Acquisition of Services
AAF > Acquisition of Services > IT Services
Contracted Services
Policy
Category Management
Procedures
IT Services
FAQs & Resources
*AAF Pathway Resources*
Responsibilities
Seven-step Process
Planning Phase
Step 1: Form the Team
Step 2: Current Strategy
Step 3: Market Research
Development Phase
Step 4: Reqts Definition
Step 5: Acquisition Strategy
Execution Phase
Step 6: Execute Strategy
Step 7: Performance Mgmt
IT Services
How To Use This Site
Each page in this pathway presents a wealth of curated knowledge from acquisition policies, guides, templates, training, reports, websites, case studies, and other resources. It also provides a framework for functional experts and practitioners across DoD to contribute to the collective knowledge base. This site aggregates official DoD policies, guides, references, and more.
DoD and Service policy is indicated by a BLUE vertical line.
Directly quoted material is preceeded with a link to the Reference Source.
Reference Source: DODI 5000.74 Defense Acquisition of Services, Section 5.1
IT services are IT capabilities designed to provide awareness of, access to, and delivery of data or information made available for consumption by one or more users. Users can be an individual, organization, or machine. Examples of IT services include outsourced IT-based business processes, outsourced IT operations, outsourced information functions, and outsourced cloud computing.
Programs used to acquire commercial-off-the-shelf information systems as a supply or service, and requiring modification, development, or integration (other than what is customarily available in the commercial marketplace) in order to deliver the required capability, will follow the procedures specified in DoDI 5000.02, DoDD 8470.01E, and DoDI 5000.75, as appropriate.
Reference Source: Guidance from OUSD(A&S)
Based on DAG CH 10-2.1.1 Acquisition of Services, Jan 2020
Information Technology (IT) Services: These include providing the operation, support, and maintenance of IT, including long-haul communications and commercial satellite communications services, and may include providing commercial or military unique IT equipment with the services. IT services also include any IT or operation of IT such as the National Security Systems which are required for daily work performance. This includes outsourced IT-based business processes, outsourced IT, and outsourced information functions sometimes referred to as Cloud services, Infrastructure-as-a-Service, Platform-as-a-Service, Software-as-a-Service, and other “as-a-Service” terms referenced in the National Institute of Standards and Technology Special Publication 800-145.
Reference Source: DoDI 5000.74 Defense Acquisition of Services, Section 1.1 b(8)
This issuance does not apply to: Services that are managed and reviewed as part of major and non-major defense acquisition programs and major and non-major information technology (IT) acquisition programs, services that meet the Major Automated Information Systems thresholds (to include software as a service), or non-major programs whose primary purpose is to provide capabilities, goods, or systems in accordance with DoDI 5000.02. However, it may apply to services in the operations and support phase of these programs at the discretion of the milestone decision authority.
For more detailed guidance on how to manage the IT acquisitions, refer to DAG Chapter 6, Acquisition Information Technology and Business Systems.
Clinger- Cohen Act (CCA) Compliance
Reference Source: DODI 5000.74 Defense Acquisition of Services, Section 5.2
Clinger- Cohen Act (CCA) Compliance. CCA compliance applies to all IT services.
The CCA of 1996 was designed to improve the way the Federal Government acquires, uses and disposes of IT. It encompasses the Information Technology Management Reform Act (Division E) and the Federal Acquisition Reform Act (Division D) which were signed into law as part of the National Defense Authorization Act for Fiscal Year 1996. The Act establishes an approach for executive agencies to improve the acquisition and management of their information resources. The decision authority will not approve the acquisition of IT services and DoD Components will not award a contract for IT services until the FSM has satisfied the applicable CCA requirements.
CCA compliance actions must be executed and certified at the beginning of each effort (program or otherwise), and again when changes to the acquisition strategy would invalidate the previous compliance conditions. However, CCA compliance need not, and often should not, be certified separately for each task order in an effort. For example, the help desk support contract would not require a separate CCA certification when an IT program reaches the sustainment phase. Related task orders should be grouped together for CCA purposes.
DoD Information Enterprise
Reference Source: DODI 5000.74 Defense Acquisition of Services. Section 5.3
DoD Information Enterprise
IT capabilities that are acquired or provided as a service must align to the DoD’s Information Enterprise and the joint information environment. Alignment includes complying with:
(1) The DoD Information Enterprise Architecture.(2) DoD-wide reference and solution architectures.
(3) Applicable mission area and DoD Component architectures, in addition to the DoD Information Enterprise Architecture and DoDD 8000.01.
Acquisition planning for IT services should focus on maximizing the ability to seamlessly integrate and interoperate, based on operational context, with existing and planned IT systems and services in accordance with DoDI 8330.01.
Cloud Computing
Reference Source: DODI 5000.74 Defense Acquisition of Service, Section 5.5
Cloud Computing
Cloud computing services can deliver more efficient IT services than traditional approaches and will be used when cost effective and secure.
FSMs must comply with Subpart 239.76 of the DFARS when contracting for cloud computing services.
FSMs must refer to and comply with the current version of the DoD Cloud Computing Security Requirements Guide (CC SRG) when deciding to acquire, use, or implement any application, system, or service that uses cloud computing services. The CC SRG establishes the DoD baseline security requirements for cloud computing services.
