DON IT Policy Roundup for FY 2013

Published, February 21, 2013

The Department of the Navy Information Technology Policy Roundup for fiscal year (FY) 2013 provides a summary of policies affecting IT projects and programs. For more detail, please review the entire policy at the links provided.

Information Technology Expenditure Approval Authorities

DON leadership believes there are significant opportunities for gains in operational effectiveness and resource efficiency through centralization and consolidation of organizational IT efforts. Decentralized authority to initiate, develop and sustain IT projects often resulted in duplicative capabilities or capabilities not aligned with the DON’s IT goals and objectives, creating inefficiencies and impediments to operational effectiveness. Therefore, the DON has designated three Information Technology Expenditure Approval Authorities (ITEAAs): one each for the Navy, Marine Corps and DON Secretariat. The ITEAAs ensure all IT projects undertaken in the department are not duplicative of, and are integrated with, other DON IT investments and are aligned with DON and Department of Defense (DoD) enterprise architectures, goals and objectives.

DON commands must not perform resource planning, programming or budgeting, or take action to acquire or procure any IT-related software, hardware or service within specified thresholds established by the Navy, Marine Corps and Secretariat ITEAAs unless the action has been approved by the appropriate authority. Designated ITEAAs are listed below, with action officer level points of contact (POC):

  • Organization: DON Secretariat, ITEAA: DON CIO, Action Level POC: Trish VanBelle, POC Contact Information: trish.vanbelle@navy.mil
  • Organization: Navy, ITEAA: OPNAV N2/N6, Action Level POC: Jeff Dominick, POC Contact Information: jeffery.dominick@navy.mil
  • Organization: Marine Corps, ITEAA: HQMC C4, Action Level POC: Robin Thomas, POC Contact Information: robin.a.thomas@usmc.mil

NOTE: DON CIO policy establishes ITEAA approval thresholds as: $1 million or more (Navy and Marine Corps) and $100,000 or more (DON Secretariat). However, the Navy and Marine Corps established lower approval thresholds of $500,000 and $25,000 respectively. Additionally, the Navy and DON Secretariat require all IT expenditures below the ITEAA threshold (excluding authorized exemptions such as supplies and IT embedded weapons systems) to be approved by an Echelon II Command Information Officer (Navy) or the DON Administrative Assistant (DON/AA) (DON Secretariat). View the ITEAA policy memo.

DON/AA POC: Andrew Adam, andrew.adam@navy.mil

Data Center Consolidation

DON CIO memorandum of 20 July 2011, "Department of the Navy Data Center Consolidation (DCC) Policy Guidance" established a moratorium on all DON investment (including individual program of record resources) in increased data storage capacity without first determining that existing DON data center capacity is insufficient to meet requirements and that it is not more cost effective to expand existing DON-owned capacity. Section 2867 of the National Defense Authorization Act (NDAA) for fiscal year 2012 further prohibited obligation for any data center hardware, software or service unless first approved by the applicable Navy or Marine Corps DON Deputy CIO (DDCIO), DON CIO and DoD CIO.

DON organizations are to give first priority to consolidation into existing DON-owned Space and Naval Warfare Systems Command (SPAWARSYSCOM), Navy Marine Corps Intranet (NMCI) or Marine Corps enterprise data centers. The next preferred choice is consolidation into commercial or DoD enterprise data centers that meet or exceed DON enterprise data center standards and are demonstrated by business case analysis (BCA) to be a better value while continuing to meet the DON mission. Achieving savings is a priority for all DON data center consolidations, but appropriate levels of continuity of operations and disaster recovery must be maintained.

