NAVY HIGH RISK REVIEW PROCESS:
UNCLASSIFIED//
ROUTINE
R 021428Z FEB 22 MID600051484537U
FM CNO WASHINGTON DC
TO NAVADMIN
INFO CNO WASHINGTON DC
BT
UNCLAS
NAVADMIN 023/22
PASS TO OFFICE CODES:
FM CNO WASHINGTON DC//N2N6//
INFO CNO WASHINGTON DC//N2N6//
MSGID/NAVADMIN/CNO WASHINGTON DC/N2N6/FEB//
SUBJ/NAVY HIGH RISK REVIEW PROCESS//
REF/A/MSG/OPNAV N2N6/111857ZJUL19//
REF/B/LTR/DDCIO(N)/18SEP2015//
REF/C/LTR/DDCIO(N)/18MAY2016//
REF/D/DOC/DOD/29DEC2020//
REF/E/DOC/OPNAV/18JUL2018//
REF/F/MSG/USSTRATCOM/291941ZMAY20//
REF/G/DOC/OPNAV N2N6D/FEB 22//
NARR/REF A IS NAVADMIN 154/19, NAVY ECHELON I HIGH RISK ESCALATION PROCESS.
REF B IS DEPARTMENT OF THE NAVY DEPUTY CHIEF INFORMATION OFFICER (NAVY)
MEMORANDUM ON NEW REQUIREMENTS FOR HIGH RISK ESCALATION SUBMISSIONS.
REF C IS DEPARTMENT OF THE NAVY DEPUTY CHIEF INFORMATION OFFICER (NAVY)
MEMORANDUM ON HIGH RISK ESCALATION ADVISORY GROUP STANDARD OPERATING
PROCEDURE.
REF D IS DODI 8510.01, RISK MANAGEMENT FRAMEWORK (RMF) FOR DOD INFORMATION
TECHNOLOGY (IT).
REF E IS OPNAVINST 5239.1D, U.S. NAVY CYBERSECURITY PROGRAM.
REF F IS USSTRATCOM GENADMIN, NUCLEAR COMMAND, CONTROL, AND COMMUNICATIONS
CYBERSECURITY REQUIREMENTS.
REF G IS N2N6D HIGH RISK REVIEW (HRR) PROCESS STANDARD OPERATING PROCEDURE,
LOCATED AT
https://portal.secnav.navy.mil/ORGS/OPNAV/N2N6/DDCION/SitePages/Home.aspx
POC/MEGAN CANE/CIV/OPNAV N2N6D6/TEL: (703) 692-1657
/EMAIL: megan.a.cane.civ@us.navy.mil//
RMKS/1. This NAVADMIN cancels references (a) through (c).
2. This NAVADMIN provides direction on the Navy High Risk Review (HRR)
process and applies to all U.S. Navy (USN) Information Technology (IT) as
defined in references (d) and (e).
a. All program managers and system owners must be familiar with the HRR
process as any program can become high or very high risk at some point in the
life cycle of a system or circuit.
b. The HRR process evaluates the programmatic, technical, and
operational risk, impact, and mission criticality to determine whether the
continued operation of a network, system, or circuit with residual high or
very high risk is justified.
(1) All risk assessments will be based on available information,
regardless of format. Any lack of information will inform the confidence
level of the assessment.
(2) Operational and technical risk assessments will consider
cybersecurity threat-based intelligence as well as measures implemented to
mitigate vulnerability exploitation.
3. Review Process
a. HRR is a 3-tier review process with analysis focused on identifying
exploitable cybersecurity risks of the system, enclave, and platform.
(1) The programs and/or system owners are responsible for identifying
programmatic risk.
(2) The Navy cybersecurity Technical Authority, Naval Information
Warfare Systems Command, assesses the technical cybersecurity risk of
adversary exploitation based on known deficiencies of system design.
