UNCLASSIFIED//
ATTENTION INVITED TO
ROUTINE
R 132022Z OCT 11 PSN 413001K09
FM CNO WASHINGTON DC
TO NAVADMIN
ZEN//OU=DOD/OU=NAVY/OU=ADDRESS LISTS(UC)/CN=AL NAVADMIN(UC)
INFO ZEN/CNO WASHINGTON DC
BT
UNCLAS
***THIS IS A 2 SECTION MESSAGE COLLATED BY OIX GATEWAY NORFOLK VA***
QQQQ
SUBJ: INFORMATION SYSTEM CERTIFICATION AND ACCREDITATION (C&A) COMPLIANCE
UNCLASSIFIED//
FM CNO WASHINGTON DC//N2N6//
TO NAVADMIN
UNCLAS//
NAVADMIN 307/11
MSGID/GENADMIN/CNO WASHINGTON DC/SEP 11//
SUBJ/INFORMATION SYSTEM CERTIFICATION AND ACCREDITATION (C&A) COMPLIANCE//
REF/A/DOC/DODI 8510.01/20071128//
REF/B/DOC/OPNAV 5239.1C/20080820//
REF/C/DOC/NAVADMIN 099/11/R221430Z MAR 11
NARR/REF A IS DEPARTMENT OF DEFENSE (DOD) INSTRUCTION 8510.01, DOD INFORMATION ASSURANCE CERTIFICATION AND ACCREDITATION PROCESS (DIACAP). REF B IS OPNAVINST 5239.1C, NAVY INFORMATION ASSURANCE (IA) PROGRAM. REF C IS NAVADMIN 099/11, CERTIFICATION AND ACCREDITATION (C&A) COMPLIANCE.
POC/CDR JULIE ROSATI/OPNAV N2N6FBC4B/LOC: WASHINGTON, DC/EMAIL: JULIANA.ROSATI(AT)NAVY.MIL/TEL: 571-256-8523//
POC/KATE MATHERS/CIV/FLTCYBERCOM OPERATIONAL DESIGNATED ACCREDITING AUTHORITY (ODAA)/LOC:NORFOLK, VA/EMAIL: KATHERINE.MATHERS(AT)NAVY.MIL/TEL: 757-417-7903 EXT4/
POC/NATALIE TAYLOR/CIV/FLTCYBERCOM ODAA/LOC: NORFOLK, VA/ TEL: 757-417-7927 EXT 1/EMAIL: NATALIE.TAYLOR(AT)NAVY.MIL//
POC/ODAA OFFICE/FLTCYBERCOM/TEL: 757-417-6719 EXT 0/ EMAIL: FCC(UNDERSCORE)ODAA(AT)NAVY.MIL//
RMKS/1. EFFECTIVE IMMEDIATELY, OPNAV WILL IMPLEMENT PROVISIONS OF REF A, WHICH REQUIRE DOD COMPONENT CHIEF INFORMATION OFFICER (CIO) APPROVAL FOR SYSTEM ACCREDITATIONS WITH CATEGORY I (CAT I) FINDINGS OR SYSTEMS THAT HAVE BEEN ON AN INTERIM AUTHORITY TO OPERATE (IATO) FOR LONGER THAN 360 DAYS. DEPUTY DEPARTMENT OF THE NAVY (DON) CIO NAVY (DDCIO(N)) SERVES AS THE DOD COMPONENT CIO FOR APPROVAL PURPOSES. EII CIOS MAY REQUEST APPROVAL BY ENTERING THE SYSTEM ESCALATION PROCESS, DESCRIBED IN PARAS 2-4 BELOW.
PREVIOUSLY THESE PROVISIONS WERE ENFORCED ONLY FOR ACCREDITATIONS ASSOCIATED WITH A DEFENSE INFORMATION SYSTEMS AGENCY (DISA) COMMAND COMMUNICATIONS SERVICE DESIGNATOR (CCSD). DDCIO(N), IN COLLABORATION WITH U.S. FLEET CYBER COMMAND/U.S. TENTH FLEET (FCC/C10F), WILL ENFORCE POLICY COMPLIANCE FOR ALL ACCREDITATIONS TO REDUCE OVERALL RISK TO THE GLOBAL INFORMATION GRID (GIG) WHILE ENSURING LIMITED IMPACT TO OPERATIONAL READINESS.
