UNCLASSIFIED
ROUTINE
R 031423Z AUG 16
FM CNO WASHINGTON DC
TO NAVADMIN
BT
UNCLAS
NAVADMIN 172/16
MSGID/GENADMIN/CNO WASHINGTON DC/N4/
SUBJ/FISCAL YEAR 2017 (FY17) CHIEF OF NAVAL OPERATIONS MISSION ASSURANCE
ASSESSMENT (CNO-MAA) SCHEDULE FOR SELECT NAVY COMMANDS//
REF/A/DOC/MISSION ASSURANCE STRATEGY/7MAY12/DEPSECDEF//
REF/B/DOC/MISSION ASSURANCE ASSESSMENT PROGRAM INTERIM IMPLEMENTATON
/27APR15/DEPSECDEF//
REF/C/DOC/2015 DOD MISSION ASSURANCE VULNERABILITY ASSESSMENT
BENCHMARKS/AUG2015//
REF/D/DOC/CRITICAL ASSET IDENTIFICATION PROCESS/24OCT08//
NARR/REF A IS THE APRIL 2012 DEPUTY SECRETARY OF DEFENSE MISSION ASSURANCE
STRATEGY. REF B IS THE DEPUTY SECRETARY OF DEFENSE MEMORANDUM PROVIDING
INTERIM GUIDANCE ON CONDUCTING MISSION ASSURANCE ASSESSMENTS. REF C IS THE
CRITICAL ASSET IDENTIFICATION PROCESS. REF D DESCRIBES THE BENCHMARKS USED
IN CONDUCTING AN MAA.
POC/MR. ERIC E. HAMMETT/OPNAV N462/LOC: ARLINGTON, VA/TEL: (703) 695
-5521, ERIC.HAMMETT (AT)NAVY.MIL AND ERICA M. BERRIGAN/OPNAV N462/LOC:
ARLINGTON, VA/TEL (703) 695-5022, erica.berrigan1@navy.mil//
RMKS/1. This NAVADMIN promulgates the CNO-MAA schedule for FY17 that has
been coordinated with Navy Component commands, CNIC, and respective Regions.
Changes to the schedule must be coordinated through CNIC, the respective Navy
Component Commander and OPNAV N462.
2. Reference (a) provides the mission assurance-centric framework focused on
ensuring resilience for the capabilities and assets supporting Navy core
functions, using a risk management process across all protection and
resilience programs. Reference (b) directs the integration of all higher
headquarters vulnerability assessments under the Mission Assurance Assessment
Program. This integration consists of a criticality assessment, threat and
hazard assessment, and vulnerability assessment covering the following
programs: Antiterrorism (AT), Continuity of Operations (COOP), Cybersecurity
(CS), Defense Critical Infrastructure (DCI), Emergency Management (EM),
Energy Security (ES), Law Enforcement (LE), Physical Security (PS), and
Chemical, Biological, Radiological, Nuclear and High-Yield Explosive (CBRNE)
preparedness.
3. MAAs, conducted by the Joint Staff or CNO Staff, consists of three
phases. Phase I is the Mission Analysis (threat-hazard assessment, mission
identification and analysis, and assessment planning). This phase includes
an on-site visit, known as the CNO-MAA Mission Decomposition, and serves to
focus the efforts of the assessment team. The overall objective of mission
analysis is to gain an understanding of the missions executed by a command,
as well as how they are being executed. The output of this analysis will
identify an inventory of assets and supporting infrastructure and systems
associated with the execution of each mission or task assigned to a command.
This asset inventory represents a starting point for the execution of the
Critical Asset Identification Process as required per Reference (c). Mission
analysis must involve close coordination between tenant commands and host
installations. Utility Security Assessments (USAs) also occur during Phase
I. These assessments generate analyses on utility profiles of those
missions, functions, and assets supported by internal and external utility
sources. The profile analysis includes determination of gaps or deficiencies
in delivery of reliable, secure, and resilient utilities to support those
missions and assets. There are two main objectives of the USA program:
a. Identify and assess utility infrastructure (power, water,
communications, etc.) and Control Systems (Industrial Control,
Building Control and utility control) that support installation
and
tenant command mission execution.
b. Identify gaps in utility technology infrastructure that
supports the execution of missions, functions and core
capabilities.
