DODI 5000.02 Enclosure 11: Requirements Applicable to All Programs Containing IT

1. PURPOSE

This enclosure identifies the additional policy and procedure that apply to all programs containing IT, including National Security Systems (NSS).

2. APPLICABILITY

This enclosure applies to:

a. IT, as defined in title 40 of U.S. Code (Reference (p)), is any equipment or interconnected system or subsystem of equipment, used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information; it includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including support services), and related resources. IT is equipment used by the DoD directly or used by a contractor under a contract with the DoD that requires the use of that equipment. IT does not include any equipment acquired by a federal contractor incidental to a federal contract.

b. NSS, as defined in 44 U.S.C. 3552 (Reference (aw)), are telecommunications or information systems operated by or on behalf of the Federal Government, the function, operation, or use of which involves intelligence activities, cryptologic activities related to national security, command and control of military forces, equipment that is an integral part of a weapon or weapons system, or is critical to the direct fulfillment of military or intelligence missions. NSS do not include systems that are used for routine administrative and business applications (including payroll, finance, and personnel management applications).

c. Information systems, as defined in U.S.C. 3502 (Reference (aw)), are a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

3. CLINGER-COHEN ACT (CCA) COMPLIANCE

Subtitle III of title 40 of U.S. Code (Reference (p)) (formerly known as Division E of CCA) (hereinafter referred to as “CCA”) applies to all IT investments, including NSS.

a. For all programs that acquire IT, including NSS, at any acquisition category (ACAT) level, the MDA will not initiate a program nor an increment of a program, or approve entry into any phase of the acquisition process that requires formal acquisition milestone approval, and the DoD Component will not award a contract for the applicable acquisition phase until:

(1) The sponsoring DoD Component or program manager has satisfied the applicable acquisition phase-specific requirements of the CCA as shown in Table 10 in Enclosure 1 of this instruction; and

(2) The Program Manager has reported CCA compliance to the MDA and the DoD Component Chief Information Officer (CIO), or their designee.

b. Table 10 in Enclosure 1 of this instruction identifies the specific requirements for CCA compliance. These requirements will be satisfied to the maximum extent practicable through documentation developed under the JCIDS and the Defense Acquisition System. To report compliance, the Program Manager will prepare a table similar to Table 10 to indicate which documents demonstrate compliance with the CCA requirements. The Program Manager’s table will provide links to the cited documents and serve as the Program Manager’s “CCA Compliance Report.”

4. POST IMPLEMENTATION REVIEW (PIR)

The functional sponsor, in coordination with the Component CIO and Program Manager, is responsible for developing a plan and conducting a PIR for all fully deployed IT, including NSS. PIRs will report the degree to which doctrine, organization, training, materiel, leadership and education, personnel, facilities, and policy changes have achieved the established measures of effectiveness for the desired capability; evaluate systems to ensure positive return on investment and decide whether continuation, modification, or termination of the systems is necessary to meet mission requirements; and document lessons learned from the PIR. If the PIR overlaps with Follow-on Operational Test and Evaluation, the sponsor should coordinate planning of both events for efficiency. The preparation of the TEMP and the MDA’s decision to proceed with full-rate production satisfy the requirement for weapons systems. The post fielding assessment(s), the disposition assessment, and the disposition decision for an urgent need (as described in Enclosure 13), meet the requirement for a PIR.

5. DOD INFORMATION ENTERPRISE ARCHITECTURE

The DoD Information Enterprise Architecture will underpin all information architecture development to realize the Joint Information Environment. Program Managers must develop solution architectures that comply with the DoD Information Enterprise Architecture, applicable mission area and component architectures, and DoD Component architecture guidance. A program’s solution architecture should define capability and interoperability requirements, establish and enforce standards, and guide security and cybersecurity requirements. The standards used to form the Standard Viewpoints of integrated architectures will be selected from those contained in the current approved version of the DoD IT Standards Registry within the Global Information Grid Technical Guidance Federation service (Reference (br)). The IT will be tested to measures of performance derived from the solution architecture.

6. CYBERSECURITY

a. Cybersecurity Risk Management Framework (RMF). Cybersecurity RMF steps and activities, as described in DoD Instruction 8510.01 (Reference (bg)), should be initiated as early as possible and fully integrated into the DoD acquisition process including requirements management, systems engineering, and test and evaluation. Integration of the RMF in acquisition processes reduces required effort to achieve authorization to operate and subsequent management of security controls throughout the system life cycle.

b. Cybersecurity Strategy. All acquisitions of systems containing IT, including NSS, will have a Cybersecurity Strategy. The Cybersecurity Strategy is an appendix to the Program Protection Plan (PPP) that satisfies the statutory requirement in section 811 of P.L. 106-398 (Reference (q)) for mission essential and mission critical IT systems. Beginning at Milestone A, the Program Manager will submit the Cybersecurity Strategy to the cognizant Component CIO for review and approval prior to milestone decisions or contract awards.

(1) For ACAT ID, IAM, and IAC programs, the DoD CIO will review and approve the Cybersecurity Strategy prior to milestone decisions or contract awards.

(2) CIOs will document the results of all reviews.

(3) If contract award is authorized as part of an acquisition milestone decision, a separate review of the Cybersecurity Strategy prior to contract award is not required.

(4) The approved Cybersecurity Strategy will be an appendix to the PPP.

