Risk Management Framework (RMF)/ Authority to Operate (ATO) Report; User registration; Updated tutorials; Unclassified but sensitive information (VDPs); AURLL and PII (and adding an anti-AURLL); Digital Garrison Gates API.
At the last teleconference it was mentioned that the "availabilty sessions" weren't quite as helpful as they should be. An agenda was requested. This time we did have an agenda, and I believe quite a bit of information got passed along (too much?) The Trojan Horse illustration was a weak attempt at humor. How funny is an agenda?
Risk Management Framework and Authority to Operate: the basic point is that to have Authority to Operate (Capitalized because it is a Thing) from AMC, their G6 must be able to affirm that IEWfollows the DoD (actually, Federal) security rules, known as the Risk Management Framework.
Registration and member life cycle
To meet that need, we have been changing the way we do business -- most important right now, the way we register and train our members. We must maintain DD Form 2875 and associated certificates at both the garrison and headquarters levels. Whenever you add someone, follow the process described in Tutorial 5 and on THIS PAGE. Always check back for the latest version of the DD 2875 with IEW overlay available from the HQ Webmaster page. The overlay includes necessary information, so use that one.
The registration amnesty is coming to a close. Up to now, and for a short while longer, send us your registrations and unless you hear from us, assume the registration is OK. Once we catch up with our backlog, we will go garrison-by-garrison, identify unregistered users, and automatically disable their accounts (we'll give you a date).
Our preferred method of receiving registrations is one email per user, with DD 22875 and all certificates attached. That said, we don't want to hold you up; contact me and we'll discuss bulk registration. And please use the Expedited Registration Matrix.
Registration includes training. See the account requirements page for exactly what is required.
I did clarify that fully trained/qualified 46A/46Z/GS-1035/GS-1082 can be site managers without first attending OPSEC Level II training. This doesn't mean someone fresh from MOM|POP Marketing Solutions, but someone who has the background to know when to engage OPSEC.
We also discussed the other end of the lifecycle. The instructions in How to Say Goodbye are still the standard. Using the magic of email, all parties who need notification are alerted. Casual as it sounds, it works as a record and we will treat it that way.
Tutorials 5 and 6 are updated to reflect these changes; they will be published Friday. Always check the dates to make sure you have the latest.
Unclassified but sensitive information (VDPs)
Reminder to keep all documents marked FOUO or CUI OFF YOUR SERVERS. ARCYBER is literally paying a bounty to hackers who find weaknesses in Army systems. Home.army.mil is on the target list by name. Scanning for FOUO is how mama hackers teach their cubs how to hunt.
A question about the Authorized URL List came up. It was recommended that we provide a list ofr rejected sites with reasons for the rejection. That idea is a good one and it is in the queue.
Gates API should be operational soon, automatiang the update of gate hours