Tuesday, January 14, 2025

PPM CIO-055 ARMY CHIEF INFORMATION OFFICER CLINGER-COHEN ACT COMPLIANCE GUIDANCE FOR NON-ACQUISITION INFORMATION TECHNOLOGY INVESTMENTS

https://armypubs.army.mil/epubs/DR_pubs/DR_a/ARN42820-PPM_CIO-055-000-WEB-1.pdf

DEPARTMENT OF THE ARMY
CHIEF INFORMATION OFFICER
107 ARMY PENTAGON
WASHINGTON DC 20310-0107
AD-RES-AC-055
SAIS-AD (25-1rrrr) 14 January 2025
MEMORANDUM FOR SEE DISTRIBUTION
SUBJECT: Army Chief Information Officer Clinger-Cohen Act Compliance Guidance for
Non-Acquisition Information Technology Investments
1. References. See Enclosure 1.
2. Purpose. This memorandum standardizes and streamlines Army Chief Information
Officer (CIO) guidance on Clinger-Cohen Act (CCA) requirements for Information
Technology (IT). This guidance is intended for IT investments that—
a. Are not Army-managed acquisition programs IAW DODD 5000.01 (reference 1a),
DODI 5000.02 (reference 1b) and AR 70-1 (reference 1c);
b. Provide enterprise capabilities, allocate funds towards an IT capability, or utilize
Army IT enterprise infrastructure; and
c. Are projected to require a total expenditure between $25 million and less than
$100 million (RDT&E) or less than $400 million (procurement) across the Future Years
Defense Program (FYDP).
3. Background.
a. Army organizations deliver enterprise capabilities via IT systems procured
outside the formal acquisition process, which results in less oversight. These
investments, initially reported to cost below ACAT I and II program thresholds, share
similar characteristics with higher cost ACAT I and II programs but are procured without
undergoing CCA compliance assessments.
b. The CIO is the primary advisor concerning the effective, efficient, and secure use
of IT to accomplish the Army's mission in accordance with 10 United States Code
(U.S.C.) (reference 1d), §2223(b) and 40 U.S.C., Subtitle III, §11315(b) (reference 1e).
c. In accordance with 40 U.S.C., Subtitle III, Chapter 113 (reference 1f), all
programs that acquire information technology, including national security systems, are
subject to the requirements of the Clinger-Cohen Act.
d. The CIO Standardization of Clinger-Cohen Act Compliance Guidance
memorandum dated 1 Dec 23 (reference 1g) applies only to Army-managed acquisition
programs as defined in DODD 5000.01 and DODI 5000.02.
4. Applicability.
a. This guidance applies to all Army organizations, Army commands (ACOMs),
Army Service Component Commands (ASCCs), Program Executive Offices (PEOs),
Direct Reporting Units (DRUs), the Army National Guard, and the Army Reserve.
b. Science & Technology IT efforts, funded using Budget Activities 6.1-6.3, are
excluded from the provisions of this memorandum.
5. Guidance. Prior to capability deployment, all organizations procuring IT systems (as
described in paragraph 2a-c) will ensure investment owners:
a. Select the acquisition pathway and subsequent CCA actions most applicable to
their IT investment. Consult the Defense Acquisition University Adaptive Acquisition
Framework (AAF) website (reference 1h) for more comprehensive information and
guidance specific to each acquisition pathway.
b. Complete and maintain CCA compliance confirmation documentation locally.
This documentation should include the following:
(1) A completed CCA confirmation table indicating the documents that support
applicable CCA compliance actions (see Enclosure 2).
(2) Electronic copies or access to documents cited in the CCA confirmation
table.
c. Register IT in the Army Portfolio Management Solution (APMS) and acknowledge
CCA compliance requirements in accordance with APMS instructions. This does not
remove the requirement to register IT in other applications (e.g., Army Data Catalog,
eMASS).
d. Develop software not subject to formal acquisition oversight in accordance with
Army Directive 2024-02 (reference 1i).