2. PER REFERENCES A THROUGH C, ALL NAVY OPERATIONAL SYSTEMS AND NETWORKS MUST BE CERTIFIED AND ACCREDITED UNLESS EXEMPTED FROM CERTIFICATION AND ACCREDITATION (C&A) BY DOD OR DON POLICY. ALL C&A PACKAGES FOR SYSTEMS AND NETWORKS MUST BE IN COMPLIANCE WITH REFERENCE A. TO ALLOW SUFFICIENT TIME FOR REVIEW AND ESCALATION OF DIACAP PACKAGES, COMMANDS WITH EXPIRING ACCREDITATIONS MUST ENTER THE C&A PROCESS BY UPLOADING A DIACAP PACKAGE TO INFORMATION ASSURANCE TRACKING SYSTEM (IATS) AND NOTIFY THE ASSIGNED SECOND ECHELON (EII) COMMAND FOR COLLABORATION SCHEDULING WITH C&A STAKEHOLDERS AT LEAST 90 DAYS PRIOR TO EXPIRATION, OR SOONER IN ACCORDANCE WITH EII GUIDELINES.
3. IN CASES WHEN MITIGATION AND/OR CLOSURE OF CAT I FINDINGS IS NOT POSSIBLE OR THE SYSTEM OWNER REQUIRES ADDITIONAL TIME TO ANALYZE AND IDENTIFY SOLUTIONS, THE OWNING EII COMMAND INFORMATION OFFICER (CIO) MAY REQUEST APPROVAL TO CONTINUE SYSTEM OPERATION FROM DDCIO(N). SUBMIT THE REQUEST TO ODAA AT LEAST 75 DAYS PRIOR TO THE BEGINNING OF THE MONTH OF EXPIRATION TO CONTINUE OPERATING WITH CAT I FINDINGS AND/OR FOR LONGER THAN 360 CONSECUTIVE DAYS ON AN IATO. THE FOLLOWING IS THE APPROVAL ESCALATION PROCESS AND TIMELINE:
A. NAVY'S OPERATIONAL DESIGNATED ACCREDITING AUTHORITY (ODAA) WILL RELEASE MONTHLY NAVAL MESSAGES PUBLISHING KNOWN EXPIRATIONS OF SYSTEM ACCREDITATIONS DUE TO EXPIRE WITHIN 90 DAYS FOR SYSTEMS THAT HAVE CAT I FINDINGS AND/OR HAVE BEEN ON IATO FOR LONGER THAN 360 DAYS.
THIS MESSAGE WILL BE RELEASED, AS A COURTESY, IN CONJUNCTION WITH THE CURRENT CIRCUIT EXPIRATION ALCOM. THIS MAY NOT BE A COMPREHENSIVE LIST IF THE SYSTEM OWNER/EII HAS NOT ENGAGED THE ODAA ON SPECIFIC SYSTEMS. IT IS INCUMBENT UPON THE SYSTEM OWNER/EII TO ENGAGE IN THE C&A PROCESS IN ADVANCE OF EXPIRATION DATES.
B. UPON RECEIVING NOTIFICATION, THE EII CIO WILL DETERMINE WHETHER AN APPROVAL REQUEST IS REQUIRED. IF REQUIRED, THE EII CIO WILL ENTER THE ESCALATION PROCESS BY SUBMITTING AN INFORMATION SYSTEM RISK EVALUATION REACCREDITATION REQUEST FORM (AVAILABLE FROM ODAA) WHICH SUMMARIZES THE FINDINGS, POTENTIAL MITIGATION/REMEDIATION ACTIONS, AND TIMELINES FOR RESOLUTION. AN OPERATIONAL IMPACT STATEMENT IS ALSO REQUIRED, TO INFORM DDCIO(N) OF POTENTIAL IMPACT IN THE EVENT THE APPROVAL REQUEST IS DENIED AND THE SYSTEM IS RELEGATED TO A NON-OPERATIONAL STATUS. EII CIOS MUST SUBMIT THE FORM TO THE ODAA AT LEAST 75 DAYS PRIOR TO THE BEGINNING OF THE MONTH OF EXPIRATION. THE FORM MUST BE ENDORSED BY THE FIRST FLAG OFFICER OR SENIOR EXECUTIVE SERVICE (SES) IN THE EII CIO CHAIN OF COMMAND. IF ODAA REQUIRES ADDITIONAL INFORMATION TO ANALYZE AND MAKE A RECOMMENDATION, THE ODAA WILL COORDINATE WITH THE EII AND/OR PROGRAM MANAGER.
