1. IT Service Management in DOD DESMF Enablement, Visibility, Reporting
19 Oct 2017

2. Summary of Issue/Topic
DOD historically is designed for product (Ships, Aircrafts, Weapons, Systems) related environment that provides standards, tools, and organizational structures (Design Authority (DA) , Acquisition Engineering Agent (AEA), Technical Authority (TA), In Service Engineering Agent (ISEA), Software Support Activity (SSA), etc. With emergence of information technology (computers, internet, applications, software, tools, automation, etc.) our focus has shifted to IT services without proper center of excellence that provides guidance on how to provide cradle to grave support for it.
To achieve DoD/DON IT efficiency and consolidation objectives the Navy has acknowledged the need for enterprise services and standards to manage and measure the quality of those IT services and mature the professional IT workforce. However, there continues to be lack of standards, interoperability and enforceability resulting in limited accountability, inefficiencies, increased operational risk, misalignment between IT services and the mission. Approach is working well for the Navy hence we need to Leverage the existing structure/approach and structure that the Navy has for DoD level

3. Enablement, Visibility and Reporting
Enterprise cross-services approach provided by DESMF enables common lexicon and framework while working toward a joint integrated enterprise
Common process architecture enables process integration, cross collaboration and shared learning
DESMF establishes governance mechanisms to develop integrated ITSM capabilities and monitor conformance
Enables communication, to provide inter-service visibility to information and C2 as a vital part of defense and warfighting
DESMF being used outside of DoD as a more palatable approach to establishing ITSM than delving into the entire five volumes of ITIL v3 (e.g. at an Oregon state agency and a large automotive supplier)

4. IT Service Management Prior to DESMF Organizational Status
What this means
A decentralized approach to IT execution
Increased operational inefficiencies and management costs
Overlapping or missing roles and responsibilities across traditional IT functions and the accountable government organizations
Impedes visibility and control of IT
Misalignment between the IT services delivered and the mission they support
Creates gaps or conflicts in accountability for critical IT functions
Mismatch of personnel skills to support IT roles
Insufficient skills management framework for a formal professional and agile IT/Cyber workforce
Lack of standardization in how organizations command and control IT across the enterprise
Increased risk of jeopardizing the successful implementation of enterprise objectives

5. Consistency and Commonality Demanded
“All of our bases, operational headquarters, and defense agencies have their own “IT” infrastructures, processes, and application-ware. This decentralized approach results in large cumulative costs, and a patchwork of capabilities that create cyber vulnerabilities and limit our ability to capitalize on the promise of information technology.”
Robert M. Gates, Secretary of Defense, August 9, 2010

6. IT Service Management Office Based on DESMF
The mission of the ITSMO is to coordinate and govern the development and execution of a customer-focused, wide approach to IT service management that drives improved service quality and interoperability across DoD. The goal of the ITSMO, through the establishment and enforcement of ITSM governance and quality management, is to ensure that IT services delivered to IT customers are fit for purpose, stable, reliable and fully support DoD polices. The ITSMO is charged with:
Coordination of the development of a mission-aligned, Navy IT business service catalog and associated service targets – now aligning with joint efforts
Establishing the enabling ITSM architecture and guidance based on DESMF framework
Prioritization and alignment of ITSM development and improvement activities
Organizational change management required to implement a service management culture and drive IT to measure and demonstrate value
“As CIOs shift the definition of IT service from technology to business outcomes, they need to consolidate the governance of service management and add business management practices. The Service Management Office provides the organizational entity for addressing these evolving needs and supporting strategic IT services”.
– Gartner 2016

7. Applying IT Service Management in the DoD
DESMF DoD Policy ESSWG
NPRM, PCAT, Performance Management, Service Quality, ITSM Lifecycle & Toolkit, Governance Guidance
FLTCYBERCOM Service Operations Instruction; Process training; NGEN frameworks & SOPs; ONE-Net integration; Baseline assessments; Performance metrics; CSI; ITSM training & awareness
Strategic
Operational
Case study on that….how we did the assessments, tactical: instructions and SOPs. Navy Case Study for NGEN
Tactical