6. Compliance.
a. The CIO will ensure IT investments are aligned with the Army’s strategic vision
and operational direction through established governance forums (e.g., Chief
Information Officer Executive Board (CIO EB), Army Unified Network Council (AUNC)),
and in coordination with IT stakeholders (e.g., Mission Areas, Program Executive
Offices (PEOs)).
b. The CIO will coordinate with system owners, as necessary, throughout the IT
system lifecycle to provide recommendations, respond to inquiries, and provide support
as needed.
c. System owners will conduct yearly strategic reviews, capability gap assessments,
risk assessments, and interdependency assessments in accordance with DA PAM 25-1-1
(reference 1j). Results will be communicated through existing processes and
governance forums.
d. System owners will maintain and update IT records and associated CCA
compliance status in APMS as necessary, or at a minimum yearly, in accordance with
APMS instructions.
7. Duration.
a. This guidance is effective upon signature and remains in effect until superseded,
rescinded, or incorporated into Army regulation.
b. The Office of the CIO will ensure this memorandum is reviewed no later than 1
October of each calendar year for supersession, rescission, or inclusion in the next
edition of AR 25-1 (reference 1k).
8. Points of contact.
a. CIO Policy Inbox: usarmy.pentagon.hqda-cio.mbx.policy-inbox@army.mil.
b. SAIS-AD: Dr. Gregory C. Smoots, Deputy Director, Architecture, Data,
Standards, at gregory.c.smoots.civ@army.mil.
LEONEL T. GARCIGA
Chief Information Officer
3 Encls
1–2. as
3. Terms of Reference
DISTRIBUTION:
Principal Officials of Headquarters, Department of the Army
Commander
U.S. Army Forces Command
U.S. Army Training and Doctrine Command
U.S. Army Materiel Command
U.S. Army Futures Command
U.S. Army Pacific
U.S. Army Europe and Africa
U.S. Army Central
U.S. Army North
U.S. Army South
U.S. Army Special Operations Command
Military Surface Deployment and Distribution Command
U.S. Army Space and Missile Defense Command/Army Strategic Command
U.S. Army Cyber Command
U.S. Army Medical Command
U.S. Army Intelligence and Security Command
U.S. Army Corps of Engineers
U.S. Army Military District of Washington
U.S. Army Test and Evaluation Command
U.S. Army Corrections Command
U.S. Army Human Resources Command
Superintendent, U.S. Military Academy
Commandant, U.S. Army War College
Director, U.S. Army Civilian Human Resources Agency
Executive Director, Military Postal Service Agency
Director, U.S. Army Criminal Investigative Division
Director, Civilian Protection Center of Excellence
Director, U.S. Army Joint Counter-Small Unmanned Aircraft Systems Office
Superintendent, Arlington National Cemetery
Director, U.S. Army Acquisition Support Center
CF:
Principal Cyber Advisor
Director of Enterprise Management
Director, Office of Analytics Integration
Commander, Eighth Army
References
a. DoDD 5000.01 (The Defense Acquisition System)
b. DoDI 5000.02 (Operation of the Adaptive Acquisition Framework)
c. AR 70-1 (Army Acquisition Policy)
d. 10 U.S.C., § 2223 (Information Technology)
e. 40 U.S.C., Subtitle III, § 11315 (Agency Chief Information Officer)
f. 40 U.S.C., Subtitle III, § 11101 et seq. (Clinger-Cohen Act of 1996)
g. CIO memorandum (U.S. Army Chief Information Officer Standardization of
Clinger-Cohen Act Compliance Guidance), 01 Dec 2023
h. Defense Acquisition University, Adaptive Acquisition Framework (AAF) website
(https://aaf.dau.edu/)
i. Army Directive 2024-02 (Enabling Modern Software Development and Acquisition
Practices)
j. AR 25-1-1 (Army Information Technology Implementation Instructions)
k. AR 25-1 (Army Information Technology)
l. DoDI 8580.1 (IA in the Defense Acquisition System)
m. Joint Capabilities Integration and Development System Manual (Manual for the
Operation of the Joint Capabilities Integration and Development System)
n. DoDD 8000.01 (Management of the Department of Defense Information Enterprise
(DOD IE))
o. DoDI 5000.75 (Business Systems Requirements and Acquisition)
p. DoDI 5000.82 (Acquisition of IT)
q. DA PAM 70-3 (Army Acquisition Procedures)
r. Secretary of the Army memorandum (Information Technology Investment
Accountability), 21 July 2020
s. Federal Acquisition Regulation
t. Defense Federal Acquisition Regulation Supplement
Enclosure 1
CCA Compliance Implementation Guidance. This enclosure describes compliance
considerations and provides examples of likely sources of information that demonstrate
compliance with each of the 11 CCA actions. Investment owners should consult the
examples in this enclosure to help identify the CCA actions applicable to their
investment situation.
