R 151000Z JUL 05
FM CMC WASHINGTON DC(UC)
UNCLASSIFIED//
MARADMIN 313/05
MSGID/GENADMIN/CMC WASHINGTON DC C4//
SUBJ/FISCAL YEAR 2005 FISMA GUIDANCE.//
REF/A/DOC/CONGRESS/17DEC2002//
REF/B/DOC/DOD/30DEC1997//
NARR/REF A IS E-GOVERNMENT ACT OF 2002 WHICH DEFINES THE FEDERAL
INFORMATION SECURITY MANAGEMENT ACT (FISMA). REF B IS DODI 5200.40,
THE DOD IT SECURITY CERTIFICATION AND ACCREDITATION PROCESS
(DITSCAP).//
POC/LETTEER, R/CIV/HQMC C4 CPIA/-/TEL:DSN 223-3490
/EMAIL: LETTEERRA@HQMC.USMC.MIL//
POC/DAVIS, M/CIV/MCSC C4II IA/-/TEL: DSN 378-3824
/EMAIL: DAVISMF@MCSC.USMC.MIL//
POC/BAXTER, J.L./MAJOR/HQMC C4 CPIA/-/TEL:DSN 223-3491
/EMAIL: BAXTERJL@HQMC.USMC.MIL//
POC/LEVESQUE, N.L./CWO3/MCSC C4II IA/-/TEL: 378-3809
/EMAIL: NANCY.LEVESQUE@USMC.MIL//
GENTEXT/REMARKS/ 1. FISMA HAS PLACED A LEGAL REQUIREMENT ON FEDERAL
AGENCIES TO CERTIFY AND ACCREDIT THEIR INFORMATION TECHNOLOGY (IT)
SYSTEMS. IN ADDITION TO REPORTING TO CONGRESS, FISMA DIRECTS THE
COMPONENT INSPECTOR GENERAL (IG) TO VERIFY AND VALIDATE
CERTIFICATION AND ACCREDITATION (C&A) STATUS, CONTINGENCY PLANS,
TRAINING, AND TESTING. DOD IMPLEMENTS THIS FEDERAL MANDATE IAW REF
B. THE OFFICE OF THE SECRETARY OF DEFENSE (OSD) HAS MANDATED THE DOD
IT REGISTRY AS THE AVENUE USED TO TRACK AND PROVIDE FISMA
INFORMATION TO THE OFFICE OF MANAGEMENT AND BUDGET (OMB) AND
CONGRESS. THE DON IT REGISTRY IS THAT AVENUE BY WHICH MARINE CORPS
SYSTEM UPDATES ARE PROVIDED TO THE DOD IT REGISTRY. THIS MUST BE
ACCOMPLISHED ANNUALLY NLT 31 AUG.
2. ALL MARINE CORPS SYSTEMS MUST COMPLY WITH FISMA AND HAVE A
CURRENT ACCREDITATION DECISION, EITHER AN APPROVAL TO OPERATE (ATO)
OR AN INTERIM APPROVAL TO OPERATE (IATO) BEFORE THEIR SYSTEM CAN BE
USED. THE MARINE CORPS MUST MEET DOD MANDATED QUARTERLY REPORTING
REQUIREMENTS ON THE STATUS OF MISSION CRITICAL/MISSION ESSENTIAL
(MC/ME) IT SYSTEMS AND MUST START
REPORTING ON MISSION SUPPORT (MS) SYSTEMS. EVENTUALLY SYSTEM
SECURITY STATUS ON ALL MARINE CORPS SYSTEMS MUST BE REPORTED IAW
FISMA.
3. ALL MC/ME/MS SYSTEMS MUST BE REGISTERED IN THE IT REGISTRY AT THE
INCEPTION OF PHASE I (DEFINITION) OF THE DITSCAP (REF A). AN
ACCREDITATION DECISION IS REQUIRED AT LEAST AT THE END OF PHASE II
(VERIFICATION) AND MUST BE REPORTED TO THE DOD IT REGISTRY. FAILURE
TO REPORT INITIAL OR UPDATED INFORMATION WILL HAVE A SIGNIFICANT
NEGATIVE IMPACT ON THE MARINE CORPS AND COULD RESULT IN SYSTEMS
BEING DISCONNECTED FROM THE MCEN AND PROGRAM FUNDING BEING WITHHELD.
