FISCAL YEAR 2005 FISMA GUIDANCE. 

R 151000Z JUL 05    
      FM CMC WASHINGTON DC(UC)    
      UNCLASSIFIED//    
      MARADMIN 313/05    
      MSGID/GENADMIN/CMC WASHINGTON DC C4//    
      SUBJ/FISCAL YEAR 2005 FISMA GUIDANCE.//    
      REF/A/DOC/CONGRESS/17DEC2002//    
      REF/B/DOC/DOD/30DEC1997//    
      NARR/REF A IS E-GOVERNMENT ACT OF 2002 WHICH DEFINES THE FEDERAL    
      INFORMATION SECURITY MANAGEMENT ACT (FISMA). REF B IS DODI 5200.40,    
      THE DOD IT SECURITY CERTIFICATION AND ACCREDITATION PROCESS    
      (DITSCAP).//    
      POC/LETTEER, R/CIV/HQMC C4 CPIA/-/TEL:DSN 223-3490    
      /EMAIL: LETTEERRA@HQMC.USMC.MIL//    
      POC/DAVIS, M/CIV/MCSC C4II IA/-/TEL: DSN 378-3824    
      /EMAIL: DAVISMF@MCSC.USMC.MIL//    
      POC/BAXTER, J.L./MAJOR/HQMC C4 CPIA/-/TEL:DSN 223-3491    
      /EMAIL: BAXTERJL@HQMC.USMC.MIL//    
      POC/LEVESQUE, N.L./CWO3/MCSC C4II IA/-/TEL: 378-3809    
      /EMAIL: NANCY.LEVESQUE@USMC.MIL//    
      GENTEXT/REMARKS/ 1. FISMA HAS PLACED A LEGAL REQUIREMENT ON FEDERAL    
      AGENCIES TO CERTIFY AND ACCREDIT THEIR INFORMATION TECHNOLOGY (IT)    
      SYSTEMS. IN ADDITION TO REPORTING TO CONGRESS, FISMA DIRECTS THE    
      COMPONENT INSPECTOR GENERAL (IG) TO VERIFY AND VALIDATE    
      CERTIFICATION AND ACCREDITATION (C&A) STATUS, CONTINGENCY PLANS,    
      TRAINING, AND TESTING. DOD IMPLEMENTS THIS FEDERAL MANDATE IAW REF    
      B. THE OFFICE OF THE SECRETARY OF DEFENSE (OSD) HAS MANDATED THE DOD    
      IT REGISTRY AS THE AVENUE USED TO TRACK AND PROVIDE FISMA    
      INFORMATION TO THE OFFICE OF MANAGEMENT AND BUDGET (OMB) AND    
      CONGRESS. THE DON IT REGISTRY IS THAT AVENUE BY WHICH MARINE CORPS    
      SYSTEM UPDATES ARE PROVIDED TO THE DOD IT REGISTRY. THIS MUST BE    
      ACCOMPLISHED ANNUALLY NLT 31 AUG.    
 
      2. ALL MARINE CORPS SYSTEMS MUST COMPLY WITH FISMA AND HAVE A    
      CURRENT ACCREDITATION DECISION, EITHER AN APPROVAL TO OPERATE (ATO)    
      OR AN INTERIM APPROVAL TO OPERATE (IATO) BEFORE THEIR SYSTEM CAN BE    
      USED.  THE MARINE CORPS MUST MEET DOD MANDATED QUARTERLY REPORTING    
      REQUIREMENTS ON THE STATUS OF MISSION
      CRITICAL/MISSION ESSENTIAL (MC/ME) IT SYSTEMS AND MUST START    
      REPORTING ON MISSION SUPPORT (MS) SYSTEMS. EVENTUALLY SYSTEM    
      SECURITY STATUS ON ALL MARINE CORPS SYSTEMS MUST BE REPORTED IAW    
      FISMA.    
 
