R 291825Z APR 26
MARADMIN 202/26
MSGID/GENADMIN/CMC WASHINGTON DC MRA MP MPC//
SUBJ/IMPLEMENTATION GUIDANCE ON USER ACCESS MANAGEMENT FOR CIVILIAN HUMAN RESOURCES INFORMATION SYSTEMS//
REF/A/DOC/DOD/12DEC17//
REF/B/DOC/DOD/19JUL22//
NARR/REF A IS DODI 1400.25, THE DEPARTMENT OF WAR POLICY ON CIVILIAN PERSONNEL MANAGEMENT SYSTEM: CIVILIAN HUMAN RESOURCES MANAGEMENT INFORMATION TECHNOLOGY PORTFOLIO. REF B IS DODI 8510.01, THE RISK MANAGEMENT FRAMEWORK FOR DOD SYSTEMS.//
POC/CARLAMAE AGUINALDO/CIV/MRA (MPC)/TEL: 703-432-9423/TEL: DSN 378-9423/EMAIL: [email protected] OR [email protected]//
GENTEXT/RMKS/1. Purpose. To announce forthcoming policy for Civilian Human Resources Information Systems (c-HRIS) User Access Management and provide interim guidance. This guidance will ensure that controls are in place to balance legitimate access needs with the mitigation of risks associated with access vulnerabilities as required by ref (a).
2. Background. Per ref (a), the United States Marine Corps (USMC) is committed to ensuring that civilian Human Resources (HR) data is maintained and available to authorized users throughout the Department of War (DoW). Access management is essential for managing a secure, compliant, and efficient operational environment, as well as for protecting sensitive data and maintaining confidentiality.
3. Situation. Effective immediately, the following guidance and responsibilities for managing access to c-HRIS are in effect:
3.a. Access will be granted based on the principles of "need to know" and "least privilege," which allows, as identified in ref (b), only authorized accesses for users that are necessary to accomplish assigned organizational tasks. Access rights will be formally documented, approved, and reviewed at least semi-annually.
3.b. To gain access, all users will complete annual security awareness and Personally Identifiable Information (PII) training. A System Authorization Access Request (SAAR) form (DD2875) or equivalent must be submitted for approval.
3.c. Supervisors will validate that users have a "need to know," ensure required training is completed, and submit requests to deactivate accounts within 24 hours of a user's change in status (e.g., termination, job change).
3.d. HR Directors will monitor and audit c-HRIS accounts on a semi-annual basis and process revocations for account holders who fail to complete required annual training or are no longer authorized access to sensitive HR data.
3.e. Access will be terminated when a user separates or no longer.
4. This MARADMIN does not supersede or replace established DoW, Department of the Navy (DoN), or Marine Corps guidance or requirements that are more restrictive or prescriptive in nature.
4.a. This MARADMIN applies to the Total Force. Commanders will ensure all Marines and Civilians are aware of the forthcoming policy changes.
5. This MARADMIN is cancelled upon its incorporation into a Marine Corps Order.
6. Release authorized by Brigadier General Lauren S. Edwards, Director, Manpower Plans and Policy Division, Manpower and Reserve Affairs.//