Management System Gaps and Plans

Draft: MS Gap Analysis and Plan to Fill Gaps

August 26, 2011/01/Chrisman

For each management system, the Management System Owner (MSO) defines the desired outcomes of the management system and analyzes the gaps between the present and desired future states. The MSOs then create plans to address the gaps. MSOs consult with line managers, who assign needed resources using a risk-based approach. MSOs assign accountability for actions and a timetable for completion. Those issues worthy of enterprise consideration are promoted by either sector heads or MSOs for consideration at the Assurance Council (AC).

Current gap analyses and action plans are summarized below, organized by management system.

M.1 Corporate Governance

[No significant gaps and action plans outside of routine analyses for continual improvement.]

M.2 Stakeholder Relations

[No significant gaps and action plans outside of routine analyses for continual improvement.]

M.3 Performance Planning

M.3.A. Strategic Planning and Goals Development

Gap Analysis:

  • As annually required, the OHAP 10-Year Plan needs updating through 2021
  • The Management System Owner has assessed that Fermilab’s multi-year goals, as expressed in the DOE/Office of Science Fermilab Planning Document, have not been adequately promulgated down to the Fermilab staff.
  • The process for approving and promulgating the Strategic Plan needs to be formalized.

Plan to Fill Gaps:

  • Currently OPPS is updating the activities matrix through 2020, to be followed by a request for personnel needs by project managers and Division/Section/Center Heads. (Responsible: Head of OPPS, Head of OIP, Chief Science Officer, Management System Owner – by December 31, 2011)
  • The Management System Owner proposes that each Fermilab Division/Section/Center produce a set of detailed near-term (1-3 years), mid-term (3-5 year), and long-term (> 5 year) goals specific to their organizations that support Fermilab’s overall goals. The first attempt to implement this is now being undertaken by the Accelerator Sector. (Responsible: Head of Office of Integrated Planning – expect to review goals of Accelerator Section by December 31, 2011, then form lessons learned from Accelerator Sector experience and develop guidance for rest of Fermilab.)
  • Document the process for approving and promulgating the Strategic Plan. (Responsible: Head of OPPS – by September 30, 2011).

M.3.B. Project Management and Oversight

Gap Analysis:

  • The OPMO Policies and Procedures, which are tailored to meet DOE requirements and to provide uniformity across all projects, need completing, specifically a section on Risk Management, along with the more detailed “Desktop Instructions” for many of the existing sections. (Please note that Risk in this context is limited to its use in meeting the specific Project Management requirements of DOE Order 413.3 and does NOT refer to Corporate Risk nor Enterprise Risk as treated elsewhere in the FRA Contractor Assurance System.)

Plan to Fill Gaps:

  • A Project Manager is assigned to provide the Risk* Management Section of the OPMO Policies and Procedures and has been actively working with the Head of OPMO, the Head of OPPS, and the Office of Project Assessment of the DOE Office of Science. It is expected that (at least a draft of) this section be posted on the OPMO website by October 31, 2011. *note: Risk in this context is limited to the definition of risk in project management to satisfy DOE O 413.3, and does not refer to Corporate Risk or Enterprise-level Risk.

M.3.C. Performance Evaluation and Measurement Plan (PEMP)

[No significant gaps and action plans outside of routine analyses for continual improvement.]

M.4 Science

[No significant gaps and action plans outside of routine analyses for continual improvement.]

M.5 Finance

Gap Analysis:

  • The Director’s policy on Financial Management needs to be updated to reflect current roles, responsibilities, authorities and accountabilities.
  • A Financial Management Manual needs to be developed to consolidate and complete the documentation of CFO policies and procedures, to support the transition of the Finance Management System from an expert-based system to a formal, documented system.

Plan to Fill Gaps:

  • CFO will draft a revised Financial Management Director’s Policy for vetting with the Senior Management Team and approval by Director. Draft will be put forth by March 31, 2012.
  • The development of the Table of Contents for the Financial Management Manual has begun. The Table of Contents and the assignment of priority to content items will be completed by December 31, 2011. High-priority content will be completed by June 30, 2012. Medium-priority content will be completed by September 30, 2012.

M.6 Business Operations

Gap Analysis:

  • There is no written up-to-date Strategic Plan for the Operations Sector that supports the Strategic Plan for Science.
  • Although many individual written system processes exist, an integrated document for these systems, describing how they work together, needs to be written.

