DODI 5000.74 Enclosure 7: Acquisition Considerations for IT Services

1. GENERAL

The use of IT has become widespread, whether as a direct outcome or as an enabler of services. This enclosure identifies IT considerations in the acquisition of IT services. IT services include providing the operation, support, and maintenance of IT, including long-haul communications and commercial satellite communications services, and may include providing commercial or military unique IT equipment with the services. IT services include the performance of any work related to IT and the operation of IT, including National Security Systems. This includes outsourced IT-based business processes, outsourced IT, and outsourced information functions sometimes referred to as Cloud services, Infrastructure-as-a-Service, Platform-as-a-Service, Software-as-a-Service, and other “as-a-Service” terms (Reference (q)). The appropriate decision authority (as outlined in Table 1), in consultation with the PM and DoD Component CIO, or their designee, will determine whether an investment in IT services will be managed under this instruction or Reference (b). If a proposed IT service is expected to achieve the threshold for a Major Automated Information System in accordance with section 2445a of Reference (h) or a Major Defense Acquisition Program in accordance with section 2430 of Reference (h), the decision authority will be the USD(AT&L) or their designee and the program will be managed under Reference (b). This determination applies to the initial acquisition of IT, the incremental delivery of additional capability, and the technical refreshment of existing systems across the system lifecycle. The acquisition strategy, contracts, and service-level agreements will include the appropriate statutory and regulatory requirements for IT.

2. CLINGER COHEN ACT (CCA) COMPLIANCE

CCA compliance applies to all IT services.

a. The decision authority will not approve the acquisition of IT services, and DoD Components will not award a contract for IT services, until the PM or FSM has satisfied the applicable requirements of the CCA. CCA compliance actions must be executed and certified at the beginning of each effort (program or otherwise), and again when changes to the acquisition strategy would invalidate the previous compliance conditions. However, CCA compliance need not, and often should not, be certified separately for each contract in an effort. For example, the help desk support contract when an IT program reaches the sustainment phase would not require a separate CCA certification. Related contracts should be grouped together for CCA purposes.

b. The PM or FSM will use the requirements identified in Table 2 to ensure the IT services comply with the CCA. The documents listed represent the most likely, though not the only, references for the required information. Major IT investments that submit an Office of Management and Budget (OMB) Exhibit 300 or are described in the Component’s Exhibit 53 describe compliance with some CCA requirements in these submissions, in accordance with OMB Circular A-11 (Reference (r)).

Table 2. CCA Compliance

Actions Required to Comply with the CCA | Applicable IT Services Documentation
Determine that the acquisition supports core, priority functions of the DoD. | Business Case Analysis (BCA); OMB 53
Establish outcome-based performance measures linked to strategic goals. | Performance Work Statement (PWS); Statement of Objectives
Redesign the processes that the service supports to reduce costs, improve effectiveness, and maximize the use of commercial off-the-shelf technology. | BCA
Where comparable IT services exist in public or private sectors, qualitatively benchmark performance against those IT services in terms of cost and performance. | BCA
Determine that no private sector or government source can better support the function. | Acquisition Strategy
Conduct an analysis of alternatives. | BCA; OMB 300
Conduct an economic analysis that includes a calculation of the return on investment; or, for non-Information Systems, conduct a life-cycle cost estimate. | BCA
Develop clearly established measures and accountability for the IT service. | Quality Assurance Surveillance Plan; Acquisition Strategy; OMB 300
Ensure that the IT service is consistent with the DoD Information Enterprise policies and architecture, to include relevant standards. | Acquisition Plan; PWS
Ensure that the IT service has cybersecurity requirements that are consistent with DoD policies, standards, and architectures, to include relevant standards. | Acquisition Strategy; cybersecurity planning for contracts or service-level agreements; PWS
To the maximum extent practical, ensure that IT services are incrementally contracted to manage risk and incorporate commercial IT capabilities in a timely manner. | Acquisition Strategy; OMB 300

3. DoD INFORMATION ENTERPRISE

a. IT capabilities that are acquired or provided as a service must align to the DoD’s Information Enterprise and the Joint Information Environment. Alignment includes complying with the:

(1) DoD Information Enterprise Architecture.

(2) DoD-wide reference and solution architectures.

(3) Applicable mission area and DoD Component architectures, in addition to the Defense Information Enterprise Architecture and DoDD 8000.01 (References (s) and (t)).

b. Acquisition planning for IT services should focus on maximizing the ability to seamlessly integrate and interoperate, based on operational context, with existing and planned IT systems and services in accordance with DoDI 8330.01 (Reference (u)) and conform to the DoD Capital Planning and Investment Control process as described in DoDI 8115.02 (Reference (v)).

4. ENTERPRISE IT SERVICES

DoD CIO-designated Enterprise IT services provide a common capability to DoD and will not be duplicated without approval from the DoD CIO. To the maximum extent practical, the PM or FSM should leverage existing IT services that may be shared within and among DoD Components and among federal government agencies. Market research and the acquisition plan should describe the extent to which IT services can be shared and, if applicable, include the scope of implementation for Enterprise IT services. IT services covered by this section include contracts for labor and contracts for services that process, store, or transmit DoD information. Most of the requirements in this enclosure, as will be indicated, are applicable only to the portions of these contracts that provide services that process, store, or transmit DoD information.

