An IT Architecture & Security Review is performed to assess how well a new IT solution, service, or change fits into the IT landscape of North Dakota state government. During the review, the proposed solution or change is evaluated for alignment and compliance with the State's guiding IT Principles and IT Standards. The review process supports the management and execution of the statutory duties defined in North Dakota Century Code sections 54-59-09 and 54-59-22.
The review process must be completed for all IT procurements, including RFPs, APs, and Requests for Quotes. Agencies that intend to award a service or application to an external provider must first request an IT Architecture & Security Review.
For procurements, the review and the processing of any resulting exemptions must be completed after the intent to award but before the contract is signed.
For NDIT custom development efforts, the review and the processing of any resulting exemptions must be completed before the SOW is signed.
A review may result in the need for a formal exemption if the intended solution does not comply with current IT Standards or statutory policy. The CIO and the OMB director make the final decision on whether an individual exemption request is denied, approved, or approved with conditions.
Requesting an IT Architecture & Security Review
The review process includes the following steps:
- The agency submits an IT Architecture & Security Review Request or contacts the Business Architecture team at ITArchitects@nd.gov.
- NDIT Business Architects review the submission and assign it to a team member, who contacts the agency subject matter expert listed on the submission.
- Agency completes the IT Solution Questionnaire
- There may be additional vendor and business questions for clarification.
- Findings are documented and discussed with the requesting agency.
- The NDIT assigned Business Architect develops a recommendation for the Chief Information Officer to review (currently delegated to the Chief Technology Officer).
- NDIT completes a Request for Exemption from Information Technology Standards or Statutory Policies (SFN 51687)
- The Request for Exemption will be routed to the requesting agency director for signature.
- If there are exceptions to standards or remediation is required, the form is then routed to the CTO and the director of OMB for a final decision.
- NDIT assigned Business Architect notifies the agency regarding the final decision from NDIT and OMB.
- The standard exemption period is one year from the approval date, at which point the exemption is reassessed. Reassessment may occur earlier than one year if:
- A security breach affecting the assessed environment was reported or has occurred,
- The State's requirements for contracting cloud services are not complied with, and/or
- Significant changes in business or security policies, practices, and controls occur.
Contact Information
The NDIT Business Architecture team facilitates the review and exemption processes. Please feel free to contact them at ITArchitects@nd.gov.
FAQ
Review Process
- Why do I need to go through the IT Architecture & Security Review process?
- North Dakota Information Technology developed the IT Architecture & Security Review process to comply with North Dakota Century Code sections 54-59-09 and 54-59-22.
- Is it a waiver, exemption, or IT Architecture Review, I've seen references to all 3 names?
- Over the years, the process has gone by a few names. We are working on updating the language to an Architecture Review. The reason for the most recent change is to better align with what is happening in the process.
- What is done in the IT Architecture & Security Review process?
- Evaluate solution against guiding IT Principles
- Validate alignment with IT Standards
- Awareness of IT solutions across the enterprise
- Identify opportunities for reducing technical debt and promote reuse across TeamND. This has the potential to reduce costs and provide IT solutions quicker.
- Work with Office of Management and Budget to help facilitate the procurement process
- Identify IT and business trends across TeamND
- Are waivers just for hosting?
- No. Hosting is just one of the standards a proposed solution is evaluated against. It is also the most common exception granted.
- Which standards does NDIT care about?
- All of the standards communicate the desired state for IT in North Dakota State Government. Therefore, all standards are considered equal.
- There is a perception NDIT denies exemptions/waivers, is that true?
- There are instances where a request for an exception is denied. However, most of the time, working between the agencies and NDIT, remediation is put in place or plans are established to fulfill the business need.
- Are there procurement thresholds that require exemptions?
- The IT Architecture Review does not have any thresholds. All IT has an impact on the enterprise and needs to be evaluated regardless of costs.
- What is involved with a security risk assessment?
- The proposed vendor is tiered based on the classification of the data they will host and/or access. The tier determines what type of third-party assessment is conducted (full or partial).
- The vendor is sent an assessment and given one week to complete it.
- NDIT and the business owner review the findings to determine whether a vendor response is required.
- If a response is required, the remediation or risk treatment plans must be satisfactory to both NDIT and the business owner. If residual risk remains, the business owner is required to accept the risk as part of the exemption process.
- When is a security risk assessment not conducted?
- The data the proposed vendor will store and/or access is low risk, meaning:
- The data is intended for public disclosure, and
- Unauthorized disclosure, alteration, or destruction of the data would result in little or no risk to the State and its citizens.
Timelines
- When should an agency start the IT Architecture Review process?
- Early awareness helps ensure a smooth process. A final solution does not need to be selected to start the process; ideally, NDIT is aware of the business need before a product is selected, which encourages early discussion and collaboration.
- What can an agency get ready to help NDIT with an IT Architecture Review process?
- Completing the Request for Exemption from Information Technology Standards or Statutory Policies (SFN 51687) and the solution questionnaire. This allows us to better understand the high-level business problem and the IT solution. Ideally, we would already be aware of the business need when it was identified and work together through the process.
- What can an agency get ready to help NDIT with a waiver process?
- Submitting an Architecture Request, completing the IT Solution Questionnaire (outlined above), and providing any associated information.
- Why do some reviews and the completion of potential exemptions take longer than others?
- We understand this process can add delays to a project if it is not started during the evaluation of the business need. Every architecture review is unique in the data processed, technology, implementation, and resources involved, which introduces many variables into the timeline. Most delays are due to waiting for additional information from vendors and the requesting agency. Delays can also occur if critical or high risks are identified through the assessment and require a vendor response and/or remediation efforts.
Existing Exceptions
- How long is an exception valid?
- Exceptions are valid for one year. After this time, the renewal process does a quick review of the past acceptance criteria and any changes to standards.
- I have a previous exception and I am moving the solution to the cloud, adding a module, or doing an update. Do I need a new exception?
- Yes, we will need to perform an architecture review. If the solution has already gone through the architecture review process, it should be quicker as we have a base of knowledge.