DEPARTMENT OF THE NAVY, OFFICE OF THE SECRETARY, 1000 NAVY PENTAGON, WASHINGTON DC 20350-1000


13 May 2009

MEMORANDUM FOR DEPARTMENT OF THE NAVY DEPUTY CHIEF INFORMATION OFFICER (NAVY)
DEPARTMENT OF THE NAVY DEPUTY CHIEF INFORMATION OFFICER (MARINE CORPS)
COMMANDER, NAVAL NETWORK WARFARE COMMAND

Subj: DEPARTMENT OF THE NAVY INFORMATION ASSURANCE AND CERTIFICATION AND ACCREDITATION PROCESS CONCEPT OF OPERATIONS

Ref: (a) DON CIO memo, Senior Information Assurance Officer Alignment and Responsibilities for Information Assurance and Certification and Accreditation Processes, of 18 Dec 08

Encl: (1) Department of the Navy Information Assurance and Certification and Accreditation Process Concept of Operations of 15 May 2009

As required by reference (a), enclosure (1) is promulgated. The Department of the Navy Chief Information Officer points of contact for this action are Dr. Richard Etter, 703-602-6882, richard.etter@navy.mil; Ms. Sonya Smith, sonya.r.smithl@navy.mil, 703-604-7059; and Mr. Raymond Moon, raymond.l.moon@navy.mil, 703-601-1234.

Copy to: DON SIAO

Department of the Navy Information Assurance and Certification and Accreditation Process Concept of Operations
13 May 2009

Foreword

Information Technology (IT) is critical to the Department of the Navy's (DON) ability to achieve its mission. However, the ever-increasing threat to DON IT assets and information magnifies the importance of secure operation of systems and networks within the DON. The DON Chief Information Officer (CIO), in accordance with references (a), (b) and (c), is designated as the DON Senior Information Assurance Officer (SIAO), responsible for developing and managing the DON Information Assurance (IA) security program. Subsequently, per reference (d), the DON SIAO was tasked with implementing an integrated IA program. This Concept of Operations (CONOPS) expands upon, clarifies, and implements reference (e) to instantiate the business rules, and aligns the DON risk management and Certification and Accreditation (C&A) processes. This CONOPS:

- Implements the policy for joint visibility and risk management, as it pertains to the C&A process, to ensure appropriate alignment across the Department;
- Identifies the roles and responsibilities of the major participants in the C&A process; and
- Describes the high-level interactions that must occur among the process participants for the DON's C&A process to operate effectively and efficiently.

Table of Contents

1. Purpose ... 3
2. Background ... 3
3. Roles and Responsibilities ... 3
4. DON C&A Information Flows - Inter-Service (Marine Corps and Navy) Accreditations ... 4
5. DON C&A Information Flows - Inter-DoD (Marine Corps/Navy & External Combatant Commander, Service, and/or Agency) Accreditations ... 6
6. DON Information Assurance Council (IAC) ... 7

Figures:
Figure 1. Inter-Service Accreditation with Concurrence ... 5
Figure 2. Inter-Service Accreditation without Concurrence ... 5
Figure 3. Inter-DoD (Marine Corps/Navy & External Combatant Commander, Service, and/or Agency) Accreditations ... 6

Attachment A - References

1. Purpose

a. This CONOPS describes the roles and responsibilities of the DON SIAO and the interaction between the Marine Corps Enterprise Network (MCEN) Designated Accrediting Authority (DAA), the Navy Operational Designated Accrediting Authority (ODAA), and the DON SIAO. It also identifies the role of the DON Deputy CIOs (Navy and Marine Corps) in C&A oversight.

b. All IT systems designated for use outside the DON, and IT systems from other departments or agencies for use within the DON, require the coordination and participation of the DON SIAO and the Service DAAs in the C&A process and the risk management decision.

c. This CONOPS applies to the C&A process for General Service (GENSER) IT systems and does not address the C&A process supporting intelligence, Sensitive Compartmented Information (SCI), or Special Access Program (SAP) IT systems.

d. The Service DAAs shall keep the DON SIAO and supporting staff informed of Service efforts related to the implementation of the IA program. The DON SIAO supports the Service DAAs in their risk management efforts.