Note: Not all 11 CCA actions may apply to every investment.
For more comprehensive information and guidance specific to each acquisition
pathway, consult the Adaptive Acquisition Framework Document Identification
(AAFDID) tool on the Defense Acquisition University Adaptive Acquisition Framework
(AAF) website (https://aaf.dau.edu/).
1. CCA Compliance Action 1. Make a determination that the acquisition supports
core, priority functions of the DOD.
a. Documents submitted to comply with this action should validate and explain the
rationale supporting the relationship between the Army’s mission (i.e., core/priority
functions) as found in Army mission and strategy documents, and the IT function
supported by the investment or acquisition.
b. Supporting information is generally found in an approved Initial Capabilities
Document (ICD), Information Systems (IS) ICD, Capability Requirements Document
(CRD), or Capability Needs Statement (CNS). DOD core/primary functions are
documented in national strategies and DOD mission and strategy documents like the
Quadrennial Defense Review, Strategic Planning Guidance, Joint Operating Concepts,
Joint Functional Concepts, Integrated Architectures, the Business Enterprise
Architecture, the Universal Joint Task List, mission area statements, or Service mission
statements. Other potential sources include the Capability Development Document
(CDD) and Analysis of Alternatives (AoA).
2. CCA Compliance Action 2. Establish outcome-based performance measures
linked to strategic goals.
a. Documents submitted to comply with this action should describe the desired
outcome and how the program would develop and deploy the solution to achieve that
outcome. Outcome-based performance measures (OBPMs) should measure the
value-added contribution of the IT investment to missions, goals, and objectives and provide a
clear basis for assessing accomplishment and aiding decision-making.
b. Supporting documentation is generally found in an approved ICD or IS ICD, CDD,
CNS, CRD, AoA, Acquisition Program Baseline (APB), or Performance Measurement
Plan.
Enclosure 2
3. CCA Compliance Action 3. Redesign the processes that the system supports
to reduce costs, improve effectiveness, and maximize the use of commercial
off-the-shelf technology.
a. Documents submitted to comply with this action should demonstrate how the
investment reduces costs and improves performance. Documents should describe the
actions taken to streamline, re-engineer, or redesign existing processes to reduce costs,
improve effectiveness, and maximize the use of commercial-off-the-shelf (COTS) items
or tailored versions of government-off-the-shelf (GOTS) technology that better support
the organization’s mission.
b. Supporting information is generally found in an approved ICD or IS ICD, Concept
of Operations, AoA, CDD, Acquisition Strategy, or Business Process Reengineering
documentation.
4. CCA Compliance Action 4. Determine that no private sector or government
source can better support the function.
a. Documents submitted to comply with this action should demonstrate that the
acquisition is being undertaken by the Army because it requires unique capabilities that
are not found in the private sector or elsewhere in the public sector in a way that can
support the function more effectively or at less cost. The Program should determine that
the proposed function does not duplicate or overlap with an existing function being
performed elsewhere by the Federal Government, DOD, or Army agencies.
b. Supporting information is generally found in an approved Acquisition Strategy,
supported by an approved AoA or equivalent analysis. Another potential source is the
Market Survey (if one has been performed).
5. CCA Compliance Action 5. Analyze alternatives.
a. Documents submitted to comply with this action are generally an Acquisition
Strategy and an approved AoA or equivalent analysis. Use OMB Circular A-11,
Preparation, Submission and Execution of the Budget, to determine the criteria to be
used in the AoA or equivalent analysis. Another useful document is OMB's Capital
Planning Guide, especially Part 7, Section 300 (Planning, Budgeting, Acquisition, and
Management of Capital Assets), and the Part 7 Supplement. Other potential sources
include the Business Case Analysis, Trade Survey, Cost and Operational Effectiveness
Analysis (COEA), Market Surveys, Cost-Benefit Analysis (CBAs), or equivalent
documents that demonstrate best value.
b. The AoA or equivalent analysis submitted to comply with this action should
address—
(1) Whether the program conducted a thorough analysis and considered enough
reasonable alternatives (DODI 5000.02 states that in developing feasible alternatives,
the AoA identifies a wide range of solutions that have a reasonable likelihood of providing
the needed capability),
(2) The alternatives examined (including the pros and cons of each alternative), and
(3) Why the selected alternative was chosen and why the remaining
alternatives were not chosen.
