E-mail a link to this directive


Number: DOO 15-23
Effective Date: 2017-7-13

Org Chart Available

Org Chart Accessible Text Description Available


.01     This Order prescribes the functions and organization of the Office of the Chief
Information Officer (OCIO).

.02     This revision incorporates new legislation affecting the role and responsibilities of the Department of Commerce’s (the Department) Chief Information Officer (CIO) (Section 3.01), updates the responsibilities of the Department’s CIO (Sections 3.02 – 3.04), realigns the scope of the portfolio of the new Deputy Chief Information Officers, modifies the changes that were Congressionally-approved in 2016, and includes an order of succession to perform the CIO duties.  This revision also reflects changes in the position titles as follows:  updates the titles of the Deputy Chief Information Officer for Management and Business Operations to Deputy Chief Information Officer for Policy and Business Management;  the Director of Office of Cyber Security to Deputy Chief Information Officer for Cybersecurity and Information Technology (IT) Risk Management/Chief Information Security Officer (DCIO/CISO), who will carry out CIO duties in the absence of the CIO; and, the Deputy Chief Information Officer and Chief Technology Officer (DCIO/CTO) to Deputy Chief Information Officer for Solutions and Service Delivery.

.03     The roles, authorities, and responsibilities in this Order do not apply to the Office of Inspector General (OIG) to the extent that they would inhibit the OIG’s statutory independence.  Pursuant to the OMB Memorandum M-15-14, this Order will be implemented in a manner that does not impact the independence of the OIG and the independent authorities the Inspector General has over the personnel, performance, procurement, and budget of the OIG, as provided in the Inspector General Act of 1978, as amended (5 U.S.C. App3).



The organization structure of the OCIO shall be as depicted in the attached organization chart
(Exhibit 1).



.01     The position of CIO was designated in 44 U.S.C. § 3506, as amended by the Clinger-Cohen Act; further defined under the Federal Information Technology Acquisition Reform Act (FITARA); and, further guidance under Office of Management and Budget (OMB) Memorandum M-15-14: Management and Oversight of Federal Information Technology. The CIO shall implement the provisions applicable to the Department of Commerce (the Department) and manage or assist with the management of the Department’s compliance with the Clinger-Cohen Act (Information Technology Management Reform Act of 1996) (40 U.S.C. § 11101 – 11704); Technology Management Reform Act of 1996) (40 U.S.C. § 11101 – 11704); the e-Government  Act of 2002 (P.L. 107-347, H.R. 2458); the Electronic Signatures in Global and National Commerce Act (E-Sign) (15 U.S.C. Chapter 96); the Federal Acquisition and Streamlining Act of 1994 (P.L. 103-355); the Federal Data Quality Act, enacted as § 515(a) of the Treasury and General Government Appropriations Act for Fiscal Year 2001 (P.L. 106-554); the Federal Information Security Modernization Act of 2014 (FISMA) (44 U.S.C. Chapter 35); the Federal Information Technology Acquisition Reform Act (FITARA) (P.L. 113-291); the Federal Records Act of 1950, as amended (44 U.S.C. Chapters 21, 29, 31, 33); the General Services Modernization Act (40 U.S.C. § 101note); the Government Paperwork Elimination Act of 1998 (44 U.S.C. § 3504); the Government Performance and Results Act of 1993 (GPRA), as amended by the Government Performance and Results Modernization Act of 2010 (GPRM) (5 U.S.C. § 306 and 31 U.S.C § 1115 et seq.); the Intelligence Reform and Terrorism Prevention Act of 2004 (50 U.S.C. § 401 note); the Office of Federal Procurement Policy Act (41 U.S.C. Chapter 7); the Paperwork Reduction Act of 1980 (PRA), as amended by the Paperwork Reduction Act of 1995 (44 U.S.C. Chapter 35); the Presidential and Federal Records Act Amendments of 2014 (P.L. 113-187); the Privacy Act of 1974, as amended (5 U.S.C. § 552a); Public Contracts  (41 U.S.C. Chapter 23); Section 508 of the Rehabilitation Act of 1973 (as amended (29 U.S.C. § 794d)).

