Provider Best Practices

Transcription

1 Overview The Provider Best Practices framework includes elements across five key dimensions (financial, organizational, operational, program management, and technology), and describes proposed best practices for each. As a part of ProviderStat 2017 providers will complete a self-assessment based on this document. This document is inclusive of best practices throughout the provider lifecycle and, hence, some of the elements may be more applicable and significant depending on a provider s strategic plan (e.g., taking on new customers, becoming a new provider). As a provider completes its self-assessment, it can comment/explain on particular element s applicability/significance based on its strategic plan and/or decisions of its governance board/customers. Provider performance against standard operational performance measures and a standard customer satisfaction survey is captured in another part of the ProviderStat framework outside of the Provider Best Practices document. The scope for the annual ProviderStat meeting is inclusive of all three areas. Applying Best Practices Providers will complete a four-point self-assessment of each element of the framework as a part of ProviderStat Italicized language references how the best practices should be assessed. The four point assessment is defined as follows: 1 Does not meet (none of the bulleted items within that element are satisfied) 2 Partially meets (half or fewer than half of the bulleted items within that element are satisfied) USSM_Version 1.0_December 2,

2 3 Substantially meets (more than half of the bulleted items within that element are satisfied) 4 Fully meets (all of the bulleted items within that element are satisfied) Categories Elements Financial 4 Organization 5 Operations 7 Program Management 4 Technology 9 Provider Best Practices Financial Funding sources and service costing/pricing methodologies Element Funding mechanisms Best Practices (assessment method) Has a Revolving Fund that allows for the collection of an operating reserve without fiscal year limitations (Review fund authorizing language, agency legal interpretation, and Annual Operating Plans) Sufficiently funded to support strategic plan initiatives (review initiatives in Strategic Plan against reserves and capital investment plan) Documentation/process to show that investments have been used as planned (documented process to demonstrate use of investment funds) Draft Inter Agency Agreements (IAAs) delivered to customers by June for following year. Actively support customers with questions and processes to ensure IAAs are executed timely (Percentage of IAAs in place by USSM_Version 1.0_December 2,

3 Capital investment plan Costs/Pricing October 1) All services provided to the provider by the home agency must be funded/documented by IAA (IAAs with Parent Agency) Capital investment plan exists and maps clearly to strategic plan (review strategic plan and capital investment plans) Capital needs are documented in Major IT Business Case or Agency IT Portfolio Summary documentation along with appropriate sources of funds (budget submission, Agency IT Portfolio Summary, and Major IT Business Case) Customers pricing, is stable without major unplanned variances across years (variance of customer prices year-over-year for comparable services) Transparent pricing methodology for customers (Annual Operating Plans, customer invoices, customer satisfaction surveys) Costing tool or methodology allows for inputs/services to create service packages (or the equivalent) for customers/potential customers (review costing methodology) Accounting, Auditing and Financial Reporting of the Provider * Service Packages establish the basis to identify what functions and activities a customer will receive from a provider. They include all relevant pieces needed to deliver and price the function/activity. Controls for Anti-Deficiency Act violations, funds expiration (Budget Execution/Funds Control Policy) Independent auditing plan (e.g., SSAE 16) Demonstrates effective management and timely closure of corrective actions arising from provider audit findings and recommendation (e.g., annual POAM report) Maintains no material weaknesses in their internal controls or system configurations that contribute to customer audit deficiencies (e.g., SSAE 16) USSM_Version 1.0_December 2,

4 Organization Governance, stakeholder engagement, organizational capacity, strategy, and personnel skillsets/experience Element Staffing Customer engagement Best Practices (assessment method) Must have a documented HR strategy to maximize the value of a blended workforce (incl. use of contractors, FTE, temporary hires, etc.) and ensure needed skill sets are readily available to meet current and anticipated/expected customer load (review of HR strategy documents) The HR strategy must include providing the necessary training and development to ensure personnel are focused on a customer-centric and customer service perspective (review customer satisfaction metrics related to provider employee knowledge and helpfulness) Distinct integration/implementation team exists (review of organizational charts) Customer relationship management strategy allowing for provider to interact with customers either face to face or virtually on a recurring basis (review of organizational charts and geographic distribution of staff; customer engagement strategy/plan) Staff with appropriate certifications (e.g., PMP) commensurate with current and anticipated needs (review of current certifications compared to current and upcoming customers/projects) Provider has certifications (at the organization level) that align with service offerings (review of current certifications versus service offerings) To the extent feasible based on customer requirements defined in the M3 process, provider has a formal process to document identified gaps between customer requirements and the current configuration and works with the customer to develop a plan for them to be addressed (assessed via M3 tollgates) Providers have formal processes for the routine evaluation of functionality that customers/potential USSM_Version 1.0_December 2,

