FISCAL YEAR 2017 (FY17) CHIEF OF NAVAL OPERATIONS MISSION ASSURANCE ASSESSMENT (CNO-MAA) SCHEDULE FOR SELECT NAVY COMMANDS:

UNCLASSIFIED
ROUTINE
R 031423Z AUG 16
FM CNO WASHINGTON DC
TO NAVADMIN
BT
UNCLAS

NAVADMIN 172/16

MSGID/GENADMIN/CNO WASHINGTON DC/N4/

SUBJ/FISCAL YEAR 2017 (FY17) CHIEF OF NAVAL OPERATIONS MISSION ASSURANCE 
ASSESSMENT (CNO-MAA) SCHEDULE FOR SELECT NAVY COMMANDS//

REF/A/DOC/MISSION ASSURANCE STRATEGY/7MAY12/DEPSECDEF//
REF/B/DOC/MISSION ASSURANCE ASSESSMENT PROGRAM INTERIM IMPLEMENTATION
/27APR15/DEPSECDEF//
REF/C/DOC/2015 DOD MISSION ASSURANCE VULNERABILITY ASSESSMENT 
BENCHMARKS/AUG2015//
REF/D/DOC/CRITICAL ASSET IDENTIFICATION PROCESS/24OCT08//
NARR/REF A IS THE APRIL 2012 DEPUTY SECRETARY OF DEFENSE MISSION ASSURANCE 
STRATEGY.  REF B IS THE DEPUTY SECRETARY OF DEFENSE MEMORANDUM PROVIDING 
INTERIM GUIDANCE ON CONDUCTING MISSION ASSURANCE ASSESSMENTS.  REF C IS THE 
CRITICAL ASSET IDENTIFICATION PROCESS.  REF D DESCRIBES THE BENCHMARKS USED 
IN CONDUCTING AN MAA.
POC/MR. ERIC E. HAMMETT/OPNAV N462/LOC: ARLINGTON, VA/TEL:  (703) 695-5521, 
ERIC.HAMMETT(AT)NAVY.MIL AND ERICA M. BERRIGAN/OPNAV N462/LOC: 
ARLINGTON, VA/TEL (703) 695-5022, erica.berrigan1@navy.mil//

RMKS/1.  This NAVADMIN promulgates the CNO-MAA schedule for FY17 that has 
been coordinated with Navy Component commands, CNIC, and respective Regions.  
Changes to the schedule must be coordinated through CNIC, the respective Navy 
Component Commander and OPNAV N462.

2.  Reference (a) provides the mission assurance-centric framework focused on 
ensuring resilience for the capabilities and assets supporting Navy core 
functions, using a risk management process across all protection and 
resilience programs.  Reference (b) directs the integration of all higher 
headquarters vulnerability assessments under the Mission Assurance Assessment 
Program.  This integration consists of a criticality assessment, threat and 
hazard assessment, and vulnerability assessment covering the following 
programs:  Antiterrorism (AT), Continuity of Operations (COOP), Cybersecurity 
(CS), Defense Critical Infrastructure (DCI), Emergency Management (EM), 
Energy Security (ES), Law Enforcement (LE), Physical Security (PS), and 
Chemical, Biological, Radiological, Nuclear and High-Yield Explosive (CBRNE) 
preparedness.

3.  MAAs, conducted by the Joint Staff or CNO Staff, consist of three 
phases.  Phase I is the Mission Analysis (threat-hazard assessment, mission 
identification and analysis, and assessment planning).  This phase includes 
an on-site visit, known as the CNO-MAA Mission Decomposition, and serves to 
focus the efforts of the assessment team.  The overall objective of mission 
analysis is to gain an understanding of the missions executed by a command, 
as well as how they are being executed.  The output of this analysis will 
identify an inventory of assets and supporting infrastructure and systems 
associated with the execution of each mission or task assigned to a command.  
This asset inventory represents a starting point for the execution of the 
Critical Asset Identification Process as required per Reference (c).  Mission 
analysis must involve close coordination between tenant commands and host 
installations.  Utility Security Assessments (USAs) also occur during Phase 
I.  These assessments generate analyses on utility profiles of those 
missions, functions, and assets supported by internal and external utility 
sources.  The profile analysis includes determination of gaps or deficiencies 
in delivery of reliable, secure, and resilient utilities to support those 
missions and assets.  There are two main objectives of the USA program:

     a.  Identify and assess utility infrastructure (power, water,
     communications, etc.) and Control Systems (Industrial Control,
     Building Control and utility control) that support installation
     and tenant command mission execution.
     b.  Identify gaps in utility technology infrastructure that
     supports the execution of missions, functions and core
     capabilities.