2. Background

a. Establishing a consistent risk management methodology and consistent C&A processes across the DON is a key part of the DON IA program.

b. The DON SIAO, per reference (d), is tasked to establish and enforce the C&A process as part of the overall DON IA program. For clarity: certification is the comprehensive evaluation of the technical and non-technical security features of systems and networks, based on IA policy and testing results. Certification identifies and assesses the residual risk of operating a system and the acceptable controls to correct or mitigate IA security weaknesses. Accreditation is the formal determination by the DAA of the risk of operating a system in a particular manner, with appropriate safeguards in place, to ensure the level of risk is acceptable.

c. To ensure this process is visible, transparent, consistent, and integrated, the DON must normalize and align the processes for both Services' C&A approval processes.

3. Roles and Responsibilities

a. DON SIAO. The responsibilities are specified in reference (e).

b. DON Deputy CIOs (Navy and Marine Corps). The DON Deputy CIOs (Navy and Marine Corps) are responsible for:
(1) Ensuring all enterprise-wide systems comply with the requirements of applicable DON, Department of Defense (DoD), and Federal policies and mandates, such as references (a), (d), and (f) through (i);
(2) Tracking the C&A status of Navy and Marine Corps information systems;
(3) Ensuring certification quality, capacity, visibility, and effectiveness;

(4) Facilitating a consistent application of IA policies, processes, responsibilities, and procedures across the Department;
(5) Determining, with the DON SIAO, that the DAA decision-making processes are acceptable and consistently applied; and
(6) Overseeing and managing IA/C&A compliance evaluations and assessments.

c. Designated Accrediting Authority (DAA). Per references (d), (j) and (k), the DAA is the official with the authority to formally assume responsibility for operating a system at an acceptable level of risk. This term is synonymous with Designated Approving Authority and Delegated Accrediting Authority. The DAA must understand the operational need for the system(s) and the operational consequences of not operating the system(s) as part of the risk management decision process. The DAA is responsible for:
(1) Granting interim and final authorization to operate (IATO/ATO) of a network or system in a specified security mode, and denying authorization to operate (DATO) when the network or system poses an unacceptable risk;
(2) Ensuring security is incorporated as an element of the information system life-cycle process;
(3) Ensuring the operational information system's security policies are in place for each system, project, program, and organization or site for which the DAA has authorization authority;
(4) Ensuring the establishment, administration, and coordination of security for systems that the DAA's command or organization operates; and
(5) Implementing IA requirements.

4. DON C&A Information Flows - Inter-Service (Marine Corps and Navy) Accreditations

a. Certification and accreditation packages for information systems designated for use in both the Navy and the Marine Corps will be processed according to normal Navy and Marine Corps business rules. The Navy CA/ODAA or the MCEN CA/DAA will notify the DON SIAO of packages that meet the criteria for inter-Service accreditation. This allows for situational awareness and DON visibility into all inter-Service accreditations ready for an accreditation decision, and gives the DON SIAO the opportunity to review the documentation associated with the system. While the goal is to identify an IS early in the process as an inter-Service program, this may not always be known at the start of the C&A process. To accommodate this, at any point that a participant of the C&A team (Program Manager (PM), Echelon II (EII)/Major Subordinate Command (MSC), CA, DAA, DON SIAO) discovers the information system is intended for use by both Services, that party shall notify both Service DAAs and the DON SIAO. If the package is acceptable to both the Navy ODAA and the MCEN DAA, the accreditation decision is finalized by the responsible Service's DAA and an accreditation endorsement is issued by the other Service. The responsible Service DAA will notify the DON SIAO of the accreditation. Normal business practice for inter-Service accreditation with concurrence is depicted in Figure 1.

Figure 1. Inter-Service Accreditation with Concurrence (diagram; labels: Information System, C&A package, Required notification, Optional, DON SIAO, Accreditation Approval, Endorsement)

Figure 2 identifies the DON SIAO role in the C&A process when a DAA intends to deny authorization to operate for a system. This occurs when a DAA determines there is an unacceptable level of unmitigated system risk. The Service DAAs will notify the DON SIAO of their intent to deny authorization to operate. The DON SIAO will work with the DAAs and others to resolve the differences and achieve the best result for the DON.

