Marines

HomeNewsMessagesMessages Display

UPDATE TO MARADMIN 090/25 - UPDATED GUIDANCE FOR DEFENSE  AGENCIES INITIATIVE ACCOUNT SEGREGATION OF DUTIES
Date Signed: 3/18/2025 | MARADMINS Number: 136/25
PRINT
MARADMINS : 136/25

R 181339Z MAR 25
MARADMIN 136/25
MSGID/GENADMIN/CMC WASHINGTON DC PR & DC IL// 
SUBJ/UPDATE TO MARADMIN 090/25 - UPDATED GUIDANCE FOR DEFENSE 
AGENCIES INITIATIVE ACCOUNT SEGREGATION OF DUTIES//
REF/A/MARADMIN 577/23//
REF/B/DON ENTERPRISE IT CONTROL STANDARDS VERSION 6.0//
REF/C/INTERIM GUIDANCE FOR THE PERFORMANCE OF  DEFENSE AGENCIES
INITIATIVE (DAI) COMPLEMENTARY USER ENTITY CONTROLS (CUEC)
REF/D/MARADMIN 090/25//
DATED FEB 2023//
NARR/REF A IS THE INITIAL GUIDANCE FOR DEFENSE AGENCIES INITIATIVE
(DAI) ACCOUNT SEGREGATION OF DUTIES (SOD) DATED NOV 2023.
REB B IDENTIFIES THE INFORMATION TECHNOLOGY INTERNAL CONTROLS THE
MARINE CORPS MUST IMPLEMENT.  REF C PROVIDES INTERIM GUIDANCE AND
DEFINES DAI CUECS.//
POC/J. A. GARZA/COL/UNIT: DC PR WASHINGTON DC/TEL: 703-614-2240/
E-MAIL: JEFFREY.GARZA@USMC.MIL//
POC/F. L. MCCLINTICK/COL/UNIT: DC IL WASHINGTON DC/TEL: 571-256-2741/
E-MAIL: FRANK.MCCLINTICK@USMC.MIL//
POC/S. L. NICHOLSON/CIV/UNIT: DC PR SDI WASHINGTON DC/ TEL: 
703-784-6957/ E-MAIL: SHAJUANA.NICHOLSON@USMC.MIL//
POC/S. WARREN/CIV/UNIT: DC I&L WASHINGTON DC/ TEL: 571-256-7183/
E-MAIL: SHEILA.WARREN@USMC.MIL//
POC/R. L. BURNAND/CIV/UNIT: DC PR UMX INDIANAPOLIS 
IN/TEL: 317-200-3534/ E-MAIL: ROBERT.L.BURNAND@USMC.MIL//
POC/J. LYNARD-KONGKIAT/CIV/UNIT: DC PR SDI WASHINGTON
DC/TEL: 843-991-4012/E-MAIL: JESSICA.KONGKIAT.CIV@USMC.MIL//
POC/C. A. DABRIO/CIV/UNIT: DC PR SDI WASHINGTON DC/TEL: 571-733-7737/
E-MAIL: CHERYL.A.DABRIO@USMC.MIL//
GENTEXT/REMARKS/1.  This message updates reference (a) and is a
collaborative effort between Deputy Commandants (DC) for Programs
& Resources (P&R) and Installations & Logistics (I&L) with the
purpose of enhancing the implementation of DAI CUEC 9, hereby
referred to as SOD controls.  To manage risk effectively, comply with
control standards, and achieve its financial statement audit goals,
the Marine Corps must ensure that users with DAI access only have the
necessary permissions required to perform their job functions.
2.  Effectively immediately, all commands at levels 1-4 in DAI must
resolve all identified SOD conflicts by either removing conflicting
responsibilities from users or obtaining waivers from the designated
authority.  
3.  As part of continuing actions, Commands will be required to
support requests for information arising from the monthly review of
SOD reports (Application Access Controls Governor and the
Transactions Controls Governor reports).  As part of this review, the
P&R Systems and Data Integration (SDI) Division and the I&L Logistics
Compliance Branch (LPC) will coordinate with applicable Commands to
remediate identified SOD incidents.
4.  Removing Conflicts.  L1-L4 Commands must assess users’ current
DAI responsibilities and compare them to job requirements. Any
identified conflict or unnecessary responsibilities must be removed
by coordinating with the P&R User Management (UMX) Section. 
5.  Waivers.  Some commands lack the personnel to distribute
 responsibilities between users per SOD requirements.  Therefore, the
 Marine Corps has a waiver process to balance operational needs
against compliance with control standards.
6.  The SDI Division and the LPC Branch identified and reviewed
applicable SOD conflicts.  They ranked each conflict using a
comprehensive review that assessed four risk criteria (fraud, audit,
operations, and personable identifiable information). The analysis
resulted in the following five risk categories and waiver paths:
6.a.  Minimal risk conflicts will be adjudicated via an
enterprise-wide waiver, and thus Commands are not required to address
