Date: | 10/23/2024 |
---|---|
Organization: | Executive Office of Technology Services and Security |
Referenced Sources: | M.G.L. Ch. 7D Section 2; M.G.L. Ch. 7D Section 3; M.G.L. Ch. 7D Section 7 |
Administrative Directive 2024-1: Oversight and Approval of IT Procurements
Authority
There shall be an executive office of technology services and security that will be an executive office within the meaning of section 2 of chapter 6A. The office shall be administered by a secretary who shall be appointed by the governor and who shall supervise all activities concerning information technology of state agencies. The Governor may designate the secretary of the executive office of technology services and security as the chief information officer for the commonwealth. If the Governor does not designate the secretary as the chief information officer, the secretary shall, notwithstanding section 45 of chapter 30 and chapter 31, subject to the approval of the governor, appoint a chief information officer who shall report to the secretary and serve at the pleasure of the secretary. Notwithstanding any general or special law, rule, regulation, executive order, policy or procedure to the contrary, all executive department agencies shall, and other state agencies may, adhere to the policies, procedures and objectives established by the executive office of technology services and security with respect to activities concerning information technology.
“(a) The [Executive Office of Technology Services and Security] shall have all powers necessary or convenient to carry out its duties including, but not limited to, the power to: …
(vi) oversee and supervise the maintenance of information technology and the initiation of information technology updates or projects for state agencies;
(vii) initiate procurements of information technology resources for state agencies and enter into agreements or contracts in connection with such procurement on behalf of a state agency or other political subdivision of the commonwealth;
(viii) set policy regarding all procurements of information technology resources;
(ix) review and approve the information technology budget requests of a state agency and IT spending priorities of executive offices and agencies within any executive office;
(x) implement standards for product or service specifications, characteristics or performance requirements of IT resources that increase efficiency and improve security and identify opportunities for cost savings within state agencies based on such standardization; specifically, the office may implement the following: (a) the centralized acquisition and standardization of specifications for desktop computing equipment; (b) consolidation and centralized management of all network resources for the executive department; (c) the consolidation of information technology infrastructure; and (d) following consultation with the secretary of the executive office and the head of the agency or department within the executive offices, effectuate the centralization of other IT services and functions when centralization or standardization will promote greater security, improve service, or reduce costs; …
(b) The office may issue administrative directives pursuant to the authority set forth in this chapter, which shall be binding on all executive department agencies and offices.”
The secretary shall, notwithstanding section 45 of chapter 30 and chapter 31, appoint a qualified individual to serve as an enterprise chief information security officer (CISO) for the commonwealth who shall serve at the pleasure of the secretary. The CISO shall advise the secretary and the CIO on preventing data loss and fraud and protecting privacy. The CISO shall ensure all existing IT policies applicable to executive offices and agencies reflect best practices related to security and privacy.
Section 7. (a) The CIO shall determine and set a minimum financial threshold above which any proposed IT expenditure by a state agency shall be reviewed and approved by the office. The CIO may suspend an expenditure related to IT until approval has been granted by the office. The operational services division and the comptroller shall adopt procedures and policies to ensure cooperation with the executive office of technology services and security's IT procurement review policies and shall assist in enforcing them.
(b) All state agency contracts for IT shall require the approval of the CIO. The executive office of technology services and security may require that it be named as a party to any IT contract that any agency or office within the executive department enters into. The CIO may negotiate state agency IT contracts and amendments to existing contracts entered into by a state agency for information technology services in order to expand the scope of the contract, extend the term of the contract, improve delivery of services under the contract or to safeguard information from threats to cyber security. The office shall review long-term contracts for information technology services on a quarterly basis to ensure that services delivered pursuant to those contracts are provided in a timely and cost-effective manner to the commonwealth. If the CIO determines that information technology services under any such contract could be improved, the office shall consult and negotiate with each agency and contractor who is a party to the existing contract to obtain terms and conditions more favorable to the commonwealth.
(c) For IT projects that present a complex set of challenges as defined in an administrative directive promulgated by the executive office of technology services and security, the executive office of technology services and security may establish a project oversight function that may include the formation of a committee to develop criteria and benchmarks to evaluate the project and advise the executive office of technology services and security as to whether the project is accomplishing its objectives. A committee established pursuant to this section may include members from the private sector; provided, however, that members shall have no financial interest in the project overseen by the committee.
(d) The CIO shall adopt policies, standards and guidelines governing information technology procurement, development and maintenance, specifically including provisions for:
(i) ensuring effective project management and oversight configurations;
(ii) establishing strategic incentive and requirement structures;
(iii) increasing competition among information technology vendors, including, but not limited to, the undertaking of smaller, short-term information technology projects to provide improved programmatic flexibility;
(iv) utilizing commercial off-the-shelf information technology products to achieve cost savings on information technology projects;
(v) increasing technology procurement innovation using pilot programming;
(vi) identifying which information technology projects and procurements shall require the services of an independent verification and validation consultant;
(vii) creating a team of project managers to oversee and manage large information technology projects;
(viii) gathering and maintaining relevant records, documents and information related to vendor performance on ongoing and completed projects to assist in assessing prospective vendors' past performance; and
(ix) implementing other best practices which may include, but shall not be limited to, those identified in legislative reports and legislatively-required reports.
