MULTI-YEAR PROCUREMENT—COST ANALYSIS REQUIREMENTS

a. General. A multi-year procurement contract is a contract for the purchase of property for more than 1, but not more than 5, program years. Under 10 U.S.C. 2306b (Reference (g)), for multi-year contracts for defense acquisition programs that have specifically been authorized by law, the Secretary of Defense must certify in writing by March 1 of the year in which he or she requests legislative authority to enter into the multi-year contract that specified requirements will be met and must provide the basis for that determination to the congressional defense

committees. A part of those conditions specified in section 2306b are:

(1) The use of such a contract will result in substantial savings of the total anticipated costs of carrying out the program through annual contracts.

(2) The minimum need for the property to be purchased is expected to remain substantially unchanged during the contemplated contract period in terms of production rate, procurement rate, and total quantities.

(3) There is a reasonable expectation that throughout the contemplated contract period the head of the agency will request funding for the contract at the level required to avoid contract cancellation.

(4) There is a stable design for the property to be acquired and the technical risks associated with such property are not excessive.

(5) The estimates of both the cost of the contract and the anticipated cost avoidance through the use of a multi-year contract are realistic.

(6) The use of such a contract will promote the national security of the United States. b. CAPE Role and Requirements. Prior to the Secretary’s determination under paragraph 6.a, DCAPE is required to complete a cost analysis and determine such analysis supports the

ENCLOSURE 10 133

Secretary’s findings above. In order for DCAPE to complete the cost analysis in a timely manner, the agency head must submit a list of multi-year procurement contract candidates and supporting information to DCAPE no later than October 1 of the fiscal year prior to the fiscal year in which the request for legislative authority, with accompanying certification, will be made.

c. Additional Requirements. 10 U.S.C. 2306b (Reference (g)) sets forth several other requirements for multi-year contracts. Prior to requesting authority to enter into a multi-year contract, the program manager should consult with his or her agency’s counsel to confirm that the proposed multi-year contract complies with all relevant statutes and regulations.

ENCLOSURE 11 134

ENCLOSURE 11

REQUIREMENTS APPLICABLE TO ALL PROGRAMS CONTAINING INFORMATION TECHNOLOGY (IT)

1. PURPOSE. This enclosure identifies the additional policy and procedure that apply to all programs containing IT, including National Security Systems (NSS).

2. APPLICABILITY. This enclosure applies to:

a. IT, as defined in title 40 of U.S. Code (Reference (p)), is any equipment or interconnected system or subsystem of equipment, used in the automatic acquisition, storage, analysis,

evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information; includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including support services, and related resources). IT is equipment used by the DoD directly or is used by a contractor under a contract with the DoD that requires the use of that equipment. IT does not include any

equipment acquired by a federal contractor incidental to a federal contract.

b. NSS, as defined in the Federal Information Security Management Act of 2002, 44 U.S.C. 3541, et seq. (Reference (aw)), are telecommunications or information systems operated by or on behalf of the Federal Government, the function, operation, or use of which involves intelligence activities, cryptologic activities related to national security, command and control of military forces, equipment that is an integral part of a weapon or weapons system, or, is critical to the direct fulfillment of military or intelligence missions. NSS do not include systems that are used for routine administrative and business applications (including payroll, finance, and

personnel management applications).

c. Information systems, as defined in title 44 of U.S. Code (Reference (aw)), are a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

3. CLINGER-COHEN ACT (CCA) COMPLIANCE. Subtitle III of title 40 of U.S. Code (Reference (p)) (formerly known as Division E of CCA) (hereinafter referred to as “CCA”) applies to all IT investments, including NSS.

a. For all programs that acquire IT, including NSS, at any acquisition category (ACAT) level, the Milestone Decision Authority (MDA) will not initiate a program nor an increment of a program, or approve entry into any phase of the acquisition process that requires formal

acquisition milestone approval, and the DoD Component will not award a contract for the applicable acquisition phase until:

ENCLOSURE 11 135

(1) The sponsoring DoD Component or program manager has satisfied the applicable acquisition phase-specific requirements of the CCA as shown in Table 9 in Enclosure 1 of this instruction; and

(2) The Program Manager has reported CCA compliance to the MDA and the DoD Component Chief Information Officer (CIO), or their designee.

b. The Component CIO, or their designee, will record the CCA compliance in the DoD Information Technology Portfolio Repository upon program initiation and at subsequent major decision points, and in the Acquisition Information Repository, as required.

c. Table 9 in Enclosure 1 of this instruction identifies the specific requirements for CCA compliance. These requirements will be satisfied to the maximum extent practicable through documentation developed under the Joint Capabilities Integration and Development System and the Defense Acquisition System. To report compliance, the Program Manager will prepare a table similar to Table 9 to indicate which documents demonstrate compliance with the CCA requirements.

