensure alignment with HHS EA is incorporated into the Department’s IT planning, control, resource allocation, and oversight within the OpDivs/StaffDivs;
- Establish the HHS EA Program within the HHS Office of the Secretary;
- Establish annual and long-term EA Program priorities, adjusting to updated mandates, as appropriate;
- Establish policies, procedures, guidelines, and contract clauses that ensure that IT system acquisitions comply with the HHS EA Framework;
- Delegate the HHS CEA to be responsible for the Department’s EA Program and to serve as the Department’s representative on EA matters, on both intra-Departmental and inter-governmental advisory bodies and forums;
- Provide direction, support, and resources to the HHS EA Program appropriate to the Department’s scope and complexity;
- Ensure enterprise architecture considerations are incorporated in the Department’s IT planning, investment, acquisitions, standards-setting, IT security and privacy management, and performance monitoring processes;
- Ensure that enterprise architecture issues are addressed by the CIO Council;
- Ensure that the HHS EA Program complies with relevant laws, regulations, policies, and industry standards; and
- Advocate for EA Program adoption and alignment across all HHS OpDivs/StaffDivs.
7.5. HHS Chief Enterprise Architect (CEA)
The HHS CEA establishes, plans, and directs the HHS EA Program and oversees the development and adoption of the HHS EA. The HHS CEA is the HHS CIO’s EA representative to each of the OpDivs, to the CIO Council, and to related boards. The HHS CEA (or designee) is the HHS representative on EA-related issues to inter-governmental and intra-Departmental advisory bodies and forums.
The HHS CEA must:
- Develop and communicate the vision, mission, strategic goals, and objectives of the HHS EA Program across the Department;
- Revise annual and long-term priorities to reflect changes to the HHS CIO’s priorities;
- Review federal mandates, laws, and other external requirements to determine annual and long-term EA priorities, and advise the HHS CIO of these considerations;
- Coordinate with the HHS Section 508 Program Director and assign a Section 508 Program Manager to ensure that Information and Communication Technology (ICT) deployed by HHS StaffDivs conforms to the applicable requirements in the current ICT Standards and Guidelines (36 C.F.R. § 1194);
- Ensure collaboration among OpDiv CEAs for establishing the HHS EA Framework and all related policies, processes, procedures, standards, guidance and tools;
- Establish operational and technical capabilities within the HHS EA Program;
- Improve integration of enterprise architecture oversight functions into HHS EPLC, Capital Planning and Investment Control (CPIC), and IT Acquisition Review (ITAR) workflows;
- Provide HHS EA-related training and technical assistance to OpDivs/StaffDivs;
- Serve as the Chair for the HHS Enterprise Architecture Review Board (EARB), establish and support necessary subcommittees and workgroups, and represent HHS EARB recommendations and concerns to the HHS CIO Council and other governance entities across HHS;
- Facilitate OpDiv/StaffDiv participation in enterprise-wide initiatives;
- Designate a federal staff member of the HHS EA team to represent all StaffDivs on the HHS EARB;
- Record and respond to any StaffDiv EA-related concerns raised in the OS Information Technology Council (OSITC);
- Serve as the CEA for all StaffDivs;
- Serve as the Department’s representative for EA on matters before intra-departmental and inter-agency advisory bodies and forums;
- Ensure that OpDiv/StaffDiv-proposed modifications to HHS EA metamodel and HHS EA technology standards are reviewed by all OpDivs and incorporated into the HHS EA Repository, as appropriate;
- Support OpDiv CEAs in planning and monitoring EA alignment and compliance for HHS-supported investments;
- Implement and maintain the HHS EA Repository and related tools;
- Ensure the Department responds to legislative requirements from Congress, as well as performance and compliance mandates from oversight agencies such as Government Accountability Office (GAO), Office of Management and Budget (OMB), as well as Records Management requirements from National Archives and Records Administration (NARA);
- Work with the HHS EARB to track deviations from components of the HHS EA Framework;
- Ensure that all OpDiv CEAs are informed of all Department-wide initiatives and data calls that have some overlap with Enterprise Architecture functions;
- Manage completeness of the HHS IT System Inventory in EANow by conducting periodic updates with data from all OpDivs;
- Work with Office of Information Security (OIS) to ensure the integrity of both the connection and data exchange between EANow and Archer, the HHS Security Governance, and the Risk and Compliance tool; and
- Manage the HHS Repository and collect EA artifacts from the OpDivs, as per the processes to be established by the HHS EARB.