4. Phase II is the risk assessment, conducted on-site, using reference (d).
A risk assessment involves the collection and evaluation of the following
data to determine the overall risk posture to missions assets and supporting
infrastructure: (1) asset criticality based on mission impacts; (2) probable
threats and hazards specific to the installation; and, (3) degree of
vulnerability. A risk assessment involves a systematic, rational, and
defensible process for identifying, quantifying, and prioritizing risks.
5. Phase III is the risk management process, a standardized process to
manage risk and enable decision making that balances risk and cost with
assuring the mission. Risk management allows the commander to decide how
best to employ allocated resources to reduce risk, or, where circumstances
warrant, request additional resources, waivers to policy or acceptance of the
identified risk. This process starts by directing the assessed installation
and associated tenant commands to coordinate on the completion of the
Corrective Action Plan, on identified vulnerabilities within 90 days of
receipt of the final report. The Corrective Action Plan will be socialized
and endorsed by each office within the assessed installation and tenant
commands chain-of-command and ultimately coordinated with CNIC, Navy
Component commands and OPNAV resource sponsors to prioritize projects with
unacceptable risk to missions and capabilities.
6. CNO-MAAs and USAs will be conducted on the following installations:
NSA Naples
NSF Deveselu
Norfolk Naval Shipyard
NS Norfolk
NS Newport
NB Guantanamo Bay
NSA Souda Bay
NSA South Potomac
NAS Patuxent River
NSA Washington
NSF Diego Garcia
SUBASE New London
NB Point Loma
NB San Diego
NB Coronado
NAWS China Lake
NS Everett
CFA Chinhae
NAF Misawa
NAS Whidbey Island
7. CNO-MAAs (no USA) will be conducted on the following installations:
NSA Crane
NCTAMS LANT Det Cutler
NRTF Grindavik
NRTF Lamoure
NCS H.E. Holt
PMRF Barking Sands
8. Joint MAAs led by the Defense Threat Reduction Agency (DTRA) will be
conducted on the following installations:
US Naval Observatory
NB Guam (Andersen AFB only)
9. A Mobile Training Team (MTT) will provide MA training on the current MA
Assessment tools: Navy Critical Asset Management System (NAV-CAMS);
Enterprise Mission Assurance Assessment Tool (eMAAT) and the Mission
Assurance Assessment Standalone Tool (MAAST).
a. NAV-CAMS supports the analysis and documentation of
criticality assessments, missions and mission impacts, basic
elements of information, all-hazards threat assessments linked
to assets and the vulnerability assessment of assets linked to
threats and hazards to produce a standardized risk rating.
This will be the Navy’s authoritative database.
b. The Enterprise Mission Assurance Assessment Tool (EMAAT) is
a classified (SIPR), web-based database that is an interactive
tool for both assessors and the installation POC to input assessment
data. The tool allows the assessment team to input benchmark
input, track assessor comments, input asset data and track the
assessment schedule and merge the submissions into the report format.
This tool provides the installation POC the ability to conduct an
annual self-assessment and coordinate the assessment schedule with the
CNO-MAA Coordinator.
c. MAAST is the primary tool which uses a structured risk
analysis algorithm in order for the assessors to input data on
an installations critical assets and quantify the risk to the
critical assets based on criticality, threats/ hazards, and
vulnerabilities.
10. Mission Assurance training will be hosted at the following locations for
calendar year 2016. There are 30 seats available per session.
NSA Naples 22-26 Aug 2016
NB Norfolk 14-18 Nov 2016
Training POC is Ms. Erin Breen: Erin.Breen.ctr@usmc.mil
11. Official notification letters, Key Leader Engagement meetings, and
specific assessment requirements (e.g., list of required documents and on-
site logistics requirements) will be sent via separate correspondence.
12. Released by VADM P. H. Cullom, N4.//
BT
#0001
NNNN
UNCLASSIFIED//