Plan to Fill Gaps:

  • The draft Sector Strategic Plan will be completed and vetted with customers of the Sector by mid-FY12.
  • Once the Sector strategic plan is complete, attention will focus on a broader, integrated management system description. This should be complete by the end of FY12.
  • While items 1 & 2 are being completed, those major processes without a written description will develop outlines of a description. As the strategic plan is under development, those major processes with descriptions will plan on bringing them into congruence with the strategy.

M.7 ES&H

ES&H has been under CAS through O 226.1 since 2005. ES&H has addressed all open findings from previous CAS reviews. ES&H meets the requirements of the H-clause. ES&H was registered for ISO 14001 first in August of 2007 and then for OHSAS 18001 in April of 2008. ES&H continues to be ISO/OHSAS registered/certified.

[No significant gaps and action plans outside of routine analyses for continual improvement.]

M.8 Quality

[No significant gaps and action plans outside of routine analyses for continual improvement.]

M.9 Engineering

Gap Analysis:

  • There was no provision or process under this Manual or Management System to determine whether these requirements have been implemented throughout Fermilab, nor how well or how effectively they have been implemented.
  • Director’s Policy Manual #8: Design should be modified to point to the Engineering Manual rather than the no-longer-used Engineering Standards Manual.
  • The Engineering Manual should include a chapter on Continued Engineering Support which refers to activities such as Operations, Maintenance, Repair, and Modification. Experimental Operations is already included in the Science Management System.

Plan to Fill Gaps:

The Engineering Manual was formulated by an ad hoc appointed team of Fermilab engineers, which stood down after completing this task. The long-standing Engineering Policy Committee consisting of senior Fermilab engineers has recently been charged by the Fermilab Director to provide engineering advice and to help define policy over the entire range of engineering issues to the Management System Owner (Head of the Office of Program and Project Support).

In prioritized order, the initial tasks of the Management System Owner, assisted by the Engineering Policy Committee, will be to:

  • develop a methodology and assign a small team to assess and report on the level of compliance with the requirements of the existing Engineering Manual by the Fermilab engineering community (complete assessment by October 31, 2011); and
  • based on that assessed level of compliance, develop a remedial plan to assure compliance;
  • prepare a recommendation to modify Director’s Policy Manual #8 Design as discussed in item 1 above, submit this recommendation to Fermilab COO (called Associate Director for Administration) as per Director’s Policy #1 (by August 31, 2011); [combine paras 3, 4 and 5] change the name of Engineering Management System Process # 10 to Continuing Engineering Support (by Management System Owner by September 30, 2011);
  • modify the Engineering Manual to address this Process # 10 (by December 31, 2011).

M.10 Information Technology

M.10.1. IT Governance and Enterprise Architecture

Gap Analysis:

  • The Scientific Computing Portfolio management team is in the process of being set up
  • The IT Infrastructure Portfolio management team has not been set up
  • The Enterprise Architecture Board and EA governance functions are immature and not fully operational.
  • The IT Policy Board has recently been split from the Computer Security Board. Formerly both were part of a governance body called the “CSExec meeting”, referenced in the Computer Security Program Plan. The operating processes of the IT Policy Board have not been written down and formalized and the membership has not been expanded to include members at large from throughout the lab.
  • Some IT Service Management ITIL V2 processes are immature and need further development, and more detailed metrics.
  • The lab has not yet applied for or achieved ISO/IEC 20000 certification on core IT services

Plan to Fill Gaps:

  • The Scientific Computing Portfolio management team and processes will become operational in the first half of FY12
  • The IT Infrastructure Portfolio management team will become operational by the end of FY12
  • The IT Policy Board charter, membership and processes will be formalized during FY12.
  • All ITIL processes in support of IT Service Management will be matured, undergo review and continuous improvement during FY12
  • The lab will achieve ISO/IEC 20000 certification before the end of FY12.

M.10.2. Information Technology Infrastructure

Gap Analysis:

  • Service Level Agreements (SLA) and Operational Level Agreements (OLA) are in place, but immature and need to be refined based on collection of better metrics on Incident, Availability, Capacity and Continuity of services – through IT service management operations.
  • Availability and Service Continuity Plans, based on risk, need to be fully completed for all services.
  • Financial Management processes do not yet yield reliable service costs that could be used to benchmark against other labs and organizations.