The CIO shall implement the provisions applicable to the Department of Commerce (the Department) and manage the Department’s compliance with Executive Order 13011, Federal Information Technology, July 1996; Executive Order 13556, Controlled Unclassified Information, November 2010; Executive Order 13636, Improving Critical Infrastructure Cybersecurity, February 2013; Executive Order 13681, Improving the Security of Consumer Financial Transactions, October 2014; Homeland Security Presidential Directive 12 (HSPD-12) Policy for a Common Identification Standard for Federal Employees and Contractors, August 2004; Homeland Security Presidential Directive 20 (National Security Presidential Directive 51), National Continuity Policy, May 2007.

The CIO shall implement OMB Circular A-130, “Management of Federal Information Resources,” and other directives regarding the acquisition, management, and use of IT resources. The CIO reports to and is responsible to the Secretary of Commerce (the Secretary) through the Deputy Secretary. 

.02    The CIO, in implementing the Clinger-Cohen Act of 1996, and FITARA, leads the management of information resources throughout the Department, ensuring that the Department’s programs make full and appropriate use of information technology.  The CIO and his/her office support the increased use of leading edge technology to enable the Department to fully and efficiently accomplish its mission through the use of IT products and services.  Oversight of the Department’s IT spending is accomplished through the development of policies and other guidance for Department-wide planning and use of IT, a capital asset management process guided by the Commerce Information Technology Review Board (CITRB), which is jointly chaired by the CIO and the Chief Financial Officer and Assistant Secretary for Administration (CFO/ASA), and through other mechanisms as appropriate.  The CITRB reviews and evaluates proposed IT initiatives and requests for acquisitions, and reviews and evaluates ongoing IT projects.  The CIO serves as the principal advisor to the Secretary on information resources and information systems management.

.03     The CIO shall: (1) approve the Department’s IT budget requests, (2) certify that IT investments adequately implement incremental development, and (3) ensure that all requested IT positions meet ongoing requirements.   The CIO shall prohibit contracting for IT and requesting the reprogramming of IT funds without the CIO's review and approval. Departmental operating units can approve contracts through the Department’s governance process with the approval of the CIO.   The CIO may delegate contract approval duties for OMB-defined non-major IT investments to an individual who reports directly to the CIO.  The CIO shall approve the appointment of and provide input into the performance of any other employee who functions in the capacity of a CIO for any Departmental operating unit.                

.04    The CIO shall be the cybersecurity advisor to the Secretary and Deputy Secretary.  

.05    The Deputy Chief Information Officer for Cybersecurity and IT Risk Management and Chief Information Security Officer, Deputy Chief Information Officer for Policy and Business Management, and Deputy Chief Information Officer for Solutions and Service Delivery shall participate with the CIO in management of the activities of the OCIO.

.06    The Deputy Chief Information Officer for Cybersecurity and IT Risk Management and Chief Information Security Officer, Deputy Chief Information Officer for Policy and Business Management, and Deputy Chief Information Officer for Solutions and Service Delivery, in that order, shall perform the functions of the CIO in the event that the CIO is not able to carry out his or her duties or during a vacancy in the office.


.01    Pursuant to the authority vested in the Secretary by the Clinger-Cohen Act of 1996, FITARA, and the Paperwork Reduction Act of 1995, and subject to such policies and directives as the Secretary may prescribe, the CIO is hereby delegated authority to:

a.      Ensure the Department’s compliance with the applicable provisions of the Clinger-Cohen Act of 1996, and FITARA, regarding the management and use of IT resources and IT acquisition, including:

1.      IT STRATEGIC PLANNING - Develop, maintain, and facilitate the implementation of a Strategic IT Plan for the Department.  Review and update the DOC IT Strategic Plan in alignment with the DOC Strategic Plan and in support of the budget process.  Review the Bureau/Operating Unit IT Strategic Plans annually for alignment with the DOC IT Strategic Plan.

