QUARTERLY FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA)
Date Signed: 3/23/2007 | MARADMINS Number: 220/07
Cancelled

UNCLAS 231345Z MAR 07
CMC WASHINGTON DC(UC)
AL MARADMIN(UC)
MARADMIN
MARADMIN 220/07
MSGID/GENADMIN/CMC WASHINGTON DC C4 IA//
SUBJ/QUARTERLY FEDERAL INFORMATION SECURITY
/MANAGEMENT ACT (FISMA)//
REF/A/MSGID:DOC/P.L. 107-347/YMD:20021223/-//
REF/B/MSGID:DOC/DOD 8510.BB/YMD:20060706/-//
REF/C/MSGID:DOC/DOD /YMD:20040815/-//
REF/D/MSGID:DOC/DOD/YMD:20051219/-//
REF/E/MSGID:GENADMIN/DON/071857ZNOV2006/-//
REF/F/MSGID:GENADMIN/CMC WASHINGTON/YMD:20060330//
REF/G/MSGID:DITPR-DON REGISTRATION GUIDANCE FOR 2006/-//
NARR/REF A IS THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF
2002 (FISMA).  REF B IS DODI 8510.BB, THE DOD IT CERTIFICATION AND
ACCREDITATION PROCESS GUIDANCE (DIACAP).  REF C IS DOD DIRECTIVE
8570.1, THE IA TRAINING, CERTIFICATION AND WORKFORCE MANAGEMENT
DIRECTIVE.  REF D IS DOD 8570.01-M, INFORMATION ASSURANCE WORKFORCE
IMPROVEMENT PROGRAM.  REF E IS THE DON FEDERAL INFORMATION SECURITY
MANAGEMENT ACT GOALS FOR FY 2007.  REF F IS MARADMIN 156-06 AND
ESTABLISHES POLICY, GUIDANCE AND DIRECTION FOR IDENTIFYING, TRACKING,
MONITORING AND REPORTING THE INFORMATION ASSURANCE WORKFORCE ACROSS
THE MARINE CORPS.  REF G IS LOCATED ON THE DON CIO WEBSITE
(WWW.DONCIO.NAVY.MIL) AND PROVIDES CURRENT GUIDANCE ON MAINTAINING
THE FISMA FIELDS IN DITPR-DON.//
POC/CHARLES BUCKLEY/CAPT/HQMC C4 IA/-/TEL:703-693-3490
/TEL:DSN 223-3490/EMAIL:CHARLES.BUCKLEY@USMC.MIL//
POC/MARIA THOMPSON/MGYSGT/HQMC C4 IA/-/TEL:703-693-3490
/TEL:DSN 223-3490/EMAIL:MARIA.THOMPSON@USMC.MIL//
GENTEXT/REMARKS/1. THIS MARADMIN PROVIDES GUIDANCE AND POLICY TO
COMPLY WITH REF A, THE 2002 FEDERAL INFORMATION SECURITY MANAGEMENT ACT
(FISMA).
2. BACKGROUND.
A. FISMA LEGISLATION REQUIRES FEDERAL AGENCIES TO CERTIFY AND ACCREDIT
THEIR INFORMATION TECHNOLOGY (IT) SYSTEMS, CONDUCT ANNUAL SECURITY
REVIEWS, DEVELOP AND REVIEW CONTINGENCY PLANS, TRAIN AND OVERSEE PERSONNEL
WITH SIGNIFICANT IA RESPONSIBILITIES, AND ANNUALLY SUBMIT REPORTS
PROVIDING STATUS OF INFORMATION SECURITY WITHIN THE DOD.
B. PAST FISMA REPORTING YEARS HAVE SHOWN A LACK OF REPORTING IN REQUIRED
AREAS. IN ORDER TO ENSURE THAT REPORTS ARE SUBMITTED IN A TIMELY MANNER AND
TRACKED THROUGHOUT THE CURRENT YEAR AND FUTURE YEARS, THE MARINE CORPS IS
ESTABLISHING A REPORTING CHAIN AND QUARTERLY SUBMISSION TIMELINE.