DON CIO POC: Randy Darrow, randy.darrow@navy.mil

Required Use of DON Enterprise IT Standard Business Case Analysis (BCA) Template

DON CIO memorandum of 15 April 2011, "Department of the Navy (DON) Enterprise Information Technology (IT) Standard Business Case Analysis Template" instituted a standard template for all business case analyses (BCAs) supporting DON IT investments subject to DON Information Enterprise Governance Board (IGB) consideration. DON CIO memorandum of 30 June 2011, "Required Use of Department of the Navy (DON) Information Technology Standard Business Case Analysis Template" extended that requirement to include all DON IT-related initiatives and projects requiring DON, functional area manager or Echelon Two enterprise-level board consideration. The DON CIO requires use of the template for IT investments exceeding $1 million and strongly recommends that other DON decision authorities, such as commanders, command information officers, portfolio and investment managers, resource sponsors and acquisition executives, use the BCA template to support their investment decisions.

Use of the standard template promotes consistency, facilitates meaningful comparisons of alternative proposals, and clearly defines expected costs, benefits, operational impacts and risks. Decision authorities may tailor the template to fit their needs and project scope. View the DON Enterprise IT Standard BCA Template and a User Guide.

DON CIO POC: Trish VanBelle, trish.vanbelle@navy.mil

IM/IT Certification and Annual Review Requirements

Business Mission Area (BMA) Defense Business System (DBS) Certification (DBS > $1M): Section 901 of the FY12 National Defense Authorization Act (NDAA), now codified in Title 10 USC 2222, significantly expands the scope of systems requiring certification to include any business system with a total cost exceeding $1 million over the Future Years Defense Program (FYDP), regardless of appropriation. To satisfy the new Title 10 requirements, the joint Deputy Under Secretary of the Navy Deputy Chief Management Officer (DUSN DCMO) and DON CIO memorandum of Nov. 14, 2012, "Fiscal Year (FY) 2013 Business Mission Area (BMA) Process Changes," implemented the following policy for all business system certifications:

  1. Program managers (PMs) are required to establish Architecture Compliance and Requirements Traceability (ACART) Tool accounts (https://acart.osd.mil/) not later than Jan. 31, 2013.
  2. PMs are required to complete the self-assertion portion of the DON Enterprise Architecture (EA) and all other fields in the DoD Information Technology Portfolio Repository-DON (DITPR-DON) not later than March 31, 2013.
  3. PMs are required to assert compliance with Business Enterprise Architecture (BEA) 10.0 using the ACART Tool and to complete all associated mappings on the ARCH Tab in DITPR-DON not later than March 31, 2013.
  4. All appropriate stakeholders and subject matter experts (SMEs) that review DITPR-DON and DON EA data are required to complete their work not later than June 15, 2013. (Note: The CERT Tab should not be signed until the BEA 10.0 mappings on the ARCH Tab are completed.)

Failure to comply with the requirements above may result in a system's exclusion from the DON Organizational Execution Plan (OEP) submitted to OSD for certification. Additional guidance regarding the BMA certification process will be provided by the DUSN DCMO.

DUSN DCMO POC: Jason Greenawalt, jason.greenawalt@navy.mil

BMA DBS Annual Reviews (for DBS < $1M): 10 U.S.C. 2222 established the requirement for annual review of all DBSs, including those with total funding of less than $1 million, in any appropriation, through the FYDP. Per OSD guidance, annual reviews of systems below the $1 million threshold are a component responsibility. Accordingly, it is DON policy that no funding, in any appropriation, may be obligated during FY13 for any BMA system without prior approval by the applicable DDCIO (Navy or Marine Corps). To ensure reviews are performed consistently across the BMA, the BMA certification review timeline and requirements in subparagraphs i through iv above apply equally to BMA DBS annual reviews.

Reviews must be approved by the appropriate authorities not later than June 15, 2013. Failure to obtain approval by that date may result in FY14 Dev/Mod funding deferrals or budget reductions during the FY15 DON budget review. To comply with the law, after a system’s initial review, the applicable DDCIO must approve each subsequent annual review of that system within 12 months of the preceding review. Refer to DON Information Management/Information Technology Investment Review Process Guidance v4.0 of Oct. 1, 2009 for a description of the review/approval process.