C. ADDITIONALLY, THE EII CIO WILL SCHEDULE AND CONDUCT A C&A COLLABORATION MEETING WITH THE ODAA FOR SYSTEMS POTENTIALLY MEETING ESCALATION CRITERIA NO LATER THAN 75 DAYS PRIOR TO BEGINNING OF MONTH OF EXPIRATION. REQUIREMENT TO ESCALATE A SYSTEM WILL NOT BE FINALIZED UNTIL THE NAVY CERTIFICATION AUTHORITY (CA) RELEASES A CERTIFICATION DETERMINATION (CD) TO FORMALLY DOCUMENT THE SYSTEM RISK AND FINDINGS. ALL SYSTEMS WITH POTENTIAL CAT I FINDINGS AND/OR IATO OVER 360 SHOULD ENTER INTO THE ESCALATION PROCESS IN ORDER TO SEEK ACCREDITATION.
D. ODAA, UNDER HIS AUTHORITY AS SPECIAL ASSISTANT TO FCC/C10F, WILL CONSOLIDATE ENDORSEMENTS FROM UNITED STATES FLEET FORCES (USFF); COMMANDER, PACIFIC FLEET (CPF) VIA NAVY CYBER FORCES COMMAND (NCF) AND FCC/C10F.
ODAA WILL SUBMIT THE ENTIRE ESCALATION PACKAGE, INCLUDING ITS RECOMMENDATION, FOR ALL AFFECTED SYSTEMS TO DDCIO(N) NO LATER THAN 45 DAYS PRIOR TO THE BEGINNING OF MONTH OF EXPIRATION.
E. FOR THE PURPOSE OF HEARING JUSTIFICATION BEHIND ESCALATION APPROVAL REQUESTS DDCIO(N) WILL CONDUCT A SINGLE MONTHLY TELECONFERENCE WHEREIN THE REQUESTING EII CIO(S) SHALL BRIEF THE DDCIO(N). DDCIO(N) WILL MAKE A DECISION ON WHETHER TO GRANT THE IATO AND THEN NOTIFY THE RESPECTIVE EII CIO, ODAA, AND DON CIO OF THE DETERMINATION. ONLY THE EII CIO OR DESIGNATED O6/GS-15 REPRESENTATIVE MAY PRESENT THIS BRIEF.
F. IN THE EVENT OF A SECOND REQUEST FOR THE SAME SYSTEM, OR IF THE EII CIO DESIRES TO APPEAL THE DDCIO(N)'S DECISION, THE REQUEST PACKAGE WILL BE ELEVATED TO DON CIO FOR FINAL ACCREDITATION DECISION.
4. ACTION. AFFECTED EII CIOS WILL ENSURE COMPLIANCE WITH ALL APPLICABLE REQUIREMENTS IDENTIFIED IN THIS NAVADMIN. THE IMPLICATIONS TO THEIR OPERATIONS MAY BE SIGNIFICANT IN THE EVENT DDCIO(N) DISAPPROVES A REQUEST FOR IATO EXTENSION OR CONTINUED OPERATION OF A SYSTEM WITH CAT I FINDINGS. DENIALS OF REQUESTS OR FAILURE TO COMPLY WITH REQUIREMENTS SPECIFIED IN THIS MESSAGE WILL RESULT IN A DENIAL OF AUTHORITY TO OPERATE (DATO). EXPECT ENHANCED SCRUTINY OF FUTURE REQUESTS AS NAVY STRIVES TO ELIMINATE THE CURRENT FREQUENCY AND VOLUME OF EMERGENT REQUESTS.
5. MY POINT OF CONTACT, AND DDCIO(N) REPRESENTATIVE, IS MS. JANICE HAITH, AT COMMERCIAL (571) 256-8523, EMAIL: JANICE.HAITH(AT)NAVY.MIL.
6. REQUEST WIDEST DISSEMINATION OF THIS MESSAGE.
7. RELEASED BY VADM KENDALL L. CARD, DCNO FOR INFORMATION DOMINANCE, N2N6.//
BT
#1116
NNNN