2.21.1 Introduction to Shopping Cart Processing for IT

Manual Transmittal

September 28, 2018

Purpose

(1) This transmits revised IRM 2.21.1, Shopping Cart Processing for Information Technology (IT) Products and Services, Introduction to Shopping Cart Processing for IT.

Material Changes

(1) As of January 1, 2017, the IRS instituted a requirement that the IRM address relevant internal controls, which are now addressed.

(2) The IRM reflects current process and procedures, references and links, and the information is now in chronological order.

(3) The approval process has been updated for IT shopping carts initiated by Business Units (BUs) and functional offices.

(4) References to the Request Tracking System (RTS) have been updated to Procurement for Public Sector (PPS) and “requisitions” have been changed to “shopping cart(s).”

(5) The signature authority references have been updated from Delegation of Authority Modernization and IT Service (MITS 2-1-1) to Delegation of Authority IT-2-1-1 (Rev 3).

(6) Exhibits have been replaced with updated approval process for IT shopping carts initiated by the BUs and functional offices. (Shopping cart Signatory Authority Approval)

(7) Added information on the new contracting writing system - PPS.

(8) Updated reference and link to the IT Security Checklist.

(9) Removed exhibits and added links.

Effect on Other Documents

IRM 2.21.1, dated April 11, 2017, is superseded.

Audience

All IRS personnel involved in the processing of requisitions for IT products and services.

Effective Date

(09-28-2018)


S. Gina Garza
Chief Information Officer

Program Scope and Objectives

  1. Purpose: The purpose of this IRM is to identify the policies, processes and information required to create a PPS shopping cart for IT products and services and the approvals required during the processing of the shopping cart.

  2. Audience: IRS personnel involved in the creation, review and approval of shopping carts for IT products and services.

  3. Policy Owner: Director, Strategic Supplier Management

  4. Program Owner: Program Management (an organization within IT, Strategy & Planning).

  5. Primary Stakeholders: Procurement; Privacy, Government Liaison and Disclosure (PGLD).

  6. Program Goals: Ensure that shopping carts for IT Products/Services have the following attributes:

    1. Required fields are completed accurately

    2. Required acquisition documentation is attached.

    3. Required reviews are documented.

    4. Required approvals are obtained.

    5. Acquisition planning dates are met.

Background

  1. IRS IT is responsible for approving the expenditure of IT funding based on Delegation Order IT-2-1-1 (Rev 3),Approval of IT Resources.

  2. Internal IT organizations and stakeholders have reviews and approvals that need to be documented.

Authority

  1. IRM 1.2.41, Servicewide Policies and Authorities, Delegation of Authorities for IT Activities grants the Chief Information Officer (CIO) the authority to govern all areas related to Information Resources and Technology Management.

  2. Delegation Order IT-2-1-1 (Rev 3), Approval of IT Resources, provides IRS IT leadership with delegated signature authority for approving IT purchases of goods and services.

  3. 1.2.11.1.4 (04-10-1994), Policy Statement 2-92 (formerly P-1-228), (1) Deviation from compatibility standards for Federal Information Processing (FIP) equipment and software requires CIO approval.

  4. 1.2.11.1.5 (11-12-1999), Policy Statement 2-93 (formerly P-1-229), (1) Management and Control of Automated Data Processing (ADP) Property.

Roles and Responsibilities

  1. Requirements Analyst: The person who is responsible for working with the applicable IRS organization to transform the business requirement into a technical requirement and completing the acquisition package.

  2. Requestor: The person who enters a shopping cart into PPS and tracks it through the approval path to Procurement.

  3. Signatory Authority Approver: The person who has the responsibility to ensure the shopping cart is fully compliant with IRS requirements and has the authority to approve shopping carts up to a specified dollar amount as described in Delegation Order IT-2-1-1 (Rev 3).

  4. Financial Plan Manager (FPM): The person who manages the overall spending within the financial plans under their control and approves shopping carts in accordance with IRM 1.35.24, Financial Accounting, Establishing Commitments and Obligations.