7.6. HHS Enterprise Architecture Review Board
The HHS Enterprise Architecture Review Board (EARB) consists of CEAs from all OpDivs and is chaired by the HHS CEA. The EARB must:
- Manage the identification, development, and deployment of all components of the HHS EA Framework and conduct the vote for formal approval of the EA Framework;
- Ensure that all HHS IT investments incorporate EA requirements throughout their planning and approval phases;
- Ensure that HHS IT initiatives address EA alignment requirements throughout their project lifecycles;
- Ensure that the HHS EA Program continues to execute and strengthen its role of a Critical Partner in the HHS Enterprise Performance Lifecycle (EPLC);
- Provide advice to and ensure adherence by OpDivs/StaffDivs to HHS EA policies and procedures;
- Serve as a forum for presentation and discussion of OpDivs’/StaffDivs’ EA-related issues, plans, and advancements;
- Define a structured process for sharing data in the HHS EA Repository with stakeholders outside of the enterprise architecture programs or across OpDivs; and
- Assist the HHS CEA in documenting and tracking deviations from components of the HHS EA Framework.
7.7. HHS Chief Information Security Officer (CISO)
The Chief Information Security Officer will work with the HHS CEA to ensure that the HHS EA Framework appropriately incorporates cybersecurity and privacy requirements.
7.8. HHS Office of the Inspector General
The HHS Office of Inspector General has a responsibility to maintain independence, so that opinions, conclusions, judgments, and recommendations made to Operating Divisions will be impartial. This may, at times, mean that HHS-OIG is unable to share all details of its business, data, and technology architectures.
7.9. OpDiv CIO
The OpDiv CIO must:
- Designate an OpDiv Chief Enterprise Architect (OpDiv CEA) or equivalent to oversee EA implementation and alignment within their OpDiv;
- Provide adequate resources to support the OpDiv CEA in management of the OpDiv EA Program;
- Ensure adoption, development, and implementation of Department and OpDiv EA policies and procedures;
- Ensure that all areas within CIO (CPIC, Security, etc.) provide resources and information as may be required for EA-related cross-functional activities;
- Prioritize OpDiv Enterprise Architecture activities based on annual Department and OpDiv strategic plans as well as annual Department and OpDiv priorities;
- Facilitate participation by OpDiv program and business stakeholders in EA-related activities;
- Ensure timely participation of the OpDiv EA Program in departmental and inter-Department activities as needed; and
- Ensure that the OpDiv acquisition policies, practices and procurement documents incorporate EA considerations as appropriate.
