(a) Defense Business Processes Generally.—The Secretary of Defense shall ensure that defense business processes are reviewed, and as appropriate revised, through business process reengineering to match best commercial practices, to the maximum extent practicable, so as to minimize customization of commercial business systems.

Ask a legal question, get an answer ASAP!
Click here to chat with a lawyer about your rights.

(b) Defense Business Systems Generally.—The Secretary of Defense shall ensure that each covered defense business system developed, deployed, and operated by the Department of Defense—

(1) supports efficient business processes that have been reviewed, and as appropriate revised, through business process reengineering;

(2) is integrated into a comprehensive defense business enterprise architecture;

(3) is managed in a manner that provides visibility into, and traceability of, expenditures for the system; and

(4) uses an acquisition and sustainment strategy that prioritizes the use of commercial software and business practices.

(c) Issuance of Guidance.—

(1) Secretary of defense guidance.—The Secretary shall issue guidance to provide for the coordination of, and decision making for, the planning, programming, and control of investments in covered defense business systems.

(2) Supporting guidance.—The Secretary shall direct the Chief Information Officer of the Department of Defense, the Under Secretary of Defense for Acquisition and Sustainment, and the Chief Information Officer of each of the military departments to issue and maintain supporting guidance, as appropriate and within their respective areas of responsibility, for the guidance of the Secretary issued under paragraph (1).

(d) Guidance Elements.—The guidance issued under subsection (c) shall include the following elements:

(1) Policy to ensure that the business processes of the Department of Defense are continuously reviewed and revised—

(A) to implement the most streamlined and efficient business processes practicable; and

(B) to eliminate or reduce the need to tailor commercial off-the-shelf systems to meet or incorporate requirements or interfaces that are unique to the Department of Defense.

(2) A process to establish requirements for covered defense business systems.

(3) Mechanisms for the planning and control of investments in covered defense business systems, including a process for the collection and review of programming and budgeting information for covered defense business systems.

(4) Policy requiring the periodic review of covered defense business systems that have been fully deployed, by portfolio, to ensure that investments in such portfolios are appropriate.

(5) Policy to ensure full consideration of sustainability and technological refreshment requirements, and the appropriate use of open architectures.

(6) Policy to ensure that best acquisition and systems engineering practices are used in the procurement and deployment of commercial systems, modified commercial systems, and defense-unique systems to meet Department of Defense missions.

(7) Policy to ensure a covered defense business system is in compliance with the Department’s auditability requirements.

(8) Policy to ensure approvals required for the development of a covered defense business system.

(e) Defense Business Enterprise Architecture.—

(1) Blueprint.—The Secretary, working through the Chief Information Officer of the Department of Defense, shall develop and maintain a blueprint to guide the development of integrated business processes within the Department of Defense. Such blueprint shall be known as the “defense business enterprise architecture”.

(2) Purpose.—The defense business enterprise architecture shall be sufficiently defined to effectively guide implementation of interoperable defense business system solutions and shall be consistent with the policies and procedures established by the Director of the Office of Management and Budget.

(3) Elements.—The defense business enterprise architecture shall—

(A) include policies, procedures, business data standards, business performance measures, and business information requirements that apply uniformly throughout the Department of Defense; and

(B) enable the Department of Defense to—

(i) comply with all applicable law, including Federal accounting, financial management, and reporting requirements;

(ii) routinely produce verifiable, timely, accurate, and reliable business and financial information for management purposes;

(iii) integrate budget, accounting, and program information and systems; and

(iv) identify whether each existing business system is a part of the business systems environment outlined by the defense business enterprise architecture, will become a part of that environment with appropriate modifications, or is not a part of that environment.

(4) Integration into information technology architecture.—(A) The defense business enterprise architecture shall be integrated into the information technology enterprise architecture required under subparagraph (B).

(B) The Chief Information Officer of the Department of Defense shall develop an information technology enterprise architecture. The architecture shall describe a plan for improving the information technology and computing infrastructure of the Department of Defense, including for each of the major business processes conducted by the Department of Defense.