WITHHOLDING OF FUNDS IS MANDATED BY LAW AND WILL BE EXECUTED BY THE
OMB. BECAUSE OF THE SLOW RESPONSE ACROSS THE DEPARTMENT OF NAVY
(DON), THE DON CIO HAS STATED IN NUMEROUS MEETINGS WITH HQMC C4 CPIA
THAT SECNAV WILL NOT WAIT FOR OMB AND WILL REMOVE PROGRAM FUNDING
FROM NONCOMPLIANT SYSTEMS.
4. ACTION.
A. PROGRAM MANAGERS WILL:
(1) IMMEDIATELY PROVIDE THE NECESSARY INFORMATION TO MARCORSYSCOM
INFORMATION ASSURANCE (IA) FOR ENTRY INTO THE DON IT REGISTRY. THE
MARCORSYSCOM IA TEAM WILL PROVIDE SPECIFIC REQUIREMENTS AND GUIDANCE.
(2) ENSURE SYSTEM DATA IS ACCURATE AND COMPLETE BY CONTACTING THE
MARCORSYSCOM IA TEAM. BE PREPARED TO PROVIDE PROOF OF C&A ATO STATUS
VIA A SYSTEM SECURITY AUTHORIZATION AGREEMENT (SSAA) OR APPLICATION
SECURITY PLAN (ASP). OTHERWISE, HAVE AN UPDATED POA&M FOR MITIGATION
OF DEFICIENCIES IF AN IATO APPLIES.
(3) PROVIDE COMPLETE COMMENTS ON MITIGATING SITUATIONS TO MARCORSYSCOM
IA FOR INCLUSION IN THE REGISTRY REPORT FOR SYSTEMS IN PHASE III
(VALIDATION) THAT HAVE NOT YET ACHIEVED ATO. ACCEPTABLE COMMENTS
INCLUDE: PERFORMING SECURITY TEST AND EVALUATION (ST&E),
CERTIFICATION SUBMITTED TO DAA, OR PROGRAM ON HOLD DUE TO FUNDING
FREEZE. THESE SITUATIONS MUST BE REPORTED AND MONITORED. SOME MARINE
CORPS SYSTEMS CURRENTLY IN THE DOD IT REGISTRY ARE NOT SLATED FOR
TRANSITION TO NMCI, OR ARE BEING PHASED OUT OF MARINE CORPS BUSINESS
PROCESSES. IDENTIFY THESE SYSTEMS SO C&A EFFORTS AND RESOURCES WILL
NOT BE WASTED.
B. MARCORSYSCOM WILL:
(1) RECEIVE AND PROCESS NEW OR UPDATED INFORMATION FROM PM'S. THIS
INCLUDES PROGRAMS NOT ORIGINATING FROM WITHIN MARCORSYSCOM (I.E.
TECOM, I&L, LOGCOM ALBANY).
(2) TRACK EXPIRATION DATES OF ATO OR IATO ISSUED FROM THEIR COMMAND
AS WELL AS THOSE SYSTEMS REGISTERED WITH MARCORSYSCOM.
(3) ACTIVELY MANAGE USMC IT REGISTRY RECORDS.
(4) REGULARLY REPORT TO HQMC C4 ON STATUS OF SYSTEMS ACCREDITATION.
C. HQMC C4 WILL:
(1) TRACK EXPIRATION DATES OF ATO OR IATO ISSUED FOR MARINE CORPS.
(2) AS THE DEPUTY DON CIO (MARINE CORPS), PERFORM OVERSIGHT FOR
MARINE CORPS REPORTING FOR FISMA. THIS INCLUDES ASSISTING
MARCORSYSCOM IN OBTAINING VALID INFORMATION FROM ALL PM'S.
(3) MAINTAIN CONSTANT LIAISON WITH DON CIO AND OSD TO ENSURE
REPORTING GUIDANCE IS UNDERSTOOD AND EXPEDITIOUSLY DISSEMINATED
THROUGHOUT THE REPORTING CHAIN.
5. CONTACT POCS FOR ADDITIONAL INFORMATION OR CLARIFICATION.//