A forthcoming service offering from the Defense Information Systems Agency (DISA) will automate and significantly reduce the time required to process system authorization access requests.
The Department of Defense Form 2875: System Authorization Access Request (SAAR) has long been used to request system access across the department. Completing the manual process can take several weeks to several months, hindering productivity.
The DISA Ecosystem Cyber Services Line of Business (LOB) took on the challenge of automating 2875 requests and created the System Access Management (SAM) application — the first step in eliminating paper 2875s for system access requests.
A module inside of the Enterprise Security Posture System (ESPS), SAM is a fully automated government solution that seamlessly moves the request through the approval process — requestor, supervisor, security manager, and account creator — eliminating the sharing of 2875s via email, local access databases, or local shared drives.
SAM reduces the time, costs, and lifecycle to effectively submit, process, and approve a 2875. Its fully automated workflow processes requests within a day, or even within minutes. Most importantly, SAM processes system access requests without the traditional 2875 form.
“New employees typically require access to 10-12 different systems. So it’s easy to see the efficiencies gained through this automation effort,” said El Jones, section chief of Cyber Automation and Capabilities within the Cyber Services LOB. “The faster people can get onto systems they need, the more productive they can be.”
How SAM works
SAM has an automated workflow built in and routes requests as needed. The high level workflow is below. Steps 1-3 will be pre-populated in SAM after an individual’s initial entry and will not need to be completed again unless any of the information changes.
- Requester submits personal information into SAM.
- Supervisor validates personal information.
- Security manager provides clearance information and information technology (IT) level.
- Requestor requests access to a specific system.
- Supervisor validates that employee requires the access requested.
- Appropriate account creators are notified of pending account creations.
- Account creator group reviews requests and creates account or rejects request.
Features such as auto-population have improved data accuracy and the customer experience, and have reduced the time and manpower required to support the 2875 process, said Jones.
SAM is able to store form data, allowing management to create views to support reporting requirements and, most importantly, address insider threat vulnerabilities.
DISA’s Computing Ecosystem teams continue to enhance the capabilities within the SAM application.
The next phase of the SAM project will provide added capabilities to ensure compliance with the requirement to revalidate all privileged system accounts every 90 days, providing automation to support what has previously been an insurmountable manual effort.
DISA implements SAM
SAM is currently available to the DISA workforce to request access to all agency systems, including those on the Non-classified Internet Protocol Router Network (NIPRNet) and those on the Secure Internet Protocol Router Network (SIPRNet).
The agency recently completed a use case to create accounts and process access requests for approximately 6,000 employees.
“The entire process, from making employees across the globe aware of the requirement to request access to completing the access request process, including obtaining all required approvals, was completed in only four weeks,” said Jones.
Available to mission partners in the summer
Mission partners will be able to request access to SAM this summer, enabling them to seamlessly request access to DISA-managed systems. Additionally, DISA is developing a dashboard that will support mission partner accreditation efforts, enabling the generation of real-time reports with a list of users who have access to a given system.
For more information about SAM, contact firstname.lastname@example.org.