7.10. OpDiv CEA
In some OpDivs, the Enterprise Architecture Program may not have a formal Chief Enterprise Architect as its lead. However, the roles listed above apply to the individual leading that OpDiv’s EA Program. The OpDiv CEA must:
- Develop and disseminate the OpDiv’s EA strategies, policies, standards, and governance requirements that are no less restrictive than those within this policy and the HHS EA Framework;
- Coordinate with the HHS Section 508 Program Director or OpDiv equivalent and assign a Section 508 Program Manager to ensure that Information and Communication Technology (ICT) deployed by HHS StaffDivs conforms to the applicable requirements in the current ICT Standards and Guidelines (36 C.F.R. § 1194);
- Assist the HHS CEA, as needed, to ensure that HHS EA conforms to all administrative and legislative mandates, federal oversight requirements, and all other relevant federal requirements;
- Adapt the HHS EA Framework to produce an OpDiv-specific enterprise architecture vision, standards, and review process to meet the requirements of their OpDiv;
- Serve as the OpDiv’s representative on the HHS EARB and its working groups;
- Monitor alignment of the OpDiv’s IT initiatives with EA requirements;
- Provide updates to the HHS IT System Inventory in accordance with the HHS Policy for IT System Inventory Management;
- Advise, educate, and train OpDiv stakeholders on EA processes and tools, as needed;
- Facilitate development of localized Reference Models as well as Reference Architectures and provide them to the HHS EA Repository according to processes to be established by the HHS EARB;
- Coordinate with OpDiv data owners, data stewards and other related stakeholders to ensure completeness and quality of the data provided to the HHS EA Repository;
- Define and align OpDiv EA with standards to be established by the HHS EARB;
- Inform the HHS CEA of the need for deviation from use of methods, processes, or tools of the HHS EA Framework;
- Ensure that relevant aspects of the HHS EA Framework are considered as the first option for new initiatives;
- Ensure that the OpDiv EA Program responds to relevant HHS data calls with accurate data on a timely basis;
- Establish, update and maintain OpDiv IT systems inventory and provide required updates to the HHS IT System Inventory;
- Serve as a Critical Partner in the OpDiv’s deployment of the HHS EPLC for OpDiv/StaffDiv IT initiatives; and
- Serve as the Chair of the OpDiv EARB.
7.11. OpDiv Enterprise Architecture Review Boards
Each OpDiv must deploy either a formal EARB or an equivalent within their respective domains. In some OpDivs, such a review board may have a name other than Enterprise Architecture Review Board. OpDiv EARBs or equivalents must:
- Ensure that new and ongoing OpDiv IT initiatives demonstrate EA alignment through documented OpDiv CEA and EARB approvals;
- Advise the OpDiv CEA on development and deployment of EA-related policies and procedures;
- Assist the OpDiv CEA in conducting OpDiv EA compliance reviews of proposed and ongoing OpDiv IT initiatives;
- Assist the OpDiv CEA in responding to internal, Department-wide and government-wide data calls; and
- Advise the OpDiv CEA on EA-related policies and procedures.
7.12. IT Stakeholders (Outside of EA)
IT stakeholders, for example, IT project managers and infrastructure team leads, at both the HHS and OpDiv/StaffDiv levels must:
- Participate in capturing relevant functional and technical data throughout the lifecycles of IT initiatives;
- Assist in aligning IT initiatives with HHS and/or OpDiv/StaffDiv EA guidelines;
- Comply with EA-related requirements of governance and oversight frameworks including, but not limited to, EPLC, IT Acquisition Review (ITAR), and Capital Planning and Investment Control (CPIC);
- Participate in the OpDiv/StaffDiv IT systems inventory/census conducted by the HHS or OpDiv EA Program; and
- Assist the CEA by identifying possible improvements to the relevant EA-related processes and procedures.
7.13. Business/Functional Stakeholders
Business/Functional stakeholders, such as functional area system owners, data owners, data stewards, and business analysts, at both the HHS and OpDiv/StaffDiv levels must:
- Ensure quality and completeness of data provided for EA activities;
- Provide timely and accurate data in response to periodic and ad hoc data calls; and
- Validate that EA is focused on facilitating delivery of business outcome–focused results.
8. Information and Assistance
HHS Office of the Chief Information Officer (OCIO) is responsible for the development and management of this Policy. Questions, comments, suggestions, and requests for information about this policy should be directed to HHS_EA_Program@hhs.gov
9. Effective Date and Implementation
The effective date of this Policy is the date on which the policy is approved. This Policy must be reviewed, at a minimum, every three (3) years from the approval date. The HHS CIO has the authority to grant a one (1) year extension of the policy. To archive this Policy, approval must be granted, in writing, by the HHS CIO.
10. Approved
/s/
Jennifer Wendel
Acting HHS Chief Information Officer (CIO)
October 8, 2024
Date
Appendix A: Procedures
Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.