4. POST IMPLEMENTATION REVIEW (PIR). The functional sponsor, in coordination with the Component CIO and Program Manager, is responsible for developing a plan and conducting a PIR for all fully deployed IT, including NSS. PIRs will report the degree to which doctrine, organization, training, materiel, leadership and education, personnel, facilities, and policy changes have achieved the established measures of effectiveness for the desired capability; evaluate systems to ensure positive return on investment and decide whether continuation, modification, or termination of the systems is necessary to meet mission requirements; and document lessons learned from the PIR. If the PIR overlaps with Follow-on Operational Test and Evaluation, the sponsor should coordinate planning of both events for efficiency. The preparation of the TEMP and the MDA’s decision to proceed with full-rate production satisfy the requirement for weapons systems. The post fielding assessment(s), the disposition assessment, and the disposition decision for an urgent need (as described in Enclosure 13), meet the

requirement for a PIR.

5. DOD INFORMATION ENTERPRISE ARCHITECTURE. The DoD Information Enterprise Architecture will underpin all information architecture development to realize the Joint

Information Environment. Program Managers must develop solution architectures that comply with the DoD Information Enterprise Architecture, applicable mission area and component architectures, and DoD Component architecture guidance. A program’s solution architecture should define capability and interoperability requirements, establish and enforce standards, and guide security and cybersecurity requirements. The standards used to form the Standard Viewpoints of integrated architectures will be selected from those contained in the current approved version of the DoD IT Standards Registry within the Global Information Grid Technical Guidance Federation service (Reference (br)). The IT will be tested to measures of performance derived from the solution architecture.

ENCLOSURE 11 136

6. CYBERSECURITY

a. Cybersecurity Risk Management Framework (RMF). Cybersecurity RMF steps and activities, as described in DoD Instruction 8510.01 (Reference (bg)), should be initiated as early as possible and fully integrated into the DoD acquisition process including requirements

management, systems engineering, and test and evaluation. Integration of the RMF in

acquisition processes reduces required effort to achieve authorization to operate and subsequent management of security controls throughout the system life cycle.

b. Cybersecurity Strategy. All acquisitions of systems containing IT, including NSS, will have a Cybersecurity Strategy. The Cybersecurity Strategy is an appendix to the Program Protection Plan (PPP) that satisfies the statutory requirement in section 811 of P.L. 106-398 (Reference (q)) for mission essential and mission critical IT systems. Beginning at Milestone A, the Program Manager will submit the Cybersecurity Strategy to the cognizant Component CIO for review and approval prior to milestone decisions or contract awards.

(1) For ACAT ID, IAM, and IAC programs, the DoD CIO will review and approve the Cybersecurity Strategy prior to milestone decisions or contract awards.

(2) CIOs will document the results of all reviews.

(3) If contract award is authorized as part of an acquisition milestone decision, a separate review of the Cybersecurity Strategy prior to contract award is not required.

(4) The approved Cybersecurity Strategy will be an appendix to the PPP.

7. TRUSTED SYSTEMS AND NETWORKS (TSN). Program managers of NSS; systems that have a high impact level for any of the three security objectives, Confidentiality, Integrity, or Availability; or other DoD information systems that the Component Acquisition Executive or Component CIO determines to be critical to the direct fulfillment of military or intelligence missions must identify and protect mission critical functions and components as required by DoD Instruction 5200.44 (Reference (aj)). TSN plans and implementation activities are documented in PPPs and relevant cybersecurity plans and documentation (see section 13 in Enclosure 3 of this instruction for additional details). Program managers will manage TSN risk by:

a. Conducting a criticality analysis to identify mission critical functions and critical components and reducing the vulnerability of such functions and components through secure system design.

b. Requesting threat analysis of suppliers of critical components (Supplier All Source Threat Analysis).

ENCLOSURE 11 137

d. Applying TSN best practices, processes, techniques, and procurement tools prior to the acquisition of critical components or their integration into applicable systems.

8. LIMITED DEPLOYMENT FOR A MAJOR AUTOMATED INFORMATION SYSTEM