ADMINISTRATIVE RULE FOR MITA - CHAPTERS 1 & 2
SUB-CHAPTER 1
Regulation of Computer Facilities
2.12.101 UTILIZATION OF CENTRALIZED STATE FACILITIES
(1) The department is responsible for carrying out the planning and program responsibilities for information technology for state government, except the national guard.
(2) The department shall provide a number of information technology services and operate and maintain a central computer center, a statewide telecommunications network, and a point of entry for electronic government services. Information technology services may include hardware, software, and associated services and infrastructure used to store or transmit information in any form, including voice, video, and electronic data for the use of state government, political subdivisions, and other participating entities under terms and conditions established by the department.
(3) Centralized state facilities will be utilized in accordance with policies adopted relating to enterprise services. Exceptions to using enterprise services will be granted in accordance with ARM 2.12.205. (History: 2-17-512, 2-17-518 and 2-17-1103, MCA; IMP, 2-17-512 and 2-17-518, MCA; Eff. 12/31/72; AMD, 2003 MAR p. 2417; Eff. 10/31/03.)
2.12.102 OBTAINING SERVICES FROM THE PRIVATE SECTOR--PRIOR APPROVAL REQUIRED (IS HEREBY REPEALED) (History: 2-17-301, MCA; IMP, 2-17-301, MCA; Eff. 12/31/72; REP, 2003 MAR p. 2417; Eff. 10/31/03.)
SUB-CHAPTER 2
Montana Information Technology Act
2.12.201 INTRODUCTION (1) The following rules define the development of state agency information technology plans as provided in 2-17-518, MCA, the review and approval process for the acquisition of state agency information technology, the granting of exceptions to these requirements, the establishment of standards and policies, and provide for an appeals process with the exception of those exemptions specifically provided for in 2-17-516, MCA. Provided that they do not conflict with these rules, state agencies are subject to policies, standards, procedures, and guidelines adopted by the director of the department of administration or chief information officer unless an exception is granted pursuant to ARM 2.12.205. Please see the list of applicable policies at Enterprise Policies.
(History: 2-17-518, MCA; IMP, 2-17-518, MCA; 2003 MAR p. 2417, Eff. 10/31/03.)
2.12.202 DEFINITIONS As used in this sub-chapter, the following definitions apply:
(1) "Advisory groups" means those advisory bodies established by statute or executive order that provides guidance for information technology in the enterprise.
(2) "Chief information officer" means a person appointed by the director of the department to carry out the duties and responsibilities of the department relating to information technology.
(3) "Data" means any information stored on information technology resources.
(4) "Department" means the department of administration established in 2-15-1001, MCA.
(5) "Enterprise" means all agencies of the state, including the university system, working collaboratively to use, share, and leverage the investments made in information technology. To this end, agencies of the state and participating entities share systems, networks, and service access entry points, use standard software and hardware, and train employees in common techniques.
(6) "Formal agreement" means any type of agreement that includes the acquisition or modification of information technology between a state agency and another state, local, federal, non-profit or quasi-governmental organization or private vendor.
(7) "Guideline" means a statement or other indication of policy or procedure by which to determine a course of action.
(8) "Information technology" means hardware, software, and associated services and infrastructure used to store or transmit information in any form, including voice, video, and electronic data.
(9) "Information technology board" means the information technology board established in 2-15-1021, MCA.
(10) "Procedure" means a set of established forms, processes or methods for conducting the affairs of the department.
(11) "Software and management systems" means information technology systems, either commercially available or custom written software including application development systems, operating systems, database management systems and any other software installed on a computer.
(12) "State agency" means any entity of the executive branch, including the university system.
(13) "Statement of work" means a description of scope of a project including any background statements, a comprehensive listing of responsibilities for buyers and sellers, deliverables and their schedules, acceptance criteria and special terms and conditions of performance.
(14) "Statewide telecommunications network" means any telecommunications facilities, circuits, equipment, software, and associated contracted services administered by the department for the transmission of voice, video, or electronic data from one device to another. (History: 2-15-518, MCA; IMP, 2-15-506, MCA; NEW, 2003 MAR p. 2417, Eff. 10/31/03.)
2.12.203 AGENCY INFORMATION TECHNOLOGY PLANS (1) Each state agency director will submit its final information technology plan to the department by the 15th day of May in every even numbered year on forms provided by the department.
(2) Prior to May 15, agencies may submit draft information technology plans to the department for initial screening and feedback. Department staff will review each state agency’s information technology plan using review criteria defined in 2-17-524, MCA, and the review form.
(3) For those plans subject to approval in 2-17-527, MCA, if a state agency information technology plan meets the review criteria, the department will submit the information technology plan for approval to the chief information officer (CIO). Upon approval, the CIO will notify the state agency director in writing.
(4) For those plans subject to approval in 2-17-527, MCA, if a state agency information technology plan does not meet review criteria, the department will identify the areas of noncompliance and provide comment back to the state agency director regarding clarification or refinement of the information technology plan. The department will document the requested changes and return the information technology plan and recommendations to the state agency director, with a copy to the CIO. The state agency director will revise the information technology plan based upon the recommendations provided by the department. The information technology plan will then be submitted to the CIO for approval. Upon completion of their review, the CIO will notify the state agency director in writing of the status of the state agency IT plan. (History: 2-17-518, MCA; IMP, 2-17-524, MCA; NEW, 2003 MAR p. 2417, Eff. 10/31/03.)
2.12.204 REVIEW AND APPROVAL PROCESS FOR PROCUREMENT, DEVELOPMENT, AND OVERSIGHT OF INFORMATION TECHNOLOGY RESOURCES AND SOFTWARE AND MANAGEMENT SYSTEMS (1) State agencies shall submit on forms as required by the department a request for all information technology procurements or state agency development efforts in accordance with policies, standards, procedures, and guidelines.
