Skip to main content

You are here

Shared Service Supplemental Policies

 

Background

There are a number of policy issues that are impacted by a shared service environment, they are listed below:

  • Issue #1 Unifying System of Records Notice (SORN) Requirements for FSSPs: FSSPs do not have the same requirements for their customer agencies with regard to publishing SORNs for customer records.  ESC and ARC do not publish SORNs for customers but IBC and NFC do.  Governing FSSP agencies are interpreting the Privacy Act differently for their shared service components.  Example: For the HUD/ARC FM shared services implementation, HUD took the position that it should not have to issue the SORN for its implementations with ARC because ARC was a shared service provider who owns the systems.  Treasury disagreed and concluded that its recommendation was inconsistent with OMB guidance, which it should want to control its own records, and there is no authority for ARC to issue a government-wide SORN. Treasury also recommended that HUD include some kind of routine use for the work HUD has asked ARC to perform. From Fiscal Service OCC:  OMB dealt with this issue long ago as between the provider and customer.  Customers disclose Customer Agency’s SORN data to ARC employees who maintain records or have a need for the records in the performance of their duties under 5 U.S.C. § 552a(b)(1).  “Movement of records between personnel of different agencies may . . . be viewed as intra-agency disclosures if that movement is in connection with an inter-agency support agreement.”  40 Fed. Reg. 28948, 28954 (1975).  Or, data is disclosed to ARC under Customer Agency’s SORN as a routine use
  • Issue #2 Owner of Privacy Impact Assessment (PIA) Between Customer Agency and FSSP Ambiguous: There is a key distinction between the system (machines) and the system of record (data).  The Privacy Act impact (SORN) for the data is for the data owner (customer) to resolve, but the Privacy Impact Assessment is related to the access controls for the machines.  The PIA should be the responsibility of the owner of the machines.  However, the PIA is based on the data contained on the machine, but that doesn't transfer legal responsibility for that data to the owner of the machine.  Example: Because the PIA and SORN are so closely linked, the PIA ends up being the responsibility of the customer agency but the machines and the access to those machines belong to the FSSP.  With HUD migrating to ARC, HUD was required to conduct the PIA who ultimately seemed ill fitted as the best owner to conduct the assessment.
  • Issue #3 Compliance with Section 508: Section 508 of the Rehabilitation Act of 1973 (29 U.S.C 794d), as amended, requires that agencies' Electronic and Information Technology is accessible to people with disabilities. While guidance on Section 508 has been issued by OMB and GSA, for example, what an agency needs to do to be compliant is interpreted differently by agencies. Customer agencies moving to FSSPs expect to be able to rely on them for compliance with federal requirements within their scope of service. Due to the varying interpretations of how to be compliant with Section 508, some CFO Act agencies looking to move to an FSSP may have more requirements for compliance than the FSSP currently performs, creating an actual or perceived gap in service.  Example: DHS' Office of Accessible Systems and Technology requires the completion of testing procedures, known as the Trusted Tester Certification Program, to test compliance with Section 508. The Interior Business Center, along with its parent agency, the Department of Interior, rely on the Voluntary Product Accessibility Template (VPAT). The VPAT was created by a partnership of the Information Technology Industry Council (ITI) and GSA to create a simple document that could be used by federal contracting and procurement officials to evaluate a product with respect to the provisions contained in Section 508. The Trusted Tester Certification Program does not consider the VPAT by itself to be sufficient evidence of testing for compliance with Section 508.

 

Project Proposal Overview

There is existing guidance for these different policies that an agency has to conform to and in the case of Section 508, provide the appropriate tools for their users.  For these and other similar items, the question arises, how should these be addressed in a shared service environment?  This project seeks to answer questions such as (1) when there are different levels of requirements for the service seeker and provider, which is followed? (2) who has the accountability for compliance and the responsibility to report for each of these policies? 

ACT-IAC will work with the stakeholder community and do research to put forth proposals as to how each of these policies should be addressed in a shared services environment; bearing in mind that the 508 one could be applied overall, not just in shared services. The examples that occurred in the past may or may not be the right course of action in a shared service environment moving forward. 

 

 

Aspect

Proposed Approach

Overall Project Objective

Recommend supplemental policies and resulting considerations for implementation. 

Project Approach

  1. Interview providers and customers (existing and potential) to determine their expectations and generate ideas.
  2. Perform research on best practices in this area of shared services including previous ACT-IAC and other industry organizations work products for the public sector, the international public sector, and published commercial best practices.
  3. Formulate options for potential supplemental guidance for shared service providers and customers.

Anticipated Duration

4-6 months

JFMIP and MOC conference in May and AGA in July, would like to have something by end of March, with initial briefings during April

Anticipated Outcomes

  1. Briefing with findings from the interviews to include options and impacts.

Government Sponsors

  1. Dorsy Yoffie, GSA, USSM
  2. Craig Jennings, CIO Council
  3. Adam Goldberg, Treasury FIT

 

 
 

Project Lead(s)

Click on e-mail address to send e-mail to a Project Lead.
 

Group Project Deliverables

Deliverable Name Deliveable Type Expected/Actual Deliverable Completion
May 2018
 
 
Project/Activity Status: 
Completed
 
Expected/Actual Project Completion: 
Dec 31, 2016
 
 
Participating Groups:
 
Interests: 
Financial Management
Open Government