At this time, there are no procedures required to implement this policy. However, as mentioned earlier in the document, future procedures associated with the HHS EA Framework will be developed in collaboration with OpDiv CEAs. This appendix will be updated when those procedures have been developed.
Appendix B: Standards
Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.
At this time, there are no standards required to implement this policy. However, as mentioned earlier in the document, standards associated with the HHS EA Framework will be developed in collaboration with OpDiv CEAs. This appendix will be updated when those standards have been developed.
Appendix C: Guidance
Governance Role of Enterprise Architecture
The Governance section of OMB Circular A-130 3 specifies that Enterprise Architecture has a vital role in enterprise governance. Figure 1 below further illustrates the detailed view of the governance and planning roles EA performs through the Strategize, Architect, Invest and Implement phases of OMB’s Performance Improvement Lifecycle 4 (PIL). Refer to the Centers for Disease Control and Prevention’s (CDC) Unified Process 5 (UP) for more on the PIL.
Figure 1: Role of EA in OMB’s Performance Improvement Lifecycle
Strategize: In this phase, Enterprise Architecture:
- Provides up-to-date architectural mappings of data, process, technology and other aspects of the current state that form the foundation for strategizing for a future state.
Architect: In this phase, Enterprise Architecture:
- Develops architectural mappings that help operationalize the vision, goals and objectives to support the future mission, vision, goals and objectives envisioned in the Strategic Plan; and
- Facilitates discovery of gaps between the current state and the future state envisioned in the strategic plan.
Invest: In this phase, Enterprise Architecture:
- Facilitates selection and prioritization of gaps to be closed via funded initiatives; and
- Ensures that initiatives undertaken to fill the gap adhere to architectural standards.
Implement: In this phase, Enterprise Architecture:
- Ensures that the initiatives undertaken remain aligned with specified standards throughout the life of the projects; and
- Maintains an accurate record of the current state by updating the relevant architectural mappings when a new or updated solution is implemented.
Key Indicators
As the steward for this Policy, the HHS EA Program will focus on a few key indicators that will help determine the Policy’s effectiveness. The factors below form an initial set. The HHS EARB may see fit to expand this list once the HHS EA Framework, described in Section 6.1 above, is developed and put in place.
Table 1: Key Effectiveness Indicators
Indicators To Be Tracked | Rationale |
---|---|
Are the standard methods, tools, processes, and guidance included in the HHS EA Framework being considered as the first option? Is there a high frequency of deviations from specific elements of the HHS EA Framework? | This Policy allows for deviations. If the frequency of deviations for an area in the HHS EA Framework appears high, then it is possible that the standard options provided for that area are ineffective or insufficient. |
Are OpDivs/StaffDivs making local BRM, DRM, Program Area Listings, and Reference Architectures available to the HHS EA Repository for sharing among EA Programs across HHS? | This Policy states that OpDivs/StaffDivs will share their EA data (e.g., BRM, DRM, other mappings and reference architectures, etc.) to the HHS EA Repository. If such documents are not made available, then the full extent of planned data sharing cannot be realized. |
Are EA data and EA artifacts in the HHS EA Repository being used by EA Programs across HHS? | This Policy states that improved data sharing across EA Programs is a foundational value proposition. If the EA data is not widely used by EA Programs, then that would indicate a lack of significant improvement in this regard. |
Is EA data in the HHS EA Repository being used by non-technical, business stakeholders? | This Policy states that increased use of data in the EA Repository for enterprise decision-making purposes is an important aspirational value proposition. If the EA data is not widely used for such purposes, then that would indicate a lack of significant improvement in this regard. |
Appendix D: Forms and Templates
Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.
At this time, there are no forms or templates required to implement this policy. However, as mentioned earlier in the document, future templates associated with the HHS EA Framework will be developed in collaboration with OpDiv CEAs. This appendix will be updated when those templates have been developed.
Appendix E: References
Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.
