
QUARTERLY FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) REPORTING REQUIREMENTS AND GUIDANCE FOR FY 2008 

R 160252Z APR 08
MARADMIN 245/08
MSGID/GENADMIN/CMC WASHINGTON DC/C4 //
SUBJ/QUARTERLY FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA)
/REPORTING REQUIREMENTS AND GUIDANCE FOR FY 2008//
REF/A/MSGID:DOC/P.L. 107-347/YMD:20021223//
REF/B/MSGID:DOC/DOD 8510.01/YMD:20071128//
REF/C/MSGID:DOD/DOD 8570.01/YMD:20040815//
REF/D/MSGID:DOC/DOD 8570.01-M/YMD:20051219//
REF/E/MSGID:GENADMIN/DON/221246ZAUG2007//
REF/F/MSGID:GENADMIN/CMC WASHINGTON DC/YMD:20060330//
REF/G/DESC:(DITPR-DON) REGISTRATION GUIDANCE FOR 2006/-/30JUN2006//
NARR/REF A IS THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF
2002 (FISMA).
REF B IS DOD 8510.01, THE DOD IT CERTIFICATION AND ACCREDITATION
PROCESS GUIDANCE (DIACAP).
REF C IS DOD DIRECTIVE 8570.1, THE IA TRAINING, CERTIFICATION AND
WORKFORCE MANAGEMENT DIRECTIVE.
REF D IS DOD 8570.01-M, INFORMATION ASSURANCE WORKFORCE IMPROVEMENT
PROGRAM.
REF E IS THE DON FEDERAL INFORMATION SECURITY MANAGEMENT ACT GOALS
FOR FY 2008.
REF F IS MARADMIN 156-06 AND ESTABLISHES POLICY, GUIDANCE AND
DIRECTION FOR IDENTIFYING, TRACKING, MONITORING AND REPORTING THE
INFORMATION ASSURANCE WORKFORCE ACROSS THE MARINE CORPS.
REF G PROVIDES GUIDANCE ON MAINTAINING DITPR-DON DATA ELEMENTS.
//
POC/CHARLES BUCKLEY/CAPT/HQMC C4 IA/-/TEL:703-693-3490
/TEL:DSN 223-3490/EMAIL:CHARLES.BUCKLEY@USMC.MIL//
POC/MARIA S THOMPSON/MGYSGT/HQMC C4 IA/-/TEL:703-693-3490
/TEL:DSN 223-3490/EMAIL:MARIA.THOMPSON@USMC.MIL//
GENTEXT/REMARKS/1. THIS MARADMIN PROVIDES GUIDANCE AND POLICY TO
COMPLY WITH REF A, THE 2002 FEDERAL INFORMATION SECURITY MANAGEMENT
ACT (FISMA).
2. BACKGROUND.
A. FISMA LEGISLATION REQUIRES FEDERAL AGENCIES TO CERTIFY AND
ACCREDIT INFORMATION TECHNOLOGY (IT) SYSTEMS, CONDUCT ANNUAL
SECURITY REVIEWS, DEVELOP AND TEST CONTINGENCY PLANS, AND TRAIN AND
OVERSEE PERSONNEL WITH SIGNIFICANT IA RESPONSIBILITIES.  AGENCIES
SUBMIT ANNUAL REPORTS PROVIDING STATUS OF INFORMATION SECURITY
WITHIN THE AGENCY.
B. PAST YEARS HAVE SHOWN A LACK OF REPORTING IN REQUIRED AREAS. IN
ORDER TO ENSURE THAT REPORTS ARE SUBMITTED IN A TIMELY MANNER AND
TRACKED THROUGHOUT THE CURRENT YEAR AND FUTURE YEARS, THE
REQUIREMENTS IDENTIFIED IN 3(A) HAVE BEEN DEVELOPED. 
3. POLICY:
A. PROGRAM MANAGERS (PMS)/COMMAND INFORMATION ASSURANCE MANAGERS
(IAMS)/OFFICERS/CHIEFS THAT MANAGE/MAINTAIN INFORMATION SYSTEMS (IS)
REGISTERED IN DITPR-DON WILL SUBMIT EVIDENCE OF COMPLIANCE WITH THE
FOLLOWING REQUIRED FISMA REPORTING ELEMENTS NO LATER THAN 1 MAY 08,
1 AUG 08, AND 1 DEC 08:
(1). INFORMATION SYSTEM (IS) CERTIFICATION AND ACCREDITATION STATUS.
(2). CONTINGENCY PLAN TESTING.
(3). SECURITY CONTROLS TESTING.
(4). NUMBER OF INDIVIDUALS COMPLETING SECURITY AWARENESS TRAINING
(INITIAL AND REFRESHER)(PMS NOT REQUIRED TO REPORT).
