XLC Complexity Levels
The XLC model provides a streamlined approach to project oversight and execution. It is the next generation of project life cycle processes with a flexible approach to project execution and governance. The level of governance is directly associated with the complexity of the project. This model facilitates agility, effective review of projects, and the determination of the appropriate level of oversight early in the process.
Page Contents
COMPLEXITY LEVEL OVERVIEW back to top
The XLC provides Business Owners and IT project managers with three tailored XLC oversight levels to manage the project. The benefits of determining a project’s complexity level are:
- Identifies the needed reviews, including those that may be combined or waived
- Identifies the needed artifacts, including those that may be combined or waived
- Identifies the needed tests, including those that may be combined or waived
These results help you understand the amount of work to be done. Consider this information when you develop your project plan including schedule and rough order of magnitude (ROM) costs.
As shown in the figure below, your project’s complexity level significantly affects the reviews and corresponding artifacts your project requires.
This figure outlines the reviews recommended for the varying levels of project complexity
DETERMINING YOUR PROJECT’S COMPLEXITY LEVEL back to top
Determine the project’s complexity level by using the Complexity Worksheet tab in the Project Process Agreement. The tables on this page show the information used to establish project complexity.
Project Characteristic Complexity Rating Worksheet
For each project characteristic, select the rating guidance that fits your project best, filling in that number on the far right of the worksheet.
Once the Project Characteristic Complexity Worksheet has been completed, the Project Complexity is automatically calculated using the logic in the Project Complexity Determination Worksheet.
Project Characteristic | Complexity Level | Rating Guidance | Your Project’s Level? |
Shared Services Implications | 3 | Creating new shared service(s) | 1, 2, or 3 (select 1) |
2 | Modifying existing shared service(s) | ||
1 | Using existing shared service(s) as is | ||
Program / Business Process Profile (with Design / Development Implications) | 3 | New business process model, or process that may lead to significant cross program coordination and/or significant coordination with external business partners and/or developing new code on a new or existing system | 1, 2, or 3 (select 1) |
2 | Some new requirements and information flows, minor changes to code in an existing system | ||
1 | Requirements and information flows are similar to current programs, no new code | ||
Privacy Implications | 3 | Any Personally Identifiable Information (PII), Personal health Information (PHI), or Federal Taxpayer Information (FTI) data identified that is used, accessed, stored, or transmitted by the system | 1, 2, or 3 (select 1) |
2 | N/A – Privacy is either Complexity Level 1 or 3 | ||
1 | No PII, PHI, or FTI data | ||
Security Implications (based on Information Type1 processed, accessed, stored, or transmitted) | 3 | · Investigation, intelligence-related, and security information · Mission-critical information | 1, 2, or 3 (select 1) |
2 | · Information about persons · Financial, budgetary, commercial, proprietary or trade secret information · Internal administration · Other Federal agency information · New technology or controlled scientific information · Operational information · System configuration management information | ||
1 | · Other sensitive information · Public information | ||
Data Complexity (ties to data’s financial implications) | 3 | · Completely new data for the agency · Data is serving as a corporate asset | 1, 2, or 3 (select 1) |
2 | Some new data is introduced | ||
1 | · Data is similar to existing agency systems · Data scope focused on one service/system/domain | ||
Interface Complexity | 3 | · Interaction with non-Federal agencies in business rules · Data access via internet · Extensive interaction with other systems, especially external organizations and agencies · Shared service or system access via internet · Extensive interactions with other systems, databases, or new / updated COTS products | 1, 2, or 3 (select 1) |
2 | · Interaction with other Federal agencies in business rules · Data access via extranet · Moderate interaction with other systems, especially external organizations and agencies · Shared service or system access via extranet · Moderated interaction with other systems, databases, or new / updated COTS products | ||
1 | · No interaction w/ external organization in business rules · Data access via internal HHS network access only · No interaction with other systems, especially external organizations and agencies · Shared service or system access via internal HHS network access only · No interaction with other systems, databases, or new / updated COTS products |
1 Information Type definitions are from CMS System Security and e-Authentication Assurance Levels by Information Type available at https://www.cms.gov/informationsecurity/downloads/ssl.pdf
Project Complexity Determination Worksheet back to top
| Results from the Project Characteristic |
| Project Complexity Level |
| More than one complexity level 3 project characteristic |
| 3 |
If your project has… | Only one complexity level 3 project characteristic -or- No complexity level 3 project characteristics and more than one complexity level 2 project characteristic. | …then your project is complexity level: | 2 |
| No complexity level 3 project characteristics and only one complexity level 2 project characteristic -or- All complexity level 1 project characteristics. |
| 1 |
The resulting Project Complexity Level is a guide to which lane of the XLC applies to your project. The next step is to complete the Project Process Agreement which documents and helps in selecting which reviews and artifacts are appropriate for your project.
RISK CONSIDERATIONS back to top
When planning project activities and life cycle processes, it is important to consider the risk of waiving a review and plan appropriate mitigation strategies to ensure project success. For descriptions of the risks of omitting a given review, please refer to the CMS XLC Detailed Description Document.
Downloads
- Page last Modified: 08/10/2012 10:19 AM
- Help with File Formats and Plug-Ins