Federal Law and Directives
Clinger-Cohen Act of 1996 (40 U.S.C. Chapter 111 Information Technology Management, General; 40 U.S.C. Chapter 113 Responsibility for Acquisitions of Information Technology)
https://uscode.house.gov/view.xhtml?path=/prelim@title40/subtitle3/chapter111&edition=prelim
https://uscode.house.gov/view.xhtml?path=/prelim@title40/subtitle3/chapter113&edition=prelim
Federal Information Technology Acquisition Reform Act (FITARA) of 2014, FITARA Enhancement Act of 2017 (40 U.S.C. Chapter 113 Responsibility for Acquisitions of Information Technology; 44 U.S.C. Chapter 36 Management and Promotion of Electronic Government Services)
https://uscode.house.gov/view.xhtml?path=/prelim@title40/subtitle3/chapter113&edition=prelim
https://uscode.house.gov/view.xhtml?path=/prelim@title44/chapter36&edition=prelim
21st Century Integrated Digital Experience Act (IDEA Act) of 2018 (44 U.S.C. § 3501 note)
https://uscode.house.gov/view.xhtml?path=/prelim@title44/chapter35&edition=prelim
E-Government Act of 2002, Federal Information Security Management Act of 2002, Federal Information Security Modernization Act (FISMA) of 2014 (44 U.S.C. Chapter 35 Coordination of Federal Information Policy)
https://uscode.house.gov/view.xhtml?path=/prelim@title44/chapter35&edition=prelim
Federal Zero Trust Strategy, 2022
https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf
Federal Cloud Computing Strategy, 2019
https://www.whitehouse.gov/wp-content/uploads/2019/06/Cloud-Strategy.pdf
Federal Data Strategy 2020 Action Plan
https://strategy.data.gov/action-plan/
Foundations for Evidence-Based Policymaking Act of 2018 (5 U.S.C. Chapter 3; 44 U.S.C. Chapter 35)
https://uscode.house.gov/view.xhtml?path=/prelim@title5/part1/chapter3&edition=prelim
https://uscode.house.gov/view.xhtml?path=/prelim@title44/chapter35&edition=prelim
Government Performance and Results Act of 1993, GPRA Modernization Act of 2010, Performance Enhancement Reform Act, etc. (31 U.S.C. Chapter 11)
https://uscode.house.gov/view.xhtml?path=/prelim@title31/subtitle2/chapter11&edition=prelim
Paperwork Reduction Act of 1995 and Government Paperwork Elimination Act of 1998 (44 U.S.C. Chapter 35 Coordination of Federal Information Policy)
https://uscode.house.gov/view.xhtml?path=/prelim@title44/chapter35&edition=prelim
Privacy Act of 1974 (5 U.S.C. § 552a)
https://uscode.house.gov/view.xhtml?req=(title:5%20section:552a%20edition:prelim)
Enterprise Architecture, V2 – the Common Approach, 2013
https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/egov_docs/common_approach_to_federal_ea.pdf
Federal Enterprise Architecture version 2, 2013
https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/egov_docs/fea_v2.pdf
Executive Order on Promoting Safe, Secure, and Trustworthy Artificial Intelligence - October 30, 2023
https://www.whitehouse.gov/briefing-room/presidential-actions/2023/10/30/executive-order-on-the-safe-secure-and-trustworthy-development-and-use-of-artificial-intelligence/
Implementation Guidance Following Executive Order on Promoting Safe, Secure, and Trustworthy Artificial Intelligence - November 1, 2023
https://www.whitehouse.gov/wp-content/uploads/2023/11/AI-in-Government-Memo-draft-for-public-review.pdf
Section 255, Telecommunications Act, 1996 (47 U.S.C. § 255)
https://uscode.house.gov/view.xhtml?req=(title:47%20section:255%20edition:prelim)
Section 508, Rehabilitation Act, 1973 (29 U.S.C. § 794d)
https://uscode.house.gov/view.xhtml?req=(title:29%20section:794d%20edition:prelim)
OMB Publications
Office of Management and Budget Circular A-11
https://obamawhitehouse.archives.gov/omb/circulars_a11_current_year_a11_toc
Office of Management and Budget Circular A-130
https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf
Office of Management and Budget Memorandum M-19-23
https://www.whitehouse.gov/wp-content/uploads/2019/07/M-19-23.pdf
HHS Policies
HHS IT Portfolio Management Policy
https://www.hhs.gov/web/governance/digital-strategy/it-policy-archive/hhs-policy-information-technology-portfolio-management.html
HHS EPLC Policy
https://www.hhs.gov/web/governance/digital-strategy/it-policy-archive/policy-for-information-technology-enterprise-performance.html
HHS Policy for IT System Inventory Management
