Table 10 – CCA Compliance

Table 10 is located in Enclosure 1 Section 6 CCA Compliance.

 

Table 10. CCA Compliance
Actions Required to Comply With the CCA
(Subtitle III of title 40 of U.S. Code (Reference (p)))1
Applicable Program Documentation2
1. Make a determination that the acquisition supports core, priority functions of the DoD.3 ICD, IS ICD, Problem Statement for a DBS, or urgent need requirements documents
2. Establish outcome-based performance measures linked to strategic goals.3, 4 ICD, IS ICD, CDD, CPD, AoA, APB7
3. Redesign the processes that the system supports to reduce costs, improve effectiveness and maximize the use of commercial off-the-shelf technology.3, 4 ICD, IS ICD, Concept of Operations, AoA, Business Process Reengineering
4. Determine that no private sector or government source can better support the function.4, 5 Acquisition Strategy, AoA
5. Conduct an analysis of alternatives.4, 5 AoA
6. Conduct an economic analysis that includes a calculation of the return on investment; or for non-AIS programs, conduct a life-cycle cost estimate.4, 5 Component Cost Estimate, Component Cost Position, Program Economic Analysis for MAIS programs
7. Develop clearly established measures and accountability for program progress.4 Acquisition Strategy, APB7, TEMP7
8. Ensure that the acquisition is consistent with the DoD Information Enterprise policies and architecture, to include relevant standards.4 CDD NR-KPP, CPD NR-KPP, ISP
9. Ensure that the program has a Cybersecurity Strategy that is consistent with DoD policies, standards and architectures, to include relevant standards.4 Cybersecurity Strategy, Program Protection Plan, Risk Management Framework Security Plan
10. Ensure, to the maximum extent practicable, (1) modular contracting has been used, and (2) the program is being implemented in phased, successive increments, each of which meets part of the mission need and delivers measurable benefit, independent of future increments.4 Acquisition Strategy
11. Register Mission-Critical and Mission-Essential systems with the DoD CIO.4, 6 DoD Information Technology Portfolio Repository

Notes:
1. Table 2 in this enclosure indicates when the program manager must report CCA compliance.

2. The system documents/information cited are examples of the most likely but not the only references for the required information. If other references are more appropriate, they may be used in addition to or instead of those cited. Include page(s) and paragraph(s), where appropriate. Urgent needs may cite the associated urgent needs documentation to demonstrate CCA compliance, e.g., the Course of Action and/or the network connection documentation.

3. These requirements are presumed to be satisfied for weapons systems with embedded IT and for Command and Control Systems that are not themselves IT systems.

4. These actions are also required to comply with section 811 of Public Law 106-398 (Reference (q)).

5. For NSS, these requirements apply to the extent practicable (40 U.S.C. 11103 (Reference (p)) discusses NSS).

6. Mission-Critical Information System. A system that meets the definitions of “information system” and “national security system” in the Clinger-Cohen Act (Subtitle III of title 40 of U.S. Code (Reference (p))), the loss of which would cause the stoppage of warfighter operations or direct mission support of warfighter operations. (The designation of mission critical will be made by a DoD Component head, a Combatant Commander, or their designee. A financial management IT system will be considered a mission-critical IT system as defined by the Under Secretary of Defense (Comptroller) (USD(C)).) A “Mission-Critical Information Technology System” has the same meaning as a “Mission-Critical Information System.”

Mission-Essential Information System. A system that meets the definition of “information system” in 44 U.S.C. 3502 (Reference (aw)), that the acquiring DoD Component Head or designee determines is basic and necessary for the accomplishment of the organizational mission. (The designation of mission-essential will be made by a DoD Component head, a Combatant Commander, or their designee. A financial management IT system will be considered a mission-essential IT system as defined by the USD(C).) A “Mission-Essential Information Technology System” has the same meaning as a “Mission-Essential Information System.”

7. The APB and TEMP may be submitted in draft to expedite program assessment.

Share This