Program Management and Review

  1. Program Reports

    1. Pipeline Reports: These reports show shopping carts generated from PPS that are on their way to Procurement.

    2. Acquisition Timeliness: The date that shopping carts reach Procurement is compared to Procurement’s Acquisition Planning Due Dates for the fiscal year to determine if they are timely. Strategic Management (SSM) provides a report to measure each ACIO timeliness of shopping carts during Operational Reviews.

  2. Program Effectiveness:

    1. This IRM is reviewed annually to ensure that the information about required reviews and the shopping cart creation process are current. Feedback on the effectiveness of the required reviews is shared with the responsible stakeholder organizations for consideration as part of the annual IRM review process.

Program Controls

  1. Program Controls help SSM to oversee the status of shopping carts for the ACIOs.

    1. Data calls are sent by SSM throughout the fiscal year for SharePoint site updates to be made by the ACIO Acquisition Program Managers (APMs) and Contracting Officer’s Representatives (CORs). The IT areas are responsible for updating their shopping carts listings on the site which are based on the Acquisition Planning Due Dates for that fiscal years.

    2. Meetings are held with Procurement, Financial Management Services (FMS) and APMs to discuss the status of shopping carts.

Terms/Definitions/Acronyms

  1. Defined Terms

    Term Definition
    Approver the manager, in compliance with Delegation Order IT 2-1-1 (Rev 3), who has the authority to sign up to a specified dollar amount and who ensures that the shopping carts is fully compliant with IRS requirements
    Business Requirement a gap in the performance of a business mission or function that can be addressed through purchase of proposed products and/or services
    Financial Plan Manager (FPM) verifies that there is adequate and appropriate funding available; is in approval path
    IT Products tangible and discernible items, including digital file-based output. They can be measured and counted.
    IT Services the result of application of skills and the production of an essentially intangible benefit, either alone or as a significant element of a tangible product, which through some form of exchange, satisfies an identified need
    Maintenance making changes to an existing operational solution or release to maintain functionality
    Requestor initiator of shopping cart
    Shopping Cart used to request money for a requirement formerly called a requisition)
    Signatory Authority Approver the person under IT 2-1-1 (Rev 3) who has the authority to sign up to a specified dollar amount and who ensures that the shopping cart is fully compliant with IRS requirements prior to forwarding it to the FPM
    Software Development the process of conceiving, specifying, designing, programming, documenting, testing and deploying involved in creating and enhancing applications
    Technical Tier Review consists of an architectural, engineering, capacity or standards review for an IT acquisition
  2. Defined Acronyms

    Acronym Definition
    ACIO Associate Chief Information Officer
    ADP Automated Data Processing
    APM Acquisition Program Manager
    BU Business Unit
    CIO Chief Information Officer
    COR Contracting Officer’s Representative
    EA Enterprise Architecture
    EIT Electronic and Information Technology
    ESP Enterprise Standards Profile
    FMS Financial Management Services
    FPM Financial Plan Manager
    IRSAP Internal Revenue Service Acquisition Procedures
    IT Information Technology
    PA Privacy Act
    PGLD Privacy, Government Liaison and Disclosure
    PII Personally Identifiable Information
    PPS Procurement for Public Sector
    SAM Software Asset Management
    SBU Sensitive But Unclassified
    SSM Strategic Supplier Management
    UWR Unified Work Request
    WRMS Work Request Management System

Related Resources

  1. Acquisition Planning Due Dates

  2. Form 14775, Security Compliance Review Checklist for IT Acquisitions

  3. IRM 2.15.1, Enterprise Architecture (EA), EA Overview

  4. IRM 10.8.1, IT Security, Policy and Guidance

  5. Section 508

  6. IRM 11.3.24, Communications & Liaison, Disclosure of Official Information Disclosures to Contractors

  7. IRSAP 1039.9100 Software Development Prerequisites

  8. IT Acquisition Package Document Checklist

  9. IT Shopping Cart Checklist

  10. Procurement 101

  11. Procurement for Public Sector (PPS)

Determine if an Acquisition is Needed

  1. In-house: If the IT organization can provide the needed IT products or services, develop a work request as described in IRM. 2.22.1, Business Planning & Risk Management (BPRM), Unified Work Request (UWR) Process.

