R 181339Z MAR 25
MARADMIN 136/25
MSGID/GENADMIN/CMC WASHINGTON DC PR & DC IL//
SUBJ/UPDATE TO MARADMIN 090/25 - UPDATED GUIDANCE FOR DEFENSE AGENCIES INITIATIVE ACCOUNT SEGREGATION OF DUTIES//
REF/A/MARADMIN 577/23//
REF/B/DON ENTERPRISE IT CONTROL STANDARDS VERSION 6.0//
REF/C/INTERIM GUIDANCE FOR THE PERFORMANCE OF DEFENSE AGENCIES INITIATIVE (DAI) COMPLEMENTARY USER ENTITY CONTROLS (CUEC) DATED FEB 2023//
REF/D/MARADMIN 090/25//
NARR/REF A IS THE INITIAL GUIDANCE FOR DEFENSE AGENCIES INITIATIVE (DAI) ACCOUNT SEGREGATION OF DUTIES (SOD) DATED NOV 2023. REF B IDENTIFIES THE INFORMATION TECHNOLOGY INTERNAL CONTROLS THE MARINE CORPS MUST IMPLEMENT. REF C PROVIDES INTERIM GUIDANCE AND DEFINES DAI CUECS.//
POC/J. A. GARZA/COL/UNIT: DC PR WASHINGTON DC/TEL: 703-614-2240/E-MAIL: [email protected]//
POC/F. L. MCCLINTICK/COL/UNIT: DC IL WASHINGTON DC/TEL: 571-256-2741/E-MAIL: [email protected]//
POC/S. L. NICHOLSON/CIV/UNIT: DC PR SDI WASHINGTON DC/TEL: 703-784-6957/E-MAIL: [email protected]//
POC/S. WARREN/CIV/UNIT: DC I&L WASHINGTON DC/TEL: 571-256-7183/E-MAIL: [email protected]//
POC/R. L. BURNAND/CIV/UNIT: DC PR UMX INDIANAPOLIS IN/TEL: 317-200-3534/E-MAIL: [email protected]//
POC/J. LYNARD-KONGKIAT/CIV/UNIT: DC PR SDI WASHINGTON DC/TEL: 843-991-4012/E-MAIL: [email protected]//
POC/C. A. DABRIO/CIV/UNIT: DC PR SDI WASHINGTON DC/TEL: 571-733-7737/E-MAIL: [email protected]//
GENTEXT/REMARKS/1. This message updates reference (a) and is a collaborative effort between the Deputy Commandants (DC) for Programs & Resources (P&R) and Installations & Logistics (I&L) with the purpose of enhancing the implementation of DAI CUEC 9, hereby referred to as SOD controls. To manage risk effectively, comply with control standards, and achieve its financial statement audit goals, the Marine Corps must ensure that users with DAI access have only the permissions required to perform their job functions.
2. Effective immediately, all commands at levels 1-4 in DAI must resolve all identified SOD conflicts by either removing conflicting responsibilities from users or obtaining waivers from the designated authority.
3. As part of continuing actions, Commands will be required to support requests for information arising from the monthly review of SOD reports (Application Access Controls Governor and Transaction Controls Governor reports). As part of this review, the P&R Systems and Data Integration (SDI) Division and the I&L Logistics Compliance Branch (LPC) will coordinate with applicable Commands to remediate identified SOD incidents.
4. Removing Conflicts. L1-L4 Commands must assess users' current DAI responsibilities and compare them to job requirements. Any identified conflicting or unnecessary responsibilities must be removed by coordinating with the P&R User Management (UMX) Section.
5. Waivers. Some commands lack the personnel to distribute responsibilities between users per SOD requirements. Therefore, the Marine Corps has a waiver process to balance operational needs against compliance with control standards.
6. The SDI Division and the LPC Branch identified and reviewed applicable SOD conflicts. They ranked each conflict using a comprehensive review that assessed four risk criteria (fraud, audit, operations, and personally identifiable information). The analysis resulted in the following five risk categories and waiver paths:
6.a. Minimal risk conflicts will be adjudicated via an enterprise-wide waiver, and thus Commands are not required to address them.
6.b. Low risk conflicts will be adjudicated via waivers signed by the first General Officer in the chain of command.
6.c. Medium risk conflicts will be adjudicated via HQMC waivers. The SDI Director will adjudicate waivers for Financial Management (FM) and Oracle Time and Labor (OTL) personnel. The LPC Branch Head will adjudicate waivers for Other Government personnel.
6.d. High risk conflicts will be adjudicated via HQMC waivers. The Assistant Deputy Commandant P&R (Resources) will adjudicate waivers for FM and OTL personnel. The Assistant Deputy Commandant I&L Logistics Division will adjudicate waivers for Other Government personnel.
6.e. Waivers will not be granted for zero-tolerance risk conflicts.
7. Waiver Instructions.
7.a. The SOD matrix, the risk register, waiver templates, and additional resources are available at https://usmc.sharepoint-mil.us/sites/DCPR_SDI/Risk_Compliance/
7.a.1. The SOD matrix provides a summarized view of the identified restricted role combinations.
7.a.2. The risk register provides a detailed view of SOD conflicts and their risk designation.
7.a.3. The waiver templates document the authorization for users to maintain SOD conflicts. There is a waiver template for each identified low, medium, and high-risk SOD conflict.
7.b. When users request a new responsibility through the access management system (i.e., ARMS), the system will identify whether the new responsibility causes an SOD conflict, which requires a waiver to proceed. Users must coordinate with their respective Command Information Owners (IO) to initiate and submit waivers.
7.c. Command IOs must complete and submit to the designated authority a waiver request for each SOD conflict identified.
7.c.1. For low-risk SOD conflicts, Commands should leverage their internal processes to submit and approve waivers.
7.c.2. For medium and high-risk SOD conflicts, Command IOs must submit waivers using the Tier 1 Helpdesk JIRA process.
7.d. Users must upload the approved waiver to their profile in the access management system. The P&R UMX Section will validate the waivers.
7.e. If the request for a waiver is denied, the conflicting responsibility will not be granted or, if it had already been granted, it will be removed.
8. When implementing the waivers, the following apply:
8.a. HQMC will evaluate and qualify the risk each SOD conflict poses to the enterprise annually, which may result in conflicts being assigned to a different risk category.
8.b. Waivers are subject to periodic reviews to ensure their continued relevance and effectiveness. They may be revoked or modified if it is determined that the risk level has changed or if compliance issues are identified.
8.c. Waivers are not automatically granted and will be voided when personnel are reassigned. The Marine Corps reserves the right to remove user responsibilities as necessary. All users must adhere to any mitigating controls established to minimize associated risks. Regular reviews and audits will be conducted to ensure compliance.
8.d. All DAI users have a fiduciary responsibility inherent in their roles as stewards of government resources and must report SOD conflicts and responsibilities that are no longer required to their respective IOs.
9. For specific questions, contact the following POCs:
9.1. FM personnel: Mr. Robert Burnand and Ms. Shajuana Nicholson.
9.2. All Other Government personnel: Ms. Sheila Warren.
9.3. OTL: Ms. Jessica Lynard-Kongkiat and Ms. Cheryl Dabrio.
10. This MARADMIN is applicable to the Marine Corps Total Force.
11. Release authorized by Anna N. K. Smith, Assistant Deputy Commandant for Programs and Resources (R), and BGen F. C. Poole, III, Assistant Deputy Commandant for Installations and Logistics (LP).//