FSMs will only acquire and use cloud computing services from a DoD or non-DoD cloud service provider (CSP) that has been granted provisional authorization (PA) by the Defense Information Systems Agency at or above the information impact level required for the DoD information being processed or stored by the cloud computing service, in compliance with the DFARS cloud computing clause. Cloud computing services possessing a PA are listed in the DoD Cloud Service Catalog.
FSMs must require non-DoD CSP’s cloud computing services to be securely connected to DoD networks in compliance with the CC SRG (referenced in Paragraph 5.8.b.) to ensure the cybersecurity posture of the DoD is not compromised. FSMs must register all cloudbased applications, their CSP’s cloud service offering, and connection method in the Defense Information Systems Agency System Network Approval Process database Cloud Module.
FSMs should refer to the section entitled “Cloud Computing” in Chapter 6 of the DAG, the Cloud Cyberspace Protection Guide, and the DoD Cloud Connection Process Guide for additional information.
FSMs must analyze cloud computing options and report all appropriate information on cloud computing service usage and investments within the Select and Native Programming Data Input System–Information Technology as directed in DoD CIO annual IT budget guidance for each cloud computing service. FSMs will consider using cloud computing services based on:
(1) Mission requirements.
(2) BCA or other cost analysis processes.
(3) Cybersecurity requirements as specified within the CC SRG.
FSMs that acquire or use cloud computing services remain responsible for ensuring that end to end security and computer network defense requirements are met and are supported by a cybersecurity service provider in accordance with DoDI 8530.01. Before operational use, all applications, services, and information systems being delivered using a cloud service must have an authority to operate granted by the FSM’s authorizing official. Leveraging the DoD PA for the cloud service, the authority to operate will cover the use of the cloud service and any DoD provided software, data, networks, system connections, and processes that comprise the application, service, or information system.
Reference Source: DoD Cloud Acquisition Guidebook
DoD Approach for Acquisition of Commercial Cloud Services
Acquiring cloud services should follow normal acquisition processes with associated systems engineering rigor. In other words, acquiring cloud products and services does not mean throwing out all existing processes and practices. This means that solid requirements definition, robust market research and other applicable actions should take place. However, there is a difference in how to effectively harness commercial best practices in the cloud such as rate-based/consumption-based services using existing acquisition constraints. To help in these efforts, the following table provides suggested activities that specifically assist in acquiring cloud services. In addition to the information below, Appendix C in this Guidebook provides detailed Examples of different Commercial Cloud Acquisition Scenarios as an effective aid in understanding common cloud computing requirements and walks through defining an acquisition approach and understanding associated considerations.
Commercial IT
Reference Source: DODI 5000.74 Defense Acquisition of Services, Section 5.8
Commercial IT
When acquiring commercial IT and commercial IT services (e.g., software as a service, software maintenance as a service, IT maintenance, and software assurance), FSMs must consider the DoD Fourth Estate, Federal Category Management Leadership Council-designated, best-in-class procurement vehicles, DoD-wide Joint Enterprise License Agreements (JELAs), DoD Component-level Enterprise License Agreements (ELAs), and Core Enterprise Technology Agreements. Enterprise acquisition vehicles for IT services are listed on the DoD Enterprise Software Initiative portal (http://www.esi.mil/).
Instructions and additional detail can be found in Subpart 208.74 of the DFARS; the DoD CIO Guidance and Policy Memorandum 12-8430; the Department of Defense Information Technology Enterprise Strategy and Roadmap of October 2011; OMB Policy Memorandums M03-14, M-04-08, M-04-16, and M-05-25; and the DoD Enterprise Software Initiative website. Information about IT and strategic sourcing purchasing solutions, including JELA and ELA information, can be found at http://www.esi.mil. JELA and ELA information can be found at http://www.ditco.disa.mil.
Reference Source: DODI 5000.82, Acquisition of Information Technology, Section 3.9
IT Category Management and the DOD Enterprise Software Initiative (ESI)
When acquiring commercial IT, PMs and acquisition personnel must consider, taking into account government contracting laws and regulations, the suitability of using DoD IT Category Management purchasing solutions, the DoD ESI, Federal Category Management procurement vehicles, and DoD Component level enterprise software licenses. PMs and acquisition personnel will document these considerations in the acquisition strategy, to include selection rationale. These purchasing vehicles are not intended to dictate the products or services to be acquired.
For procurement of commercial software that is within the scope of a core enterprise technology agreement, adherence to DoDD 8470.01E is required. Additional detail is provided in:
- Subpart 208.74 of the Defense Federal Acquisition Regulation Supplement.
- Office of Management and Budget Policy Memorandums M-19-13, M-16-02, M-16-12, and M-16-20.
- The DoD ESI website.
References
- GSA Cloud Information Center
- DoDI 5010.44, Intellectual Property (IP) Acquisition and Licensing
- NIST Definition of Cloud Computing
- Cybersecurity Quick Reference (Black Card)
- Department of Veterans (VA) Affairs Mobile Applications Cloud Migration Case Study
- DoDI 5000.82, Acquisition of Information Technology