5. IT SERVICE MANAGEMENT

The consistent management and effective measurement of IT services will improve service quality and IT service management capability, and provide objective data needed for IT service investment decisions. All IT services must be managed in alignment with the Defense Enterprise Service Management Framework.

6. CYBERSECURITY

All IT services that receive, process, store, display, or transmit DoD information will be acquired, configured, operated, maintained, and disposed of consistent with applicable DoD cybersecurity policies, standards, and architectures. Cybersecurity of IT services is managed by:

a. Integrating the risk management framework steps and activities outlined in DoDI 8510.01 (Reference (w)) into the DoD acquisition of services process from the beginning, which reduces subsequent changes to security controls requirements after the contract award. Contracts and service-level agreements must describe the required security controls along with the roles and responsibilities between the service provider, PM, and network operations entities for the continuous monitoring of the IT services cybersecurity status. Solicitations will include sufficient information to evaluate each offeror’s proposed approach to satisfy the security control requirements.

b. Ensuring all services that include IT capabilities have appropriate protection for the confidentiality, integrity, and availability needs of the information and mission. IT services will be protected and governed under the DoD cybersecurity program in accordance with DoDI 8500.01 (Reference (x)). PMs or FSMs of IT services will categorize the relevant information in accordance with Committee on National Security Systems Instruction No. 1253 (Reference (y)) to determine an associated security control baseline, and include the security control baseline in solicitations to communicate protection requirements.

c. Implementing trusted systems and networks practices and procedures to identify and protect mission-critical functions and components and manage risks to the integrity of critical information and communications technology, if the IT service is or supports a National Security System or other applicable system pursuant to DoDI 5200.44 (Reference (z)). Such processes and best practices will be applied early and across the system development lifecycle and integrated into service-level agreements and contracts, as appropriate.

7. PERSONALLY IDENTIFIABLE INFORMATION

IT services that collect, maintain, use, or disseminate personally identifiable information must be managed in a manner that protects privacy, in accordance with section 552a of Title 5, U.S.C. (Reference (aa)), DoD 5400.11 (Reference (ab)) and DoD 5400.11-R (Reference (ac)). DoDI 5400.16 (Reference (ad)) established the guidance for development, review, and approval of Privacy Impact Assessments, in accordance with chapter 36 of Title 44, U.S.C. (Reference (ae)).

8. CLOUD COMPUTING

Cloud computing services provided by the DoD or commercial service providers can deliver more efficient IT services than traditional approaches and will be used when cost effective and secure.

a. PMs or FSMs must analyze cloud computing options and report cloud service usage and funding investments through the submission of OMB Exhibit 53 in accordance with OMB Memo Reference (r) and the Office of Management and Budget Memo M-13-09 (Reference (af)). PMs or FSMs will consider using cloud computing services based on mission requirements, BCA, data risk assessments, and mission risk assessments.

b. PMs or FSMs must implement any cloud computing services in accordance with the DISA-provided Cloud Computing Security Requirements Guide (SRG) found at http://iase.disa.mil/cloud_security/Pages/index.aspx. Prior to contract award, all commercially provided cloud services must have a DoD Provisional Authorization granted by DISA. Prior to operational use, all cloud services must have an Authority to Operate granted by the PM/FSM’s Authorizing Official. PMs/FSMs that acquire or use cloud services remain responsible for ensuring that end-to-end security and computer network defense requirements are met.

c. Commercial cloud services hosting controlled unclassified information or non-publicly releasable information outside of the Department’s security boundary must be connected to the Department of Defense Information Network (DODIN) through a Cloud Access Point that has been approved by the Information Security Risk Management Committee and the DoD CIO, in accordance with connection approvals in the Chairman of the Joint Chiefs of Staff Instruction 6211.02D (Reference (ah)).

9. SECTION 508 - ACCESSIBILITY OF ELECTRONIC AND INFORMATION TECHNOLOGIES FOR INDIVIDUALS WITH DISABILITIES

PMs will ensure IT services used by the DoD will allow persons with disabilities access to information comparable to the access afforded persons without disabilities, in accordance with section 794d of Title 29, U.S.C., (also known as section 508 of the Rehabilitation Act) (Reference (ai)). For exceptions to section 508 compliance, refer to DoD Manual 8400.01-M (Reference (aj)).

10. COMMERCIAL CELLULAR SERVICES

IT services for commercial mobile device carrier services (e.g., mobile voice and data via cellular) will be consolidated to the greatest extent practical. DoD and government-wide acquisition contracts are preferred to promote the efficient use of government resources.

11. DoD ENTERPRISE SOFTWARE INITIATIVE

When acquiring commercial IT, PMs or FSMs must consider the DoD Enterprise Software Initiative, Federal Strategic Sourcing Initiative procurement vehicles, DoD-wide joint enterprise license agreements, and Defense Component-level Enterprise Software Licenses. Instructions and additional detail can be found in subpart 208.74 of Reference (g); the DoD Chief Information Officer Guidance and Policy Memorandum 12-8430 (Reference (ak)); the Department of Defense Information Technology Enterprise Strategy and Roadmap of October 2011 (Reference (al)); OMB Policy Memorandums M-03-14, M-04-08, M-04-16, and M-05-25 (References (am), (an), (ao), and (ap)); and the DoD Enterprise Software Initiative website at http://www.esi.mil.