5 Governance & change engagement (e.g., adding/losing customers, changing service offerings, upgrading technology) customers request and an internal decision-making process for addressing those requirements (or not) (assessed via M3 tollgates) Provider works collaboratively with customers to identify and capture the appropriate performance metrics and targets (service level agreements include customer defined performance measures with associated targets) Defined escalation process exists which includes target response times for resolution as well as assigned executive level customer relationship managers for major customers (review of SLAs and escalation processes) Customers are provided the opportunity to formally review and provide input on strategic decisions as needed and decisions that impact daily operations (review of customer meeting minutes) Process exists to assess the impact of adding new customers and impacts are communicated to governance board, parent agency and existing customers (review of governance board and existing customer meeting minutes) An orderly and disciplined approach to managing, controlling, and documenting proposed or actual system and/or operational changes exists and evidence exists that the plan is adhered to (Existence of a change control plan, CCB board, CCB charter, recent meeting minutes, and change control system/log) Change control board includes customer (Documentation that evidences customer as voting member on change control proceedings and decisions) Inclusion of Cyber Security considerations in the change control process (Review charter or other documentation that includes of the impact change control process on cybersecurity, security controls, and resultant vulnerabilities) Communication of service changes is forward looking and intentional (documentation of change control USSM_Version 1.0_December 2,

6 procedures that include steps for communications both with customers and internal to the provider) Human capital management Strategic thinking Staffing strategies are aligned with current/future needs of provider to ensure ongoing support for current customers while onboarding new customers (review of HR strategy and staffing plans compared to current and anticipated customer load) Performance metrics for staff and contractors are linked to strategic goals of the provider (review of staff performance plans and contracts) Comprehensive onboarding/training practices for new staff directed towards ensuring personnel have a customer-centric and customer service orientation (review of onboarding process and materials) Employees at providers are satisfied at work (review of EVS Satisfaction and Work Experience indices against government average) Provide ongoing employee training and enhancement opportunities (Training Plan/Strategy) Provider has a strategic plan which includes performance metrics and targets (review of strategic plan) Strategic plan articulates a vision for measurable and continuously improving shared service offerings or operations (review of vision statement) Strategic plan articulates an ongoing strategy to upgrade and modernize provider offerings, which includes allocation of funding and resources to conduct proof of concepts, pilots, and migrations to new technologies (review of strategic plan) Provider measures its own progress towards achieving goals in its strategic plan (quarterly review of strategic plan or operating plan) Strategic plan is socialized with customers and employees (review of governance board minutes and EVS USSM_Version 1.0_December 2,

7 questions: 56. Managers communicate the goals and priorities of the organization, 57. Managers review and evaluate the organization's progress toward meeting its goals and objectives and 12. I know how my work relates to the agency's goals and priorities Operations Transition, operations, support services, maintenance and recovery Element Best Practices (assessment method) SLA Management Service Level Agreement (SLA) metrics to be reviewed annually and adjusted in concert with SLA changes and pricing (Documentation of SLAs and pricing in IAAs, customer survey responses) SLA metric results are tracked at an individual customer basis and are available and shared with customers at least monthly (Documentation that evidences individual SLA reporting and transparency to customers on an at least monthly basis) Alignment with ProviderStat standard KPIs (Delivery of KPI results requested in ProviderStat) Service Desk Support Provider uses a per incident, transactional surveying mechanism to allow for anonymous scoring by users of service desk resolutions (documentation that demonstrates incident based surveying mechanism) Service desk resolutions are meaningful and useful to users (Demonstration of incident aggregated survey results that demonstrates 90% or greater resolutions at 80% or better satisfaction e.g. 4 out of 5 or better on a 5 point scale) Provider has implemented service desk system enabling customers to transparently assess current state of requests, comportment to relevant SLA, escalation/contact information, and periodic reporting (evidence of provider service desk system enabling transparency into request status) COOP/Business Continuity Plan COOP systems failover capabilities include ability to meet Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) based on documented customer agreements and at least annual testing of USSM_Version 1.0_December 2,

