7.8.7. Procedure for Risk-Based Oversight (RBO) Process
7.8.7.1. Background
7.8.7.2. Procedures for Title 40/Clinger-Cohen Act (CCA) Risk-Based Oversight
7.8.7.3. DoD Component Chief Information Officer (CIO) Self-Assessment Document
7.8.7.1. Background
Since the enactment of the Information Technology Management Reform Act of 1996, currently referred to as the Title 40/CCA, the DoD CIO has overseen the Title 40/CCA implementation of ACAT I and IA weapons and automated information systems, in accordance with the provisions of DoDI 5000.02. Under the risk-based oversight policy, the objective is to make DoD CIO oversight of Title 40/CCA compliance the exception.
Further, risk-based Title 40/CCA compliance oversight enables the DoD CIO to identify and implement a cost-effective means of ensuring Title 40/CCA compliance, by providing a decision-making framework for delegating Title 40/CCA oversight responsibility to the DoD Component CIO. In a risk-based oversight model, the DoD Component CIOs oversee programs within their portfolios, commensurate with their demonstrated level of capability across the Title 40/CCA compliance areas.
7.8.7.2. Procedures for Title 40/CCA Risk-Based Oversight
These procedures are applicable to all MAIS programs and MDAPs, even those delegated to the DoD Components. Nothing in these procedures detracts from responsibilities described in DoDI 5000.02. The risk-based oversight process addresses the manner and level of DoD CIO and DoD Component CIO involvement in oversight of MAIS and MDAP programs. The process is initiated when the DoD Component CIO conducts a self-assessment of Title 40/CCA compliance oversight capability.
7.8.7.3. DoD Component Chief Information Officer (CIO) Self-Assessment Document
This document ("Sample Self-Assessment file: 7.8.7.5. Self-Assessment of CCA Compliance.doc") asks a series of questions related to the implementation of oversight for Title 40/CCA within DoD Components. The primary audience for this assessment is the DoD Component CIO. These questions were derived from a range of resources, including policy and guidance documents, feedback from a 2004-2005 Title 40/CCA Assessment sponsored by the Office of the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer (DoD CIO)/Deputy CIO (DCIO) and USD(AT&L), and input from DoD personnel across multiple organizations and functions. For further information, see the Risk-Based Oversight for Title 40/Clinger-Cohen Act (CCA) Compliance folder in the Information Technology (IT) Community of Practice.