  2. Outsource: If the IT organization cannot provide the needed IT products or services, plan an acquisition as described in the next section.

Acquisition Planning

  1. The Requirements Analyst plans the acquisition and produces the documents needed by Procurement, which are attached to the shopping cart. The required documents are described in the IT Acquisition Package Checklist.

  2. Acquisitions should be planned to meet Procurement’s Acquisition Planning Due Dates.

Develop Requirements

  1. Procurement 101 provides guidance on developing requirements.

  2. Privacy Act (PA)/Personally Identifiable Information (PII): If the acquisition involves the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, or disposal of information that is linked or linkable to an individual, contact the *Privacy mailbox for a pre-award review for compliance with privacy and disclosure requirements. See IRM 11.3.24, Disclosures to Contractors for further information.

    1. Caution: A contractor and its employees are not considered employees of the Department of the Treasury for purposes of the Privacy Act 5 USC § 552a. Therefore, PA protected records cannot be disclosed to contractors pursuant to 5 USC § 552a(b)(1). Disclosures of such records to contractors may be made only if one of the statutory disclosure provisions applies. The most commonly applicable disclosure provisions are 1) a published “routine use” in the appropriate system of records notice, and 2) written consent to the disclosure from the individual whose records are at issue.

    2. Caution: A contractor and its employees are subject to the PA’s criminal penalties pursuant to 5 USC § 552a(m)(1) if the contract is to operate a system of records for the agency. The IRS routinely includes disclosure prohibitions in contracts that authorize contractor access to PA protected records.

    3. Caution: For tax returns and return information, IRC § 6103 preempts the PA. Disclosure of tax returns and return information is controlled by IRC § 6103. Returns and return information may not be disclosed to a contractor unless the requirements of IRC § 6103 are met (regardless of whether the PA authorizes disclosure). See IRM 11.3.24 for tax returns and return information contract requirements pertaining to disclosure and IRM 11.3.14.8.1 for privacy requirements. A general nondisclosure clause is not sufficient to meet 6103 (n) requirements to authorize disclosure.

  3. Sensitive But Unclassified (SBU) Information: All IRS IT hardware, software, and files are designated as SBU based on the potentially sensitive information they contain. Accordingly, Treasury Regulation Treasury Security Manual – TD P 15-71 requires all IT acquisitions to include appropriate Disclosure terms and Conditions in the contract per IRM 11.3.24, Disclosures to Contractors.

    Note:

    Post-award compliance contract reviews are conducted to monitor conformity with Disclosure, Privacy Act and Safeguard policies and procedures.

Request Funding

  1. Request funding for the requirement. Your FPM can provide assistance.

    Note:

    Do not use a purchase card for Electronic and Information Technology (EIT), as EIT is on the Restricted Purchase List.

Obtain Requirements Reviews and Approvals

  1. Enterprise Systems Management Review (ESMRVW) – Software acquisitions must be approved by Enterprise Architecture (EA), with the exception of Common Operating Environment (COE) above-baseline software purchased for the desktop environment. You can find additional references and guidance in IRM 2.15.1, Enterprise Architecture (EA), EA Overview.

    1. If the requirement is for the purchase of any software product, check the Enterprise Standards Profile (ESP) to see if it is already approved and available in the catalog.

    2. If you can’t find the product or standard for the software product in the ESP, submit an EA ESP Change Request.

      Note:

      This submission requires access to the Work Request Management System (WRMS). Direct your questions to the EA Office’s Standards and Technology Management at*EA Change Requests.

  2. Technical Tier Review: this review can consist of an architectural, engineering, capacity, or standards review for the IT acquisition. Each of the Technical Tier Reviews has different business processing rules and selection of the appropriate Technical Tier Review is based on the type of IT acquisition. Some acquisitions may require multi-Technical Tier reviews and concurrences.