8 Quality/Process Management failover to alternative data centers or cloud. Annual COOP testing that includes coordination with customers. (Documentation of COOP activities ( or a COOP score* by FEMA) that addresses 13 elements - Program Plans & Procedures, Risk Management, Budgeting/Acquisition, Essential Functions, Succession, Delegation of Authority, Continuity of Facilities, Communications, Records Management, HR, Test/Training/Exercise, Devolution of Control, Reconstitution) * A COOP score as determined through Continuity Evaluation Tool by the FEMA National Continuity Program (NCP). It is recognized that the provider s COOP score may be rolled up into the Parent Agency s score at this time due to current policy. As applicable, provider should indicate if it has another way of documenting its COOP activities Organization holds an industry accepted certification in quality or process management (examples include ISO 9001/Baldridge or CMMI) (Documentation of active certification) Transactions are audited for quality on a regular basis by an independent entity (SSAE 16) Release management Release management process that deliberately engages customer in release preparedness and communications (Documentation of release management procedures that include steps for communications both with customers and internal to the provider. Procedures may, but are not limited to including, testing and training prior to the release) Records management/discovery Has a records management strategy and implemented solution that comports to records schedule of customers (Documentation, including procedures, agreements that memorialize the existence of records management capability) Compliant with records management laws and regulations, clear road map, tracking, and execution for compliance of permanent agency records by 2019 in accordance with M (documentation of compliance to or project leading to appropriate levels of compliance over time with M-12-18) USSM_Version 1.0_December 2,

9 Data management Compliance with OMB requirements such as M-13-3 and A-130 on appropriate data management throughout the information life cycle and management of information as an asset. Compliance with relevant Data Act requirements. Enables customer data to be segmented appropriately for the purposes of auditing, discovery, and litigation activity (Policy, Guidelines, Templates for Data Quality, Data Strategy, and Platform solutions that aid in establishing data management maturity) Data is used as an asset within the provider and similarly available to customers in a manner that increases mission return on investment by becoming more efficient with data management and analysis (Data Management Strategy that establishes a vision for the strategic use of data, customer satisfaction with the use of data and information as an asset in driving decision making) USSM_Version 1.0_December 2,

10 Program Management Compliance with government laws/regulations/policies/guidance and effective program/project management when undertaking improvement projects, major upgrades and/or new customer implementations Element Mature Project Management Processes (for migrations and modernizations) Performance Management Best Practices (assessment method) Follows a generally recognized project management approach (e.g. PMBOK, ITIL) (Program Management Plan) Provider Risk management processes consistent with best practices 1 (Risk Management Plan, NIST SP and/or SP managing information security risk at three distinct tiers the organization level, mission/business process level, and information system level) Providers cost management practices consistent with best practices (Change Control - Business Case Analysis processes) Providers schedule management practices consistent with best practices for M3 for integration (documenting results of control gates) (Schedule Management Plan) Compliance with SLAs for operational performance (Dashboard Reports) Variances to Cost, Schedule, and Performance kept within acceptable tolerances as defined in the Program Management Plan (Dashboard Reports) Testing process includes Developer, Unit, End to End, System Acceptance, and User acceptance testing that is well defined (who, what, when, how, where) and documented (Test Plan) Full life-cycle inclusion of cybersecurity requirements in program management processes (A Program Management Plan that integrates NIST Risk Management Framework ) Continuous Improvement Plan exists (Continuous Improvement Plan) Designated responsible and accountable individual(s) are identified for performance accountability 1 As identified in the Project Management Body of Knowledge (PMBOK) guide. USSM_Version 1.0_December 2,

11 Implementation Guidance Program Management (all phases of M3) (Staffing Plan) Meets ProviderStat timeline and resolves action items within given deadlines (ProviderStat meeting) Shows consistent improvement or continuous high level of performance in Provider Performance Assessment (PPA) results (PPA results high level of performance is the highest rating possible in the PPA) Researches benchmarking data available to the Program Management community and performs selfassessment against benchmarking data in order to identify improvement opportunities (Project Review Report) Has documented customer engagement process that follows M3 (Program/Project plan) Works with customer to integrate project management processes (Integrated Governance) Follows M3 (participates in Phase 2 and subsequent tollgates; maps existing documentation to M3 deliverables) Consistently Documents Risks, Action Items, Issues and Decisions (Risk Logs/RAID Logs) Consistently follows the Risk Management Plan (Risk meeting minutes; updates to risk mitigation strategy and documented action items) Monitors the program costs (Dashboard Review) Consistently manages the Integrated Master Schedule (IMS) and analyzes impact to downstream activities (Dashboard; timely updates to schedule, clearly defined critical path) Test Results documented against requirements and validated for accuracy and completeness (Test Results Report/RTM) USSM_Version 1.0_December 2,