(5) Common enterprise data.—The defense business enterprise shall include enterprise data that may be automatically extracted from the relevant systems to facilitate Department of Defense-wide analysis and management of its business operations.

(6) Roles and responsibilities.—

(A) The Chief Information Officer of the Department of Defense, in coordination with the Chief Data and Artificial Intelligence Officer, shall have primary decision-making authority with respect to the development of common enterprise data. In consultation with the Defense Business Council, the Chief Information Officer shall—

(i) develop an associated data governance process; and

(ii) oversee the preparation, extraction, and provision of data across the defense business enterprise.

(B) The Chief Information Officer and the Under Secretary of Defense (Comptroller) shall—

(i) in consultation with the Defense Business Council, document and maintain any common enterprise data for their respective areas of authority;

(ii) participate in any related data governance process;

(iii) extract data from defense business systems as needed to support priority activities and analyses;

(iv) when appropriate, ensure the source data is the same as that used to produce the financial statements subject to annual audit;

(v) in consultation with the Defense Business Council, provide access, except as otherwise provided by law or regulation, to such data to the Office of the Secretary of Defense, the Joint Staff, the military departments, the combatant commands, the Defense Agencies, the Department of Defense Field Activities, and all other offices, agencies, activities, and commands of the Department of Defense; and

(vi) ensure consistency of the common enterprise data maintained by their respective organizations.

(C) The Director of Cost Assessment and Program Evaluation shall have access to data for the purpose of executing missions as designated by the Secretary of Defense.

(D) The Secretary of Defense, the Chairman of the Joint Chiefs of Staff, the Secretaries of the military departments, commanders of combatant commands, the heads of the Defense Agencies, the heads of the Department of Defense Field Activities, and the heads of all other offices, agencies, activities, and commands of the Department of Defense shall provide access to the relevant system of such department, combatant command, Defense Agency, Defense Field Activity, or office, agency, activity, and command organization, as applicable, and data extracted from such system, for purposes of automatically populating data sets coded with common enterprise data.

(f) Defense Business Council.—

(1) Requirement for council.—The Secretary shall establish a Defense Business Council to provide advice to the Secretary on developing the defense business enterprise architecture, reengineering the Department’s business processes, developing and deploying defense business systems, and developing requirements for defense business systems. The Council shall be chaired by the Chief Information Officer of the Department of Defense.

(2) Membership.—The membership of the Council shall include the following:

(A) The Chief Information Officers of the military departments, or their designees.

(B) The Chief Management Officers of the military departments, or their designees.

(C) The following officials of the Department of Defense, or their designees:

(i) The Under Secretary of Defense for Acquisition and Sustainment with respect to acquisition, logistics, and installations management processes.

(ii) The Under Secretary of Defense (Comptroller) with respect to financial management and planning and budgeting processes.

(iii) The Under Secretary of Defense for Personnel and Readiness with respect to human resources management processes.

(iv) The Chief Data and Artificial Intelligence Officer of the Department of Defense.

(g) Approvals Required for Development.—

(1) Initial approval required.—The Secretary shall ensure that a covered defense business system program cannot proceed into development (or, if no development is required, into production or fielding) unless the appropriate approval official (as specified in paragraph (2)) determines that—

(A) the system has been, or is being, reengineered to be as streamlined and efficient as practicable, and the implementation of the system will maximize the elimination of unique software requirements and unique interfaces;

(B) the system and business system portfolio are or will be in compliance with the defense business enterprise architecture developed pursuant to subsection (e) or will be in compliance as a result of modifications planned;

(C) the system has valid, achievable requirements and a viable plan for implementing those requirements (including, as appropriate, market research, business process reengineering, and prototyping activities);

(D) the system has an acquisition strategy designed to eliminate or reduce the need to tailor commercial off-the-shelf systems to meet unique requirements, incorporate unique requirements, or incorporate unique interfaces to the maximum extent practicable; and

(E) the system is in compliance with the Department’s auditability requirements.

