Policy Program and Archive
Office of the Chief Information Officer Policy Program Documents
- 1351.1A: IT Directives Management (January 2, 2020) This policy is DOT’s framework managing IT Policy and accompanying guidance.
- 1351.18: Departmental Privacy Risk Management Policy (September 30, 2014) This policy is DOT’s framework for identifying, assessing and mitigating privacy risk for information stored in DOT information systems.
- 1351.19: PII Breach Notification Controls (May 14, 2009) This policy is DOT’s framework for responding appropriately to situations that involve the unauthorized dissemination of Personally Identifiable Information (PII) to mitigate the risk of harm should a breach occur.
- 1351.21: U.S. Department of Transportation Enterprise License Agreements (ELAs) (June 30, 2009) This policy is DOT's framework for the management of Enterprise License Agreements (ELAs) for software, and for purchase and management of software licenses under those agreements.
- 1351.22.1: Departmental Earned Value Management Policy (July 15, 2010) This policy is DOT's framework for establishing Earned Value Management as a fundamental element of Capital Planning and Investment Control (CPIC) and investment portfolio management oversight.
- 1351.23: Electronic and Information Technology Accessibility Policy (September 11, 2013) This policy is DOT's framework to ensure equal accessibility to DOT's electronic and information technology to persons with disabilities.
- 1351.24: Departmental Web Policy (September 27, 2010) This policy is DOT's framework for creating, managing and maintaining DOT's internal and external Web sites, including Web presences hosted on non“.gov” domains, for audiences both internal and external to DOT.
- 1351.27: Enterprise Architecture Policy (April 19, 2013) This policy is DOT's framework to establish, develop, maintain and facilitate a sound and integrated IT enterprise architecture that provides a comprehensive overview of how DOT IT investments support the Department.
- Open Source Management: This implementation instruction establishes requirements for managing custom software (source code) developed by the Department and its contractors. The instruction ensures that the Department can identify and leverage custom-developed software from all agency components as well as other Federal agencies.
- Open Source Management: This implementation instruction establishes requirements for managing custom software (source code) developed by the Department and its contractors. The instruction ensures that the Department can identify and leverage custom-developed software from all agency components as well as other Federal agencies.
- 1351.28: Records Management (November 1, 2010) This policy is DOT's framework for managing DOT records, including collection, maintenance, use, and disposal.
- 1351.29A: Managing Information Collections Under the Paperwork Reduction Act (April 1, 2022) This policy is DOT's framework for minimizing the paperwork burden on the public.
- 1351.33: Departmental Web-Based Interactive Technologies Policy (Social Media and Web 2.0) (November 23, 2010) This policy is DOT's framework for employee access, conduct, account management, acceptable use, approved sites, and other requirements when using Web-based interactive technologies during work hours.
- 1351.34: Departmental Data Management Policy (July 13, 2017) This policy is DOT's framework for managing and standardizing the quality, objectivity, utility, and integrity of data disseminated to the public.
- 1351.36A: Departmental Forms Management Policy (May 5, 2022) This policy is DOT's framework for ensuring DOT maintains a uniform and accurate inventory and exercises management of the content of all DOT forms.
- 1351.37: Departmental Cyber Security Policy (June 21, 2011) This policy is DOT's framework for providing security for all DOT information systems, information technology, networks, and data that support DOT operations.
- Charter For Identity, Credential, and Access Management (ICAM) Program (May 13, 2011) This document formalizes the lCAM program at the U.S. DOT. The charter presents an overview of the ICAM program, describes the ICAM target state, addresses the purpose, and identifies the need and gaps that the program will fulfill across individual initiatives and investments. This document also identifies the organizational structure, governance model, and process-related requirements associated with the development and implementation of the DOT ICAM program.
- DOT Order 1681.1: DOT ICAM/HSPD-12 Implementation Policy (June 23, 2011) This order establishes the U.S. Department of Transportation's (DOT) policy for the implementation of Identity, Credential, and Access Management (ICAM) and Homeland Security Presidential Directive 12 (HSPD-12), "Policy for a Common Identification Standard for Federal Employees and Contractors."