12 Technology - System tools and processes, facilities and security Best Practices (assessment method) Provider Best Practices Full Life Cycle Technology Management and Modernization Software/Sys Alignment to Requirements Provider has established and adheres to systems development and technology modernization planning and execution. Provider leverages approaches such as System/Software Development Lifecycle (SDLC) and Agile with appropriate feedback loops for self-assessment and continuous improvement (Documentation of Provider Modernization strategy and/or plan) Provider s solutions/systems adhere to Federal Functional Requirements and outcomes established by applicable line of business. (System/Solution documentation of requirements that establish traceability back to line of business outcomes and requirements) Privacy Policy, Procedures Established Privacy Management program, customer level protection of data through mechanisms such as logical/physical data segmentation and/or appropriate security controls and auditing (Documentation that demonstrates Privacy Mission Statement, Privacy framework, periodic review by Privacy Officer, Privacy metrics, compliance with relevant NIST Guidance ( , , ) and Privacy awareness training by a designated percentage of Provider staff) Authority to Operate Provider has Authority to Operate that comprehensively includes Security Plan, Security Assessment Report, and Plan of Action and Milestones (review ATO documentation completed by an independent 3 rd party within the last 3 years or after major changes to Provider Distributed Computing environment) Provider ATO should include the following [FedRAMP and NIST] documentation: Data Center and/or Cloud Operations Provider has established data center operations plan and road map that includes consideration of goals outlined in M-16-19, as well as scalability through virtualization/cloud, energy efficiency, climate USSM_Version 1.0_December 2,

13 control, physical and logical security, and redundant power management such that overall availability of data center services to customers performed at 99.9% in its most recent year. Providers (Documentation of annual performance metrics and data center operations documentation in accordance with M-16-19) Enterprise Architecture Provider executes deliberate approach to management of their Enterprise Architecture Model in a manner that comports to Federal enterprise architecture guidelines to include consideration for each of Performance Reference Model (PRM), Business Reference Model (BRM), Data Reference Model (DRM), Application Reference Model (ARM), Infrastructure Reference Model (IRM), Security Reference Model (SRM). (Review documentation of provider s approach to Enterprise Architecture management) Environmental Segmentation A production environment logically and physically separate from development, test, and/or preproduction environments such that changes, updates, and other modifications will not compromise the integrity of production operations. (Documentation of production environment validating logical and physical separation from other test and development environments) Interoperability Provider has established interoperability between solutions and systems within own environment and has mechanisms for the secure electronic exchange of data with customers, across functional areas and other stakeholders. System interconnection agreements and controls actively managed and coordinated with customers and compliant with (Enterprise architecture map) Security NIST Risk Management Framework (800-37) implemented to promote a comprehensive, organizationwide view of risk considerate of strategic objectives, priorities and stakeholder interests. (Demonstrates alignment of RMF planning to relevant legislation, directives and policy. Clearly defined organization roles in Provider RMF; Provider alignment to 6 Stages of RMF Lifecycle Categorize, Select, Implement, Assess, Authorize, and Monitor; objective review of most recent 3 years of IG Audit/Evaluation findings USSM_Version 1.0_December 2,

14 as they relate to Provider Cybersecurity) System categorization based on data and systems sensitivity (Documentation of information system categorization that comports to standards set forth in FIPS-199 and FIPS-200) Security Controls appropriately available and actively managed commensurate to data sensitivity (Evidence of 18 control families identified in NIST SP Appropriate controls, processes, responsibilities, and reporting identified in System Security Plan NIST SP ) Continuous monitoring program inclusive of 6 monitoring phases - Define, Establish, Implement, Analyze/Report, Respond, and Review/Update (Documentation compliant with NIST indicating participation in a continuous monitoring program that identifies security metrics, risk tolerance thresholds, is holistically inclusive of IT assets, tracks threats/vulnerabilities and is integrated into change control across 6 ISCM phases) Integrated Security considerations into SDLC and other Project Management Methodologies (Review of documentation and evidence related to NIST with respect to Security integration into 6 phases of SDLC - Initiation, Development/Acquisition, Implementation/Assessment, Operations and Maintenance, Disposal) Assessment planning and processes include implementation and blending of examine, interview, and test methodologies outlined in NIST guidance (Documentation that reflects test and assessment processes comport to NIST A and ) Plan of Action and Milestone (POAM) process inclusive of customer in awareness and review (Review of POAM log, meeting minutes that indicate customer involvement in POAM review) Security Training Provider staff appropriately trained on Annual Cybersecurity Awareness training and Role-Based Training (Most recent year course completion certifications or documentation for all Provider staff, and for those staff subject to role-based training requirements) System decommissioning /disposal meets requirements commensurate to data sensitivity (Documentation of system decommissioning/disposal procedures and evidence past disposal activities USSM_Version 1.0_December 2,

15 hard drive shredding, ) A holistic exfiltration and data loss prevention capability (Evidence of reporting, procurements, and procedures specifically aimed at employing the prevention, detection, and reporting of data loss and exfiltration through mechanisms such as detachable devices, network/internet, and pattern-behavior anomalies) USSM_Version 1.0_December 2,