8. ITSMO Process Documentation Hierarchy
DESMF
DoDI
COMNAVIFOR M
NPRM
DoDIN-N Process Framework
(Gov’t)
Process Guides
SOPs, TTPs, WIs
(Gov’t and Service Provider)
Enterprise level process definition, purpose, scope, outcomes, activities, roles and responsibilities, interfaces, etc.
Only ONE per process!
Designations are defined in in FCC/PEO-EIS Co-Instruction
Further defines “What” the process tasks, responsible organizations, roles and responsibilities, performance metrics, etc. are for executing the process as well as Monitoring, Managing, and Reporting tasks.
Can be one or multiple guides depending on process and enclave (NMCI, ONE-Net, IT-21, JRSS etc.)
Overarching Guidance
Define “How” the process tasks are being executed – specific steps, checklist, tools used, forms, etc.

9. NAVITSMO Service Management System
Practice Areas
Practice Areas
This "System" is not a computer or IT system although it may contain one or more computer systems (automated processes). It is a generic business system consisting of many inter-related processes, both manual and automated and the assets and resources required to deliver the desired results.
It is not a computer system, although it may use several computer systems.
A Service Management System is the primary means of ensuring a consistent and appropriate level of quality for all Services.
Source:
An SMS is a set of interrelated or interacting elements used to direct and control activities of the service provider
Includes all service management policies, objectives, plans, processes, documentation, roles and necessary and the resources required to design, transition, deliver and improve IT services
The Navy ITSMO segregates activities and artifacts into distinct Practice Areas, each aligned with the overall Service Management System

10. NAVITSMO Practice Areas
NPRM
PCAT
ISO-33000
NAVITSMO combined the NPRM with ISO to inform and develop the Process Capability Assessment model and tool
The PCAT enables an organization to determine where they are in terms of process capability. It helps to answer the question: “How are we doing?”
the assessment and audit practice area contains the international standards-based pcat model, tool, and assessor guidance and training, helping stakeholders answer the question: “How are we doing?” it also houses i.t. risk management guidance, tools and templates.
Process Assessment is a critical element of Service Quality through measurement. Based on International Standards, and combined with ISO for Service Management, Stakeholders have a powerful toolkit to gauge their internal processes and practices.

11. Case Study- NGEN Process Design
Situation
Solution
Benefit & Impact
Shift from Contractor Owned/Contractor Operated model to a Government Owned/Contractor Operated model for NMCI network
Government desired increase situational awareness and command and control
Developed a Navy ITSM framework
Delivered customized ITSM education and awareness for process owners/managers and design teams
Facilitated process design activities
Conducted process architecture reviews
Established effective government oversight over vendor-provided network services
Increased SA and C2
Established Navy Enterprise service management model, paved the road to JIE
Solution:
Developed Navy ITSM Framework to transform IT service provisioning
Provided requirements to guide Performance Work Statement development
NNPDM: governed shared service delivery and define Government and Vendor ITSM roles
Training: to drive cultural change in preparation for new government roles under contract transition
Operating Model and SOPM: documents to govern operation of the network

12. Case Study- NGEN PCA Situation Solution Benefit & Impact
PMW-205 Performance Management was charged with assessing NGEN ITSM processes
There was a need for process assessment tool and techniques
Evaluation of services and processes are necessary going forward to align with planned NGEN-R changes such as expanded cloud capability and ONE-Net integration
Utilized NAVITSMO process capability model and tool and methodology
Provided Assessor’s training to PMW-205 and NNWC
Provided resources to conduct assessments of 13 Service Design, Transition, and Operation processes, plus Service Desk function
Evaluated process focus areas capabilities, and identified potential improvement actions
Provided Continual Service Improvement (CSI) recommendations based on objective evaluation
Prompted long-overdue documentation updates
Provided program management sponsors with solid evidence of the status, strengths and weaknesses of each of their processes
Presents unbiased data that can be used to evaluate CSI opportunities in light of NGEN-R