2.      BUDGET FORMULATION AND CAPITAL PLANNING AND INVESTMENT CONTROL - Implement a process for maximizing the value and managing the risks of IT acquisitions which provide for the selection of IT investments, the management of such investments, and the evaluation of the results of such investments.  To this end, the CIO will serve as Co-Chair of the CITRB (along with the CFO/ASA) and direct the activities to review and evaluate proposed IT initiatives, to review major requests for authority to acquire IT systems and services, to monitor and evaluate the progress of major IT projects, and to recommend appropriate action to the Secretary and/or Deputy Secretary.  This process shall be integrated with Departmental processes for making budget, financial, and program management decisions, and shall be fully coordinated with the CFO/ASA, who shall serve as Co-Chair of the CITRB.  The CIO and the CFO/ASA together integrate the strategic planning, budget formulation, and program performance measurement activities to ensure an effective information technology investment process.  In compliance with FITARA, and in collaboration with the Department’s Budget Office, the CIO shall review and approve each Bureau’s IT budget prior to the Department’s submission of the Department budget.  The CIO shall provide input on IT programs and investments to the Secretary, as requested by the Secretary and/or the CFO, in preparation for budget hearings, or in response to IT specific questions from the conference committees.

3.      ARCHITECTURE PLANNING AND OPERATIONS - Develop, maintain, and operationalize the implementation of an IT Enterprise Architecture (EA). Lead implementation of the Department’s IT Portfolio Management Policy, and take other measures as appropriate to ensure that the Department’s and Bureaus’ programs make full appropriate, efficient, and effective use of the Department’s Enterprise Architecture and Portfolio Management Policy.  Regularly review, update, and submit to OMB the Department’s EA roadmap and the IT Asset Inventory.  Regularly review and assess the risk of the Department’s Legacy IT Ecosystem.

4.      INFORMATION TECHNOLOGY AND service delivery – In collaboration with the Department’s CIO Council, the Office of the Chief Data Officer, the Performance Improvement Officer, Office of Performance and Enterprise Risk Management, and with input from the other Department Chief Councils (e.g. CIO, CFO, CAO), establish goals and metrics for improving the efficiency and effectiveness of the Department’s IT operations and the delivery of IT services, products (including information products), and data to the public.

5.      POLICY AND OVERSIGHT - Develop and issue policies and other guidance for the management of information resources throughout the Department, and monitor and enforce compliance with such policies and guidance.  Ensure compliance with relevant OMB guidelines and Executive Orders.

6.      PERFORMANCE MANAGEMENT OF IT - Monitor and evaluate the performance of IT programs on the basis of applicable performance measurements and advise the Secretary/Deputy Secretary regarding whether to continue, modify, or terminate a program or project.  Ensure Program Objectives, Milestones, and Actions are developed and completed in response to DOC Inspector General and GAO Audits and Reports.  Conduct regular reviews of those programs reported on the Federal CIO Scorecard.  Conduct reviews of projects or programs identified as presenting higher risk to the Department.  Conduct regular PortfolioStat reviews with OMB.

7.      HUMAN CAPITAL MANAGEMENT - Aid in ensuring, through the development of policies, strategies and specific plans for hiring, training, and professional development, that Department personnel have the IT management knowledge and skills necessary to meet Department-wide and operating unit-level goals and objectives for effectively managing IT.

8.      RECORDS MANAGEMENT – Act as the Department’s Senior Agency Official for Records Management.  Conduct an annual review of the records, collections, and systems for changes in classification level.  Submit the Annual Records Assessment to National Archives and Records Administration (NARA).  Gather, archive, and transfer appropriate records to NARA.  Submit PRA Information Collection Reports to OMB.

9.      SECURITY – Manage or assist with the management of Department’s compliance with the provisions of the Computer Security Act of 1987 (P.L. 100-235), and with the provisions of Title III of the E-Government Act of 2002 (P.L. 107-347), known as the Federal Information Security Management Act of 2002, including:

1.      Develop and implement a Departmental IT Security Program to assure the protection, security, confidentiality, integrity, and availability of data and information for use by DOC and bureau employees and stakeholders.  Ensure information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access.  Apply the NIST Cybersecurity and Risk Management Framework to further identify and respond to any and all cyber and information security threats and vulnerabilities.

ii.      Ensure that the Department is in compliance with the regulations imposed under the Federal Information Security Management Act of 2002 and the Federal Information Security Modernization Act of 2014 (FISMA) (44 U.S.C. Chapter 35).  This provision of the DOO shall serve as the delegation of this function to the Department’s CIO, as required by these Acts. 