3. POLICY
A. COMMAND INFORMATION ASSURANCE MANAGERS (IAMS)/OFFICERS/CHIEFS WILL SUBMIT
RESULTS OF THE FOLLOWING REQUIRED FISMA REPORTING ELEMENTS NO LATER THAN 01
MAY AND 01 AUG 07:
1. SECURITY SELF ASSESSMENTS
2. INFORMATION SYSTEM CERTIFICATION AND ACCREDITATION STATUS
3. CONTINGENCY PLAN TESTING
4. SECURITY CONTROLS TESTING
5. PRIVACY INFORMATION ACT TRAINING (INITIAL AND REFRESHER)
6. SECURITY AWARENESS TRAINING (INITIAL AND REFRESHER)
7. IA WORKFORCE TRAINING AND CERTIFICATION
THESE DATES WERE CHOSEN TO ENSURE THAT FISMA DATA FOR EACH DITPR-DON ENTRY IS
UPDATED PRIOR TO THE QUARTERLY FISMA UPDATE.  FOR FY08, THE INITIAL QUARTERLY
UPDATE MUST BE RECEIVED NO LATER THAN 01 NOV 07.
B. CONTINGENCY PLAN TESTING AND SECURITY CONTROLS TESTING CAN TAKE MANY FORMS,
INCLUDING TABLE TOP EXERCISES AND ACTUAL EVENTS THAT CAUSE DISRUPTION AND
RESTORAL OF SERVICES.  THESE EVENTS CAN INCLUDE ROUTINE MAINTENANCE, POWER
OUTAGES, AND UNINTENTIONAL DISRUPTION.  COMMANDS WILL COORDINATE WITH NMCI
REPRESENTATIVE/VENDOR TO GATHER INFORMATION FOR THE ABOVE 7 REPORTS LISTED IN
3A.
C. THE FOLLOWING COMMANDS (TO INCLUDE THEIR MAJOR SUBORDINATE COMMANDS) WILL
PROVIDE QUARTERLY REPORTS:
COMMARFORCOM, CG BASES LANT, COMMARFORNORTH, CDRUSMARCENT, CDRUSMARSOC,
COMMARFORNORTH, COMMARFORRES, COMMARFORSTRAT, COMMARFORPAC, CG BASES PAC,
COMMARFORSOUTH, COMMARFOREUR, CMC (C4), CG MCCDC, MCI NCR, CG MCRC, CG MCSC,
CG LOGCOM.
4. OBJECTIVE:
A. ALL MARINE CORPS COMMANDS WITH MISSION CRITICAL (MC), MISSION ESSENTIAL
(ME), AND MISSION SUPPORT (MS) IT ASSETS REQUIRING CERTIFICATION AND
ACCREDITATION (C&A) PER FY07 FISMA GUIDANCE MUST ACHIEVE A MINIMUM OF EIGHTY
PERCENT FULL ACCREDITATION (I.E., AUTHORITY TO OPERATE
(ATO)) BY 31 MAR 07.  
B. ALL MC, ME, AND MS IT ASSETS REQUIRING C&A MUST ACHIEVE AT LEAST NINETY
PERCENT FULL ACCREDITATION (I.E., ATO) BY 01 SEP 07, WHICH COINCIDES WITH
THE EXPECTED FINAL SUBMISSION DATE FOR THE FY07 DOD FISMA REPORT TO OMB AND
CONGRESS.
C. COMMANDS MUST ACHIEVE/MAINTAIN AT LEAST 90 PERCENT COMPLIANCE WITH THE
FISMA-REQUIRED ANNUAL SECURITY REVIEWS, ANNUAL TESTING OF SECURITY CONTROLS
AND ANNUAL EVALUATION OF CONTINUITY OF OPERATIONS PLANS
(COOP) BY 01 SEP 07.
