U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

CCA Compliance


  1. Home
  2. About AAFDID
  3. CCA Compliance

CCA Compliance

Actions Required to Comply With the CCA
(Subtitle III of title 40 of U.S. Code)

Applicable Program Documentation

​1. Make a determination that the acquisition supports core, priority functions of the DoD.3

​ICD, Information Systems (IS) ICD, or urgent need requirements documents

​2. Establish outcome-based performance measures linked to strategic goals.3, 4


​3. Redesign the processes that the system supports to reduce costs, improve effectiveness and maximize the use of commercial off-the-shelf technology.3, 4

ICD, IS ICD, Concept of Operations, AoA, Business Process Reengineering

​4. Determine that no private sector or government source can better support the function.4, 5

​Acquisition Strategy, AoA

​5. Conduct an analysis of alternatives.4, 5


​6. Conduct an economic analysis that includes a calculation of the return on investment; or for non-AIS programs, conduct a life-cycle cost estimate.4, 5

​Component Cost Estimate, Component Cost Position

​7. Develop clearly established measures and accountability for program progress.4

​Acquisition Strategy, APB7,TEMP7

​8. Ensure that the acquisition is consistent with the DoD Information Enterprise policies and architecture, as described in DoDI 5000.82 .4

​CDD NR-KPP, ISP, Applicable JIE Reference Architectures

​9. Ensure that the program has a Cybersecurity Strategy that is consistent with DoD policies, standards and architectures, to include relevant standards.4

​Cybersecurity Strategy, Program Protection Plan, Risk Management Framework Security Plan

10.  Ensure, to the maximum extent practicable, (1) modular contracting has been used, and (2) the program is being implemented in phased, successive increments, each of which meets part of the mission need and delivers measurable benefit, independent of future increments.4

​Acquisition Strategy

​11. Register Mission-Critical and Mission-Essential systems with the DoD CIO.4, 6

​DoD Information Technology Portfolio Repository

Table Notes:

1. The Milestone and Phase Information Requirements table indicates when the PM must report CCA compliance.

2. The system documents/information cited are examples of the most likely but not the only references for the required information.  If other references are more appropriate, they may be used in addition to or instead of those cited.  Include page(s) and paragraph(s), where appropriate.  Urgent needs may cite the associated urgent needs documentation to demonstrate CCA compliance, e.g., the Course of Action and/or the network connection documentation.

3. These requirements are presumed to be satisfied for weapons systems with embedded IT and for Command and Control Systems that are not themselves IT systems.

4. These actions are also required to comply with §811 of P.L. 106-398.

5  For NSS, these requirements apply to the extent practicable (40 U.S.C. 11103 discusses NSS).

6. Mission-Critical Information System.  A system that meets the definitions of “information system” and “national security system” in the Clinger-Cohen Act (Subtitle III of title 40 of U.S. Code, the loss of which would cause the stoppage of warfighter operations or direct mission support of warfighter operations.  (The designation of mission critical will be made by a DoD Component head, a Combatant Commander, or their designee.  A financial management IT system will be considered a mission-critical IT system as defined by the Under Secretary of Defense (Comptroller)/Chief Financial Officer, Department of Defense (USD(C)/CFO).)  A “Mission-Critical Information Technology System” has the same meaning as a “Mission-Critical Information System.”

Mission-Essential Information System.  A system that meets the  definition of “information system” in 44 U.S.C. 3502, that the acquiring DoD Component head or designee determines is basic and necessary for the accomplishment of the organizational mission.  (The designation of mission-essential will be made by a DoD Component head, a Combatant Commander, or their designee.  A financial management IT system will be considered a mission-essential IT system as defined by the USD(C)/CFO.)  A “Mission-Essential Information Technology System” has the same meaning as a “Mission-Essential Information System.”

7. The APB and TEMP may be submitted in draft to expedite program assessment.