    1. Tier II Review: This tier includes minicomputers (i.e. computers usually containing multiple microprocessors, capable of executing multiple processes simultaneously, and may serve multiple users by way of a communications network) including hardware, software, and peripheral subsystems used in that environment.
      i. Request approval via e-mail submission to the *IT T2 Requisition Review mailbox.
      ii. Once approval has been given, include the e-mail approval as an attachment to the shopping cart.

    2. Tier III Review: This tier consists of end-user computing-related hardware, software, maintenance and related services, including desktops, laptops, and personal communications devices.
      i. Requests for software purchases/maintenance should be submitted to the UNS Software Asset Management (SAM) group with the purchase details (e.g., software name, version, quantity, cost) using the *IT T3 Software Review mailbox.
      ii. IRS purchases for all Tier III IT hardware/maintenance and related purchases must be reviewed to ensure proper barcoding, tracking, management and shipment confirmation. An email should be sent to the review mailbox at *IT Asset Management Review.
      iii. Once approval has been given, include e-mail approval as an attachment to the shopping cart.

  3. Security Compliance Review: This review applies to the following:

    1. any acquisition for the procurement of an IT system, or IT products; any IT hardware and/or software, telecommunications, equipment, maintenance or service.

    2. acquisition of any consulting services, commercial service provider, out-sourcing or cloud provider that will operate, manage, access or use any IRS IT system and/or data, including SBU, PII and/or IRS taxpayer data.

    Complete and submit Form 14775, Security Compliance Review Checklist for IT Acquisitions.

    Note:

    PerIRM 10.8.1, IT Security, Policy and Guidance, any vendor that will operate, manage or use any IRS IT system and/or data, including SBU, PII and/or IRS taxpayer data, must follow the guidance of IRS Publication 4812, Contractor Security Controls for any contractor operated system and is subject to the IRS contractor site review/assessment process.

  4. Section 508 Compliance: for information technology purchased, developed and maintained, ensure the technology is compliant with Section 508 of the Rehabilitation Act and Section 255 of the Act.

    Note:

    Section 508 does not apply if state and local entities are the supplier.

Determine the Shopping Cart Routing Path

  1. IT shopping carts initiated by an IT ACIO area must be routed to the appropriate manager, per Delegation Order IT-2-1-1 (Rev 3), for review and approval.

    Note:

    Each ACIO may have their own internal management review process, which may require adding reviews prior to the Signatory Authority Approver.

  2. Signature Authority Approver: The signature authorities and associated re-delegations supported by Delegation Order IT 2-1-1, (Rev 2) apply to shopping carts for purchases of IT products and services.

  3. FMS Financial Plan Manager approves IT shopping carts in accordance with IRM 1.35.24, Financial Accounting, Establishing Commitments and Obligations.

  4. IT shopping carts, initiated by a non-IT BOD, must be routed to the Appropriate ACIO for review and approval only after FMS has approved funding.

Prepare Shopping Cart

  1. Create the shopping cart:

    1. Follow the appropriate work step instructions to complete the shopping cart fields

    2. If the acquisition involves software development, indicate so in the Description field of the PPS record and include the nature of the software development. This action notifies the Contracting Officer that certain clauses must be incorporated into the contract. See Internal Revenue Service Acquisition Procedures (IRSAP) 1039.9100 Software Development Prerequisitesfor more information.

    3. Unfunded shopping cart:
      i. Enter a price and quantity and the cost center data in the Item Overview line.
      ii. Change the Accounting Assignment Category from Cost Center to Unfunded.

    4. Attach the required documents as described in the IT Acquisition Package Document Checklist.

  2. Validate the shopping cart using the IT Shopping Cart Checklist and attach the checklist to the shopping cart.

  3. Submit the shopping cart for approval.

Review and Approve Shopping Cart

  1. Each ACIO area may have their own review process for shopping carts.

  2. The shopping cart Signatory Authority Approver is the person who has the authority to sign shopping carts up to a specified dollar amount and ensure the shopping cart is fully compliant with IRS requirements prior to forwarding it to the Financial Plan Manager in accordance with Delegation IT-2-1-1 (Rev 3).

  3. The FPM validates availability of funds and releases the shopping cart to Procurement.