R 212153Z Nov 08
UNCLASSIFIED//
MARADMIN 663/08
MSGID/GENADMIN/CMC WASHINGTON DC/C4//
SUBJ/MCBUL 5239. TRANSITION TO THE DOD INFORMATION ASSURANCE /CERTIFICATION AND ACREDITATION PROCESS (DIACAP)//
REF/A/DESC:DOD INSTRUCTION 8510.01 /DOD INFORMATION ASSURANCE CERTIFICATION AND ACCREDITATION PROCESS (DIACAP)/27 NOVEMBER 2007//
REF/B/MSGID: DOC/FEDERAL INFORMATION SECURITY MANAGEMENT ACT 2002/6 JULY 2006//
REF/C/MSGID:DOC/DOD DIRECTIVE 8500.1/24 OCTOBER 2002//
REF/D/MSGID:DOC/USMC ENTERPRISE INFORMATION ASSURANCE DIRECTIVE 018 /USMC CERTIFICATION AND ACCREDITATION PROCESS/1 NOVEMBER 2008//
REF/E/MSGID:DOC /DON DOD INFORMATION ASSURANCE CERTIFICATION AND ACCREDITATION HANDBOOK/15 JULY 2008//
REF/F/MSGID:DOC/DON DOD INFORMATION TECHNOLOGY SYSTEM CERTIFICATION AND /ACCREDITATION PROCESS (DITSCAP) TO DIACAP TRANSITION GUIDE/15 MAY 2008//
POC/C. B. BUCKLEY/CAPT/UNIT:C4IA/-/TEL: DSN 223-3490 /TEL:COMM (703)693-3490/EMAIL: CHARLES.BUCKLEY@USMC.MIL//
POC/R. A. LETTEER/CIV/UNIT:C4IA/-/TEL: DSN 223-3490 /TEL:COMM (703)693.3490/EMAIL: RAY.LETTEER@USMC.MIL//
NARR/REF A IS THE DOD CERTIFICATION AND ACCREDITATION POLICY. REF B PROVIDES REQUIREMENTS TO SECURE INFORMATION SYSTEMS AND REPORT COMPLIANCE. REF C IMPLEMENTS THE DOD INFORMATION ASSURANCE PROGRAM.
REF D IS THE USMC CERTIFICATION AND ACCREDITATION DIRECTIVE. REF E PROVIDES DON GUIDANCE IN COMPLETING THE REQUIREMENTS OF THE DIACAP.
REF F PROVIDES DON GUIDANCE ON TRANSITIONING FROM DITSCAP TO DIACAP//
GENTEXT/REMARKS/1. THIS MCBUL ANNOUNCES POLICY RELATED TO CERTIFICATION AND ACCREDITATION OF INFORMATION SYSTEMS AND PROVIDES GUIDANCE RELATED TO THE TRANSITION FROM DITSCAP TO DIACAP.
2. BACKGROUND
A. AS OF 1 NOVEMBER 2008, THE USMC WILL TRANSITION FROM THE DOD INFORMATION TECHNOLOGY SECURITY CERTIFICATION AND ACCREDITATION PROCESS (DITSCAP) TO THE DOD INFORMATION ASSURANCE CERTIFICATION AND ACCREDITATION PROCESS (DIACAP) IN SUPPORT OF THE CERTIFICATION AND ACCREDITATION (C&A) OF USMC INFORMATION TECHNOLOGY (IT) ASSETS.
B. INFORMATION RELATED TO THE USMC C&A PROCESS, THE DIACAP, AND DON TRANSITION GUIDANCE CAN BE FOUND AT: HTTPS(DOUBLE SLASH)HQDOD.HQMC.USMC.MIL(SLASH)CA.ASP.
C. A KEY FEATURE OF THE DIACAP IS AUTOMATION OF THE C&A PROCESS.
THE USMC HAS IMPLEMENTED XACTA IA MANAGER AS THE TOOL FOR CREATING AND MAINTAINING IT ASSET C&A DOCUMENTATION. XACTA IA MANAGER ALSO AUTOMATES THE C&A SUBMISSION PROCESS. INFORMATION RELATED TO XACTA IA MANAGER CAN BE FOUND AT: HTTPS(DOUBLE SLASH)HQDOD.HQMC.USMC.MIL(SLASH)CA.ASP.