DDCIO (Navy) POC: Mike Cricchio, michael.cricchio1@navy.mil
DDCIO (Marine Corps) POC: Julius Pfeifle, julius.pfeifle@usmc.mil

Enterprise Information Environment Mission Area (EIEMA) Certification and Annual Reviews: In the DON, the requirements for certifications and annual reviews that apply to DBSs extend to all entities in the EIEMA. Accordingly, DON CIO must approve obligations of $1 million or more in FY13 Dev/Mod funds for EIEMA systems or projects. The appropriate DDCIO must approve obligations below the $1 million threshold. Approvals must be obtained no later than June 15, 2013. Failure to obtain approval by that date may result in FY14 Dev/Mod funding deferrals or budget reductions during the FY15 DON budget review. To comply with the law, after a system’s initial review, the applicable DDCIO must approve each subsequent annual review of that system within 12 months of the preceding review. Refer to the IM/IT Investment Review Process Guidance for a description of the review/approval process.

DON CIO POC: Anna Tarrant, anna.tarrant@navy.mil
DDCIO (Navy) POC: Mike Cricchio, michael.cricchio1@navy.mil
DDCIO (Marine Corps) POC: Julius Pfeifle, julius.pfeifle@usmc.mil

Warfighter Mission Area (WMA) and Defense Intelligence Mission Area (DIMA) Investment Reviews: The DDCIOs will review WMA and DIMA investments, applying the guidance and process formerly provided for BMA and EIEMA Non-Tier annual reviews and outlined in the IM/IT Investment Review Process Guidance. These reviews will include assessment of DON Enterprise Architecture (EA) compliance. All WMA and DIMA entities registered in DITPR-DON must be reviewed not later than Sept. 13, 2013. Refer to the IM/IT Investment Review Process Guidance for additional details.

DDCIO (Navy) POC: Mike Cricchio, michael.cricchio1@navy.mil
DDCIO (Marine Corps) POC: Julius Pfeifle, julius.pfeifle@usmc.mil

DON Enterprise Architecture Compliance: DON CIO memorandum of Sept. 26, 2012, "Release of the Department of the Navy Enterprise Architecture Version 4.0.000" requires all entities registered in DITPR-DON, including National Security Systems (NSS), to self-assess annually for compliance with the DON EA. These assessments are to be performed in conjunction with Defense Business System certification or DON annual reviews. All BMA and EIEMA entities must be reviewed and validated against the DON EA not later than June 15, 2013. All WMA and DIMA validations must be completed by Sept. 13, 2013. All Navy training systems, devices and simulators that are connected, or those that could potentially connect to the Global Information Grid (GIG), must complete annual DON EA compliance assessment, including commercial off-the-shelf (COTS) software mapping. Training systems, devices and simulators that do not and could not connect to the GIG must use the map tab to identify all software they employ, but they are not required to complete DON EA compliance assessment. Failure to obtain DON EA compliance validation or waiver by the dates specified above may result in FY14 Dev/Mod funding deferrals or budget reductions during the FY15 DON budget review. View details about DON EA compliance and the waiver request process.

DON CIO POC: Fumie Wingo, fumie.wingo@navy.mil

IT Budget (PBIS-IT (formerly NITE/STAR), SNaP-IT, DITPR-DON) Registration

10 U.S.C. 2222 requires that each DBS be reported separately in the IT budget exhibits, in each case specifying the amounts budgeted for Dev/Mod and current services. The DON satisfies this requirement by registering each DBS with a unique Program/Budget Information System-Information Technology (PBIS-IT) (formerly NITE/STAR) Automated Information System extension (AIS/EXT) and a unique Select and Native Programming Data Input System-IT (SNaP-IT) Budget Initiative Number (BIN). Accordingly, DON commands may not obligate FY13 funds (including Navy Working Capital Fund (NWCF) costs and capital budget authority) for a DBS unless it has been assigned a PBIS-IT AIS/EXT and SNaP-IT BIN and registered in DITPR-DON.