7. TRUSTED SYSTEMS AND NETWORKS (TSN)

Program managers of NSS; systems that have a high impact level for any of the three security objectives, Confidentiality, Integrity, or Availability; or other DoD information systems that the Component Acquisition Executive or Component CIO determines to be critical to the direct fulfillment of military or intelligence missions must identify and protect mission critical functions and components as required by DoD Instruction 5200.44 (Reference (aj)). TSN plans and implementation activities are documented in PPPs and relevant cybersecurity plans and documentation (see section 13 in Enclosure 3 of this instruction for additional details). Program managers will manage TSN risk by:

a. Conducting a criticality analysis to identify mission critical functions and critical components and reducing the vulnerability of such functions and components through secure system design.

b. Requesting threat analysis of suppliers of critical components (Supplier All Source Threat Analysis).

c. Engaging the pertinent TSN focal point for guidance on managing identified risk.

d. Applying TSN best practices, processes, techniques, and procurement tools prior to the acquisition of critical components or their integration into applicable systems.

8. LIMITED DEPLOYMENT FOR A MAJOR AUTOMATED INFORMATION SYSTEM (MAIS) PROGRAM

At Milestone C, the MDA for a MAIS program will approve, in coordination with the DOT&E, the quantity and location of sites for a limited deployment of the system for Initial Operational Test and Evaluation. MDAs, in coordination with DOT&E, may also make this determination at Milestone B for incrementally deployed programs, consistent with the procedures in paragraph 5c(3)(d) in this instruction.

9. CLOUD COMPUTING

Cloud computing services can deliver more efficient IT than traditional acquisition approaches. Program managers will acquire DoD or non-DoD provided cloud computing services when the business case analysis determines that the approach meets affordability and security requirements. Program managers will ensure that cloud services are implemented in accordance with Defense Information Systems Agency (DISA) provided Cloud Computing Security Requirements Guidance; and will only use cloud services that have been issued both a DoD Provisional Authorization by DISA and an Authority to Operate by their Component’s Authorizing Official. In addition, non-DoD cloud services used for Sensitive Data must be connected to customers through a Cloud Access Point that has been approved by the DoD CIO. Program managers report cloud service funding investments through the submission of the Office of Management and Budget (OMB) Exhibit 53 in accordance with OMB Circular A-11 (Reference (c)).

10. DOD ENTERPRISE SOFTWARE INITIATIVE (ESI)

When acquiring commercial IT, Program Managers must consider the DoD ESI, Federal Strategic Sourcing Initiative procurement vehicles, and Defense Component level Enterprise Software Licenses. The Defense Federal Acquisition Regulation Supplement subpart 208.74 (Reference (al)) and OMB Policy Memorandums M-03-14, M-04-08, M-04-16 and M-05-25 (References (bs) through (bv)) and the DoD ESI web site at http://www.esi.mil/ provide additional detail.

11. DOD DATA CENTER CONSOLIDATION

Any program manager who intends to obligate funds for data servers, data centers, or the information systems technology used therein, must obtain prior approval from the DoD CIO. The request must be signed by the Component CIO and include a completed request for the Authorization of Funds for Data Centers and Data Server Farms in accordance with section 2867 of P.L. 112-81 (Reference (v)).

12. IT, INCLUDING NSS, INTEROPERABILITY

To achieve the information superiority and interoperability goals of DoD Directive 5000.01 (Reference (a)), program managers will design, develop, test and evaluate systems to ensure IT interoperability requirements are achieved. At key decision points and acquisition milestones, interdependencies, dependencies, and synchronization with complementary systems must be addressed. The Program Manager will ensure that interoperability certification is achieved in accordance with DoD Instruction 8330.01 (Reference (ab)).

13. DATA PROTECTION

Program managers of DoD IT systems (including those supported through contracts with external sources) that collect, maintain, use, or disseminate data must protect against disclosure to non-approved sources while meeting the organization’s record keeping needs.

a. Personally Identifiable Information (PII) must be managed in a manner that protects privacy. PII will be collected, maintained, disseminated, and used in accordance with DoD Directive 5400.11 (Reference (bw)) and DoD Regulation 5400.11-R (Reference (bx)). Privacy Impact Assessments will be managed in accordance with DoD Instruction 5400.16 (Reference (by)).

b. Scientific and technical information must be managed to make scientific knowledge and technological innovations fully accessible to the research community, industry, the military operational community, and the general public within the boundaries of law, regulation, other directives, and executive requirements, in accordance with DoD Instruction 3200.12 (Reference (bz)).

c. Program managers will comply with record-keeping responsibilities under the Federal Records Act for the information collected and retained in the form of electronic records (see DoD 5015.02-STD (Reference (bc)) for additional information on the DoD Records Management Program). Electronic record-keeping systems must preserve the information submitted, as required by 44 U.S.C. 3101 (Reference (aw)) and implementing regulations. Program managers will develop data archiving plans that delineate how records are collected, created, and stored within their systems. These plans must include processes for disposition of both temporary and permanent records. Program managers should work with Component records managers early and throughout the acquisition process.

14. SECTION 508 – ACCESSIBILITY OF ELECTRONIC AND INFORMATION TECHNOLOGY FOR INDIVIDUALS WITH DISABILITIES

Program managers will ensure that electronic and information technology developed, procured, maintained, and used by the DoD will allow persons with disabilities access to information comparable to that afforded persons without disabilities, in accordance with section 508 of the Rehabilitation Act (i.e., 29 U.S.C. 794d (Reference (ca))). For exceptions to section 508 compliance, refer to DoD Manual 8400.01-M (Reference (cb)).