3. ACTION
A. EFFECTIVE IMMEDIATELY, ALL USMC IT ASSETS ARE REQUIRED TO TRANSITION TO THE DIACAP. IN ACCORDANCE WITH REF F, PROGRAM MANAGERS AND SYSTEM OWNERS SHALL PLAN THE TRANSITION TO DIACAP FOR USMC C&A ACTIVITIES USING THE FOLLOWING SCHEDULE:
(1) NEW START OR UNACCREDITED OPERATIONAL USMC IT ASSETS WITH NO CURRENT DITSCAP ACTIVITY: INITIATE DIACAP.
(2) ASSETS WHICH HAVE INITIATED DITSCAP BUT DO NOT YET HAVE A SYSTEM SECURITY AUTHORIZATION AGREEMENT (SSAA) SUBMITTED: TRANSITION TO DIACAP.
(3) ASSET HAS A DITSCAP PHASE ONE SIGNED SSAA BUT DOES NOT YET HAVE AN ACCREDITATION DECISION: CONTINUE UNDER DITSCAP. THE RE-ACCREDITATION REQUIREMENTS DOCUMENTED IN THE SSAA SHALL BE MODIFIED TO IDENTIFY AND DESCRIBE THE STRATEGY AND SCHEDULE FOR TRANSITIONING TO DIACAP. THE SCHEDULE SHALL NOT EXCEED THE SYSTEM RE-ACCREDITATION TIMELINE.
(4) ASSET HAS A DITSCAP PHASE ONE SIGNED SSAA, BUT DOES NOT YET HAVE AN ACCREDITATION DECISION AND DOES NOT INCORPORATE ALL DOD BASELINE IA CONTROLS (IACS) AS SPECIFIED IN DODI 8500.2: COMPLY WITH GUIDANCE (3) ABOVE. THE SSAA SHALL BE MODIFIED TO INCORPORATE ALL DOD BASELINE IACS AS SPECIFIED IN DODI 8500.2.
(5) ASSET HAS A DITSCAP ACCREDITATION DECISION THAT IS CURRENT WITHIN THREE YEARS: DEVELOP STRATEGY AND SCHEDULE FOR TRANSITIONING TO DIACAP IN SUPPORT OF FOLLOW ON ACCREDITATION.
(6) ASSET HAS A DITSCAP AUTHORITY TO OPERATE THAT IS MORE THEN THREE YEARS OLD: INITIATE DIACAP IMMEDIATELY.
B. IMPLEMENTATION OF XACTA IA MANAGER:
(A) EFFECTIVE IMMEDIATELY, PROGRAM MANAGERS AND SYSTEM OWNERS OF IT ASSETS THAT SUPPORT AND/OR CONNECT TO THE NIPRNET REQUIRING C&A WILL UTILIZE XACTA IA MANAGER TO ASSIST IN THE CREATION AND SUBMISSION OF C&A DOCUMENTATION.
(B) C&A PACKAGES CURRENTLY UNDER REVIEW WILL CONTINUE WITHOUT BEING ENTERED INTO XACTA.
(C) INFORMATION REGARDING XACTA ACCESS AND TRAINING MAY BE FOUND AT:
HTTPS(DOUBLE SLASH)HQDOD.HQMC.USMC.MIL(SLASH)CA.ASP.
(D) C&A PACKAGES CREATED FOR SIPRNET SYSTEMS AND NETWORKS WILL NOT BE CREATED AND PROCESSED UTILIZING XACTA.
4. CANCELLATION CONTINGENCY. THIS BULLETIN, UNLESS SUPERCEDED, IS CANCELLED 1 OCTOBER 2009.
5. RELEASE AUTHORIZED BY BGEN G. J. ALLEN, DIRECTOR, COMMAND, CONTROL, COMMUNICATIONS, AND COMPUTERS/CHIEF INFORMATION OFFICER OF THE MARINE CORPS.//