Figure 2. Inter-Service Accreditation without Concurrence (diagram; labels: Required notification, Optional, DON SIAO, Other Service DAA, Accreditation Decision)

5. DON C&A Information Flows - Inter-DoD (Marine Corps/Navy & External Combatant Commander, Service, and/or Agency) Accreditations

a. For an IS owned and accredited by another Military Department, Agency, or Combatant Command that requires Navy or Marine Corps acceptance of its accreditation decision, the DAA (Navy ODAA or MCEN DAA) is responsible for evaluating that accreditation decision. The respective DAA will use the certification artifacts associated with the IS to make the accreditation decision.

b. The Navy and Marine Corps CAs and DAAs will notify the DON SIAO of packages that meet the criteria for inter-DoD accreditation, allowing for situational awareness and Department visibility into all inter-DoD accreditations. The DON SIAO will have the opportunity to review the documentation associated with the system. The notifications will occur upon initial entry, CA recommendation, and reciprocity concurrence. The Service DAAs, once they have a recommended accreditation decision, shall notify the DON SIAO of their intent. The Service DAAs will not issue their decision until the DON SIAO acknowledges this intent. The DON SIAO has 72 hours from receipt of the notification of intent to acknowledge it. If the DON SIAO does not acknowledge within 72 hours, the DAAs will issue their accreditation decision. Figure 3 shows the process for systems accredited within the DON and utilized by other DoD components.

Figure 3. Inter-DoD (Marine Corps/Navy & External Combatant Commander, Service, and/or Agency) Accreditations (diagram; labels: Information System, C&A Reciprocity Request, Concurrence, Recommendation, Required notification, Optional, DON SIAO, USN or USMC DAA, USMC or USN DAA)

c. For the inter-DoD accreditations described above, the DAA(s) will notify the DON SIAO, before issuing a denial of authorization to operate, should an IS present unacceptable risk to the Navy or Marine Corps. In these situations, the respective DON Deputy CIO (Navy/Marine Corps) and the DON SIAO will work with the Military Department, Agency, or Combatant Command to resolve the unacceptable risk. If an agreement cannot be reached with the external organization, the DON SIAO and the respective DAA will present the issue to the Principal Accrediting Authorities (PAAs) for resolution.

d. While the goal is to identify an IS as an inter-DoD program early in the process, this may not always be known at the start of the C&A process. To accommodate this, at any point that a participant of the C&A team (Program Manager (PM), Echelon II (EII)/Major Subordinate Command (MSC), CA, DAA, DON SIAO) discovers the information system is coming into or going out of the DON, that party shall notify both Service DAAs and the DON SIAO.

6. DON Information Assurance Council (IAC)

a. In December 2007, the DON SIAO established the Information Assurance Council (IAC), chaired by the DON Deputy SIAO, to coordinate and collaborate on IA matters and issues. The IAC meets monthly, and its membership includes the MCEN DAA, the Navy ODAA, and a DON Deputy CIO Navy (OPNAV N61) representative.

b. The DON SIAO will use the IAC as the venue for addressing and resolving risk management and C&A issues. In the event an issue requires senior-level attention, the DON Deputy SIAO will coordinate with IAC members to set up a meeting with the DON SIAO and the Service flag-level DAAs to resolve the issue. Members of the IAC are responsible for briefing their respective senior leadership on the issues prior to the meeting. IAC members can raise an issue at any time and are not limited to the monthly meetings. Additionally, the IAC will maintain the DON IA and C&A process concept of operations to ensure it evolves with continuous process improvements.

Attachment A - References

a. Federal Information Security Management Act of 2002, Title III of the E-Government Act of 2002, Public Law 107-347 (codified in sections of 40 and 44 U.S.C.)
b. OMB Memorandum M-09-02, Information Technology Management Structure and Governance Framework, of 21 Oct 08
c. DON CIO memo, Designation of the Department of the Navy Senior Information Assurance Officer, of 11 Jan 05
d. DoDINST 8510.01, DoD Information Assurance Certification and Accreditation Process (DIACAP)
e. DON CIO memo, Senior Information Assurance Officer Alignment and Responsibilities for Information Assurance and Certification and Accreditation Processes, of 18 Dec 08
f. SECNAVINST 5430.7P, Assignment of Responsibilities and Authorities in the Office of the Secretary of the Navy
g. Clinger-Cohen Act of 1996 (40 U.S.C. 11101 et seq.)
h. DoDD 8500.01E, Information Assurance
i. DoDINST 8500.2, Information Assurance Implementation
j. CJCSM 6510.01, Defense-In-Depth: Information Assurance (IA) and Computer Network Defense (CND), of 25 Mar 03
k. SECNAVINST 5239.3A, Department of the Navy Information Assurance (IA) Policy, of 20 Dec 04