them.
6.b.  Low risk conflicts will be adjudicated via waivers signed by
the first General Officer in the chain of command.
6.c.  Medium risk conflicts will be adjudicated via HQMC waivers. The
SDI Director will adjudicate waivers for Financial Management (FM)
and Oracle and Time Labor (OTL) personnel. The LPC Branch Head will
adjudicate waivers for Other Government personnel. 
6.d.  High risk conflicts will be adjudicated via HQMC waivers. The
Assistant Deputy Commandant P&R (Resources) will adjudicate waivers
for FM and OTL personnel.  The Assistant Deputy Commandant I&L
Logistics Division will adjudicate waivers for Other Government
personnel.
6.e.  Waivers will not be granted for zero-tolerance risk conflicts.
7.  Waiver Instructions
7.a.  The SOD matrix, the risk register, waiver templates, and
additional resources are available at https://usmc.sharepoint-mil.us/
sites/DCPR_SDI/Risk_Compliance/
7.a.1.  The SOD matrix provides a summarized view of the identified
restricted role combinations.
7.a.2.  The risk register provides a detailed view of SOD conflicts
and the risk designation.
7.a.3.  The waiver templates document the authorization for users to
maintain SOD conflicts. There is a waiver template for each
identified low, medium, and high-risk SOD conflict. 
7.b.  When users request a new responsibility through the access
management system (i.e., ARMS), the system will identify if the new
responsibility causes an SOD conflict, which requires a waiver to
proceed.  Users must coordinate with their respective Command
Information Owners (IO) to initiate and submit waivers. 
7.c.  Command IOs must complete and submit to the designated
authority a waiver request for each SOD conflict identified.
7.c.1.  For low-risk SOD conflict, Commands should leverage their
internal processes to submit and approve waivers.
7.c.2.  For medium and high-risk SOD conflict, Command IOs must
submit waivers using the Tier 1 Helpdesk JIRA process.
7.d.  Users must upload the approved waiver to their profile in the
access management system.  The P&R UMX Section will validate the waivers. 
7.e.  If the request for a waiver is denied, the conflicting
responsibility will not be granted or if it had already been granted,
it will be removed.
8. When implementing the waivers, the following apply:
8.a.  HQMC will evaluate and qualify the risk each SOD conflict poses
to the enterprise annually and may result in conflicts being assigned
to a different risk category.
8.b.  Waivers are subject to periodic reviews to ensure their
continued relevance and effectiveness. They may be revoked or
modified if it is determined that the risk level has changed or if
compliance issues are identified. 
8.c.  Waivers are not automatically granted and will be voided when
personnel are reassigned.
The Marine Corps reserves the right to remove user responsibilities
as necessary.  All users must 
adhere to any mitigating controls established to minimize associated
risks. Regular reviews and audits will be conducted to ensure
compliance.  
8.d.  All DAI users have a fiduciary responsibility inherent in their
roles as stewards of government resources and must report SOD
conflicts and responsibilities that are no longer required to their
respective IOs.
9.  For specific questions, contact the following POCs:
9.1.  FM personnel: Mr. Robert Burnand and Ms. Shajuana Nicholson.
9.2.  All Other Government personnel: Ms. Sheila Warren.
9.3.  OTL: Ms. Jessica Lynard-Kongkiat and Ms. Cheryl Dabrio.
10.  This MARADMIN is applicable to the Marine Corps Total Force.
11.  Release authorized by Anna N. K. Smith, Assistant Deputy
Commandant for Programs and Resources (R), and BGen F. C. Poole, III,
Assistant Deputy Commandant for Installations and Logistics (LP).//