INFORMATION SYSTEM CERTIFICATION AND ACCREDITATION (C&A) COMPLIANCE

UNCLASSIFIED//

ATTENTION INVITED TO  

ROUTINE

R 132022Z OCT 11 PSN 413001K09

FM CNO WASHINGTON DC

TO NAVADMIN
ZEN//OU=DOD/OU=NAVY/OU=ADDRESS LISTS(UC)/CN=AL NAVADMIN(UC)

INFO ZEN/CNO WASHINGTON DC

BT
UNCLAS
***THIS IS A 2 SECTION MESSAGE COLLATED BY OIX GATEWAY NORFOLK VA*** QQQQ

SUBJ: INFORMATION SYSTEM CERTIFICATION AND ACCREDITATION (C&A) COMPLIANCE 
UNCLASSIFIED// 

FM CNO WASHINGTON DC//N2N6// 

TO NAVADMIN UNCLAS// 

NAVADMIN 307/11

MSGID/GENADMIN/CNO WASHINGTON DC/SEP 11//

SUBJ/INFORMATION SYSTEM CERTIFICATION AND ACCREDITATION (C&A) COMPLIANCE//



REF/A/DOC/DODI 8510.01/20071128//

REF/B/DOC/OPNAV 5239.1C/20080820//

REF/C/DOC/NAVADMIN 099/11/R221430Z MAR 11

NARR/REF A IS DEPARTMENT OF DEFENSE (DOD) INSTRUCTION 8510.01, DOD INFORMATION 
ASSURANCE CERTIFICATION AND ACCREDITATION PROCESS (DIACAP). REF B IS OPNAVINST 
5239.1C, NAVY INFORMATION ASSURANCE
(IA) PROGRAM. REF C IS NAVADMIN 099/11, CERTIFICATION AND ACCREDITATION (C&A) 
COMPLIANCE.
POC/CDR JULIE ROSATI/OPNAV N2N6FBC4B/LOC: WASHINGTON, DC/EMAIL:
JULIANA.ROSATI(AT)NAVY.MIL/TEL: 571-256-8523// POC/KATE 
MATHERS/CIV/FLTCYBERCOM OPERATIONAL DESIGNATED ACCREDITING AUTHORITY 
(ODAA)/LOC:NORFOLK, VA/EMAIL:
KATHERINE.MATHERS(AT)NAVY.MIL/TEL: 757-417-7903 EXT4/ POC/NATALIE 
TAYLOR/CIV/FLTCYBERCOM ODAA/LOC: NORFOLK, VA/
TEL: 757-417-7927 EXT 1/EMAIL: NATALIE.TAYLOR(AT)NAVY.MIL// POC/ODAA 
OFFICE/FLTCYBERCOM/TEL: 757-417-6719 EXT 0/
EMAIL: FCC(UNDERSCORE)ODAA(AT)NAVY.MIL//

RMKS/1. EFFECTIVE IMMEDIATELY, OPNAV WILL IMPLEMENT PROVISIONS OF REF A, WHICH 
REQUIRE DOD COMPONENT CHIEF INFORMATION OFFICER (CIO) APPROVAL FOR SYSTEM 
ACCREDITATIONS WITH CATEGORY I (CAT I) FINDINGS OR SYSTEMS THAT HAVE BEEN ON 
AN INTERIM AUTHORITY TO OPERATE (IATO) FOR LONGER THAN 360 DAYS.  DEPUTY 
DEPARTMENT OF THE NAVY (DON) CIO NAVY (DDCIO(N)) SERVES AS THE DOD COMPONENT 
CIO FOR APPROVAL PURPOSES. EII CIOS MAY REQUEST APPROVAL BY ENTERING THE 
SYSTEM ESCALATION PROCESS, DESCRIBED IN PARAS 2-4 BELOW. PREVIOUSLY THESE 
PROVISIONS WERE ENFORCED ONLY FOR ACCREDITATIONS ASSOCIATED WITH A DEFENSE 
INFORMATION SYSTEMS AGENCY (DISA) COMMAND COMMUNICATIONS SERVICE DESIGNATOR 
(CCSD).  DDCIO(N), IN COLLABORATION WITH U.S.
FLEET CYBER COMMAND/U.S. TENTH FLEET (FCC/C10F), WILL ENFORCE POLICY 
COMPLIANCE FOR ALL ACCREDITATIONS TO REDUCE OVERALL RISK TO THE GLOBAL 
INFORMATION GRID (GIG) WHILE ENSURING LIMITED IMPACT TO OPERATIONAL READINESS.