Scope
This document applies to the use of information, information systems, electronic and computing devices, applications, and network resources used to conduct business on behalf of the Commonwealth. The document applies to the Executive Branch including all executive offices, boards, commissions, agencies, departments, divisions, councils, bureaus, and offices within an executive office, hereinafter referred to as Commonwealth Agencies and Offices. Commonwealth Agencies and Offices are required to implement procedures that ensure their personnel, including vendors, contractors, and consultants, comply with requirements in regard to safeguarding information owned or entrusted to the Commonwealth.
Definitions
Chief Information Officer: or “CIO”, the chief information officer of the Commonwealth.
Information technology: or “IT”, hardware, software, telecommunications equipment and related services designed for the storage, manipulation, and retrieval of data by electronic or mechanical means including, but not limited to, personal computers, mainframes, wide and local area networks, servers, mobile or portable computers, peripheral equipment, telephones, wireless communications, handheld devices, cloud-based application and platform services, public safety radio services, facsimile machines, data centers, dedicated training facilities and switching facilities, and related consulting services, including staff augmentation services.
Secretariat Chief Information Officer: or “SCIO”, the person responsible for technology services, security, and information technology in each executive office other than the executive office of technology services and security, who reports to both the secretary of technology services and security and the secretary of the executive office for whose technology services the SCIO is responsible.
State agency or agency: a legal entity of state government established by the general court as an agency, board, bureau, commission, council, department, office or division of the commonwealth with a specific mission and which is subject to the control of the governor or whose administration has been solely appointed by the governor.
IT Procurement Approval
Sharing IT procurement plans well in advance helps us all make more informed decisions that will impact our collective success. Your support and insights play a vital role in ensuring that our technology investments align with our strategy and deliver the best possible outcomes for the citizens and businesses of the Commonwealth.
Additionally, Administrative Directive 2019-1 details EOTSS’ requirements to review and approve “any planned information technology development project or purchase” by Agencies under the authority of the Governor for which the total projected cost exceeds $200,000 – before the agency obligates funds for the procurement, as well as to submit an annual report to the State Auditor and Legislature documenting “a complete accounting of and justification for all project-related expenditures totaling $250,000 or more over the previous 12-month period.” This administrative directive partially rescinds 2019-1 by consolidating the $200,000 requirement into this administrative directive and leaving the $250,000 requirement intact.
This administrative directive is issued to promote transparency, efficiency, and accountability in the procurement of Information Technology (IT) services and products by State Agencies and allows EOTSS to fulfill its reporting obligations. It establishes a framework for Agencies to provide forecasts of IT procurements and to report on these procurements on a quarterly basis.
Accordingly, all Commonwealth Agencies and Offices are required to provide forecasts of their IT procurement needs for the upcoming fiscal year and each fiscal year thereafter. These forecasts must include estimated budgetary requirements and a description of the intended IT procurements, as detailed in Attachment A. Effective immediately, the following applies for all IT procurements using UU1 codes:
- Before drafting any detailed requirements, procurements (RFQs, RFRs or RFIs) or requesting quotes from vendors in excess of $500,000, the Agency CIO or his or her designee must submit the following request: IT Procurement $500K+ | ServiceNow and await EOTSS’ written approval prior to taking any additional steps in the procurement process.
- Secretariat CIOs must consolidate Agency IT procurement forecasts and reports in excess of $200,000 and submit these quarterly to EOTSS-IT-Procurement-Approvals@mass.gov using the template in Attachment A. The quarterly reports must include a complete list of IT procurement forecasts and the progress and status of IT procurements within their respective agencies. These reports shall include the status of ongoing procurements and any changes to budgets or forecasts. The quarterly reports are due by 5:00PM on March 31, June 30, September 30, and December 31 of each calendar year.
1 The Office of the Comptroller, Expenditure Classification Handbook, https://www.macomptroller.org/expenditure-classification-handbook/
Implementation
Secretariat CIOs are responsible for policy compliance for their secretariats and must designate Agency CIOs, or another knowledgeable person, as the responsible officer to oversee compliance with this directive and provide regular updates to the Secretariat CIO regarding their IT procurement forecasting and reporting activities.
Contact
The owner of this document is the EOTSS Secretary (or their designee). It is the responsibility of the document owner to maintain, update and communicate the content of this document. Questions regarding this document must be submitted to the document owner by sending an email to EOTSS-IT-Procurement-Approvals@mass.gov.
Policy Change Control
Version Number | Revised by | Effective date | Description of changes |
---|---|---|---|
1.0.0 | Jason Snyder | 10/23/2024 | Initial Document |
1.1.0 | Jessica M. Powers | 5/1/2025 | Reformatted document |