6. CCA Compliance Action 6. Conduct an Economic Analysis that includes a
calculation of the return on investment; or for non-automated information system
(AIS) programs, conduct a life-cycle cost estimate.
a. Documents submitted to comply with this action should provide a calculated
Return on Investment (ROI) or LCCE depending on the type of system being acquired.
DODI 5000.75 provides guidance on how to satisfy the ROI requirement for Defense
Business Systems acquisition programs. DODI 7041.03 provides guidance on how to
satisfy the ROI requirement for all other defense programs. DODI 5000.74 provides
CCA guidance for the acquisition of contracted services.
b. Supporting information generally describes the benefits used to calculate the ROI
and the distinction between cost avoidance and cost savings.
7. CCA Compliance Action 7. Develop clearly established measures and
accountability for program progress.
a. Documents submitted to comply with this action should describe the process
reporting, tools, and metrics for measuring program progress and post-deployment
evaluation to include cost, schedule, and technical performance. Clearly established
measures and accountability for program progress should be linked to strategic goals.
The respective roles and responsibilities for the PMO and the contractors involved in the
program in enforcing program control and Milestone Decision Authority-level directions
to ensure accountability for program progress should be described.
b. Supporting information is generally found in an approved Acquisition Strategy.
Other potential sources are an approved APB and an Earned Value Management
System (EVMS).
8. CCA Compliance Action 8. Ensure that the acquisition is consistent with the
DOD Information Enterprise policies and architecture, to include relevant
standards.
a. Architecture viewpoints and models submitted to comply with this action should
best represent approved requirements, capabilities and functions of requirements, and
the technical interfaces and integration points required for interoperability. Submissions
should provide graphic views that define integration and alignment to the information
enterprise and describe the system's function, dependencies, and interfaces with other
IT. Viewpoints and models should be developed in accordance with Department of
Defense Architecture Framework (DoDAF) or the Unified Architecture Framework (UAF)
and CIO Information Technology Architecture guidance.
b. The supporting documentation consists of the associated Information Technology
Architecture viewpoints and models, generally found in an Information Support Plan
(ISP), an approved Joint Capabilities and Integration Development System (JCIDS)/
Army Capabilities Integration and Development System (ACIDS) capability development
document, CNS, or CRD. The final ISP is required during the milestone before the final
decision to deploy the capability.
9. CCA Compliance Action 9. Ensure that the program has a Cybersecurity
Strategy that is consistent with DOD policies, standards, and architectures, to
include relevant standards.
a. All acquisitions of systems containing IT will have a Cybersecurity Strategy
(CSS), in accordance with DoDI 8580.1 (reference 1l). The PM will develop the CSS
and obtain Army CIO approval as part of the program protection plan prior to milestone
decisions or contract awards.
b. The CSS submitted to comply with this action should describe how the program’s
Cybersecurity features comply with applicable DOD and Army policies, standards, and
architectures, and describe the program’s certification and accreditation approach.
For more comprehensive CSS information, requirements, and applicability, consult the
Army CIO Cybersecurity Directorate.
10. CCA Compliance Action 10. Ensure, to the maximum extent practicable, (1)
modular contracting has been used, and (2) the program is being implemented in
phased, successive increments, each of which meets part of the mission need
and delivers measurable benefit, independent of future increments.
a. Documents submitted to comply with this action should describe the extent to
which modular contracting principles are adhered to. Under modular contracting, a system
is acquired in successive acquisitions of interoperable increments that are easier to
manage, address complex IT objectives, are not dependent on subsequent increments,
take advantage of technology advancements, and reduce risk through avoidance of
custom-designed components. Documentation should describe
the relationship between each increment and the mission need and benefit associated
with that increment.
b. Supporting information is generally found in an approved Acquisition Strategy.
11. CCA Compliance Action 11. Register Mission-Critical and Mission-Essential
systems with the DOD CIO.
a. The program or system must be registered in the Army Portfolio Management
Solution (APMS) and receive an Army IT Registry (AITR) number, which feeds the DOD
Information Technology Portfolio Repository (DITPR).
b. Program Managers and system owners are responsible for—
(1) Ensuring the program is registered in APMS.
