Marine Corps Enterprise Information Assurance Directive 018
- Marine Corps Certification and Accreditation Process V2.0
- 91 pages
- For Official Use Only
- September 2, 2008
- 15.7 MB
The Marine Corps Enterprise Network (MCEN) Designated Accrediting Authority (DAA) issues Marine Corps Enterprise Information Assurance Directives (EIAD). The EIAD series provides modules that guide the implementation of policy direction established in Marine Corps Order (MCO) 5239.2. The modules provide procedural, technical, administrative, and supplemental guidance for all information systems used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or receipt of data within the MCEN, as well as other Marine Corps information systems. Each module focuses on a distinct subject and describes a standard methodology for planning, implementing, and executing an element of the Marine Corps Information Assurance Program (MCIAP). The Marine Corps EIAD series will be the authoritative source for implementation of IA policy direction.
…
EXECUTIVE SUMMARY
Under current Federal Certification and Accreditation (C&A) requirements, an information system (IS) is required to undergo a formal accreditation process at least once every three years or when major modifications occur that affect the system's security posture. This Directive provides a standardized approach to obtaining an accreditation decision for United States Marine Corps IS as required under federal law, Department of Defense, and Department of the Navy regulations and directives.
The formal C&A process, with associated documentation, provides evidence of a risk mitigation methodology that complies with Marine Corps, Department of the Navy, Department of Defense, National Institute of Standards and Technology (NIST), and Federal standards, laws, and regulations. This program will help define measures of performance used to assure that IS implement and test adequate Information Assurance Controls (IAC), that risks are assessed, and that DIACAP Packages are maintained.
This Directive maps out the tasks and subtasks to be completed to allow for an accreditation decision to be made by the appropriate authority. This is known as the C&A process.
…
4.3 DESIGNATED ACCREDITING AUTHORITY (DAA)
The DAA is a senior management official or executive with the authority to formally approve the operation of an IT system at an acceptable level of risk. Through accreditation, the DAA assumes responsibility for the risks of operating the system in a specific environment. The DAA is an executive with the authority and ability to evaluate the mission and business case for the system in view of the security risks. The DAA must have the authority to oversee the information technology system mission or business operations of systems under his/her purview. The DAA also approves security requirements documents, memorandums of agreement (MOA), memorandums of understanding (MOU), and any deviations from security policies. In addition to having the authority to approve systems for operation, the DAA has the authority to disapprove systems for operation and, if the systems are already operational, the authority to halt operations if unacceptable security risks exist.