      3. ALL MC/ME/MS SYSTEMS MUST BE REGISTERED IN THE IT REGISTRY AT THE    
      INCEPTION OF PHASE I (DEFINITION) OF THE DITSCAP (REF A). AN    
      ACCREDITATION DECISION IS REQUIRED AT LEAST AT THE END OF PHASE II    
      (VERIFICATION) AND MUST BE REPORTED TO THE DOD IT REGISTRY. FAILURE    
      TO REPORT INITIAL OR UPDATED INFORMATION WILL HAVE A SIGNIFICANT    
      NEGATIVE IMPACT ON THE MARINE CORPS AND COULD RESULT IN SYSTEMS    
      BEING DISCONNECTED FROM THE MCEN AND PROGRAM FUNDING BEING WITHHELD.    
      WITHHOLDING OF FUNDS IS MANDATED BY LAW AND WILL BE EXECUTED BY THE    
      OMB. BECAUSE OF THE SLOW RESPONSE ACROSS THE DEPARTMENT OF NAVY    
      (DON), THE DON CIO HAS STATED IN NUMEROUS MEETINGS WITH HQMC C4 CPIA    
      THAT SECNAV WILL NOT WAIT FOR OMB AND WILL REMOVE PROGRAM FUNDING    
      FROM NONCOMPLIANT SYSTEMS.    
 
      4.  ACTION.    
      A. PROGRAM MANAGERS WILL:    
      (1) IMMEDIATELY PROVIDE THE NECESSARY INFORMATION TO MARCORSYSCOM    
      INFORMATION ASSURANCE (IA) FOR ENTRY INTO THE DON IT REGISTRY. THE    
      MARCORSYSCOM IA TEAM WILL PROVIDE SPECIFIC REQUIREMENTS AND GUIDANCE.
      (2) ENSURE SYSTEM DATA IS ACCURATE AND COMPLETE BY CONTACTING THE    
      MARCORSYSCOM IA TEAM. BE PREPARED TO PROVIDE PROOF OF C&A ATO STATUS    
      VIA A SYSTEM SECURITY AUTHORIZATION AGREEMENT (SSAA) OR APPLICATION     
      SECURITY PLAN (ASP). OTHERWISE, HAVE AN UPDATED POA&M FOR MITIGATION     
      OF DEFICIENCIES IF AN IATO APPLIES.     
      (3) PROVIDE COMPLETE COMMENTS ON MITIGATING SITUATIONS TO MARCORSYSCOM     
      IA FOR INCLUSION IN THE REGISTRY REPORT FOR SYSTEMS IN PHASE III    
      (VALIDATION) THAT HAVE NOT YET ACHIEVED ATO. ACCEPTABLE COMMENTS    
      INCLUDE: PERFORMING SECURITY TEST AND EVALUATION (ST&E),
      CERTIFICATION SUBMITTED TO DAA, OR PROGRAM ON HOLD DUE TO FUNDING    
      FREEZE. THESE SITUATIONS MUST BE REPORTED AND MONITORED. SOME MARINE     
      CORPS SYSTEMS CURRENTLY IN THE DOD IT REGISTRY ARE NOT SLATED FOR    
      TRANSITION TO NMCI, OR ARE BEING PHASED OUT OF MARINE CORPS BUSINESS    
      PROCESSES. IDENTIFY THESE SYSTEMS SO C&A EFFORTS AND RESOURCES WILL    
      NOT BE WASTED.     
      B. MARCORSYSCOM WILL:    
      (1) RECEIVE AND PROCESS NEW OR UPDATED INFORMATION FROM PM'S. THIS    
      INCLUDES PROGRAMS NOT ORIGINATING FROM WITHIN MARCORSYSCOM (I.E.     
      TECOM, I&L, LOGCOM ALBANY).     
      (2) TRACK EXPIRATION DATES OF ATO OR IATO ISSUED FROM THEIR COMMAND    
      AS WELL AS THOSE SYSTEMS REGISTERED WITH MARCORSYSCOM.    
      (3) ACTIVELY MANAGE USMC IT REGISTRY RECORDS.    
      (4) REGULARLY REPORT TO HQMC C4 ON STATUS OF SYSTEMS ACCREDITATION.      
      C. HQMC C4 WILL:    
      (1) TRACK EXPIRATION DATES OF ATO OR IATO ISSUED FOR MARINE CORPS.     
      (2) AS THE DEPUTY DON CIO (MARINE CORPS), PERFORM OVERSIGHT FOR    
      MARINE CORPS REPORTING FOR FISMA. THIS INCLUDES ASSISTING    
      MARCORSYSCOM IN OBTAINING VALID INFORMATION FROM ALL PM'S.    
      (3) MAINTAIN CONSTANT LIAISON WITH DON CIO AND OSD TO ENSURE    
      REPORTING GUIDANCE IS UNDERSTOOD AND EXPEDITIOUSLY DISSEMINATED    
      THROUGHOUT THE REPORTING CHAIN.    
 
      5. CONTACT POCS FOR ADDITIONAL INFORMATION OR CLARIFICATION.//