Enclosure 11 -- Management of Defense Business Systems

1. Purpose
2. Definition
3. Acquisition Review Procedures
   Figure 3. IRB Certification and DBSMC Approval Process
4. Annual Review

1. PURPOSE. This enclosure describes the procedures for review and certification of defense business system modernizations with total modernization or development funding exceeding $1 million.

2. DEFINITION. The term "defense business system" means an information system, other than a national security system, operated by, for, or on behalf of the Department of Defense, including financial systems, mixed systems, financial data feeder systems, and IT and information assurance infrastructure. Defense business systems support business activities such as acquisition, financial management, logistics, strategic planning and budgeting, installations and environment, and human resource management.

3. ACQUISITION REVIEW PROCEDURES

1. Obligation of Funds: Funds shall not be obligated for defense business systems until the DBSMC approves the certification required by section 2222 of Reference (k).
2. IRB: An IRB shall facilitate program communications and issue resolution, and shall support the MDA for ACAT IAM business systems.
3. Enterprise Risk Assessment Methodology (ERAM): An independent risk assessment shall be performed prior to all milestone decisions for each ACAT IAM business system. These assessments are known as ERAM assessments. The ERAM findings shall be provided to the IRB and the MDA prior to all milestone decisions. Additional ERAMs can be requested by the cognizant IRB or the MDA. For programs below the MAIS threshold, the responsible MDA and the PM shall consider a similar independent risk assessment.
4. The CAE shall provide the cognizant IRB with a written statement that the program is compliant with applicable statute and regulation (e.g., the requirements in Enclosure 4), describe any issues applicable to the milestone decision, and recommend approval of the milestone by the MDA.
5. Figure 3 depicts executive-level certification and approval activities for defense business systems. The IRB Concept of Operations (Reference (bx)) and IRB User Guidance (Reference (by)) provide additional detail on the process, roles and responsibilities, and documentation requirements. The following principal actions shall support IRB Certification and DBSMC approval:

Figure 3. IRB Certification and DBSMC Approval Process.

1. Prepare. The PM shall describe the program and update the DoD global business system inventory regarding the specific certification request. The PM shall complete an economic viability review and prepare other plans or analyses as required by the DoD Component Pre-Certification Authority (PCA) or the responsible IRB.
2. Validate. Each DoD Component shall designate a PCA (typically within its CIO organization) with portfolio responsibility for the organization. The PCA shall serve as the primary authority within the DoD Component responsible for review and validation of business systems certification requests, and shall identify the programs requiring IRB Certification and DBSMC approval. The PCA shall be responsible for validation of all information submitted by the PM. The PCA shall maintain a readily available library of supporting documentation for all defense business system programs. The PCA shall transmit the validated defense business system certification request to the responsible IRB for certification.
3. Certify
   1. The responsible IRB advises the IRB Chair on matters related to defense business system certification requests. The IRB Chair shall determine whether each request:
      1. is in compliance with the enterprise architecture; or
      2. is necessary to achieve a critical national security capability or address a critical requirement in an area such as safety or security; or
      3. is necessary to prevent a significant adverse effect on a project that is needed to achieve an essential capability, taking into consideration the alternative solutions for preventing such adverse effect.
   2. If the IRB Chair determines that the certification request satisfies one or more of the above criteria, the Chair shall recommend that the appropriate Approval Authority sign a certification memorandum and request DBSMC approval. The Approval Authorities (also referred to as Certification Authorities) are the USD(AT&L) for any defense business system of which the primary purpose is to support acquisition, logistics, or installations and environment activities; USD(C) for any defense business system of which the primary purpose is to support financial management, or strategic planning and budgeting activities; USD(P&R) for any defense business system of which the primary purpose is to support human resource management activities; ASD(NII) for any defense business system of which the primary purpose is to support information technology infrastructure or information assurance activities; and the Deputy Secretary of Defense for any defense business system of which the primary purpose is to support any DoD activity not covered in this paragraph (section 2222 of Reference (k)). The certification memorandum shall include any conditions placed on the certification.
4. Approve. The DBSMC Chair is the final approval authority for all defense business system certification requests. The Chair shall document decisions in an official memorandum to affected PMs through the DoD Component PCAs. DBSMC Chair approval shall occur before the first milestone review of an acquisition program or technology project. The PM shall include a copy of the DBSMC-approved DoD Certification Authority Memorandum with the documentation provided to the MDA. A DBSMC certification approval does not constitute authority to execute an acquisition program. Consistent with those documents, only the appropriate MDA can approve the acquisition strategy, technology readiness, milestones, and other aspects of a formal acquisition program. The statutory and regulatory requirements specified in this document, and applicable to business systems, shall be followed.

4. ANNUAL REVIEW. Following DBSMC approval, the IRB Chair shall review the program annually. If the IRB Chair determines that the system has failed to comply with previously imposed conditions, or that risks to the system are not acceptable, the Chair may recommend de-certification to the DBSMC through the DoD Certification Authority.