Summary of Order
The purpose of DOE O 200.1A Chg 2 (LtdChg) is to ensure responsible management of IT assets.
LBNL Implementation
Clause | Requirement | Implementation | Status |
---|---|---|---|
1.a | Information Technology Strategic Planning. Maintain a strategic plan that coordinates IT planning and investment decisions and links contractor-specific missions and goals to the Departmental strategic plan, as well as: | The IT strategic/business plan aligns with LBNL-wide strategic objectives and the mission and objectives of Operations. | ✓ |
1.a.1 | Implement an IT investment decision process that utilizes Enterprise Architecture principles; | LBNL uses an IT investment decision process that is based on its short and long-term goals and takes place within the context of Laboratory Budget Planning and Strategy activities. | ✓ |
1.a.2 | Implement and manage IT acquisition processes to achieve cost savings through appropriate IT hardware and software standards, negotiated buying arrangements, and refresh policies. | LBNL leverages strategic sourcing and optimizes on the basis of automating commodity procurement costs. These costs and milestones are tracked at the level of overall procurements by CFO. | ✓ |
1.b | Capital Planning and Investment Control. Develop, implement, and maintain a Capital Planning and Investment Control (CPIC) process, as well as: | CPIC describes two processes – Federal CPIC (53s and 300s) and the need for a select, control, and evaluate process for investments. Our exhibit 53s and 300s are available on request and our strategic plan describes our investments. Senior management determines major investments based on scientific projects and based on science outcomes. | ✓ |
1.b.3 | Execute program and office specific processes that support Department-wide CPIC efforts by monitoring and demonstrating effective control of the cost, schedule, and performance of investments and corresponding projects; | We assume this requirement is specific to the 300s, and these processes are in place. | ✓ |
1.b.4 | Implement appropriate internal policies regarding the acceptable use of IT assets; | Our Acceptable Use of Information Technology policy sets institutional requirements. | ✓ |
1.b.5 | Prioritizing and selecting investments, based upon performance and results, as part of the budget development process. | The Business Systems Council selects and prioritizes operations applications investments. IT management selects and prioritizes infrastructure investments based on stakeholder input, equipment refresh needs, and IT trends using an annual prioritization process. IT management selects and prioritizes other non-hardware investments for science, collaboration, and productivity based on stakeholder input, external trends, and senior management input. Scientific investments are based on science outcomes. | ✓ |
1.c | Enterprise Architecture. Maintain an Enterprise Architecture for the life-cycle management of information resources and related IT investments funded by or operated for DOE. | ||
1.d | Hardware and Software Acquisition. Ensure the acquisition, use, and management of IT hardware and software funded by or operated for DOE meet program and mission goals to promote sound resource management, specifically to: | Our Lifecycle Management for Information, Hardware, Software, and Services policy sets requirements for responsible stewardship for non-centralized and centralized information and IT. | ✓ |
1.d.1 | Promote consolidation of software acquisition, volume purchasing arrangements, enterprise wide agreements and best practices in software implementation, consistent with the Program Evaluation Management Plan and/or the SmartBuy program. | Software procurement is consolidated through the software buying website that leverages bulk purchasing agreements negotiated through procurement. Procurement also negotiates purchasing agreements for certain non-bulk and usually specialized acquisitions and works with IT where needed. | ✓ |
1.d.2 | Implement a Software Quality Assurance (SQA) program that applies a graded, risk-based approach. | There are two primary grades of software at LBNL: safety software and all else. Safety software requirements are met via Safety Software Quality Assurance Requirements. The general requirements of quality management apply to all other software use and development. | ✓ |
1.d.3 | Ensure compliance with negotiated contract procurement requirements for IT procurements. (1) Deploy acquisition strategies for IT hardware designed to take advantage of volume discount savings. (2) Promote use of common hardware and software configurations, where appropriate. (3) Adopt standard replacement policies to make the best use of existing resources. | Procurement leverages negotiated buy agreements. Hardware configurations and replacement cycles in operations are managed by the Operations Desktop Support group. Scientific hardware leverages the standard buying processes, and configurations and replacement lifecycles are tailored by scientific division and may depend on the local PI. | ✓ |
1.e | IT Operations and Use. Implement and manage IT operations and processes to ensure that information published to Federal service-to-citizens public websites are appropriate, timely, and accessible to the public and individuals with disabilities. | While we currently do not have any “services to citizens” functions, we work to ensure that websites are accessible. See Accessibility Policy Note. | ✓ |
2.a | The Contractor must institute an IPv6 program consistent with Departmental Element and Site Office federal direction to implement OMB Memorandum M-21-07, Completing the Transition to Internet Protocol Version 6 (IPv6), to transition DOE information systems to operate solely using the IPv6 Internet addressing protocol. The contractor’s IPv6 program must meet the requirements in 2.b., below. | ||
2.b | Consistent with OMB M-21-07 and subsequent IPv6 guidance, all existing IPv4 equipment and systems will be upgraded to IPv6-only, and all new acquisitions of IP-enabled assets for Federal information systems will be IPv6 compliant to improve operational efficiency, provide the general public with continued access to citizen services, ensure the Federal government is capable of accessing IPv6-only services, and to keep pace with and leverage this evolution in networking technology. | ||
2.b.1.a | Exemption. National Security Systems, as defined in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-59, Guideline for Identifying an Information System as a National Security System, are exempted or excluded from implementation of this order. | ||
2.b.1.b | Exceptions. In unique circumstances where requirements for IPv6-only operation may be delayed for some period or indefinitely, exceptions may be made. Exceptions to IPv6-only requirements or schedule should follow DE approval processes and will be submitted to the Office of the DOE CIO for awareness, reporting, and adjudication as needed. 1) The following three categories are exceptions that may be documented using this process: a. Break Mission Exceptions. Mission situations where current operations make it logistically impossible to implement IPv6-only operations. b. Technically Incompatible Exceptions. Information systems that are not compatible with IPv6-only implementation due to the age and configuration of the system. c. Increased Risk Exceptions. Situations in which implementing IPv6-only would significantly increase the risk to current architecture or systems. When these systems reach end-of-life, there will be a plan for future systems to be IPv6-only compliant. | ||
2.b.2 | Implementation Plans. Detailed implementation plans for IPv6-only operation (and subsequent plan updates) must be submitted to the DEs for Labs, Sites, and facilities that acquire and operate Federal information systems with IP-enabled assets. The plans must incorporate an intent to acquire IPv6-compatible equipment whenever it is available to meet requirements for specialized IT (e.g., scientific and operational-technology equipment and devices), and to transition general-purpose IT to IPv6 operation within the schedule established by OMB. | ||
2.b.3 | Acquisitions. For specialized IT, distinct from general-purpose commodity IT, the following acquisition requirements apply to the extent that IPv6-compliant equipment is available. Exceptions must be documented and justified in the procurement requests. For general-purpose IT and networking acquisitions, availability of IPv6-compliant acquisition options is assumed, and compliance is expected. | ||
2.b.3.a | All hardware and system acquisitions, except for the exceptions noted above, made after inclusion of this clause into the pertinent contract, that are Internet Protocol (IP)-aware or perform IP functions, must be capable of operating in an IPv6-only mode. | ||
2.b.3.b | All software developed or acquired, except for the exceptions noted above, after inclusion of this clause into the pertinent contract, that incorporates direct IP-addressing or functionality, must also be capable of operating in an IPv6-only mode. | ||
2.b.3.c | Hardware and system acquisitions and software development, except for the exceptions noted above, should all meet the requirements of the U.S. Government v6 Profile (USGv6), defined in the most current version of NIST SP 500-267. | ||