iii.    Develop Department-wide policies, procedures, and other directives for IT security, including all Department and Bureau classified IT systems/National Security Systems.
iv.     Promulgate a Cybersecurity culture.  Conduct annual CyberStat review with OMB.  Develop and submit annual FISMA report to Congress.  Ensure continuous diagnostics and monitoring across all IT assets of the Department and the Bureaus. 

v.      Coordinate with the Senior Agency Official for Privacy (SAOP) in implementing the requirements of the privacy controls for Federal information systems and programs.  In consultation with SAOP, require information system owners to set a high priority for upgrading, replacing, or retiring information systems and components that cannot be appropriately protected or secured.

b.      Implement the provisions of 44 U.S.C. Chapter 35, ("Coordination of Federal Information Policy”), the Paperwork Reduction Act of 1995 (P.L. 104-13), and the Government Paperwork Elimination Act, which are applicable to the Department, including management of Departmental compliance with 44 U.S.C. §§ 3506 (c)(1) through (c)(3) regarding information collections from the public, and § 3513(c) regarding information management reviews; the Federal Data Quality Act enacted as § 515 (a) of the Treasury and General Government Appropriations Act for Fiscal Year 2001 (P.L. 106-554); and § 508 of the Rehabilitation Act, 29 U.S.C. § 794d, as amended.

c.      Serve as the Department's Chief Infrastructure Assurance Officer (CIAO) to implement the critical infrastructure protection policies provided in Presidential Decision Directive 63 of May 22, 1998, and support implementation of the Department’s Critical Infrastructure Protection Program.

d.      Carry out the Secretary's responsibilities under OMB Circular A-130, "Management of Federal Information Resources."

e.      Develop, coordinate, and implement the Department’s policies, directives, and guidelines for the planning, use, and evaluation of IT resources, and as appropriate support equivalent activities in conjunction with the Office of the CFO/ASA as they relate to acquisition of IT resources.

f.       Provide direction and oversee the management (including risk management) and use of IT resources, and review of the life cycle development of all of the Department's major automated information systems.

g.      Develop, coordinate, and implement the Department’s policies and procedures to promote electronic government, and for the external interchange and dissemination of data and information in electronic media and via the Internet.

h.      Oversee, in concert with the CFO/ASA, the Department’s use of IT to support the Department’s administrative systems, including property, procurement, human resources management, and financial management systems.

i.       Provide IT management and technical assistance services to the Office of the Secretary and designated operating units, and consultative services as requested by Department officials.

j.       Serve as Chair of the Commerce CIO Council to promote effective IT management practices throughout the Department and share information of a crosscutting nature.

k.      Represent the Department in interactions with OMB and other Federal agencies on IT matters, and participate in the activities of the Federal CIO Council.

l.       Implement the applicable provisions of 40 U.S.C. § 759, “Federal Property and Administrative Services Act of 1949” and provide Department-wide guidance for the acquisition, management, and use of telecommunications-related IT resources.

m.     Administer 40 U.S.C. § 759(d)(3) insofar as it is required to exercise the functions of the Secretary under provisions in Federal Information Processing Standards (FIPS) authorizing the Secretary to waive compliance with requirements of the FIPS standards by operating units of the Department in accordance with the conditions stated in the Secretary's memorandum to Heads of Executive Departments and Agencies of November 14, 1988; subject: "Procedures for Waivers for the Federal Information Processing Standards."  This authority may not be re-delegated.

.02       The Department’s CIO, referred to here as the CIO, may re-delegate the authorities in section 4, and as authorized by the FITARA, unless otherwise restricted or prevented by law, statute, regulation, or executive order.  The CIO shall be assisted in these duties by operating units and operating unit CIOs. 

.03    The Department CIO shall:

a.      Assist operating units in the establishment of the most effective IT management structure for each operating unit, and shall actively participate in the selection of the operating unit CIO and SES level IT employees, as set forth in Human Resources Bulletin 206.

b.      Serve as the supervisor of record for a critical element entitled “Business Acumen” for SES CIOs and “IT Management” for GS-15 CIOs which focuses on support of Department- and government-wide goals, and accounts for 25 percent of the operating unit CIOs’ annual performance plan.  (Information technology issues internal to the bureau, and other administrative matters, remain the affirmative management responsibility of the operating unit supervisor of record to the individual CIO, unless otherwise agreed between Bureau executive leadership and the CIO.)