(5). NUMBER OF IA WORKFORCE MEETING TRAINING AND CERTIFICATION
REQUIREMENTS (PMS NOT REQUIRED TO REPORT).
REPORTING BY THESE DATES WILL ENSURE THAT FISMA DATA FOR EACH
DITPR-DON REGISTERED IS IS UPDATED PRIOR TO THE ANNUAL FISMA UPDATE.
B. CONTINGENCY PLAN TESTING MAY TAKE MANY FORMS; INCLUDING TABLE TOP
EXERCISES AND ACTUAL EVENTS THAT CAUSE DISRUPTION AND RESTORAL OF
SERVICES.  ADDITIONALLY, THESE EVENTS MAY ALSO INCLUDE ROUTINE
MAINTENANCE, POWER OUTAGES, AND UNINTENTIONAL DISRUPTION. 
C. COMMANDS WILL COORDINATE WITH NMCI REPRESENTATIVE/VENDOR TO
GATHER INFORMATION FOR THE ABOVE 5 REPORTS LISTED IN 3A.
D. THE FOLLOWING COMMANDS (TO INCLUDE THEIR MAJOR SUBORDINATE
COMMANDS) WILL PROVIDE REPORTS: COMMARFORCOM, CG BASES LANT,
COMMARFORNORTH, CDRUSMARCENT, CDRUSMARSOC, COMMARFORNORTH,
COMMARFORRES, COMMARFORSTRAT, COMMARFORPAC, CG BASES PAC,
COMMARFORSOUTH, COMMARFOREUR, CMC (C4), CG MCCDC, MCI NCR, CG MCRC,
CG MCSC, CG LOGCOM.
4. OBJECTIVE:
A. COMMANDS OPERATING/PMS MANAGING MISSION CRITICAL (MC), MISSION
ESSENTIAL (ME), AND MISSION SUPPORT (MS) IT ASSETS REQUIRING
CERTIFICATION AND ACCREDITATION (C&A) MUST ACHIEVE A MINIMUM OF
NINETY PERCENT FULL ACCREDITATION (I.E., AUTHORITY TO OPERATE
(ATO)), WITH A GOAL OF 100 PERCENT FULL ACCREDITATION BY 1 AUG 08. 
 
B. COMMANDS AND PMS MUST ACHIEVE/MAINTAIN AT LEAST 90 PERCENT
COMPLIANCE WITH THE FISMA-REQUIRED ANNUAL SECURITY REVIEWS, ANNUAL
TESTING OF SECURITY CONTROLS AND ANNUAL EVALUATION OF CONTINGENCY
PLANS (CP) BY 1 AUG 08.
C. COMMANDS MUST ACHIEVE/MAINTAIN AT LEAST 96 PERCENT ANNUAL
SECURITY AWARENESS TRAINING, 90 PERCENT TRAINING STATUS FOR THE IA
WORKFORCE BY 1 SEPT 08 AND 40 PERCENT IA WORKFORCE CERTIFICATION BY
1 DEC 08. COMMANDS SHALL REPORT THEIR WORKFORCE NUMBERS USING THE
FISMA REQUIRED TEMPLATES. THIS REPORT INCLUDES MILITARY, CIVILIAN,
AND CONTRACTORS. THE COMMAND IAM SHALL COORDINATE WITH NMCI TO
GATHER THIS INFORMATION FOR PERSONNEL WITHIN THEIR COMMAND. THE FY08
FISMA TEMPLATE CAN BE FOUND ON THE HQMC, C4 WEBSITE WITHIN THE
INFORMATION ASSURANCE DIVISION. HTTPS:(SLASH SLASH)
HQDOD.HQMC.USMC.MIL (SLASH) IA.ASP.
5. ACTION:
A. REPORTING COMMANDS:
(1) ENSURE THAT ALL PERSONNEL THAT HAVE ACCESS TO DOD INFORMATION
SYSTEMS ARE PROPERLY TRAINED.
(2) COMMAND INFORMATION ASSURANCE MANAGERS (IAMS) WILL MONITOR,
TRACK AND REPORT COMPLIANCE AS DIRECTED IN REF F. 
(3) NO LATER THAN 1 MAY 08, 1 AUG 08 AND 1 DEC 08, PROVIDE THE
INFORMATION REQUIRED IN PARAGRAPH 3(A) TO HQMC, C4 IA, EMAIL:
M_HQMC_C4_IA@USMC.MIL.
(4) IDENTIFY ALL SYSTEMS AND APPLICATIONS OPERATING ON THEIR
NETWORKS, AS IDENTIFIED WITHIN THEIR SITE SECURITY ADDENDUM (SSA).
THIS ENSURES ACCURATE AND UP-TO-DATE SSA DOCUMENTATION.
