If you are employed by the Department of Defense (DoD), chances are you require access to one or more information systems (computer networks). Establishing your access to DoD computer networks requires the completion of a variety of forms. Over the years, many of us have spent a significant amount of time completing these forms over and over as we PCS to or visit commands where we require access to local networks.
There is another process in place that manages similar accesses with similar forms, but requires significantly less administrative overhead. This process is the “access to classified information” process. This article compares and contrasts these two processes and makes recommendations to modernize the “access to computer networks” process.
For ease of discussion, in this article, the “access to computer networks” process will be referred to as the “network access” process. The “access to classified information” process will be referred to as the “information access” process.
Both processes use a key document that articulates government responsibilities as well as user responsibilities associated with granting access. The information access process uses the Standard Form 312, Classified Information Non-Disclosure Agreement (NDA), to capture these responsibilities and educate service members. The NDA is the DoD standard and is applicable to all the services and agencies within the DoD.
Similarly, the network access process uses a “user agreement” form to capture government and user responsibilities and educate service members. Unlike the standard NDA, however, there is no standard user agreement form applicable across the DoD. As such, each service has its own user agreement form, and within some services the form is different from command to command. Within the Navy, the user agreement is captured in the SAAR-N (System Authorization Access Request Navy – OPNAV Form 5239/14 – more about this form below).
My first recommendation is to create a standardized user agreement to be applied across all networks within the DoD. The NDA already models this best practice for the information access process and represents a great example of how the network access process can be improved.
For the information access process, a service member’s first NDA is documented in the Joint Personnel Adjudication System (JPAS). JPAS is a centralized, web-based site that facilitates managing the information access process. Service members often sign additional NDAs when checking into new commands, but those copies are for local record-keeping requirements only because the original NDA remains documented within JPAS. As such, service members’ access to classified information is rarely (if ever) delayed because of the reduced administration associated with the NDA.
Contrast that to the network access process where the user agreement is not documented in a centralized, web-based site but rather is managed and maintained only locally. As a result, when checking into a new command, service members’ access to local networks is often delayed while the user agreement is processed.
In the case of the Navy, the user agreement is one and the same as the SAAR-N. Unfortunately, the SAAR-N requires review by several entities (supervisor, information owner, Security Manager), resulting in an additional delay to network access for service members until review of the SAAR-N is complete.
My second recommendation is to follow the NDA best practice model and document the original user agreement in a centralized, web-based location.
As alluded to above, and in addition to the user agreement, network access requires a SAAR. The Navy uses OPNAV Form 5239/14 SAAR-N whereas the rest of the DoD uses DD Form 2875 SAAR. (For the remainder of this article, the abbreviation SAAR will be used to represent both the DoD SAAR and the Navy’s SAAR-N.) Many commands require a separate SAAR for access to each network. In addition to network access, many web-based applications require another SAAR for user access. In the aggregate, an average service member spends a significant amount of time completing individual SAARs for each network at each command throughout their career. Further, service members will often go TDY to other commands and spend additional time completing more SAARs in order to access those networks. Coupled with the administrative time spent by those responsible for filing and managing this paperwork, the total administrative overhead associated with managing network access becomes staggering.
Contrast the network access methodology described above to how access to information is managed. Access to information is managed via the centralized, web-based site, JPAS. There is no equivalent SAAR form for accessing classified information. As such, there is no form that needs to be routed to a supervisor, information owner and Security Manager — and there is no form required for each of the classification levels: Confidential, Secret, Top Secret. Instead, the Security Manager reviews a service member’s eligibility within JPAS and assigns access according to the requirements of the job.
The basic tenets of access (eligibility and need to know) are the same for both processes. The information access process manages access to multiple levels of classification via a streamlined, centralized, web-based tool recognized throughout the DoD and available globally. The network access process is managed via individual forms routed to multiple entities for each level of access using locally maintained documentation that is not recognized between commands and is not available globally. Despite the similarities between the two processes, they’ve adopted drastically different management practices.
My third recommendation is to modernize the network access process by using a centralized, web-based tool, similar to the way JPAS is used to manage the information access process.
In conclusion, the network access and information access processes are similar in that they manage accesses vital to national security at a variety of classification levels. One does this via a modernized, centralized, web-based tool with standardized forms applicable across the entire DoD. The other remains anchored in an antiquated and time-consuming paper-shuffling methodology applicable only locally. The antiquated network access approach results in an unnecessary amount of time spent on administration, as well as lost operational network time, for the would-be network users waiting for network access.
To modernize the network access process, recommendations are summarized below:
- Create a standard user agreement applicable to all DoD networks.
- Document the original user agreement using a centralized, web-based tool.
- Manage network access using a centralized, web-based tool.
The views expressed here are solely those of the author, and do not necessarily reflect those of the Department of the Navy, Department of Defense or the United States government.
Cmdr. Roger Koopman is an Information Professional Officer currently assigned as the U.S. Cyber Command Liaison Officer to U.S. Pacific Command.