The Department’s CIO, may re-delegate the authorities in section 4.01 as appropriate to and within the Office of the CIO, unless otherwise specified. Except for functions retained in the direct office of the CIO, the functions shall be carried out by the following Offices: 

1.      The Office of Policy and Business Management (OPBM) enables the Department to maximize the business value of IT investments through effective oversight and management of the IT portfolio and development of strategic IT governance, policies and solutions.  OPBM also seeks to leverage efficiencies in the areas of fiscal, business, acquisition and workforce management through the effective application of project management, performance management, administrative and process controls. OPBM guides the Department’s IT investment management process to maximize the contribution of the business and IT programs/projects to DOC’s mission by creating an accessible source of consistent, reliable, accurate, useful, and secure information to DOC stakeholders to ensure the effective and efficient use of current and emerging technologies to develop, implement, and manage the transition to and operation of the DOC target business model. OPBM administers the Department's multi-year strategic information resources planning process, administers the review of IT initiatives, and coordinates control, evaluation and review of ongoing IT projects through the Commerce IT Review Board.   OPBM provides internal strategic, budget, administrative and management support in support for the OCIO organization.  OPBM provides sound financial management of the CIO’s internal budget, and leads acquisition and procurement management activities.  Additionally, OPBM provides direction and support to OCIO line offices in areas of budget formulation and execution, overall business process improvement, automation, IAA/MOU policy and management and financial reporting. OPBM seeks to maximize the return on investment of the OCIO organization by providing tools, training, automation and processes for successful project and performance management. 

b.      The Office of Cybersecurity and IT Risk Management (OCRM) shall provide the Department-wide framework for the effective oversight of cybersecurity and information technology risk through the management of cybersecurity solutions and services, cybersecurity reporting and analytics and the delivery of IT risk management programs.  OCRM shall provide services to include, DOC-wide common technical cybersecurity controls; active incident detection and response; near-real-time measurement and reporting of the DOC; near-real-time measurement and reporting of the DOC cybersecurity posture; cybersecurity policy subject matter expertise; risk assessment of information technology owned or operated on behalf of DOC; and, provide desktop and network solutions and services for customers with classified mission requirements.
c.      The Office of Solution and Services Delivery (OSSD) is responsible for providing complete IT solutions to our customers by leveraging industry-leading infrastructure and advanced technology service solutions to maintain and improve their experience. OSSD provides business partnership services which advises and assists customers on state-of-the-market proven technologies to meet their mission needs.  OSSD focuses on the customer’s business needs and enhances the training experience, while advocating for effective and efficient long-term IT solutions to achieve 100% customer satisfaction. OSSD also provides services delivery which entails collaboration with the customer to improve the quality of our products and services utilizing network and web-resources to deliver a consistent, reliable, and dependable platform to assist in fulfilling the customer’s business needs.
The OSSD provides proven, innovative, and effective technology solutions to the Department in order to transform operations to best serve their customers and mission.  OSSD is responsible for the enterprise architecture, strategy and planning and emerging technologies.  OSSD is specifically focused on business alignment and integration allowing OSSD to focus on and promote the technology services that deliver the highest levels of satisfaction for the Department. OSSD also serves to align business strategies with effective technology solutions.  OSSD 1) provides education and guidance to Department leadership on the complex IT landscape and promotes more informed decision making using best practices and industry standards; 2) leads business improvement initiatives to maximize results, optimize ROI, reduce risk, leverage existing assets, and foster success; 3) guides IT initiatives from concept to implementation on behalf of our clients; 4) develops organizational standards based on industry best practices and architectures; and 5) develops strategies to leverage existing technologies, common initiatives, and economies of scale to drive down costs and build synergy between bureau mission and technical environments.


This Order supersedes Department Organization Order 15-23, dated February 28, 2013.


Signed by: CFO/ASA performing the non-exclusive duties of the Deputy Secretary

Questions and Comments

Send Questions or Comments on the Commerce Directives Management program to Directives@doc.gov.

Office of Privacy and Open Government
Office of the Chief Financial Officer and Assistant Secretary for Administration
U.S. Department of Commerce


Page last updated: July 17, 2017