R 031735Z MAY 22
MSGID/GENADMIN/CMC DCI IC4 WASHINGTON DC//
SUBJ/REVISED GUIDANCE FOR MANAGEMENT OF SYSTEM AUTHORIZATION ACCESS REQUEST (SAAR)//
Ref/(a)/MSG/MARADMIN 068-10/R 032057Z Feb 10//
Ref/(b)/DOC/ECSM 007/ 5 NOV 15//
Ref/(c)/MSG/MARADMIN 442-21/R 231927Z Aug 21//
Ref/(d)/DOC/MCO 5239.01B/2 Nov 15//
NARR/ Ref (A) IS MARADMIN 068-10: Mandatory Requirement To Use DD2875 System Authorization Access Request (SAAR) Form dated Aug 2009 With User Agreement And DD2875 Addendum. REF (B) IS ECSM 007 Resource Access Guide, dated Nov 2015. Ref (c) is Marine Corps Order 5239.02B, Marine Corps Cybersecurity, dated 5 Nov 2015. Ref (d) is MARADMIN 422-21: Annual Cyber Awareness Training And Cyber Awareness Challenge Training Compliance Reporting.//
POC/R. LETTEER/CIV/DC I IC4 DIV/TEL: 703-693-3490/EMAIL: RAY.LETTEER@USMC.MIL//
POC/C. HESEMANN/CIV/DC I IC4 DIV/TEL: 703-693-3490/EMAIL: CHRISTINE.HESEMANN@USMC.MIL//
GENTEXT/REMARKS/1. This MARADMIN cancels and replaces Ref (A) and updates policy for SAARs in Ref (B). This guidance and related policies apply across the Service and are not subject to change or modification by commands.
2. BACKGROUND. When and how individuals submit SAARs within the Marine Corps is inconsistent and often leads to people submitting multiple SAARs unnecessarily. Existing policies, if implemented uniformly, can mitigate those problems and save individuals and commands significant duplicative effort. The goal of this message is to clarify a uniform set of rules to reduce the number of times a user completes a SAAR and a standardized review cycle for SAARs. The intent is to eliminate unnecessary submission of multiple SAARs for access to Marine Corps systems when going TAD, PCS, on exercise, or deploying within the three-year life of the SAAR.
3. POLICY. Per Ref (C), only one SAAR is required per user persona for NIPR, SIPR, and/or Joint Worldwide Intelligence Communications System (JWICS) access. The SAAR is good for 3 years from the date in the Date Processed block of Section IV or until the date in block 16a, whichever comes first, unless deactivated sooner.
4.A. SAARs shall be validated by the Information System Security Manager (ISSM) or ISSM designee using confirmation email to the Information System Coordinator (ISC) for continued user access need and training compliance 547 days from the date in the Date Processed block of Section IV. ISSM or designee user need validation review shall be documented in the Date Revalidated block of Section IV.
4.B. SAARs shall be resubmitted every three years from the date in the Date Processed block of Section IV or date of block 16.a., whichever comes first. Users shall submit the renewal SAAR 30 days prior to the applicable expiration date of the preceding SAAR.
4.C. SAARS shall be entered and retained on file in the REMEDY “people record” by the unit’s ISC until the account is deactivated. This includes the initial SAAR activating an account and any subsequent SAARs submitted (e.g., modification or deactivation requests).
4.D. Commands will incorporate their ISC in the check-out process to ensure timely actions are taken to deactivate accounts upon loss of affiliation with the Marine Corps (e.g. EAS, retirement, end of contract, end of employment).
4.E. Signature requirements for initial SAARs.
4.E.1. For individuals with DoD-approved digital signature certificates, the initial SAAR must be digitally signed by the account requestor, the supervisor level person (supervisor or ISO or ISC or ISSM), the security manager, and the validating official (system administrator) before the account is provisioned and enabled. The supervisor level signature CANNOT be the same as the account requestor.
4.E.2. For individuals without DoD approved digital signature certificates, the user shall submit the initial SAAR with a wet signature. Like SAARs for users with those certificates, the supervisor level person, security manager, and validating official (system administrator) shall digitally sign the SAAR before the account is provisioned. The supervisor level signature CANNOT be the same as the account requestor.
4.F. SAARs submitted with signatures older than 90 days in Section I will be not be accepted for initial account. Once initial provisioning is complete, original signatures on the document will stand for the period prior to the applicable expiration.
4.G. Modifications to move accounts in within the MCEN and reactivate disabled accounts due to inactivity do not require a new SAAR. ISCs will request account movement or reactivation via Remedy trouble ticket after reviewing the current SAAR and proof of mandatory training, per Ref (D), prior to action completion.
4.H. A new SAAR shall be submitted upon change personnel category status (e.g. MIL to CTR, CTR to CIV, MIL to CIV) and prior SAAR will be updated by the ISC to request account deactivation to retain separation of personas (e.g. CIV, MIL, CTR, VOL).
4.I. SAARs submitted for de-provisioning will have the digital signature of either the supervisor, ISC, or ISSM plus validating official.
4.J. SAARs must be deleted/destroyed when no longer needed for administrative, legal, audit or other operational per Records Management policy. Under no circumstance shall the SAAR be deleted/destroyed prior to the associated account(s) is/are deactivated.
4.K. The Marine Corps currently authorized SAAR form is located at the following uniform resource locator (URL): https:(slash)(slash)usmc.sharepoint-mil.us/sites/DCI_IC4_CY/Public/Forms/AllItems.aspx?id=%2Fsites%2FDCI%5FIC4%5FCY%2FPublic%2FUSMC%20SAAR%20Forms&viewid=d372894c%2De2a9%2D4e81%2D94d3%2D4fe040efe40b.
5. Released authorized by BGen J. A. Matos, Director, Information C4 Division, Deputy Commandant for Information.//