13. Process Capability Assessment Model
The Process Capability Assessment Model is an approach to evaluate and measure the competency of a particular process to meet its intended purpose, outcomes, and alignment with requirements
The capability model provides a set of attributes for each process to determine how the process is being performed, managed, established, predicted, and innovating
The approach is adopted to support Navy IT service management efforts
Identify the strengths, weaknesses and risks of selected processes with respect to a particular specified requirements/outcomes and their alignment with the business mission
Current State
Capability
the process capability assessment model is an approach to evaluate and measure the competency of any process to meet its intended purpose, outcomes and alignment with the business or mission. The model establishes a set of attributes distributed at various levels to determine how the process is being performed, managed, established, predicted and optimized (Note: change to Innovating). the model help establish a current state or baseline capability for the process at a particular level, and Through repeatable and incremental application of the plan-do-check-act deming cycle, quality is built into successive baselines in an ever-increasing process capability that meets or exceeds customer requirements and expectations.

14. Process Assessment Capability Levels
Description 1
Performed
The implemented process achieves its purpose and outcomes
Process Performance 2
Managed
The process is now implemented in a managed fashion (planned, monitored and adjusted) and its work products are appropriately established, controlled and maintained
Performance Management
Work Product Management 3
Established
The process is implemented, defined and capable of achieving its outcomes
Process Definition
Process Deployment 4
Predictable
The process operates within defined limits to achieve its outcomes
Quantitative Analysis
Quantitative Control 5
Innovating
The process is continuously improved to meet relevant current and projected mission and business enterprise goals
Process Innovation
Process Innovation Implementation
the pcat capability levels start with level one – performed. a process that has achieved level one capability is one that is achieving its stated purpose and outcomes – regardless of how efficiently or effectively it is doing so.
a process that has achieved level two capability is one that has been implemented in a manged fasion – it is planned, monitored and adjusted as required. it contains elements of performance management and manages work products.
a process that has achieved level three capability is one that is established and is now implemented, defined, and capabile of achieving its outcomes. it contains elements of process definition and process deployment.
a process that has achieved level four capability is one that is predictable in that it operates within defined limits to achieve its outcomes. it contains elements of process measurement and process control. (Note: Update to Quantative Analysis and control)
and lastly, a process that has achieved level five capability is one that is optimizing, in that it is continuously improving to meet relevant business and mission Goals. it contains elements of process innovation and process optimization. (Update to reflect slide)

15. Process Reference Model
An assessment is carried out utilizing conformant Process Assessment Model(s) related to one or more conformant or compliant Process Reference Models.
- ISO/IEC 15504
The Navy Process Capability Assessment Model conforms to The Navy Process Reference Model (NPRM). The NPRM:
provides a comprehensive set processes that support the Navy ITSM domain
describes 34 ITSM processes at a high level using standardized descriptions and structure
provides process components that may be used by multiple processes
Promotes interoperability of processes
Provide a starting point for process standardization for process design teams
The NPRM conforms to the DESMF.
Note that the DESMF provides a framework, but is not a stand-alone process reference model
according to iso 15504, an assessment is carried out utilizing a process assessment model, which is based on attributes derived from a process reference model.
The navy I-T-S-M-O has developed a process reference model (NPRM) for 34 ITSM processes, which provides a baseline for process design activities. it incorporates 34 of the most common i-t-s-m processes in use throughout industry. using the itil phases for service strategy, service design, service transition, and service operation, the nprm contains all 26 ITIL processes, as well as an additional 8 processes gleaned from international standards and industry best practice that relate directly to navy i-t operational requirements.
The N-P-R-M processes are designed to follow accepted international conformance and compliance requirements, capability assessments, government controls, and is based on Department of Defense and Department of Navy C-I-O guidance. it is also consistent with Information Dominance Enterprise Architecture or i-d-e-a, DEPARTMENT of Defense Architecture Framework or d-o-d-a-f, SPAWAR INSTRUCTION , ITIL Version 3, ISO-20k and ISO in addition, it contains the control elements from the isaca COBIT framework, the Capability Maturity Model Integration or C-M-M-I and other common industry leveraged practices and management frameworks. A key value-added addition to the N-P-R-M version 2 is the incorporation of skill-to-role profiles derived from the skills framework for the information age or SOPHIA.