D. COMMANDS MUST ACHIEVE/MAINTAIN AT LEAST 96 PERCENT ANNUAL SECURITY
AWARENESS TRAINING, 90 PERCENT TRAINING STATUS FOR THE IA WORKFORCE AND 40
PERCENT IA WORKFORCE CERTIFICATION BY 01 SEP 07. COMMANDS SHALL REPORT
QUARTERLY THEIR WORKFORCE NUMBERS USING THE FISMA REQUIRED TEMPLATES. THIS
REPORT INCLUDES MILITARY, CIVILIAN, AND CONTRACTORS. THE COMMAND IAM SHALL
COORDINATE WITH NMCI TO GATHER THIS INFORMATION FOR PERSONNEL WITHIN THEIR
COMMAND. THE FY07 FISMA TEMPLATE CAN BE FOUND ON THE HQMC, C4 WEBSITE WITHIN
THE INFORMATION ASSURANCE DIVISION. HTTPS:(SLASH SLASH) HQDOD.HQMC.USMC.MIL
(SLASH) IA.ASP
5. ACTION:
A. REPORTING COMMANDS:
(1) ENSURE THAT ALL PERSONNEL THAT HAVE ACCESS TO DOD IT SYSTEMS ARE PROPERLY
TRAINED.
(2) COMMAND INFORMATION ASSURANCE MANAGERS (IAMS) WILL MONITOR, TRACK AND
REPORT COMPLIANCE AS DIRECTED IN REF F.
(3) AS THE LOCAL AUTHORITY, PROVIDE IA DOCUMENTATION TO SUPPORT CONTINUED
OPERATION OF SYSTEMS TO MARINE CORPS SYSTEMS COMMAND (MARCORSYSCOM) C4II IA,
EMAIL:M_QUAN_MCSC_IA@USMC.MIL FOR INCLUSION IN DITPR-DON.
(4) MARINE CORPS COMMANDS ARE TO PROVIDE THEIR QUARTERLY DATES FOR BOTH COOP
AND INCIDENT RESPONSE TEST PLANS TO THE MCNOSC AND HEADQUARTERS MARINE CORPS,
C4 INFORMATION ASSURANCE, M_HQMC_C4_IA@USMC.MIL. COMMANDS ARE ALSO REQUIRED TO
INCLUDE IN THE TESTS ALL SYSTEMS AND APPLICATIONS OPERATING ON THEIR NETWORKS,
AS IDENTIFIED WITHIN THEIR SITE SECURITY ADDENDUM (SSA). THIS ENSURES ACCURATE
AND UP-TO-DATE SSA DOCUMENTATION, ENSURING CHANGES ARE PROVIDED TO THE MCNOSC
AS THEY OCCUR.
B. PROGRAM MANAGERS, PROGRAM OWNERS, SYSTEM AND APPLICATION OWNERS, SPONSORS
AND FUNCTIONAL AREA MANAGERS (FAMS):
(1) IN ORDER TO PROVIDE THE MOST ACCURATE FISMA DATA, PROVIDE THE NECESSARY
INFORMATION TO HQMC C4IA FOR ENTRY INTO THE DITPR-DON.  REPORTING VIA HQMC C4IA
IS MANDATED FOR ALL SYSTEMS INCLUDING THOSE NOT ORIGINATING FROM WITHIN THE
MARINE CORPS (I.E. US NAVY). FAILURE TO REPORT INITIAL OR UPDATED INFORMATION
WILL HAVE A SIGNIFICANT NEGATIVE IMPACT ON THE MARINE CORPS AND COULD RESULT
IN SYSTEMS BEING DISCONNECTED FROM THE MCEN AND PROGRAM FUNDING BEING WITHHELD
BY THE DEPARTMENT OF THE NAVY (DON) AND OFFICE OF MANAGEMENT AND BUDGET (OMB).
(2) ENSURE SYSTEM DATA IS ACCURATELY DOCUMENTED IN THE ACCREDITATION PACKAGE
PRIOR TO SUBMISSION TO MARCORSYSCOM FOR C&A REVIEW AND MARINE CORPS DESIGNATED
ACCREDITING AUTHORITY (DAA) APPROVAL. THE PM MUST PROVIDE A PLAN OF ACTION AND
MILESTONE (POA&M) FOR MITIGATING IDENTIFIED VULNERABILITIES.
