Memo Ensures Risk Management Consistency

Published January 9, 2009

In light of the increased reliance on information systems, the increased visibility of cyber security, and the growing number of attacks on systems, the criticality of consistent and thoughtful risk management has been recognized by senior leaders throughout the government.

The Department of the Navy Chief Information Officer recently issued a memo aligning the DON Senior Information Assurance Officer (SIAO) authority with the responsibility already vested in the SIAO by federal statutes and Department of Defense policies, to ensure DON systems are assessed against a consistent risk management methodology.

The DoD Information Assurance Certification and Accreditation Process (DIACAP) guidance states that each CIO, supported by an appointed SIAO, is responsible for administration of the overall Certification and Accreditation (C&A) process. The outcome of the C&A process is the official risk management decision to authorize operation of an information system based on mission need and the implementation of an agreed-upon set of security controls.

The actions that will come out of this memo are a codification of the C&A approval process for deploying information systems for Joint or Defense-wide programs, across the DON enterprise, and within the Navy and Marine Corps domain. This will ensure that the critical information technologies used throughout the DON, particularly in fighting the Global War on Terrorism, are available and operating at an acceptable risk level so the Department can achieve its mission.