16. Performing an Assessment

17. Assessment Triggers
A process assessment may apply in the following circumstances:
by or on behalf of an organization with the objective of understanding the state of its own processes for process improvement
by or on behalf of an organization with the objective of determining the suitability of its own processes for particular requirement
by or on behalf of one organization with the objective of determining the suitability of another organization’s processes
typically, a process assessment may be triggered by or on behalf of an organization to establish or baseline the current state of their it processes, or to determine the suitability of its own processes for a particular requirement. in particular, a higher-echelon command may direct a process assessment for its it-related subordinate activities in order to establish a baseline process capability across the enterprise.

18. Performing the Assessment
The assessment input consists of an assessment plan which defines the purpose of the assessment, the scope of the assessment, what constraints apply to the assessment and any additional information that needs to be gathered
Plan: a plan for the assessment shall be developed and documented
Scope: scope is determined by the level (1-5) and the areas to which the assessment is going to be executed
Data collection: data required for evaluating the processes within the scope of the assessment
The assessment output consists of a set of process attribute ratings for each process assessed, and also includes the capability level achieved by that process
Process attribute rating: a rating shall be assigned based on validated data for each process attribute
Report: assessment report summarizes the observations, findings, and recommendations
planning the assessment is a critical first-step and an assessment plan must be developed that provides the scope of the assessment and defines the data to be collected. assessor training is another critical element that ensures the assessment is properly documented and carried out in accordance with the assessment plan. The output of each assessment is captured in a report that will be communicated to the customer and stakeholders. The report includes the assessed capability level, the focus areas, ratings, findings, and most importantly, recommendations for improvement.
The navy I-T-S-M-O has developed an assessment plan template, report template and other supporting documentation to assist assessors who are preparing for their own process assessments.

19. What to Assess
Focus areas that can be addressed during the Process Assessment:
Purpose
Outcomes
Management Activities
Interfaces
Roles and Teams
Information Work Products
Tools
Each focus area has a set of attributes that:
Define achievement within the focus area
Determine objectives for full achievement within the focus area
Measure the incremental achievement to determine the overall capability of the assessed process
the assessment tool ensures appropriate attention is paid to the focus areas contained within each of the five capability levels. These focus areas are: Purpose, outcomes, management activities, interfaces, roles and teams, information work products and tools. additionally, each focus area has a set of attributes that help define achievement, determine objectives for full achievement, and measure the incremental achievement to determine the overall capability of the process.
The scope of the assessment can be limited to one or multiple focus areas

20. Example: Level 1 Capabilities Outcomes
Change Management
Outcomes
Requests recorded & classified
Requests assessment criteria
Requests approved before develop/deploy
Schedules communicated
Approved changes developed and tested
Unsuccessful changes reversed or remedied
Capability Indicator
Questions
Do the process activities identify tasks that accomplish the outcome?
Are all outcomes being performed to meet process purpose?
Data Collection: Evidence verifying outcomes are achieved (e.g. RFC form, change schedule log, etc.)
For example, notice the change management outcomes for a level one assessment as defined in the N-P-R-M. The assessor will use the assessors guide and the pcat among other resources to investigate and find answers to the attribute questions that reveal the level of attainment for a particular attribute.

21. Assessment Report
In conformance with provisions of the DESMF and of DoDI , the process assessment provides a report on the capability status
Assessment Report consists of:
Overall Assessment Profile including numerical ratings
Documentation Review
Summary of findings and ratings
Strengths – Weaknesses – Opportunities – Threats (SWOT) Analysis
Recommendations
Assessment Report Example (Chuck)