NAVY HIGH RISK REVIEW PROCESS:
R 021428Z FEB 22 MID600051484537U
FM CNO WASHINGTON DC
INFO CNO WASHINGTON DC
PASS TO OFFICE CODES:
FM CNO WASHINGTON DC//N2N6//
INFO CNO WASHINGTON DC//N2N6//
MSGID/NAVADMIN/CNO WASHINGTON DC/N2N6/FEB//
SUBJ/NAVY HIGH RISK REVIEW PROCESS//
REF/G/DOC/OPNAV N2N6D/FEB 22//
NARR/REF A IS NAVADMIN 154/19, NAVY ECHELON I HIGH RISK ESCALATION PROCESS.
REF B IS DEPARTMENT OF THE NAVY DEPUTY CHIEF INFORMATION OFFICER (NAVY)
MEMORANDUM ON NEW REQUIREMENTS FOR HIGH RISK ESCALATION SUBMISSIONS.
REF C IS DEPARTMENT OF THE NAVY DEPUTY CHIEF INFORMATION OFFICER (NAVY)
MEMORANDUM ON HIGH RISK ESCALATION ADVISORY GROUP STANDARD OPERATING
REF D IS DODI 8510.01, RISK MANAGEMENT FRAMEWORK (RMF) FOR DOD INFORMATION
REF E IS OPNAVINST 5239.1D, U.S. NAVY CYBERSECURITY PROGRAM.
REF F IS USSTRATCOM GENADMIN, NUCLEAR COMMAND, CONTROL, AND COMMUNICATIONS
REF G IS N2N6D HIGH RISK REVIEW (HRR) PROCESS STANDARD OPERATING PROCEDURE,
POC/MEGAN CANE/CIV/OPNAV N2N6D6/TEL: (703) 692-1657
RMKS/1. This NAVADMIN cancels references (a) through (c).
2. This NAVADMIN provides direction on the Navy High Risk Review (HRR)
process and applies to all U.S. Navy (USN) Information Technology (IT) as
defined in references (d) and (e).
a. All program managers and system owners must be familiar with the HRR
process as any program can become high or very high risk at some point in the
life cycle of a system or circuit.
b. The HRR process evaluates the programmatic, technical, and
operational risk, impact, and mission criticality to determine whether the
continued operation of a network, system, or circuit with residual high or
very high risk is justified.
(1) All risk assessments will be based on available information,
regardless of format. Any lack of information will inform the confidence
level of the assessment.
(2) Operational and technical risk assessments will consider
cybersecurity threat-based intelligence as well as measures implemented to
mitigate vulnerability exploitation.
3. Review Process
a. HRR is a 3-tier review process with analysis focused on identifying
exploitable cybersecurity risks of the system, enclave, and platform.
(1) The programs and/or system owners are responsible for identifying
(2) The Navy cybersecurity Technical Authority, Naval Information
Warfare Systems Command, assesses the technical cybersecurity risk of
adversary exploitation based on known deficiencies of system design.
(3) Fleet Commanders (U.S. Pacific Fleet, U.S. Fleet Forces Command,
and Fleet Cyber Command) provide their assessment of the operational risk to
mission and operations if the system is disconnected or exploited.
(4) OPNAV N2N6 considers the factors above, as well as risk to joint
integration, in the holistic risk assessment.
b. The 3-tier review process includes a designated representative from
each voting command at the rank/rate of the applicable board in sequential
(1) The O6/GS-15 HRR Board will develop Courses of Action (COAs),
which must include a fully resourced plan to exit HRR;
(2) The 1-Star Flag Officer (FO) or Senior Executive Service (SES)
HRR Board will refine and recommend COAs with the cognizant system/program
command 1-Star FO/SES; and
(3) The 3-Star FO/SES HRR Board will adjudicate the COAs, finalize
recommendations, and forward to Department of the Navy (DON) Chief
Information Officer (CIO) for consideration and decision.
c. Authorizing Officials (AOs) retain the authority to issue a Denial of
Authorization to Operate (DATO) if the residual cybersecurity risk of
exploitation is unacceptable.
d. Systems, networks, and circuits under cognizance of U.S. Strategic
Command (USSTRATCOM) or U.S. Space Force (USSF).
(1) Require additional time to process per reference (f). Paragraph
5 details the HRR process timeline, including the additional time to support
USSTRATCOM or USSF processes.
(2) Final 3-Star FO/SES HRR Board recommendations will be forwarded
to DON CIO for consideration.
(3) The cognizant AO will forward the DON CIO endorsement
recommendation to USSTRATCOM or USSF for consideration.
4. HRR process. Specific details on the execution of the HRR process can be
found in reference (g), HRR Standard Operating Procedure (SOP).
a. The FCC/C10F Warning Order (WARNORD) or AO/USSTRATCOM/USSF equivalent
notification will be used to identify expired or expiring systems and
circuits for the HRR process.
b. Programs without a Security Control Assessor (SCA) endorsed Security
Assessment Report (SAR) 60-days prior to Authorization Termination Date (ATD)
will be evaluated by the cognizant AO for DATO or entry into the HRR process.
(1) If a SAR is not available, the SCA must consider all available
technical evidence to make an initial risk assessment.
(2) Technical evidence includes but is not limited to defense-in-
depth architecture, vulnerability assessment results (e.g. scanning, red
team, etc.), and explanation of system impact if the high or very high
vulnerabilities are exploited.
c. System Owners assessed by the SCA as having non-compliant controls
with a level of risk of "Very High" or "High" that cannot be corrected or
mitigated immediately will enter the first tier of the 3-tier review process.
5. Exiting HRR. To exit HRR, systems/circuits must:
a. Achieve a moderate or low risk SAR endorsed by the cognizant SCA; or
b. Decommission; or
c. Be issued a DATO
6. Urgent HRR Request Process
a. System owners may request an urgent HRR if:
(1) A new vulnerability or threat is assessed by the cognizant SCA as
high or very high cybersecurity risk of adversarial exploitation AND;
(2) Any delay(s) or gap(s) in authorization will impact a Navy
critical installation and/or capability.
b. System owners requesting urgent consideration are not exempt from the
normal Risk Management Framework or HRR processes.
c. Urgent consideration may grant systems short-term authorizations to
allow time for the system owner to brief at the next available HRR.
d. System owners should notify OPNAV N2N6D and AO as soon as there is
any indication of delay in order to help prevent urgent consideration.
7. HRR In Progress Reviews (IPRs). HRR IPRs are required for programs that
receive a high risk ATO to track progress and alert key stakeholders of any
expected challenges/delays requiring attention.
8. This NAVADMIN will remain in effect until cancelled or superseded.
9. Released by VADM Jeffrey E. Trussler, Deputy Chief of Naval Operations
for Information Warfare, OPNAV N2N6.//