R 181919Z OCT 21
MSGID/GENADMIN/CMC DCI IC4 WASHINGTON DC//
SUBJ/UPDATED POLICY GUIDANCE FOR COMMERCIAL SOLUTIONS FOR CLASSIFIED SYSTEMS//
REF/A/NIST 800-37/MAY 2004//
REF/B/DODI 8510.01/MAR 2014//
REF/C/CMC C4 CY/ECSM 012/1 MAY 2015//
REF/D/CMC C4 CY/ECSM 018/5 JUN 2020//
NARR/REF A IS THE GUIDE FOR THE SECURITY CERTIFICATION AND ACCREDITATION OF FEDERAL INFORMATION SYSTEMS. REF B IS THE DOD INSTRUCTION ON THE RISK MANAGEMENT FRAMEWORK. REF C IS THE MARINE CORPS CYBERSECURITY ARCHITECTURE MANUAL. REF D IS THE MARINE CORPS ASSESSMENT AND AUTHORIZATION PROCESS MANUAL. REF E IS THE POLICY GUIDANCE FOR THE PROCUREMENT OF COMMERCIAL SOLUTIONS FOR CLASSIFIED SYSTEMS. REF F IS TABLET PROCUREMENT, CONFIGURATION, SUSTAINMENT, AND ACCOUNTABILITY GUIDANCE.//
POC/DR. R. A. LETTEER/CIV/HQMC DC/I IC4 CY BRANCH/TEL: 703-693-3490/RAY.LETTEER@USMC.MIL//
POC/B. J. BIENZ/CIV/HQMC DC/I IC4 CY BRANCH/TEL: 709-439-7489/BONNIE.BIENZ@USMC.MIL//
POC/A. ROSENBLATT/MAJ/HQMC DC/I IC4 ICN BRANCH/TEL: 571-256-8828/AARON.ROSENBLATT@USMC.MIL//
POC/N. L. HOGUE/CAPT/HQMC DC/I IC4 ICN BRANCH/TEL: 571-256-8820/NATHAN.HOGUE@USMC.MIL//
GENTEXT/REMARKS/1. Commercial Solutions for Classified (CSfC) precisely layers and architects the latest commercial technologies to protect information up to the Top Secret level. The use of CSfC will become the service’s primary method to protect classified data exchanges.
2. Purpose and Intent. This message is intended to clarify the registration and accreditation process for CSfC capability packages (CP).
3. Situation. Deputy Commandant for Information (DC I) supports the Fleet Marine Forces (FMF) with innovative ideas to securely exchange data for the acceleration of command and control decision-making. However, compliance to regulations and refs (a) through (f) must be enforced for the security of information. This message identifies the steps to submit a CSfC package request and Marine Corps Authorization to Connect (ATC) to avoid impeding progress at the tactical and base levels.
4.a. This message supersedes the guidance in ref (e).
4.b. FMF and supporting establishment units who require a CSfC capability must work with their Information Systems Security Managers (ISSM) and submit all required forms (registration form, compliance checklist, network diagrams, and deviation form(s) (if required)) into the Marine Corps Certification and Accreditation Support Tool-Secret (MCCAST-S). Forms are located at https:(slash)(slash)www.nsa.gov/Resources/Commercial-Solutions-for-Classified-Program/Solution-Registration/.
4.c. ISSMs will check MCCAST-S for existing CPs to determine if the requesting unit’s requirement is unique or can be fulfilled with an existing accredited CP. ISSMs will forward packages to DC I Information, Command, Control, Communication, and Computers (IC4) Cybersecurity (CY) Branch via encrypted e-mail on NIPRNet for processing and validation.
4.d. If an accredited package exists that meets a unit’s requirement, IC4 will direct the requesting unit to adopt the design in the type accreditation package. The requesting unit will upload all CSfC documentation required by National Security Agency (NSA) CSfC Program Management Office (PMO) as an artifact. IC4 CY will ensure the artifacts are compliant with the design in the type authorized solution. If the design is compliant, an Authorization to Operate (ATO)/ATC will be provided.
4.e. If a CSfC solution does not have a pre-accredited solution, the ISSM will create a new Risk Management Framework (RMF) package in MCCAST. All steps must be filled out and the CSfC documentation required by NSA CSfC PMO must be uploaded as an artifact. The requesting unit will submit completed CSfC documents to IC4 CY via encrypted e-mail on NIPRNet for submission to NSA CSfC PMO.
4.f. If NSA CSfC standards are met, IC4 CY will submit the package with a recommendation for a one year ATO/ATC or a conditional ATO/ATC outlining the conditions and timelines that must be completed.
4.g. The Marine Corps Authorizing Official (AO) is the only authority who can approve the operation, connection, and deviation of CSfC capabilities. Upon compliance review, IC4 CY will submit the package to NSA’s CSfC PMO to obtain a Solution Registration Identification Number. After verifying compliance, NSA will provide a letter acknowledging the registration for a specific time period (typically for one year). IC4 CY will update the RMF package with the registration number and the signed ATO/ATC.
4.h. Trusted integrators are encouraged but are not required for CSfC implementation. Units that forgo a trusted integrator will be responsible for designing, building, testing and obtaining approval for their solution(s).
5. The following are approved CSfC packages within the Marine Corps:
5.a. The MAGTF Common Handheld provides a deployable SIPRNet mobile access capability. This equipment set can also provide a Campus Wireless LAN capability to support a wireless Command Operations Center.
5.b. 1st Marine Division has a Campus Wireless LAN capability that supports approximately 30 end users. This solution is used to decrease setup time for a combat operations center and extend critical survivable time within an adversary’s threat capabilities. This package is currently being tested to facilitate the employment of the Multi-Site Connectivity CP within the Marine Corps.
5.c. Marine Forces Central Command uses a Mobile Access and Campus Wireless CP that supports approximately 300 end users. This is a pathfinding project that is helping shape future Marine Corps CSfC initiatives in conjunction with virtual desktop infrastructure and multiple security enclave access through a single end-user device.
6. Registration Renewal Process
6.a. Using units are entirely responsible for ensuring Service ATO responsibilities are met and timelines are adhered to.
6.b. Failure to re-register will result in the expiration of the requesting unit’s solution registration from NSA. Re-registration packages should be submitted 3-6 months in advance due to backlogs at NSA CSfC PMO.
6.c. Requesting units must validate their solutions against the latest version of CPs from NSA CSfC PMO before expiration. Units must submit updated registration and compliance checklist forms to IC4 CY via encrypted e-mail. Upon approval, the AO will sign and forward to NSA CSfC PMO.
6.d. NSA CSfC PMO endorsement of the unit’s registration renewal will be uploaded as an artifact in MCCAST. Assuming no changes have been made to the CSfC baseline and all RMF steps are documented per ref (d), a new one year ATO will be issued.
7. Questions or assistance regarding procedural steps should be directed to the points of contact listed.
8. Release authorized by BGen Joseph A. Matos III, Director, IC4 Division.//