AR 380-19 Information Systems Security


Chapter 3
Automated Information System Accreditation

3-1. Accreditation overview

3-2. Generic accreditation

3-3. Operational accreditation

Operational accreditation is applicable to all AIS that have not been accredited by a generic accreditation. Operational accreditation is also required for AIS covered by a generic accreditation, if the AIS does not operate within the security bounds of the generic accreditation. Operational accreditation may apply to-

3-4. Certification

3-5. The accreditation process

3-6. Reaccreditation

3-7. Accreditation records

Copies of AIS accreditation or reaccreditation documentation will be maintained by the appropriate accreditation authority or his or her representative.

3-8. Designated accreditation authorities

3-9. Special provisions for systems processing intelligence data (RCS: CIA 1003).

3-10. Interim approval to operate before accreditation

Figure 3-1. Sample format of an accreditation statement

SUBJECT: Automated Information System (AIS) Accreditation

Commander (name)

1. Reference AR 380-19, chapter 3, dated (date) Subject: Information Systems Security.

2. Having reviewed the security measures which have been implemented and planned in the areas of security management, software, hardware, procedures, communications, personnel, and physical security, operation of the (computer, room, building, and address) and its associated peripherals is considered to be within the bounds of acceptable risk.

3. Accordingly, accreditation is granted to store and process (insert sensitivity level from paragraph 2-2a) information in the (insert security mode from paragraph 2-2b) security mode.

4. A reaccreditation is required immediately if any event listed in paragraph 3-6, reference 1, occurs.

(Signature block)

Authentication by
accreditation authority