https://www.hhs.gov/web/governance/digital-strategy/it-policy-archive/hhs-ocio-policy-for-management-of-the-enterprise-it-system-inventory.html
HHS Policy for Information Technology Asset Management (ITAM)
https://www.hhs.gov/web/governance/digital-strategy/it-policy-archive/hhs-policy-for-information-technology-asset-management-itam.htm
HHS Policy for Information Security and Privacy Protection (IS2P)
https://www.hhs.gov/about/agencies/asa/ocio/cybersecurity/information-security-privacy-program/index.html
Glossary and Acronyms
This section provides brief descriptions/definitions of key terms as well as full forms of acronyms used in this document.
Definitions:
Application Architecture – Represents the structure or behavior of individual software applications within a larger system or organization including the design, components, interfaces, and interactions of these applications as well as the standards and guidelines governing their development and deployment.
Artifact – An abstract representation of some aspect of an existing or to-be-built system, component, or view. Examples of individual artifacts are a graphical model, structured model, tabular data, and structured or unstructured narrative. Individual artifacts may be aggregated.
Baseline Architecture – A cumulative “as-is” or baseline representation of the existing architecture encompassing all components of the overall Enterprise Architecture.
Business Architecture – The component of the overall enterprise architecture that defines business processes, information flows, and information needed to perform business functions. This is the component of overall enterprise architecture that most effectively facilitates communication between technology teams and non-IT stakeholders across the enterprise.
Business Reference Model (BRM) – The Business Reference Model (BRM) is a classification taxonomy used to describe the type of business functions and services that are performed in the federal government. The BRM describes the “What we do” of the federal enterprise through the definition of outcome-oriented and measurable functions and services.
Capital Planning and Investment Control (CPIC) – The decision-making process that ensures IT Investments integrate strategic planning, budgeting, procurement, and management with a focus on the missions and business needs of the Department of Health and Human Services (HHS).
Chief Enterprise Architect (CEA) – A senior-level position responsible for leading and overseeing HHS’s or an OpDiv’s Enterprise Architecture (EA) program, practices, and initiatives.
Data Architecture – The component of the overall enterprise architecture that defines the blueprint for managing data assets by aligning with organizational strategy to establish strategic data requirements and designs to meet those requirements.
Data Reference Model (DRM) – A framework that describes the data assets, data flows, data architecture, and data standards within an organization.
Enterprise – An organization supporting a defined business scope and mission. An enterprise is comprised of interdependent resources (people, organizations, and technology) that coordinate functions and share information in support of a common mission (or set of related missions).
Enterprise Architecture (EA) – A strategic information asset base that defines the mission; the information and technologies necessary to perform the mission and the transitional processes for implementing new technologies in response to changing mission needs; and includes a current architecture, a future architecture, and a sequencing plan. (Source: The Common Approach to Federal Enterprise Architecture; May 2, 2012)
Enterprise Architecture Roadmap – A strategic blueprint that communicates how an enterprise's IT plans will help the organization achieve its business objectives.
Enterprise Performance Life Cycle (EPLC) – A methodology that establishes a project management and accountability environment for HHS IT projects to achieve consistently successful outcomes that maximize alignment with Department-wide and individual OpDiv/StaffDiv goals and objectives. Implementation of the EPLC methodology allows HHS to improve the quality of project planning and execution, reducing overall project risk.