(2) Appropriate official.—For purposes of paragraph (1), the appropriate approval official with respect to a covered defense business system is the following:

(A) Except as may be provided in subparagraph (C), in the case of a priority defense business system, the Chief Information Officer of the Department of Defense.

(B) Except as may be provided in subparagraph (C), for any defense business system other than a priority defense business system—

(i) in the case of a system of a military department, the Chief Information Officer of that military department; and

(ii) in the case of a system of a Defense Agency or Department of Defense Field Activity, or a system that will support the business process of more than one military department or Defense Agency or Department of Defense Field Activity, the Chief Information Officer of the Department of Defense.

(C) In the case of any defense business system, such official other than the applicable official under subparagraph (A) or (B) as the Secretary designates for such purpose.

(3) Annual certification.—For any fiscal year in which funds are expended for development or sustainment pursuant to a covered defense business system program, the appropriate approval official shall review the system and certify, certify with conditions, or decline to certify, as the case may be, that it continues to satisfy the requirements of paragraph (1). If the approval official determines that certification cannot be granted, the approval official shall notify the milestone decision authority for the program and provide a recommendation for corrective action.

(4) Obligation of funds in violation of requirements.—The obligation of Department of Defense funds for a covered defense business system program that has not been certified in accordance with paragraph (3) is a violation of section 1341(a)(1)(A) of title 31.

(h) Responsibility of Milestone Decision Authority.—The milestone decision authority for a covered defense business system program shall be responsible for the acquisition of such system and shall ensure that acquisition process approvals are not considered for such system until the relevant certifications and approvals have been made under this section.

(i) Definitions.—In this section:

(1)(A) Defense business system.—The term “defense business system” means an information system that is operated by, for, or on behalf of the Department of Defense, including any of the following:

(i) A financial system.

(ii) A financial data feeder system.

(iii) A contracting system.

(iv) A logistics system.

(v) A planning and budgeting system.

(vi) An installations management system.

(vii) A human resources management system.

(viii) A training and readiness system.

(B) The term does not include—

(i) a national security system; or

(ii) an information system used exclusively by and within the defense commissary system or the exchange system or other instrumentality of the Department of Defense conducted for the morale, welfare, and recreation of members of the armed forces using nonappropriated funds.

(2) Covered defense business system.—The term “covered defense business system” means a defense business system that is expected to have a total amount of budget authority, over the period of the current future-years defense program submitted to Congress under section 221 of this title, in excess of $50,000,000.

(3) Business system portfolio.—The term “business system portfolio” means all business systems performing functions closely related to the functions performed or to be performed by a covered defense business system.

(4) Covered defense business system program.—The term “covered defense business system program” means a defense acquisition program to develop and field a covered defense business system or an increment of a covered defense business system.

(5) Priority defense business system.—The term “priority defense business system” means a defense business system that is—

(A) expected to have a total amount of budget authority over the period of the current future-years defense program submitted to Congress under section 221 of this title in excess of $250,000,000; or

(B) designated by the Chief Information Officer of the Department of Defense as a priority defense business system, based on specific program analyses of factors including complexity, scope, and technical risk, and after notification to Congress of such designation.

(6) Enterprise architecture.—The term “enterprise architecture” has the meaning given that term in section 3601(4) of title 44.

(7) Information system.—The term “information system” has the meaning given that term in section 11101 of title 40, United States Code.

(8) National security system.—The term “national security system” has the meaning given that term in section 3552(b)(6)(A) of title 44.

(9) Business process mapping.—The term “business process mapping” means a procedure in which the steps in a business process are clarified and documented in both written form and in a flow chart.

(10) Common enterprise data.—The term “common enterprise data” means business operations or management-related data, generally from defense business systems, in a usable format that is automatically accessible by authorized personnel and organizations.

(11) Data governance process.—The term “data governance process” means a system to manage the timely Department of Defense-wide sharing of data described under subsection (e)(6)(A).