CERTIFICATION AND ACCREDITATION (C&A) COMPLIANCE:
UNCLASSIFIED//
ROUTINE
R 221430Z MAR 11
FM CNO WASHINGTON DC
TO AL NAVADMIN
NAVADMIN
INFO CNO WASHINGTON DC
BT
UNCLAS
FM CNO WASHINGTON DC//N2N6//
TO NAVADMIN
NAVADMIN 099/11
MSGID/GENADMIN/CNO WASHINGTON DC/FEB 11//
SUBJ/CERTIFICATION AND ACCREDITATION (C&A) COMPLIANCE//
REF/A/DOC/DODI 8510.01/20071128//
REF/B/DOC/OPNAV 5239.1C/20080820//
REF/C/GENADMIN/COMFLTCYBERCOM/282138Z JAN11//
NARR/REF A IS DEPARTMENT OF DEFENSE (DOD) INSTRUCTION 8510.01, DOD
INFORMATION ASSURANCE CERTIFICATION AND ACCREDITATION PROCESS (DIACAP).
REF B IS OPNAVINST 5239.1C, NAVY INFORMATION ASSURANCE (IA) PROGRAM.
POC/CDR JULIE ROSATI/OPNAV N2N6C32 IA/LOC: WASHINGTON,DC/EMAIL: juliana.rosati@navy.mil/TEL: 571-256-8523//
POC/KATE MATHERS/CIV/COMNAVNETWARCOM OPERATIONAL DESIGNATED ACCREDITING AUTHORITY (ODAA)/LOC: NORFOLK,VA/EMAIL: KATHERINE.mathers@navy.mil/TEL: 757-417-7903 EXTENSION 4/
POC/VICKIE MIMS-HARRIS/CIV/COMNAVNETWARCOM ODAA/LOC: NORFOLK,VA/TEL: 757-417-6719 EXTENSION 4/EMAIL: vickie.mimsharris@navy.mil//
POC/ODAA OFFICE/COMNAVNETWARCOM/TEL: 757-417-6719 X0/EMAIL: NNWC(UNDERSCORE)odaa@navy.mil//
RMKS/1. IN DECEMBER 2010, THE DEFENSE INFORMATION SYSTEMS AGENCY
(DISA) BEGAN ENFORCING A PROVISION OF REFERENCE A, THAT REQUIRES DOD
COMPONENT CHIEF INFORMATION OFFICER (CIO) APPROVAL FOR SYSTEM
ACCREDITATIONS WITH CATEGORY I (CAT I) VULNERABILITIES. DISA WILL ISSUE
CIRCUIT APPROVALS FOR NETWORKS WHOSE ACCREDITATIONS MEET THIS
REQUIREMENT. REFERENCE A ALSO REQUIRES DOD COMPONENT CIO APPROVAL FOR
ALL SYSTEMS THAT HAVE BEEN ON AN INTERIM AUTHORITY TO OPERATE
(IATO) FOR LONGER THAN 360 DAYS. IN THESE TWO CASES, DEPUTY DEPARTMENT
OF THE NAVY (DON) CIO NAVY (DDCIO(N)) SERVES AS THE DOD COMPONENT CIO
FOR APPROVAL PURPOSES. DDCIO(N), IN COLLABORATION WITH
FLTCYBERCOM/C10F, WILL ENFORCE COMPLIANCE WITH THESE POLICIES TO REDUCE
NETWORK VULNERABILITIES, STRENGTHEN SECURITY, AND ENSURE OUR ABILITY TO
COMMAND AND CONTROL OPERATIONAL FORCES.
2. THIS NAVADMIN REITERATES THE C&A REQUIREMENTS ESTABLISHED IN
INFORMATION ASSURANCE (IA) POLICIES. PER REFERENCES A AND B, ALL NAVY
OPERATIONAL SYSTEMS AND NETWORKS MUST BE CERTIFIED AND ACCREDITED UNLESS
EXEMPTED FROM C&A BY DOD OR DON POLICY. ALL C&A PACKAGES FOR SYSTEMS
AND NETWORKS MUST BE IN COMPLIANCE WITH REFERENCE A. IN ORDER TO ALLOW
SUFFICIENT TIME FOR REVIEW OF THESE PACKAGES, COMMANDS WITH EXPIRING
ACCREDITATIONS MUST ENTER C&A COLLABORATION BY SUBMITTING THE DIACAP
PACKAGE 90 DAYS PRIOR TO EXPIRATION. THIS WILL FACILITATE A
CERTIFICATION DETERMINATION FROM THE NAVY CERTIFYING AUTHORITY (CA) 45
DAYS PRIOR TO EXPIRATION.