Federal Enterprise Architecture (FEA) – A business-based framework for governmentwide improvement developed by the Office of Management and Budget that is intended to facilitate efforts to transform the federal government to one that is citizen-centered, results-oriented, and market-based.
Federal Health Architecture (FHA) – An E-Government Line of Business initiative designed to bring together the decision makers in federal health IT for inter-agency collaboration — resulting in effective health information exchange (HIE), enhanced interoperability among federal health IT systems and efficient coordination of shared services. FHA also supports federal agency adoption of nationally recognized standards and policies for efficient, secure HIE.
HHS EA – The combination of the HHS EA Framework and the compiled EA data and artifacts in the HHS EA Repository (knowledgebase).
HHS EA Framework – A collaboratively defined set of approved modeling methodologies and associated standards, practices, procedures, and tools. It serves as a comprehensive guide for structuring and aligning enterprise architecture efforts across HHS.
HHS EA Program – HHS OCIO EA functions led by the HHS Chief Enterprise Architect.
HHS EA Repository – A centralized knowledge base containing information on HHS business, data, applications, and technologies captured through enterprise architecture documentation and artifacts.
HHS Enterprise Architecture Review Board (EARB) – A cross-Division body responsible for guiding the development, implementation, and evolution of the HHS Enterprise Architecture. With its membership from all HHS OpDivs, the HHS EARB aims to ensure consistency, coherence, and efficiency across IT systems and infrastructure within the enterprise. OpDivs and StaffDivs may have an equivalent entity within their domains as well.
IT System Inventory – The inventory of the HHS IT systems that is maintained by HHS Enterprise Architecture in EANow.
Metamodel – A set of entities that allow architectural concepts to be captured, stored, filtered, and queried.
Principle – A statement of preferred direction or practice. Principles constitute the rules, constraints, and behaviors that an organization will abide by in its daily activities over a long period of time.
Policy – A set of principles, rules, and guidelines formulated or adopted by an organization to reach its long-term goals.
Target Architecture – A representation of a desired future state or “to be built” for the enterprise within the context of the strategic direction. Target Architecture establishes the future data, business, and technology environments to support the future state of the enterprise.
Technical Architecture – The structure and behavior of the IT systems required to support the business processes of an organization. This includes hardware, software, data, communications, and security components, along with the standards and guidelines governing their integration and interoperability.
Transition Plan – A document that defines the strategy for changing the enterprise from the current baseline to the target architecture.
Acronyms:
- ASA – Assistant Secretary for Administration
- ASTP – Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology
- BRM – Business Reference Model
- CDC – Centers for Disease Control and Prevention
- CEA – Chief Enterprise Architect
- CIO – Chief Information Officer
- CPIC – Capital Planning and Investment Control
- DRM – Data Reference Model
- EA – Enterprise Architecture
- EARB – Enterprise Architecture Review Board
- EPLC – Enterprise Performance Lifecycle
- FEA – Federal Enterprise Architecture
- FHA – Federal Health Architecture
- FISMA – Federal Information Security Modernization Act
- GAO – Government Accountability Office
- HIE – Health Information Exchange
- HHS – Department of Health and Human Services
- ICT – Information and Communication Technology
- IDEA – 21st Century Integrated Digital Experience Act (IDEA Act)
- IT – Information Technology
- ITAM – Information Technology Asset Management
- ITAR – Information Technology Acquisition Review
- NARA – National Archives and Records Administration
- OES – Office of Enterprise Services
- OMB – Office of Management and Budget
- OS – Office of the Secretary
- PIL – Performance Improvement Lifecycle
- UP – Unified Process
Endnotes
1 21st Century Integrated Digital Experience Act (IDEA Act) of 2018 (44 U.S.C. § 3501 note)
2 Federal Enterprise Architecture Version 2; January 2013
3 OMB Circular A-130; Section 5(b), pp 8-9; July 2016.
4 “Enterprise Architecture Alignment with EPLC”; CDC UP Project Management Newsletter, Volume 3, Issue 9, January 2009.
5 Centers for Disease Control and Prevention Unified Process