(2) Agencies may request a preliminary project planning meeting with the department to identify important project issues, including project schedule, time frames for review and approval, project management requirements, reporting and approval requirements, and any other issues identified by the agency or the department.
(3) In accordance with the policies and principles established in 2-17-505, MCA, the department shall use the following process in reviewing the request:
(a) determine if the request is subject to approval as defined in 2-17-527, MCA;
(b) determine if the request meets all applicable policies, standards, procedures, and guidelines;
(c) verify if the request complies with the state strategic plan for information technology;
(d) determine if the request is based upon state agency defined business requirements;
(e) verify the request supports the state agency’s current information technology strategic plan;
(f) refer the request to subject matter experts as necessary;
(g) follow procedures for signature requirements;
(h) approve or deny the request and notify the state agency of the decision.
(4) For all formal agreements, a statement of work that complies with the format established by the department should accompany the request.
(a) Contracts shall use the standardized state information technology contract or note why it could not be used.
(b) The CIO or their designee shall review and approve all formal agreements.
(5) In the case of state agency procurement or development of software and management systems, the department will look at completeness, compliance with strategic direction of the state, policies, standards, procedures, guidelines, appropriateness, and duplication of functionality as general guidelines in the approval decision.
(a) Agencies shall report progress of software and management system procurement or development in accordance with policies, standards, procedures and guidelines.
(6) The department may delegate to agencies duties associated with the procurement and oversight of information technology so long as the duties are carried out in conformity with the requirements established in an information technology procurement delegation between the department and state agencies. (History: 2-17-518, MCA; IMP, 2-17-524, MCA; NEW, 2003 MAR p. 2417, Eff. 10/31/03.)
2.12.205 GRANTING EXCEPTIONS (1) State agencies may make a written request for an exception from a rule, policy, standard or procedure in writing to the CIO. The request must:
(a) clearly outline a compelling business case, which includes a cost benefit analysis for the state agency and whether there is an impact to the enterprise, including an analysis of the economic impact on private businesses in Montana, demonstrating why it is in the best interests of the state of Montana to grant the exception;
(b) provide a description why enterprise accepted solutions, current policies and standards will not meet the state agency business requirements;
(c) demonstrate that the proposed solution conforms with the state strategic plan for information technology, other policies, standards, procedures and guidelines; and
(d) demonstrate that the proposed solution does not interfere with the ongoing conduct of business in other agencies or create other costs to the enterprise or other agencies.
(2) The department shall apply the following process in reviewing the request:
(a) determine the policies, standards, procedures, and guidelines which apply and the effect of granting the exception;
(b) compare the business case against the components of the business case model such as business requirements, cost/benefit analysis, return on investment, proposed technology environment, risk assessment and outcome measures;
(c) determine that the state agency has the technical capabilities to be granted an exception;
(d) determine the effect upon the enterprise of granting the exception.
(3) Exception requests shall be reported to the information technology board, the information technology managers council, the office of budget and program planning, and the legislative finance committee following the CIO’s decision. (History: 2-17-518, MCA; IMP, 2-17-515, MCA; NEW, 2003 MAR p. 2417, Eff. 10/31/03.)
2.12.206 Establishing Policies, Standards, PROCEDURES AND GUIDELINES (1) If a state agency determines a need for a new enterprise standard or policy or a modification to an existing enterprise standard or policy, a written request may be submitted in accordance with processes and forms adopted by the department. The request must:
(a) describe the need for a new or amended standard or policy;
(b) describe the of consequences of failure to adopt or modify a standard or policy;
(c) specify details of the standard or policy;
(d) offer alternatives to the standard or policy;
(e) analyze the impact on the enterprise of adoption and non-adoption of the standard or policy;
(f) provide a proposed effective date of the standard or policy.
(2) The department shall apply the following process in reviewing the request:
(a) determine if the proposal is in compliance with strategic direction of the state;
(b) confer with subject matter experts within and outside of the department;
(c) solicit input in accordance with department adopted standard development and policy development processes;
(d) evaluate input received;
(e) conduct a review by the CIO;
(f) at the discretion of the department, present the proposal to the information technology board or other advisory groups;
(g) notify the requesting state agency director, advisory groups and stakeholders of approval and associated effective date or disapproval of the standard or policy.
(3) When the department creates or modifies procedures or guidelines that directly affect how a state agency interacts with the department, the department will review those with the necessary advisory groups prior to adoption.
(4) Any agency within the enterprise may develop their own information technology standards and policies as needed within their organization as long as these standards and policies do not conflict with statute, rule or enterprise standards and policies established by the department. (History: 2-17-518, MCA; IMP, 2-17-512, MCA; NEW, 2003 MAR p. 2417, Eff. 10/31/03.)
2.12.207 Appeal Process as it applies to Information Technology plans, procurements and granting exceptions(1) If an issue or issues associated with information technology plans cannot be resolved through mutual agreement between the state agency director and department or if, after revision, the CIO does not approve an state agency's information technology plan, the state agency director may appeal to the department director who will resolve the issue prior to June 30 of that year provided that sufficient notice is given.
(2) The state agency director may appeal the department decision in regard to procurements and exception requests to the CIO. If unsatisfied with the CIO's decision, then the state agency director may appeal the department decision to the department director who will resolve the issue.
(3) The CIO will report all appeals and their resolution to the information technology board. (History: 2-17-518, MCA; IMP, 2-17-515, 2-17-518 and 2-17-524, MCA; NEW, 2003 MAR p. 2417, Eff. 10/31/03.)