(3) Fleet Commanders (U.S. Pacific Fleet, U.S. Fleet Forces Command,
and Fleet Cyber Command) provide their assessment of the operational risk to
mission and operations if the system is disconnected or exploited.
(4) OPNAV N2N6 considers the factors above, as well as risk to joint
integration, in the holistic risk assessment.
b. The 3-tier review process includes a designated representative from
each voting command at the rank/rate of the applicable board in sequential
order:
(1) The O6/GS-15 HRR Board will develop Courses of Action (COAs),
which must include a fully resourced plan to exit HRR;
(2) The 1-Star Flag Officer (FO) or Senior Executive Service (SES)
HRR Board will refine and recommend COAs with the cognizant system/program
command 1-Star FO/SES; and
(3) The 3-Star FO/SES HRR Board will adjudicate the COAs, finalize
recommendations, and forward to Department of the Navy (DON) Chief
Information Officer (CIO) for consideration and decision.
c. Authorizing Officials (AOs) retain the authority to issue a Denial of
Authorization to Operate (DATO) if the residual cybersecurity risk of
adversary exploitation is unacceptable.
d. Systems, networks, and circuits under cognizance of U.S. Strategic
Command (USSTRATCOM) or U.S. Space Force (USSF).
(1) Require additional time to process per reference (f). Paragraph
5 details the HRR process timeline, including the additional time to support
USSTRATCOM or USSF processes.
(2) Final 3-Star FO/SES HRR Board recommendations will be forwarded
to DON CIO for consideration.
(3) The cognizant AO will forward the DON CIO endorsement
recommendation to USSTRATCOM or USSF for consideration.
4. HRR process. Specific details on the execution of the HRR process can be
found in reference (g), HRR Standard Operating Procedure (SOP).
a. The FCC/C10F Warning Order (WARNORD) or AO/USSTRATCOM/USSF equivalent
notification will be used to identify expired or expiring systems and
circuits for the HRR process.
b. Programs without a Security Control Assessor (SCA) endorsed Security
Assessment Report (SAR) 60 days prior to the Authorization Termination Date
(ATD) will be evaluated by the cognizant AO for DATO or entry into the HRR
process.
(1) If a SAR is not available, the SCA must consider all available
technical evidence to make an initial risk assessment.
(2) Technical evidence includes but is not limited to defense-in-depth
architecture, vulnerability assessment results (e.g., scanning, red team,
etc.), and an explanation of system impact if the high or very high
vulnerabilities are exploited.
c. System Owners assessed by the SCA as having non-compliant controls
with a level of risk of "Very High" or "High" that cannot be corrected or
mitigated immediately will enter the first tier of the 3-tier review process.
5. Exiting HRR. To exit HRR, systems/circuits must:
a. Achieve a moderate or low risk SAR endorsed by the cognizant SCA; or
b. Decommission; or
c. Be issued a DATO.
6. Urgent HRR Request Process
a. System owners may request an urgent HRR if:
(1) A new vulnerability or threat is assessed by the cognizant SCA as
high or very high cybersecurity risk of adversarial exploitation; and
(2) Any delay(s) or gap(s) in authorization will impact a Navy
critical installation and/or capability.
b. System owners requesting urgent consideration are not exempt from the
normal Risk Management Framework or HRR processes.
c. Urgent consideration may grant systems short-term authorizations to
allow time for the system owner to brief at the next available HRR.
d. System owners should notify OPNAV N2N6D and AO as soon as there is
any indication of delay in order to help prevent urgent consideration.
7. HRR In Progress Reviews (IPRs). HRR IPRs are required for programs that
receive a high risk ATO to track progress and alert key stakeholders of any
expected challenges/delays requiring attention.
8. This NAVADMIN will remain in effect until cancelled or superseded.
9. Released by VADM Jeffrey E. Trussler, Deputy Chief of Naval Operations
for Information Warfare, OPNAV N2N6.//
BT
#0001
NNNN
UNCLASSIFIED//