7.8. The Clinger-Cohen Act (CCA) -- Subtitle III of Title 40 United States Code (U.S.C.)
7.8.1. Overview
7.8.2. Definitions of "information technology" and "National Security System" from Title 40/Clinger-Cohen Act
7.8.3. Mandatory Policies
7.8.1. Overview
Subtitle III of Title 40 of the United States Code (formerly known as Division E of the Clinger-Cohen Act (CCA) (hereinafter referred to as "Title 40/CCA") applies to all Information Technology (IT) investments, including National Security Systems (NSS). (Note: Throughout the remainder of this subchapter 7.8, the term “IT” is presumed to mean “IT, including NSS.”) Title 40/CCA requires Federal agencies to focus more on the results achieved through its IT investments, while streamlining the Federal IT procurement process. Specifically, this Act introduces much more rigor and structure into how agencies approach the selection and management of IT projects.
Title 40/CCA generated a number of significant changes in the roles and responsibilities of various Federal agencies in managing the acquisition of IT. It elevated oversight responsibility to the Director of the Office of Management and Budget (OMB) and established and gave oversight responsibilities to the departmental Chief Information Officer (CIO). Also, under this Act, the head of each agency is required to implement a process for maximizing the value and assessing and managing the risks of the agency's IT acquisitions.
In DoD, the DoD CIO has the primary responsibility of providing management and oversight of all Department IT to ensure the Department's IT systems are interoperable, secure, properly justified, and contribute to mission goals.
The basic requirements of the Title 40/CCA, relating to DoD's acquisition process, have been institutionalized in DoD Instruction 5000.02, "Operation of the Defense Acquisition System;" in particular, Enclosure 5, IT Considerations. The requirements delineated in the Title 40/CCA Compliance Table at Enclosure 5 of DoD Instruction 5000.02 must also be considered and applied to all IT investments, regardless of acquisition category, and tailored commensurate to size, complexity, scope, and risk levels. Table 7.8.1.T1 depicts a summary of Title 40/CCA obligations and authorities.
Table 7.8.1.T1. Summary of Clinger-Cohen Act Compliance Confirmations*
|
Statutory Authority
|
Regulatory Authority
|
|
40 U.S.C. Subtitle III
(aka Clinger-Cohen Act (CCA))
|
2001 NDAA §811
(P.L. 106-398)
|
DoDI 5000.02
|
|
MDAP
|
Comply
|
n/a
|
Confirm* Compliance
by Component CIO
|
|
MAIS
|
Comply
|
Confirm Compliance
|
Confirm Compliance
by Component CIO
|
|
All Other
|
Comply
|
n/a
|
Confirm Compliance
by Component CIO
|
|
* "Certifications" of CCA compliance are no longer required by any statute or regulation.
|
This section assists program managers, program sponsors/domain owners, members of the joint staff, and DoD Component CIO community to understand and comply with Title 40/CCA requirements. Their responsibilities are defined throughout this section and at the IT Community of Practice knowledge center, which also contains a vast array of information pertinent to specific aspects of Title 40/CCA compliance.
7.8.2. Definitions of "information technology" and "National Security System" from Title 40/Clinger-Cohen Act
Information technology.— The term “information technology”—
(A) with respect to an executive agency means any equipment or interconnected system or subsystem of equipment, used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency, if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency that requires the use—
(i) of that equipment; or
(ii) of that equipment to a significant extent in the performance of a service or the furnishing of a product;
(B) includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including support services), and related resources; but
(C) does not include any equipment acquired by a federal contractor incidental to a federal contract.
(1) National security system.— In this section, the term “national security system” means a telecommunications or information system operated by the Federal Government, the function, operation, or use of which—
(A) involves intelligence activities;
(B) involves cryptologic activities related to national security;
(C) involves command and control of military forces;
(D) involves equipment that is an integral part of a weapon or weapons system; or
(E) subject to paragraph (2), is critical to the direct fulfillment of military or intelligence missions.
(2) Limitation.— Paragraph (1)(E) does not include a system to be used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications).
7.8.3. Mandatory Policies
A comprehensive compilation of Federal laws, OMB and Budget circulars, DoD directives and instructions, and OSD policy memorandums, relevant to all aspects of Title 40/CCA compliance, is available in the CCA Policy Folder of the Acquisition Community Connection.
The Title 40/CCA Compliance Table, Table 7.8.4.T1, in Section 7.8.4 below, details actions required to comply with Title 40/CCA regulatory requirements, mandatory DoD policy, and the applicable program documentation that can be used to fulfill the requirement. This table emulates the DoD Instruction 5000.02 Title 40/CCA Compliance Table, Table 8, with the addition of columns relating the requirement to applicable Milestones and regulatory guidance.
The requirements in this table must be satisfied before Milestone approval of any Acquisition Category (ACAT) I (i.e., Major Defense Acquisition Program (MDAP)) and ACAT IA (i.e., MAIS Program) and prior to the award of any contract for the acquisition of a Mission-Critical or Mission-Essential IT system, at any level.
TAKE NOTE: The requirements delineated in this table must also be considered and applied to all IT investments, regardless of acquisition category, and tailored commensurate to size, complexity, scope, and risk levels.
DAG Tutorial 