Plan to Fill Gaps:

  • Service Level Management process will work on continuous improvement of SLAs and OLAs
  • Service Continuity process manager will continue to work with IT infrastructure service owners to complete and refine Service Continuity plans
  • The costs for implementing the documented and required Service Continuity (based on risk and cost) will be assessed and a 3 year plan made to bring all services into compliance with the agreed upon plan. The 3 year plan will be completed by the end of FY12 and executed partially in each of FY12, FY13 and FY14.
  • Financial management processes will mature as other ITIL processes mature and by mid FY13 will yield reliable costs for service that can be compared to industry and other organizations.

M.10.3. Information Systems

Gap Analysis:

  • Service Level Agreements (SLA) and Operational Level Agreements (OLA) are in place, but immature and need to be refined based on collection of better metrics on Incident, Availability and Continuity of services – through IT service management operations.

Plan to Fill Gaps:

  • Service Level Management process will work on continuous improvement of SLAs and OLAs
  • Availability and Service Continuity process manager will continue to work with IT infrastructure service owners to complete and refine these plans
  • The costs for implementing the documented and required Service Continuity (based on risk and cost) will be assessed and a 3 year plan made to bring all services into compliance with the agreed on Service Continuity plan. The 3 year plan will be completed by the end of FY12 and executed partially in each of FY12, FY13 and FY14.

M.10.4. Scientific Computing

Gap Analysis:

  • Service Level Agreements (SLA) and Operational Level Agreements (OLA) are mostly not in place, and the MOU process with experiments and Scientific Programs is not used uniformly and with reference to SLAs.

Plan to Fill Gaps:

  • Service Level Management process will work on continuous improvement of SLAs and OLAs
  • Availability and Service Continuity process manager will continue to work with IT infrastructure service owners to complete and refine these plans
  • The costs for implementing the documented and required Service Continuity (based on risk and cost) will be assessed and a 3 year plan made to bring all services into compliance with the agreed on Service Continuity plan. The 3 year plan will be completed by the end of FY12 and executed partially in each of FY12, FY13 and FY14.

M.10.5. Cyber Security

Gap Analysis:

  • The entire Computer Security Program plan for both the General Computing Enclave and the Open Science Enclave is in the process of being updated for NIST 800-53 Rev 3 controls and to comply with the current Office of Science Program Cyber Security Plan.
  • The manner in which the Computer Security Program is to be monitored and overseen by DOE is changing to come in line with the Contractor Assurance program. This requires that DOE have greater visibility into both the operations and metrics associated with the Computer Security Program plan and the defense of IT assets and information. Formerly, information was presented only on audit or inspection; some aspects of the program are expert-based, not fully documented, and transmitted informally during bi-weekly meetings with DOE.

Plan to Fill Gaps:

  • Updated documentation will be produced for the Computer Security Program plan and additional controls required by NIST 800-53 Rev 3 will be applied and tested as needed. This will be done by March 1, 2012 when the current ATO expires. Greater visibility will be provided into KPIs related to the functioning of the Computer Security Program. This will be a continuous process, but an executive information system with the most significant KPIs will be provided by the end of FY12.

M.11 Communications

Gap Analysis:

  • There is no comprehensive, integrated assurance system in place for communication activities. A comprehensive system will include:
    • A Director’s Policy for Public Affairs that adequately defines the laboratory-wide policy toward external communication and public relations activities.
    • A written Director’s Policy for internal communication.
    • Clearly defined roles and responsibilities for external and internal communication.
    • Documented processes and procedures.
    • Identified performance and efficiency metrics and mechanisms for self-assessment or independent assessment.

Plan to Fill Gaps:

  • Survey organizational units that have responsibility for Communication Management System activities to gather information on what CAS-related policies, procedures, processes, metrics and assessments are in place and documented. (by December 31, 2011)
  • Define and communicate Communication Management System roles and responsibilities. Draft prioritized list of policies, procedures, processes, metrics and assessments that need to be created and/or defined and/or documented. Draft plan for integration of all Communication Management System activities. (by April 30, 2012)
  • First draft of comprehensive, integrated Communication Management System description available, including all high-priority policies, procedures, processes, metrics and assessments. Communication Management System functioning with high-priority activities. (by September 30, 2012)

Last modified: 07/20/2012