- ITIM 2022-006 DOT Implementation Guidance for Multi-Factor Authentication for Users of Information Systems and Applications (July 8, 2022) This memorandum provides requirements and strategies for the consistent and uniform implementation and enforcement of Multi-Factor Authentication (MFA) for user access to DOT networks, systems and applications in alignment with Federal Zero Trust requirements and principles.
- Charter For Identity, Credential, and Access Management (ICAM) Program (May 13, 2011) This document formalizes the lCAM program at the U.S. DOT. The charter presents an overview of the ICAM program, describes the ICAM target state, addresses the purpose, and identifies the need and gaps that the program will fulfill across individual initiatives and investments. This document also identifies the organizational structure, governance model, and process-related requirements associated with the development and implementation of the DOT ICAM program.
- 1351.38: Privacy Policy for Information Sharing Environment (ISE) (June 5, 2012) This policy is DOT's framework for collecting, using, storing, sharing and securing terrorism-related Protected Information (PI) shared through the Information Sharing Environment (ISE.)
- 1351.39.A: Departmental IT Management Policy (August 3, 2017) This policy ensures IT management policies to align with the Federal Information Technology Acquisition Reform Act (FITARA) requirements that impose significant new responsibilities on Department-level CIOs for approving IT investments, budgets and acquisitions. At the same time, this policy also affirms the role of OA CIOs supporting FITARA requirements.
- Investment Management Guidance: The Investment Management Guidance takes an integrated approach to the oversight and management of IT resources, and serves as the mechanism used by the Department to coordinate and manage the compliance of all things IT. The Guidance outlines the DOT’s strategy and process steps necessary to enhance the integration, streamlining and maturity of Capital Planning and Investment Control (CPIC) activities for the enterprise management of IT resources. The investment management process centers on the guiding principles of a data-driven, portfolio-based approach and CPIC methodology that allows for an expansive and thorough look across the enterprise of DOT IT assets and resources. This empowers the Department to make evidence-based decisions on the pre-selection, selection, control, and evaluation of new and ongoing IT investments. It also facilitates the identification and elimination of legacy systems no longer required to meet the Department’s goals and objectives.
- Enterprise Program Management Review (EPMR): EPMR serves as the authoritative framework used to promote the integrated management oversight and life cycle review among the DOT stakeholder communities responsible for initiating, reviewing, approving, and monitoring DOT IT investments. EPMR provides users a common and executable understanding of program management processes and activities to navigate for the efficient and effective procurement and sustainment of information technologies. In addition, EPMR aids in the implementation of the Federal Information Technology Acquisition Reform Act’s (FITARA) new accountability and oversight responsibilities that have been designated for the Chief Information Officer (CIO) and Senior Agency Official (CXO) communities.
- Investment Management Guidance: The Investment Management Guidance takes an integrated approach to the oversight and management of IT resources, and serves as the mechanism used by the Department to coordinate and manage the compliance of all things IT. The Guidance outlines the DOT’s strategy and process steps necessary to enhance the integration, streamlining and maturity of Capital Planning and Investment Control (CPIC) activities for the enterprise management of IT resources. The investment management process centers on the guiding principles of a data-driven, portfolio-based approach and CPIC methodology that allows for an expansive and thorough look across the enterprise of DOT IT assets and resources. This empowers the Department to make evidence-based decisions on the pre-selection, selection, control, and evaluation of new and ongoing IT investments. It also facilitates the identification and elimination of legacy systems no longer required to meet the Department’s goals and objectives.
- 1351.40: Common Operating Environment (COE) Shared Services Policy (March 5, 2015) This policy it DOT's framework for execution of IT Shared Services activities to rationalize investments, drive down costs and improve service.
Please contact OCIOITPolicy@dot.gov with any 508 Accessibility questions.
Last updated: Monday, March 10, 2025