ASN (FM&C) POC: B. J. Dauro, bj.dauro@navy.mil

DADMS/DITPR-DON Registration

The joint DUSN DCMO and DON CIO memorandum of Sept. 17, 2012, "Achieving Measurable Efficiencies Through Data Center Consolidation, System and Application Rationalization Guidance" requires all unclassified ashore networks to be registered in the DON Application and Database Management System (DADMS). Specifically, it stipulates that the DDCIO (Navy), DDCIO (Marine Corps), and Secretariat FAMs must ensure that all unclassified ashore networks are registered in DADMS.

DON commands may not obligate FY13 funds (including NWCF and capital budget authority) for acquisition, development, modernization, operation or maintenance of unregistered networks, servers or associated network devices.

Navy and Marine Corps policy requires all software applications to be registered in DADMS and approved by the appropriate FAM (see NAVADMIN 124/05 and MARADMIN 226/04). No software application is authorized to operate on DON networks unless it is registered in DADMS and designated "Approved" or "AWR" by the appropriate FAM.

The DITPR and DoD SIPRNET IT Registry Guidance of Aug. 10, 2009 requires registration of all IT systems (including NSS) in DITPR or the DoD SIPRNet IT Registry, as appropriate. The DON registers systems in DITPR-DON for upload to DITPR. The criteria that qualify projects as IT systems for this purpose are defined in the DITPR-DON Process Guidance v1.0.

DON commands may not obligate FY13 funds (including NWCF and capital budget authority) for any unregistered IT system.

DITPR/DADMS POC: Katie Petrillo, katie.petrillo@navy.mil

Federal Information Security Management Act (FISMA)

FISMA applies to the DON Information Assurance (IA) program. The act requires certification and accreditation (C&A) of DON systems and networks, all-hands IA awareness training, and specialized training for users with privileged network functions. It also requires oversight of system and network protection (including system and network intrusion metrics), annual security plan and contingency plan testing, and annual security reviews. It is DON policy to maintain continuous 100 percent compliance with FISMA requirements. Any DON system reported in DITPR-DON as delinquent for annual testing, privacy impact assessment (PIA) or certification & accreditation (authority to operate or interim authority to operate) is subject to non-compliance consequences at any time. Consequences may include denial of authorization to operate or restrictions on use of dev/mod funds to only those actions necessary to attain FISMA compliance until compliance is achieved. View the DON Federal Information Security Management Act Goals.

DON CIO POC: Jennifer Ellett, jennifer.ellett@navy.mil

Electromagnetic Spectrum Supportability

OMB Circular A-11, Part 2, Sec. 31, Para. 31.12 directs that the National Telecommunications and Information Administration, Department of Commerce certify that the necessary radio frequency can be made available before estimates are submitted for development or procurement of major radio spectrum-dependent communications electronics systems (including all systems employing space satellite techniques). DON commands may not obligate funds for a spectrum-dependent system unless a Spectrum Supportability Risk Assessment conducted per Enclosure 3 of DODI 4650.1, "Policy and Procedures for Management and Use of the Electromagnetic Spectrum," has determined that spectrum sufficient for system operation will be available throughout its life cycle.

DON CIO POC: Tom Kidd, thomas.kidd@navy.mil

Portals

The DON Navy Marine Corps Portal (NMCP) Environment Strategy of 7 July 2011 establishes the vision, goals, objectives and governance to be used to migrate DON organizations to the NMCP environment. The NMCP environment must provide secure, interoperable, and integrated portal capabilities and resources to rapidly deliver secure data and information to operational forces around the globe. As DON portals are consolidated, recovered resources will be used to fund the remaining centralized portals. Consolidation will be overseen by DON CIO, which has approval and exception authority for EIEMA investments (including portals) of $1 million or more, and the DON Deputy CIOs, who exercise the same authorities for EIEMA investments under $1 million.