(5) REPORTING REQUIREMENTS FOR FY09 FISMA REPORTING CAN BE EXPECTED
TO MATCH FY08 REQUIREMENTS AND WILL BE DISSEMINATED VIA SEPARATE
CORRESPONDENCE.
B. PROGRAM MANAGERS, PROGRAM OWNERS, SYSTEM AND APPLICATION OWNERS,
SPONSORS AND FUNCTIONAL AREA MANAGERS (FAMS):
(1) NO LATER THAN 1 MAY 08, 1 AUG 08 AND 1 DEC 08, PROVIDE THE
INFORMATION REQUIRED IN PARAGRAPH 3(A) (WITH THE EXCEPTION OF
3(A)(4) AND 3(A)(5)) TO HQMC, C4IA; EMAIL: M_HQMC_C4_IA@USMC.MIL.
REPORTING VIA HQMC, C4IA IS MANDATED FOR ALL SYSTEMS INCLUDING THOSE
NOT ORIGINATING FROM WITHIN THE MARINE CORPS (I.E. US NAVY). FAILURE
TO REPORT INITIAL OR UPDATED INFORMATION WILL HAVE A SIGNIFICANT
NEGATIVE IMPACT ON THE MARINE CORPS AND COULD RESULT IN SYSTEMS
BEING DISCONNECTED FROM THE MCEN AND PROGRAM FUNDING BEING WITHHELD
BY THE DEPARTMENT OF THE NAVY (DON) AND OFFICE OF MANAGEMENT AND
BUDGET (OMB).
(2) ENSURE DITPR-DON DATA IS CORRECT.
(3) FOR SYSTEMS THAT HAVE NOT YET BEEN ACCREDITED BY THE MARINE
CORPS DAA, COMMENTS WILL BE PROVIDED TO MARCORSYSCOM C4II IA FOR
INCLUSION IN THE REGISTRY REPORT. COMMON REASONS SUCH AS PERFORMING
SECURITY TEST AND EVALUATION (ST&E), CERTIFICATION SUBMITTED TO THE
MARINE CORPS DAA, OR PROGRAM ON HOLD DUE TO FUNDING FREEZE ARE
ACCEPTABLE BUT MUST BE REPORTED AND MONITORED. SOME USMC SYSTEMS
CURRENTLY IN THE DITPR-DON ARE NOT SLATED FOR TRANSITION TO NMCI, OR
ARE BEING PHASED OUT OF USMC BUSINESS PROCESSES; THESE SYSTEMS SHALL
BE IDENTIFIED SO THAT C&A RESOURCES CAN BE FOCUSED ON USMC SYSTEMS
WITH SIGNIFICANT OPERATIONAL IMPORTANCE AND LONG-TERM VALUE TO
MARINE CORPS BUSINESS PRACTICES.
C. MARINE CORPS SYSTEMS COMMAND (MARCORSYSCOM):
(1) EVALUATE IS FOR C&A/FISMA COMPLIANCE.
D. MARINE CORPS NETWORK OPERATIONS AND SECURITY COMMAND
(MCNOSC):
(1) COORDINATE WITH ALL MARINE CORPS COMMANDS TO ENSURE THEY PROVIDE
CONTINGENCY PLAN TEST DOCUMENTATION. THIS IS TO INCLUDE KEEPING
ACCURATE AND UP-TO-DATE C&A DOCUMENTATION ON ALL SITES OPERATING
WITHIN THE MARINE CORPS ENTERPRISE NETWORK (MCEN) ENVIRONMENT.
(2) PASS INFORMATION PERTINENT TO FISMA TO MARCORSYSCOM FOR UPDATING
DITPR.
E. HQMC C4:
(1) TRACK EXPIRATION DATES OF ACCREDITATION DECISIONS.
(2) PROVIDE GUIDANCE AND DIRECTION ON C&A REQUIREMENTS.
(3) AS THE DON DEPUTY CIO (MARINE CORPS), PERFORM OVERSIGHT AND
DIRECTION FOR USMC FISMA REPORTING. THIS INCLUDES ASSISTING
MARCORSYSCOM IN OBTAINING VALID INFORMATION FROM ALL PM AND SYSTEM
OR NETWORK OWNERS.
(4) MAINTAIN CONSTANT LIAISON WITH DEPARTMENT OF THE NAVY CHIEF
INFORMATION OFFICER AND OSD, ENSURING REPORTING GUIDANCE IS
UNDERSTOOD AND EXPEDITIOUSLY DISSEMINATED THROUGHOUT THE REPORTING
CHAIN.
6. REQUEST WIDEST DISSEMINATION TO SUBORDINATE UNITS.
7. QUESTIONS MAY BE DIRECTED TO THE POCS CITED.
8. RELEASE AUTHORIZED BY BGEN GEORGE J. ALLEN DIRECTOR, COMMAND,
CONTROL, COMMUNICATIONS, AND COMPUTERS.//