R 311510Z MAY 23
MSGID/MARADMIN/CMC DCI WASHINGTON DC//
SUBJ/USMC INFORMATION TECHNOLOGY REGISTRATION//
REF/B/DOC/SECNAVINST 5230.14/9 NOV 2009//
REF/C/DOC/MCO 5230.21/3 OCT 2012//
REF/D/DOC/IRM 2300-19/24 APR 2023//
REF/E/DOC/DODI 8510.01/19 JUL 2022//
REF/F/DOC/DODD 5000.01/28 JUL 2022//
NARR/REF A IS DEPARTMENT OF THE NAVY (DON) INFORMATION TECHNOLOGY PORTFOLIO MANAGEMENT IMPLEMENTATION. REF B IS USMC INFORMATION TECHNOLOGY PORTFOLIO MANAGEMENT POLICY. REF C IS MARINE CORPS IT REGISTRATION GUIDANCE. REF D IS THE RISK MANAGEMENT FRAMEWORK FOR DEPARTMENT OF DEFENSE (DOD) SYSTEMS. REF E IS THE DEFENSE ACQUISITION SYSTEM.//
POC/D.M. BARTOS/LTCOL/DCI IC4 ICC/TEL: 571-256-9098//
GENTEXT/REMAKS/1. Purpose. The purpose of this MARADMIN is to promulgate additional implementation guidance concerning registration of Information Technology (IT) systems and applications contained in refs A through C.
2. Background. The proliferation of open source or low-code/no-code development software- and platform-as-a-service solutions have made development of IT systems and applications more attainable by common system users than ever before. This access has made it possible to spur innovative and productivity solutions across the Marine Corps. However, registration of IT systems and applications is still required, to ensure proper oversight of IT cybersecurity, operational continuity, and investments.
3.a. All IT systems or applications, to include but not limited to open source or low-code/no-code software, must be categorized as mission-critical, mission-essential, or mission-support. All IT systems and applications that require accreditation through the risk management framework process as described in ref E, or that are categorized as mission-critical or mission-essential are required to be registered within the Department of Defense IT Portfolio Repository – Department of the Navy (DITPR-DON) registry, as appropriate, in accordance with refs A through D.
3.b. For IT systems with Program Managers (PMs), PMs will work with the applicable Functional Area Manager (FAM)-designated IT PfM to register and properly categorize respective systems within DITPR-DON. If a program manager has been assigned to applications, the program manager will work with the IT PfM.
3.c. For IT applications or systems without PMs, individual system owners and or their command G-6 (or equivalent) point of contact will work with the FAM-designated IT PfM to categorize and register respective IT solutions in DADMS or DITPR-DON as appropriate.
3.d. For common-user-developed software on Marine Corps Enterprise Network-approved platforms, to include but not limited to open source or low-code/no-code software, individuals and or their command G-6 (or equivalent) POC will work with the FAM designated IT PfM to determine registration requirements in accordance with refs A through C, and subsequently register the solution in DITPR-DON or DADMS as applicable.
3.e. PMs or system owners who do not properly register systems and applications risk unplanned or unannounced deprecation, disruption, or interruption of their respective systems or applications.
4. Definitions are as follows:
4.a. IT System: Per ref C, any solution that requires a combination of two or more interacting, interdependent, and or interoperable hardware, software, and/or firmware to satisfy a requirement or capability.
4.b. IT Application: Per ref C, any software that uses an existing operating system program to provide the user with a specific capability or function that is independent of other “applications.” If it is dependent on other applications, it becomes a system.
4.c. Low-code/No-code Software: IT solutions that can be created with commonly accessible licenses and services utilizing simplistic user interfaces (e.g., graphical user interfaces) on backend Platform or Software as a Service capabilities, which do not require advanced software development capabilities. Examples include, but are not limited to, desktop or cloud-based versions of Power BI, Power Applications, Power Automate, etc.
4.d. Platform as a Service (PaaS): The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.
4.e. Software as a Service (SaaS): The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
4.f. Mission Critical: Per ref F, an IT solution that meets the definitions of “information system” and “National Security System” in the Clinger-Cohen Act, the loss of which would cause the stoppage of warfighter operations or direct mission support of warfighter operations.
4.g. Mission Essential:
4.g.1. Per ref F, an IT solution that the acquiring component head or designee determines is basic and necessary for the accomplishment of the organizational mission.
4.g.2.a. Responsibility for determination of mission essentiality belongs to the Functional Area Manager (FAM) or IT Portfolio Manager (PfM) (e.g., FAM Lead). Individual IT solutions will not be categorized concurrently as mission critical, mission essential, or mission support. While no explicit criteria exist to categorize IT solutions as mission essential, the characteristics listed in subparagraphs 4.g.2.a. through 4.g.2.c. are provided as a guide to determine mission essentiality of an IT system or application regardless of funding source. IT system/application user volume does not necessarily determine mission essentiality.
4.g.2.b. Is mandated for use by Federal, DOD, DON, or USMC policy or directive.
4.g.2.c. Serves as an authoritative data source or produces an authoritative data set.
4.g.2.d. Triggers immediate reporting of a friendly force information requirement at the General Officer, Flag Officer, or Senior Executive Service level in the event of an unplanned outage, disruption, or interruption during intended use.
4.h. Mission Support: systems not categorized as mission critical nor mission essential.
5. Contact the POCs concerning the current listing of FAM or IT Portfolio Management Leads.
6. This MARADMIN is applicable to the total force.
7. Release authorized by LtGen M. G. Glavy, Deputy Commandant for Information.//