DON CIO POC: Molly Johnson, molly.johnson@navy.mil

Commercial Software Investment

DON activities and programs must comply with applicable policy when acquiring commercial software, regardless of dollar amount or ordering method (including orders placed through defense contractors). Applicable policy includes:

  • Defense Federal Acquisition Regulation Supplement (DFARS) 208.74 and 212.212
  • Enclosure 5, paragraph 6 of DoD Instruction 5000.02
  • Paragraph 3.2. of Secretary of the Navy Instruction 5000.2E
  • Under Secretary of Defense (AT&L) – DoD CIO Joint Policy Memorandum dated Dec. 22, 2005, "Department of Defense (DoD) Support for SmartBUY Initiative" and
  • ASN (RD&A)/ASN (FM&C)/DON CIO Memorandum of Feb. 22, 2012, "Mandatory Use of Department of the Navy Enterprise Licensing Agreements"

A requiring or buying official who deems it necessary to waive use of DoD Enterprise Software Initiative agreements must request a waiver following the process prescribed by Navy Marine Corps Acquisition Supplement (NMCARS) Subpart 5208.7403 and Enclosure (2) of the Feb. 22, 2012 DON joint memorandum (listed above).

DON CIO POC: Floyd Groce, floyd.groce@navy.mil

DoD CIO Memo of Jan. 3, 2012, "DoD SHA-256 Cryptographic & Hash Algorithm Transition Guidance" directs that COTS software purchased for use on the NIPRNET or SIPRNET that implements or supports DoD network cryptographic logon, web server authentication, reading/signing email, or digital document signing must be SHA-256 compliant (i.e., it will have embedded support for use of the SHA-256 algorithm in the purchased software). View more information about SHA-256 compatible COTS products.

DON CIO POC: Roddy Staten, roddy.staten@navy.mil

DON Enterprise Licensing Agreements (ELAs)

The ASN (RD&A), ASN (FM&C) and DON CIO joint memorandum of Feb. 22, 2012, "Mandatory Use of Department of the Navy Enterprise Licensing Agreements" requires that when a DON ELA exists, DON organizations and programs must employ it to procure software, hardware and related services, including procurement via government purchase card. Authority to waive DON ELA use resides with the DON CIO and is delegated to the DDCIOs for their respective services. All DON Secretariat waiver requests will be adjudicated by the DON CIO, who will also consider appeals for waiver requests denied by the DDCIOs.

POCs (for policy questions):
ASN(RD&A): Roger Yee, roger.yee@navy.mil
ASN(FM&C): B.J. Dauro, bj.dauro@navy.mil
DON CIO: Don Reiter, donald.reiter@navy.mil

POCs (for waiver requests)
DON CIO: Don Reiter, donald.reiter@navy.mil
DDCIO (Navy): Andi St. John, andrea.stjohn@navy.mil
DDCIO (USMC): Robin Thomas, robin.thomas@usmc.mil

Electronic Records Management (ERM)

Title 36, Code of Federal Regulations, Section 1236.6(a) requires agencies to integrate records management (RM) into the design, development, enhancement, and implementation of electronic information systems (EIS). DON policy, per SECNAV Instruction 5210.8D, requires incorporation of records management into EIS development and redesign. Exporting a system's records to a DoD certified records management application (RMA) is an acceptable way to meet RM requirements.

Per SECNAVINST 5210.8D and DON CIO memorandum, "Department of the Navy Electronic Records Management and Record Electronic Mail (E-Mail) Management," of June 15, 2007, RMAs used for managing electronic records, including record email, must comply with DoD 5015.2-STD, "Electronic Records Management Software Applications Design Criteria Standard," of April 25, 2007. Total Records and Information Management (TRIM), a certified RMA, is available to DON organizations served by NMCI/NGEN.

DON CIO POC: Jim Knox, jim.knox@navy.mil

TAGS: Cybersecurity, DADMS/DITPR-DON, DCC, Efficiencies, ELA, KM, RM, Spectrum