4.  Phase II is the risk assessment, conducted on-site, using reference (d).  
A risk assessment involves the collection and evaluation of the following 
data to determine the overall risk posture to missions assets and supporting 
infrastructure:  (1) asset criticality based on mission impacts; (2) probable 
threats and hazards specific to the installation; and, (3) degree of 
vulnerability.  A risk assessment involves a systematic, rational, and 
defensible process for identifying, quantifying, and prioritizing risks.

5.  Phase III is the risk management process, a standardized process to 
manage risk and enable decision making that balances risk and cost with 
assuring the mission.  Risk management allows the commander to decide how 
best to employ allocated resources to reduce risk, or, where circumstances 
warrant, request additional resources, waivers to policy or acceptance of the 
identified risk.  This process starts by directing the assessed installation 
and associated tenant commands to coordinate on the completion of the 
Corrective Action Plan on identified vulnerabilities within 90 days of 
receipt of the final report.  The Corrective Action Plan will be socialized 
and endorsed by each office within the assessed installation and tenant 
commands' chain-of-command and ultimately coordinated with CNIC, Navy 
Component commands and OPNAV resource sponsors to prioritize projects with 
unacceptable risk to missions and capabilities.

6.  CNO-MAAs and USAs will be conducted on the following installations:

NSA Naples
NSF Deveselu
Norfolk Naval Shipyard
NS Norfolk
NS Newport
NB Guantanamo Bay
NSA Souda Bay
NSA South Potomac
NAS Patuxent River
NSA Washington
NSF Diego Garcia
SUBASE New London
NB Point Loma
NB San Diego
NB Coronado
NAWS China Lake
NS Everett
CFA Chinhae
NAF Misawa
NAS Whidbey Island

7.  CNO-MAAs (no USA) will be conducted on the following installations:

NSA Crane
NCTAMS LANT Det Cutler
NRTF Grindavik
NRTF Lamoure
NCS H.E. Holt
PMRF Barking Sands

8.  Joint MAAs led by the Defense Threat Reduction Agency (DTRA) will be 
conducted on the following installations:

US Naval Observatory
NB Guam (Andersen AFB only)

9.  A Mobile Training Team (MTT) will provide MA training on the current MA 
Assessment tools:  Navy Critical Asset Management System (NAV-CAMS); 
Enterprise Mission Assurance Assessment Tool (eMAAT) and the Mission 
Assurance Assessment Standalone Tool (MAAST).
     a.  NAV-CAMS supports the analysis and documentation of
     criticality assessments, missions and mission impacts, basic
     elements of information, all-hazards threat assessments linked
     to assets and the vulnerability assessment of assets linked to
     threats and hazards to produce a standardized risk rating.  
     This will be the Navy’s authoritative database.
     b.  The Enterprise Mission Assurance Assessment Tool (eMAAT) is
     a classified (SIPR), web-based database that is an interactive
     tool for both assessors and the installation POC to input assessment
     data.  The tool allows the assessment team to input benchmark
     input, track assessor comments, input asset data and track the
     assessment schedule and merge the submissions into the report format.
     This tool provides the installation POC the ability to conduct an
     annual self-assessment and coordinate the assessment schedule with the
     CNO-MAA Coordinator.
     c.  MAAST is the primary tool which uses a structured risk
     analysis algorithm in order for the assessors to input data on
     an installation's critical assets and quantify the risk to the
     critical assets based on criticality, threats/hazards, and
     vulnerabilities.

10.  Mission Assurance training will be hosted at the following locations for 
calendar year 2016.  There are 30 seats available per session.
NSA Naples 	22-26 Aug 2016
NB Norfolk	14-18 Nov 2016
Training POC is Ms. Erin Breen:  Erin.Breen.ctr@usmc.mil

11.  Official notification letters, Key Leader Engagement meetings, and 
specific assessment requirements (e.g., list of required documents and 
on-site logistics requirements) will be sent via separate correspondence.

12.  Released by VADM P. H. Cullom, N4.//

BT
#0001
NNNN
UNCLASSIFIED//