ENCLOSURE 5

IT CONSIDERATIONS

1.  CLINGER-COHEN ACT COMPLIANCE. Subtitle III of title 40 of the United States Code (Reference (v)) (formerly known as Division E of the Clinger-Cohen Act (CCA)) (hereinafter referred to as “Title 40/CCA”) applies to all IT investments, including NSS.

     a. For all programs that acquire IT, including an NSS, at any ACAT level, the MDA shall not initiate a program or an increment of a program, or approve entry into any phase of the acquisition process; and the DoD Component shall not award a contract until:

(1) The sponsoring DoD Component or PM has satisfied the requirements of Title 40/CCA;

(2) The DoD Component CIO, or designee, confirms Title 40/CCA compliance; and

(3) For MDAPs and MAIS programs only, the DoD CIO also confirms Title 40/CCA compliance.

     b. The Title 40/CCA requirements identified in Table 8 of this enclosure shall be satisfied to the maximum extent practicable through documentation developed under the JCIDS and the Defense Acquisition System. The DoD Component Requirements Authority, in conjunction with the Acquisition Community, is accountable for actions 1-5 in Table 8; the PM is accountable for actions 6-11. The PM shall prepare a table similar to Table 8 to indicate which documents (including page and paragraph) correspond to the Title 40/CCA requirements. CIOs shall use the documents cited in the table prepared by the PM to assess and confirm Title 40/CCA compliance.

     c. The OIPT shall resolve issues related to compliance for MAIS programs and MDAPs. The Investment Review Board (IRB) shall resolve issues related to compliance for MAIS and MDAP defense business systems. Reference (f) has more information supporting Title 40/CCA compliance.

2.  TIME-CERTAIN ACQUISITION OF AN IT BUSINESS SYSTEM. Before providing Milestone A approval for an IT business system, the MDA shall determine that the system will achieve IOC within five years (section 811 of P.L. 109-364 (Reference (az))). This MDA determination is not required for NSS, but is required for AIS defense business systems, including those that are also MAIS or MDAP.

3.  DEFENSE BUSINESS SYSTEMS MANAGEMENT COMMITTEE (DBSMC) CERTIFICATION APPROVAL. For defense business system acquisition programs that have modernization funding exceeding $1,000,000, the MDA shall not grant any milestone or full-rate production approval or their equivalent, and the authority to obligate funding shall not be granted until the certification under paragraph (a) of section 2222 of Reference (k) has been approved by the DBSMC (see Enclosure 11).

Table 8. Title 40, Subtitle III /CCA Compliance.

Actions Required to Comply With Subtitle III of Title 40 U.S.C. (formerly Division E of the Clinger-Cohen Act (CCA) of 1996 (Reference (v))	Applicable Program Documentation1
1. Make a determination that the acquisition supports core, priority functions of the Department.2	ICD Approval
2. Establish outcome-based performance measures linked tostrategic goals. 2, 3	ICD, CDD, CPD and APB approval
3. Redesign the processes that the system supports to reduce costs, improve effectiveness and maximize the use of COTStechnology. 2, 3	Approval of the ICD, Concept of Operations, AoA, CDD, and CPD
4. Determine that no Private Sector or Government source can better support the function. 4	Acquisition Strategy page XX, para XX AoA page XX
5. Conduct an analysis of alternatives. 3, 4	AoA
6. Conduct an economic analysis that includes a calculation ofthe return on investment; or for non-AIS programs, conduct a Life-Cycle Cost Estimate (LCCE).3, 4	Program LCCE Program Economic Analysis for MAIS
7. Develop clearly established measures and accountability for program progress.	Acquisition Strategy page XX APB
8. Ensure that the acquisition is consistent with the Global Information Grid policies and architecture, to include relevant standards.	APB (Net-Ready KPP) ISP (Information Exchange Requirements)
9. Ensure that the program has an information assurance strategy that is consistent with DoD policies, standards and architectures, to include relevant standards.3	Acquisition Information Assurance Strategy
10. Ensure, to the maximum extent practicable, (1) modular contracting has been used, and (2) the program is being implemented in phased, successive increments, each of whichmeets part of the mission need and delivers measurable benefit, independent of future increments.	Acquisition Strategy page XX
11. Register Mission-Critical and Mission-Essential systems withthe DoD CIO. 3, 5	DoD IT Portfolio Repository
1. The system documents/information cited are examples of the most likely but not the only references for the required information. If other references are more appropriate, they may be used in addition to or instead of those cited. Include page(s) and paragraph(s), where appropriate. 2. These requirements are presumed to be satisfied for Weapons Systems with embedded IT and for Command and Control Systems that are not themselves IT systems. 3. These actions are also required to comply with section 811 of P.L. 106-398 (Reference (ag)). 4. For NSS, these requirements apply to the extent practicable (section 11103 of Reference (v)) 5. Definitions:     Mission-Critical Information System.  A system that meets the definitions of “information system” and “national security system” in the CCA (Reference (v)), the loss of which would cause the stoppage of warfighter operations ordirect mission support of warfighter operations. (Note: The designation of mission critical shall be made by a Component Head, a Combatant Commander, or their designee. A financial management IT system shall be considered a mission-critical IT system as defined by the Under Secretary of Defense (Comptroller) (USD(C)).) A “Mission-Critical Information Technology System” has the same meaning as a “Mission-Critical Information System.”     Mission-Essential Information System.  A system that meets the definition of “information system” in Reference (v), that the acquiring Component Head or designee determines is basic and necessary for the accomplishment of the organizational mission. (Note: The designation of mission essential shall be made by a Component Head, a Combatant Commander, or their designee. A financial management IT system shall be considered a mission-essential IT system as defined by the USD(C).) A “Mission-Essential Information Technology System” has the same meaning as a “Mission-Essential Information System.”

 4.  MAIS CANCELLATION OR SIGNIFICANT REDUCTION IN SCOPE. As required by section 806 of P.L. 109-163 (Reference (ah)), the DoD CIO shall notify the congressional defense committees at least 60 days before any MDA cancels or significantly reduces the scope of a MAIS program that has been fielded or has received Milestone C approval.

5.  LIMITED DEPLOYMENT FOR A MAIS ACQUISITION PROGRAM. At Milestone C, the MDA for a MAIS acquisition program shall approve, in coordination with DOT&E, the quantity and location of sites for a limited deployment of the system for IOT&E.

6.  DoD ENTERPRISE SOFTWARE INITIATIVE. When the use of commercial IT is considered viable, maximum use of and coordination with the DoD Enterprise Software Initiative shall be made.