3. IN SOME CASES, THE EXPIRATION OF A CIRCUIT APPROVAL MAY RESULT IN
DISCONNECTION FROM THE GLOBAL INFORMATION GRID (GIG), CAUSING
SIGNIFICANT NEGATIVE MISSION IMPACT. IN SUCH CASES, THE OWNING SECOND
ECHELON (EII) CIO MAY REQUEST APPROVAL TO CONTINUE OPERATING WITH CAT I
VULNERABILITIES AND/OR AN IATO FOR LONGER THAN 360 DAYS FROM DDCIO(N)
PRIOR TO EXPIRATION. FOLLOWING IS THE APPROVAL REQUEST PROCESS AND
TIMELINE:
A. ODAA RELEASES MONTHLY NAVAL MESSAGES FORECASTING EXPIRATIONS OF
CIRCUIT APPROVALS OVER THE ENSUING 120 DAYS. ODAA ALSO PROVIDES EII
COMMAND INFORMATION OFFICERS (CIO) WITH SPECIFIC STATUS OF CIRCUIT
APPROVALS EXPIRING IN THE NEXT 90 DAYS, INCLUDING THOSE WHICH HAVE BEEN
OPERATING ON AN IATO FOR 360 CONSECUTIVE DAYS AND/OR THOSE WHICH HAVE
KNOWN CAT I VULNERABILITIES.
B. UPON RECEIVING THIS NOTIFICATION, EII CIO SHALL DETERMINE WHETHER AN
APPROVAL REQUEST IS JUSTIFIED AND DESIRED. IF SO, THE EII CIO STAFF
SHALL CREATE A PACKAGE INCLUDING AN OPERATIONAL MISSION IMPACT STATEMENT
AND PLAN OF ACTION AND MILESTONES (POAM) TO ADDRESS THE SPECIFIC
SECURITY VULNERABILITIES. SUBMIT PACKAGE TO THE ODAA AT LEAST 45 DAYS
PRIOR TO CIRCUIT APPROVAL EXPIRATION. FAILURE TO PROVIDE A POAM WILL
RESULT IN A RETURN OF THE PACKAGE TO THE OWNING EII CIO FOR REWORK. THE
PACKAGE MUST BE SIGNED BY THE FIRST FLAG OFFICER OR SENIOR EXECUTIVE
SERVICE (SES) IN THE EII'S CHAIN OF COMMAND.
C. ODAA WILL REVIEW THE PACKAGE AND PROVIDE A RECOMMENDATION TO
DDCIO(N). ODAA AND DDCIO(N) STAFFS WILL SCHEDULE A TELECONFERENCE
WHEREIN THE EII CIO SHALL BRIEF THE REQUEST TO THE DDCIO(N). ONLY THE
EII CIO OR THEIR DESIGNATED O6/GS-15 REPRESENTATIVE MAY PRESENT THIS
BRIEF.
D. DDCIO(N) MAKES DECISION ON WHETHER TO GRANT THE IATO AND NOTIFIES
THE AFFECTED EII CIO, ODAA, DISA, AND DON CIO OF THE DETERMINATION.
E. IN THE EVENT OF A SECOND REQUEST FOR THE SAME NETWORK, OR IF THE EII
CIO DESIRES TO APPEAL THE DDCIO(N)'S DECISION, THEY MAY RESUBMIT THE
REQUEST PACKAGE DIRECTLY TO THE DON CIO FOR REVIEW AND ADJUDICATION.
WITH FEW EXCEPTIONS, THE DON CIO WILL NORMALLY FOLLOW THE RECOMMENDATION
OF THE DDCIO(N) WHEN MAKING AN APPROVAL DETERMINATION.
4. ACTION. EII CIO'S AFFECTED BY THIS ISSUE SHALL ENSURE COMPLIANCE
WITH ALL APPLICABLE REQUIREMENTS IDENTIFIED IN SECTIONS TWO AND THREE OF
THIS NAVADMIN. THE IMPLICATIONS TO THEIR OPERATIONS WILL BE SIGNIFICANT
IN THE EVENT DDCIO(N) DISAPPROVES A REQUEST FOR IATO EXTENSION OR
CONTINUED OPERATION OF A CIRCUIT WITH CAT I VULNERABILITIES. DENIALS OF
REQUESTS WILL RESULT IN A DISCONNECTION DETERMINATION BY USCYBERCOM.
EXPECT ENHANCED SCRUTINY OF FUTURE REQUESTS AS NAVY STRIVES TO ELIMINATE
THE CURRENT FREQUENCY AND VOLUME OF EMERGENT REQUESTS.
5. MY POINT OF CONTACT, AND DDCIO(N) REPRESENTATIVE, IS MS. JANICE
HAITH, AT COMMERCIAL (571) 256-8523, EMAIL: janice.haith@navy.mil.
6. REQUEST WIDEST DISSEMINATION OF THIS MESSAGE.
7. RELEASED BY VADM DAVID J. DORSETT, DCNO FOR INFORMATION DOMINANCE
N2N6.//
BT
#0001
NNNN