UPDATED POLICY ON DENIAL OF AUTHORIZATION TO OPERATE (DATO) OF SYSTEMS
Date Signed: 6/19/2017 | MARADMINS Number: 313/17
MARADMINS : 313/17
R 161515Z JUN 17
MARADMIN 313/17
SUBJ/UPDATED POLICY ON DENIAL OF AUTHORIZATION TO OPERATE (DATO) OF SYSTEMS//
REF/A/DOC/DOD/DODI 8510.01/20160524//
AMPN/REF A IS THE RISK MANAGEMENT FRAMEWORK (RMF) FOR DOD INFORMATION TECHNOLOGY (IT).//
POC/DR. R. A. LETTEER/GS-15/HQMC C4 CY/TEL: 703-693-3490/EMAIL: RAY.LETTEER@USMC.MIL//
POC/D. A. FICKEL/MGYSGT/HQMC C4 WF/TEL: 703-693-3490/EMAIL: DARYCK.FICKEL@USMC.MIL//
POC/E. RADA/GYSGT/MARFORCYBER/TEL: 443-654-6363/EMAIL: ERADA@NSA.GOV//
GENTEXT/REMARKS/1.  Purpose.  This is a joint Marine Corps Forces Cyberspace Command (MARFORCYBER) and Headquarters United States Marine Corps Command, Control, Communications, and Computers (C4) MARADMIN.  The purpose of this MARADMIN is threefold: 1) Update policy on the authorization to operate (ATO) of systems.  2) Change issued date of the DATO to 90 days prior to the expiration of the ATO.  3) Add an effective date to the DATO, this date will reflect the expiration of the ATO plus one day.  This will give Program Managers (PM), System Managers (SM), and Information System Security Managers (ISSM) advanced warning that their system will be removed from the network as soon as the ATO terminates.  Additionally, issuance of the DATO at 90 days allows commanders time to analyze operational impact and request timelines for completion of requirements.
2.  Background.  Per ref (a), the policy has always been to issue the DATO after the ATO has expired.  This process delayed the disconnection of a vulnerable system and increased risk to the Marine Corps Enterprise Network (MCEN).
3.  Execution
3a.  Systems within 180 days of the system authorization expiration date will be reported in the Federal Information Security Modernization Act (FISMA) message and monitored by MARFORCYBER and HQMC (C4).
3b.  Systems that have not completed and documented required actions by 90 days prior to the scheduled expiration date of the ATO will be issued a DATO.
3c.  Failure to gain reauthorization by the end of the 90 day period will result in MARFORCYBER issuing a notice of intent to disconnect (NOID) on the effective date of the DATO.  This will affect the capability to access the system through isolation and disconnection.
4.  Release authorized by MajGen L. E. Reynolds, Commander, Marine Corps Forces Cyberspace Command and BGen D. A. Crall, Director, Command, Control, Communications, and Computers (C4) Department/Deputy Department of the Navy Chief Information Officer (Marine Corps).//