(3) FOR SYSTEMS IN PHASE III (VALIDATION) THAT HAVE NOT YET BEEN ACCREDITED BY
THE MARINE CORPS DAA, COMMENTS WILL BE PROVIDED TO MARCORSYSCOM C4II IA FOR
INCLUSION IN THE REGISTRY REPORT. COMMON REASONS SUCH AS PERFORMING SECURITY,
TEST AND EVALUATION (ST&E), CERTIFICATION SUBMITTED TO THE MARINE CORPS DAA,
OR PROGRAM ON HOLD DUE TO FUNDING FREEZE ARE ACCEPTABLE BUT MUST BE REPORTED
AND MONITORED. SOME USMC SYSTEMS CURRENTLY IN THE DITPR DON ARE NOT SLATED FOR
TRANSITION TO NMCI, OR ARE BEING PHASED OUT OF USMC BUSINESS PROCESSES; THESE
SYSTEMS SHALL BE IDENTIFIED SO THAT C&A RESOURCES CAN BE FOCUSED ON USMC
SYSTEMS WITH SIGNIFICANT OPERATIONAL IMPORTANCE AND LONG-TERM VALUE TO MARINE
CORPS BUSINESS PRACTICES.
C. MARINE CORPS SYSTEMS COMMAND (MARCORSYSCOM):
(1) CONTINUE TO RECEIVE AND INPUT NEW OR UPDATED FISMA COMPLIANCE INFORMATION
FROM PMS FOR SYSTEMS IN THE C&A PROCESS. THIS INCLUDES PROGRAMS NOT ORIGINATING
FROM WITHIN MARCORSYSCOM BUT WHICH MAY IMPACT PROGRAMS OF RECORD.
(2) EVALUATE IT SYSTEMS FOR C&A/FISMA COMPLIANCE.
D. MARINE CORPS NETWORK OPERATIONS AND SECURITY COMMAND
(MCNOSC):
(1) COORDINATE WITH ALL MARINE CORPS SITES TO ENSURE THEY PROVIDE QUARTERLY
TEST DATES FOR BOTH COOP AND INCIDENT RESPONSE TEST PLANS. THIS IS TO INCLUDE
KEEPING ACCURATE AND UP-TO-DATE SSAA DOCUMENTATION ON ALL SITES OPERATING
WITHIN THE MARINE CORPS ENTERPRISE NETWORK (MCEN) ENVIRONMENT.
(2) PASS INFORMATION PERTINENT TO FISMA TO MARCORSYSCOM FOR UPDATING DITPR.
E. HQMC C4:
(1) TRACK EXPIRATION DATES OF ACCREDITATION DECISIONS.
(2) PROVIDE GUIDANCE AND DIRECTION ON C&A REQUIREMENTS AND FISMA COMPLIANCE.
(3) AS THE DON DEPUTY CIO (MARINE CORPS), PERFORM OVERSIGHT AND DIRECTION FOR
USMC FISMA REPORTING. THIS INCLUDES ASSISTING MARCORSYSCOM IN OBTAINING VALID
INFORMATION FROM ALL PM AND SYSTEM OR NETWORK OWNERS.
(4) MAINTAIN CONSTANT LIAISON WITH DEPARTMENT OF THE NAVY CHIEF INFORMATION
OFFICER AND OSD, ENSURING REPORTING GUIDANCE IS UNDERSTOOD AND EXPEDITIOUSLY
DISSEMINATED THROUGHOUT THE REPORTING CHAIN.
(5) PROVIDE DETAILED GUIDANCE ON C&A REQUIREMENTS AND PROCESSES TO INCLUDE
DOCUMENTATION REQUIRED TO ATTAIN ACCREDITATION.
6. ALL USMC PERSONNEL, INCLUDING COMMANDERS, CERTIFYING AUTHORITIES, FUNCTIONAL
AREA MANAGERS (FAMS), PROGRAM MANAGERS (PM), SYSTEM OWNERS, AND ALL IT USERS
(INCLUDING MILITARY, CIVILIAN, AND CONTRACTORS) SHARE IN THE RESPONSIBILITY
FOR IA AND FOR FISMA COMPLIANCE.
7. REQUEST WIDEST DISSEMINATION TO SUBORDINATE UNITS.
8. QUESTIONS MAY BE DIRECTED TO THE POCS CITED.//