Frequently Asked Questions (FAQs)
1. Q - What is the difference between certification and confirmation of Clinger-Cohen Act (CCA) compliance?
A - Major Automated Information
System (MAIS) programs (ACAT IAM or IAC) require a certification
of compliance with the CCA by the Department of Defense
(DoD) Chief Information Officer (CIO). Certification differs from confirmation
in that certification requires that the DoD CIO certify to the congressional
defense committees that the program is being developed in accordance with CCA.
As part of the notification to the congressional defense committees, a funding
baseline and milestone schedule is required to be
ACAT ID, IC, II, III
and IV programs (all non-MAIS ACAT programs) that contain Mission Critical
(MC) or Mission Essential (ME) Information Technology (IT) systems require a
confirmation of compliance with the CCA.
Confirmation does not require notification to the congressional defense
committees and confirmation authorities are at a lower level than the
certification authority (DoD CIO).
2. Q - What is the difference between
Mission Critical and Mission Essential?
A - Definitions for MC and ME information systems
are provided in the glossary.
3. Q - How do I meet the requirement to provide an
Information Assurance Strategy?
A - Two areas must be addressed.
The policies, standards, and architectures
content can be satisfied through the Command,
Control, Communications, Computers and Intelligence Support Plan (C4ISP), and/or
the ORD. The certification and accreditation
content can be met through the DoD
Information Technology Security Certification and Accreditation Process
(DITSCAP), and C4ISP. Further guidance on IA strategies is provided in the glossary.
Contact Mr. Mike Davis (info) C4II
for additional guidance.
4. Q - From a
Program Manager's perspective, what's the difference in what I have to do for
a program if designated a MAIS rather than an MDAP?
A - All IT systems need to be compliant with the
CCA. From a process perspective, the differences are as
MAIS programs require CCA
Certification; MDAP programs require CCA Confirmation. See FAQ #1,
5. Q - Since my program is post-Milestone
C, I don't have any Clinger-Cohen Act "wickets" to go through,
A - If there are any post-Milestone C IT contracts to be awarded, the PM
must have either confirmation or certification (depending upon ACAT
designation) of CCA compliance, the system must be registered, and the system
must have an appropriate information assurance
6. Q - If I am exercising an option under an existing contract, or
issuing a delivery/task order under an existing contract, am I required to go
through the CCA confirmation/certification process prior to initiating either
A - No, as long as the contract under question is a DON contract and not a
Federal Supply Schedule or other federal agency
7. Q - If I am increasing the scope of an existing contract to
such an extent that a J&A must be executed prior to that contract being
modified for those increased requirements, am I required to go through the CCA
process prior to the modification being executed?
A - Under the Competition in Contracting Act, there is no difference
between modifying an existing contract to add requirements outside the scope of
that contract and awarding a contract for those new requirements. Therefore,
the answer is "Yes".
8. Q - Does the Clinger-Cohen Act apply to all IT?
A - YES. This is easier if you
remember the three 'C's of Clinger-Cohen. All IT must be Clinger-Cohen Act
compliant; Mission Critical and Mission Essential IT must be confirmed; and all MAIS (ACAT IAM
and ACAT IAC) programs must be certified.
9. Q - Does the Clinger-Cohen Act apply to
National Security Systems (NSS) and/or Weapon Systems?
A - YES. NSS or Weapon Systems
designation does not exempt IT systems from CCA compliance.
10. Q - What is meant by the phrase, "Command and Control Systems
that are not in themselves IT systems"?
A - Examples of Command and Control
systems that are not IT systems could be an AAV, LAV or M1A1. Programs such as
GCCS are Command and Control IT
11. Q - Do Abbreviated Acquisition Programs need CCA Compliance
A - Yes, Defense Acquisition, Interim Guidance, says that CCA
confirmation applies for an acquisition program AT ANY LEVEL. CCA
compliance confirmation authority is the Deputy Cdr, C4II and the Deputy USMC
12. Q - How do I register my system in the DoD IT Registration
A - HQMC C4 CP CIO and MARCORSYSCOM C4II/IA are responsible for
coordinating Marine Corps updates to the OSD IT Systems Registry. Detailed
guidance on IT system registration requirements is available from
MARCORSYSCOM C4II/IA or HQMC C4 CP CIO. An IT system information spreadsheet
template is also available from MARCORSYSCOM C4II/IA (Ms. Patricia L
Wallace/Ms. Debra Bouslog) and HQMC C4 CP CIO (Ms. Marilyn Stahovic) that
identifies the IT system information required for proper IT system
registration. Send information on IT systems to be registered to MARCORSYSCOM
C4II/IA (Ms. Patricia L Wallace/Ms. Debra Bouslog). Also, provide MARCORSYSCOM
C4II/IA with a point of contact for system information updates. On a quarterly
basis, C4II will request and compile additions and updates to all USMC systems
information contained in the IT Systems Registry, in accordance with OSD (C3I)
Memo, "DoD Information Technology (IT) Registry," dated February 21,
13. Q - If I manage
an IT system that becomes part of a Joint Program that has done a CCA
confirmation, do I need to do one also? (example: JFRG II becomes part of
GCCS; GCCS has done a CCA confirmation).
A - If either the CCA confirmation
documentation or the acquisition documentation for the Joint Program
specifically mentions your IT system, then you do not need to do a separate CCA
confirmation - you can rely on the Joint Program CCA confirmation to
suffice for your system. If, however, your program is not specifically
addressed in the Joint Program documentation, then you must initiate your own
14. Q - If I manage
a weapons system program whose IT component is from another service
acquisition program and that other service has done a CCA confirmation for the
component, do I need to do another CCA confirmation if that component is the
only IT related to my weapons system? (example: HIMARS is an integration
program. The only IT has been confirmed as CCA compliant by the
A - No, if the only IT
component of your system is identical to the other service IT component that has
had a CCA confirmation done, then you do not need to do another CCA
confirmation. If, however, the IT component you are using is not identical to
the other service IT component or there is additional IT in your weapon system
that has not been otherwise confirmed as compliant, you must initiate your own
15. Q - If my system
is post-milestone C and maintenance is handled under a Service Level Agreement
(SLA) type arrangement (i.e., not via contract award), am I required to
confirm/certify that my system complies with
A - No, if work is being
done under a previously established SLA, it is not considered a contract award.
Hence, the system is not required to formally confirm or certify compliance with
CCA. However, if the system is IT, it is still required to comply with