2. PER REFERENCES A THROUGH C, ALL NAVY OPERATIONAL SYSTEMS AND NETWORKS MUST 
BE CERTIFIED AND ACCREDITED UNLESS EXEMPTED FROM CERTIFICATION AND 
ACCREDITATION (C&A) BY DOD OR DON POLICY. ALL C&A PACKAGES FOR SYSTEMS AND 
NETWORKS MUST BE IN COMPLIANCE WITH REFERENCE A. TO ALLOW SUFFICIENT TIME FOR 
REVIEW AND ESCALATION OF DIACAP PACKAGES, COMMANDS WITH EXPIRING 
ACCREDITATIONS MUST ENTER THE C&A PROCESS BY UPLOADING A DIACAP PACKAGE TO 
INFORMATION ASSURANCE TRACKING SYSTEM (IATS) AND NOTIFY THE ASSIGNED SECOND 
ECHELON (EII) COMMAND FOR COLLABORATION SCHEDULING WITH C&A STAKEHOLDERS AT 
LEAST 90 DAYS PRIOR TO EXPIRATION, OR SOONER IN ACCORDANCE WITH EII 
GUIDELINES.

3. IN CASES WHEN MITIGATION AND/OR CLOSURE OF CAT I FINDINGS IS NOT POSSIBLE 
OR THE SYSTEM OWNER REQUIRES ADDITIONAL TIME TO ANALYZE AND IDENTIFY 
SOLUTIONS, THE OWNING EII COMMAND INFORMATION OFFICER
(CIO) MAY REQUEST APPROVAL TO CONTINUE SYSTEM OPERATION FROM DDCIO(N). SUBMIT 
THE REQUEST TO ODAA AT LEAST 75 DAYS PRIOR TO THE BEGINNING OF THE MONTH OF 
EXPIRATION TO CONTINUE OPERATING WITH CAT I FINDINGS AND/OR FOR LONGER THAN 
360 CONSECUTIVE DAYS ON AN IATO. THE FOLLOWING IS THE APPROVAL ESCALATION 
PROCESS AND TIMELINE:
A. NAVY'S OPERATIONAL DESIGNATED ACCREDITING AUTHORITY (ODAA) WILL RELEASE 
MONTHLY NAVAL MESSAGES PUBLISHING KNOWN EXPIRATIONS OF SYSTEM ACCREDITATIONS 
DUE TO EXPIRE WITHIN 90 DAYS FOR SYSTEMS THAT HAVE CAT I FINDINGS AND/OR HAVE 
BEEN ON IATO FOR LONGER THAN 360 DAYS.
THIS MESSAGE WILL BE RELEASED, AS A COURTESY, IN CONJUNCTION WITH THE CURRENT 
CIRCUIT EXPIRATION ALCOM. THIS MAY NOT BE A COMPREHENSIVE LIST IF THE SYSTEM 
OWNER/EII HAS NOT ENGAGED THE ODAA ON SPECIFIC SYSTEMS. IT IS INCUMBENT UPON 
THE SYSTEM OWNER/EII TO ENGAGE IN THE C&A PROCESS IN ADVANCE OF EXPIRATION 
DATES.
B. UPON RECEIVING NOTIFICATION, THE EII CIO WILL DETERMINE WHETHER AN APPROVAL 
REQUEST IS REQUIRED.  IF REQUIRED, THE EII CIO WILL ENTER THE ESCALATION 
PROCESS BY SUBMITTING AN INFORMATION SYSTEM RISK EVALUATION REACCREDITATION 
REQUEST FORM (AVAILABLE FROM ODAA) WHICH SUMMARIZES THE FINDINGS, POTENTIAL 
MITIGATION/REMEDIATION ACTIONS, AND TIMELINES FOR RESOLUTION. AN OPERATIONAL 
IMPACT STATEMENT IS ALSO REQUIRED, TO INFORM DDCIO(N) OF POTENTIAL IMPACT IN 
THE EVENT THE APPROVAL REQUEST IS DENIED AND THE SYSTEMS IS RELEGATED TO A 
NON-OPERATIONAL STATUS. EII CIOS MUST SUBMIT THE FORM TO THE ODAA AT LEAST 75 
DAYS PRIOR TO THE BEGINNING OF THE MONTH OF EXPIRATION. THE FORM MUST BE 
ENDORSED BY THE FIRST FLAG OFFICER OR SENIOR EXECUTIVE SERVICE (SES) IN THE 
EII CIO CHAIN OF COMMAND. IF ODAA REQUIRES ADDITIONAL INFORMATION TO ANALYZE 
AND MAKE A RECOMMENDATION, THE ODAA WILL COORDINATE WITH THE EII AND/OR 
PROGRAM MANAGER.
C. ADDITIONALLY, THE EII CIO WILL SCHEDULE AND CONDUCT A C&A COLLABORATION 
MEETING WITH THE ODAA FOR SYSTEMS POTENTIALLY MEETING ESCALATION CRITERIA NO 
LATER THAN 75 DAYS PRIOR TO BEGINNING OF MONTH OF EXPIRATION. REQUIREMENT TO 
ESCALATE A SYSTEM WILL NOT BE FINALIZED UNTIL THE NAVY CERTIFICATION AUTHORITY 
(CA) RELEASES A CERTIFICATION DETERMINATION (CD) TO FORMALLY DOCUMENT THE 
SYSTEM RISK AND FINDINGS.
ALL SYSTEMS WITH POTENTIAL CAT I FINDINGS AND/OR IATO OVER 360 SHOULD ENTER 
INTO THE ESCALATION PROCESS IN ORDER TO SEEK ACCREDITATION.
D. ODAA, UNDER HIS AUTHORITY AS SPECIAL ASSISTANT TO FCC/C10F, WILL 
CONSOLIDATE ENDORSEMENTS FROM UNITED STATES FLEET FORCES (USFF); COMMANDER, 
PACIFIC FLEET (CPF) VIA NAVY CYBER FORCES COMMAND (NCF) AND FCC/C10F. ODAA 
WILL SUBMIT THE ENTIRE ESCALATION PACKAGE, INCLUDING ITS RECOMMENDATION, FOR 
ALL AFFECTED SYSTEMS TO DDCIO(N) NO LATER THAN 45 DAYS PRIOR TO THE BEGINNING 
OF MONTH OF EXPIRATION.
QQQQ
E. FOR THE PURPOSE OF HEARING JUSTIFICATION BEHIND ESCALATION  APPROVAL 
REQUESTS DDCIO(N) WILL CONDUCT A SINGLE MONTHLY TELECONFERENCE  WHEREIN THE 
REQUESTING EII CIO(S) SHALL BRIEF THE DDCIO(N). DDCIO(N) WILL  MAKE A DECISION 
ON WHETHER TO GRANT THE IATO AND THEN NOTIFY THE  RESPECTIVE EII CIO, ODAA, 
AND DON CIO OF THE DETERMINATION. ONLY THE EII CIO OR DESIGNATED O6/GS-15 
REPRESENTATIVE MAY PRESENT THIS BRIEF.
F. IN THE EVENT OF A SECOND REQUEST FOR THE SAME SYSTEM, OR IF THE  EII CIO 
DESIRES TO APPEAL THE DDCIO(N)'S DECISION, THE REQUEST PACKAGE WILL BE 
ELEVATED TO DON CIO FOR FINAL ACCREDITATION DECISION.