(2) Ensuring system registration contains the appropriate designation for the
CCA Compliance requirement.
(3) Verifying system information is complete, current, and accurate.
Terms of Reference
Acquisition Category (ACAT)
Categories established to facilitate decentralized decision making and execution and
compliance with statutorily imposed requirements. The categories determine the level of
review, decision authority, and applicable procedures. (DoDD 5135.02)
Army Unified Network Council (AUNC)
The AUNC serves as the principal forum for Army Unified Network Plan (AUNP)
governance and reviews topics requiring Army Senior Leader decisions for potential
referral to the Army Digital Oversight Council (ADOC) and Information Technology
Oversight Council (ITOC). This governance structure synchronizes decisions, precludes
actions being worked in siloed forums, and provides risk-informed direction for
execution.
Chief Information Officer Executive Board (CIO EB)
The CIO EB provides strategic guidance and direction to the Army, related to the CIO's
authority and duty to take action on all matters related to information resource
management (IRM), cybersecurity, and IT architecture. The CIO EB ensures that
stakeholders' needs and conditions are evaluated to develop balanced, enterprise-wide
IRM, cybersecurity, and IT architecture objectives.
Information Technology
Any equipment or interconnected system or subsystem of equipment, used in the
automatic acquisition, storage, analysis, evaluation, manipulation, management,
movement, control, display, switching, interchange, transmission, or reception of data or
information by the executive agency, if the equipment is used by the executive agency
directly or is used by a contractor under a contract with the executive agency that
requires the use— (i) of that equipment; or (ii) of that equipment to a significant extent in
the performance of a service or the furnishing of a product; (B) includes computers,
ancillary equipment (including imaging peripherals, input, output, and storage devices
necessary for security and surveillance), peripheral equipment designed to be controlled
by the central processing unit of a computer, software, firmware and similar procedures,
services (including support services), and related resources; but (C) does not include
any equipment acquired by a federal contractor incidental to a federal contract. (DAU
Glossary of Defense Acquisition Acronyms and Terms)
Information Technology Oversight Council (ITOC)
The ITOC is a senior leader review group, co-chaired by the Under Secretary of the
Army and Vice Chief of Staff of the Army designed to provide Army senior leaders with
greater situational understanding of IT programs, investments, and resourcing. The
ITOC is designed to integrate activities and assessments across the four IT mission
areas: WMA, EIEMA, DIMA, and the BMA in order to provide guidance and direction,
prioritize investment, allocate resources, and resolve conflicts.
Enclosure 3
Managed Acquisition Program
A directed, funded effort that provides a new, improved, or continuing materiel, weapon
or IS, or service capability in response to an approved need. (DoDD 5000.01)
National Security System
Any information system (including any telecommunications system) used or operated by
an agency or a contractor of an agency, or other organization on behalf of an agency,
the function, operation, or use of which: (1) involves intelligence activities; (2) involves
cryptologic activities related to national security; (3) involves the command and control
of military forces; (4) involves equipment that is an integral part of a weapons or
weapons system; or (5) is critical to the direct fulfillment of military or intelligence
missions. Item (5) above does not include a system that is to be used for routine
administrative and business applications (including payroll, finance, logistics, and
personnel management applications). (DAU Glossary of Defense Acquisition Acronyms
and Terms)
Resource Integration Group (RIG)
The RIG is a senior level advisory body chartered to advise the Program Budget
Advisory Committee and the AENC on resourcing strategies; provide in-depth advice on
financial aspects of the Army’s network, including data flow, storage, and access; and
provide input on all IT strategies for hardware (HW) sustainment and refresh policy
through the planning, programming, budgeting, and execution (PPBE) process.
System
A functionally, physically, and/or behaviorally related group of regularly interacting or
interdependent elements; that group of elements forming a unified whole.
Threshold
Reflects the minimum performance required to achieve the required operational effect,
while being achievable through the current state of technology at an affordable life-cycle
cost. Performance below the threshold value is not operationally effective or suitable or
may not provide an improvement over current capabilities. (DAU Glossary of Defense
Acquisition Acronyms and Terms)