4. ACTION. AFFECTED EII CIOS WILL ENSURE COMPLIANCE WITH ALL APPLICABLE 
REQUIREMENTS IDENTIFIED IN THIS NAVADMIN.  THE  IMPLICATIONS TO THEIR 
OPERATIONS MAY BE SIGNIFICANT IN THE EVENT DDCIO(N) DISAPPROVES A REQUEST FOR 
IATO EXTENSION OR CONTINUED OPERATION OF A SYSTEM WITH CAT I FINDINGS. DENIALS 
OF REQUESTS OR FAILURE TO COMPLY WITH REQUIREMENTS SPECIFIED IN THIS MESSAGE 
WILL RESULT IN A DENIAL  OF AUTHORITY TO OPERATE (DATO).  EXPECT ENHANCED 
SCRUTINY OF FUTURE REQUESTS AS NAVY STRIVES TO ELIMINATE THE CURRENT FREQUENCY 
AND  VOLUME OF EMERGENT REQUESTS.

5. MY POINT OF CONTACT, AND DDCIO(N) REPRESENTATIVE, IS MS. JANICE HAITH, AT 
COMMERCIAL (571) 256-8523, EMAIL: JANICE.HAITH(AT)NAVY.MIL.

6. REQUEST WIDEST DISSEMINATION OF THIS MESSAGE.

7. RELEASED BY VADM KENDALL L. CARD, DCNO FOR INFORMATION DOMINANCE, N2N6.//

BT
#1116
NNNN

%d bloggers like this: