
DOD REACCREDITATION PROCESS


PARTNER CONNECTION PROCESS

[Figure: DoD Reaccreditation Process Flow]

Reaccreditation Connection Evaluation

If an accreditation decision is approaching its Authorization Termination Date (ATD), the DAA must reinitiate the C&A process and issue a new accreditation decision. Ideally, the new ATO/IATO will be issued and an updated CAP package uploaded to SNAP or SGS a minimum of 30 days prior to the expiration of the current ATC/IATC.

The expiration date of an ATC/IATC is usually the same as (and will never go beyond) the ATD expiration date of the associated scorecard. In some instances, the results of the CAO or DSAWG risk assessment may warrant the issuance of an ATC/IATC with an accreditation period shorter than that of the associated scorecard. An expired ATC/IATC will prompt a review by USCYBERCOM, and may result in an order to disconnect the IS/enclave from the DISN network/service.

The DAA could decide that planned changes to an IS/enclave are significant enough to warrant reinitiating the full C&A process, with subsequent issuance of a new accreditation decision inside the normal 3-year ATO (or 180-day IATO) cycle. If no physical reconfiguration of the DISN circuit is needed to effect the planned changes, such modifications to an IS/enclave (even if significant enough to warrant a new accreditation decision) do not need to be coordinated with the corresponding DISN Service Manager (SM). However, the planned events may have a significant impact on the IA security posture of the IS/enclave, and consequently on the risk the IS/enclave poses to the DISN community at large. Pre-coordination with the CAO is necessary to ensure the topologies, accreditation, and risk decision artifacts are updated and available for the connection approval decision.

Examples of high-impact events requiring pre-coordination with the CAO are:

  • Deployment of a cross domain solution (CDS)
  • Deployment of a UC product enhancing the capability of the enclave (i.e., Soft Switch VoIP, VoSIP, CVVoIP), even if the application is already accredited by the IS/enclave DAA
  • Rehoming of a reaccreditation enclave to a new DEMARC, such as a move to a new facility where a new CCSD(s) is issued by DITCO.

Note: The deployment to a partner enclave of an AIS accredited by the DISA DAA for DISN/GIG Enterprise deployment generally does not trigger a requirement for pre-coordination with the CAO prior to deployment.

The following medium-impact events do not need to be pre-coordinated with the CAO prior to deployment/implementation. However, these events must be identified to the CAO no later than deployment/implementation by providing an updated network topology diagram and SIP.

Examples of medium-impact events:

  • Deployment of new VoIP phones requiring a new VLAN segment within the enclave
  • Deployment of new VTC (UC APLITS approved) products
  • Changes in the IP address range assigned to the IS/enclave
  • DISA transport re-homing actions that change entry points and DISN, not the partner’s reaccreditation enclave where the enclave remains at the same facility.
  • Upgrade of bandwidth service

Mission Partner Initiates the C&A Reaccreditation Process

DoD partners are required to use the DIACAP and to upload to SNAP or SGS (at a minimum) a complete and accurate DIACAP Executive Package, which includes the following documents/artifacts.

  • System Identification Profile (SIP)
  • DIACAP Scorecard
  • IT Security Plan of Action and Milestones (POA&M), if required
  • Detailed topology diagram (not a DIACAP artifact; however, it is required for Connection Approval)

(For instructions on how to complete these requirements, see DIACAP and the DIACAP Knowledge Service at https://diacap.iaportal.navy.mil/login.htm.)

At the completion of the C&A process, the DAA makes a reaccreditation decision. An ATO decision has a maximum validity period of 3 years, while the IATO has a maximum validity period of 180 days. In accordance with the DIACAP, consecutive IATOs shall not exceed 360 consecutive days (unless approved in writing by the DoD component CIO).

Mission Partner Updates the Connection Information

DoD mission partners are required to update the system of record registration for their Information System using the following processes.

  • The NIPRNet SNAP NIPR module to update their registrations and submit their updated DIACAP executive package artifacts for unclassified connections to the DISN.
  • The NIPRNet SNAP DSN module to update their registrations and submit their updated DIACAP executive package artifacts for their voice switch connections.
  • The NIPRNet SNAP Waiver module to update their registrations and submit their updated briefing for ISP GIG Waiver.
  • The SIPRNet SGS GIAP module to update their registrations and submit their updated DIACAP executive package artifacts for classified connections to the DISN.

Connection Approval Package Submission

The Mission Partner reaccreditation requests are submitted to the CAO in the form of a CAP package. This package provides the CAO the information necessary to make a connection approval decision. CAP packages should be submitted at least 30 days prior to the existing ATC or IATC date to ensure service continuity. CAP Package document requirements are listed in the applicable appendix at the end of this document.

A DAA Appointment Letter must be included if there is a new DAA or if the information is not already on file in the Connection Approval Office (CAO). The letter must appoint an official specifically by name, not the office to which the managerial official is assigned. If the DAA has delegated signature authority to an authorized official, written evidence of a delegation action must be provided to the CAO prior to the acceptance of any CAP package documentation.

Account Registration for the SNAP (Unclassified) and SGS (Classified) Database

CAP packages for connections will be uploaded by the partner in the SNAP (unclassified) or SGS (classified) database. In order to submit a CAP package, you must register for an account.

SNAP (Unclassified)

  • Request a SNAP account
  • Click on “request a SNAP account”
  • Upload a completed, signed DD Form 2875 System Authorization Access Request (SAAR). The 2875 can be downloaded from SNAP.
  • Complete section 13 of the 2875, “Justification for Access”, by specifying the SNAP module and user role for your CC/S/A.
  • Complete your profile data; asterisked items are required fields.
  • Click “Submit Request” for approval

SGS (Classified)

  • For classified connections go to https://giap.disa.smil.mil/gcap/home.cfm
  • Click on “request a SGS account”
  • Upload a completed, signed DD Form 2875 SAAR. The 2875 can be downloaded from the SGS website.
  • Complete section 13 of the 2875, “Justification for Access”, by specifying the SGS module and user role for your CC/S/A.
  • Complete your profile data; asterisked items are required fields.
  • Click “Submit Request” for approval
  • Once the account is approved, proceed with the creation/registration of the connection to include the submittal/upload of the DIACAP executive package artifacts once your local DIACAP C&A is completed.


Registration and Submittal Process for Unclassified and Classified Packages

SNAP (Unclassified)

  • Hover the mouse over "NIPR" and select "New Registration"
  • Complete all required fields of Sections 0-6 of the NIPR Checklist (Sections with a locked icon are reserved for use by CAO Analyst).
  • Upload Attachments for your DIACAP executive package artifacts in Sections 7.1 through 7.6 as applicable. Please note: Only Sections 7.1 through 7.5 require the upload of attachments.
  • Once all sections are completed, a submit button at the bottom of the screen will be available in order to submit the entire registration.

NOTE: For 24/7 SNAP assistance, contact the DISN Global Support Center at (800) 554-3476

SGS (Classified)

  • Hover the mouse over "GIAP" and select "New Registration" 
  • Complete all required fields of Sections 0-9 of the GIAP Checklist (Sections with a locked icon are reserved for use by CAO Analyst).
  • Upload Attachments for your DIACAP executive package artifacts in Sections 9.1 through 9.10 as applicable.
  • Once all sections are completed, a submit button at the bottom of the screen will be available in order to submit the entire registration.

CAP Package Review and the Authorization to Connect Decision

Upon receipt of the CAP package, the CAO reviews the contents for completeness. In the event an incomplete package is received by the CAO, the package will be rejected and no CAO tracking number assigned. The partner will receive notification of a rejected package, including what documentation is missing from the package. Typically, when all the connection approval requirements are met, an ATC or IATC will be issued within eight (8) business days.

As an integral part of the process, the CAO assesses the level of risk the partner's IS or network enclave poses to the specific DISN network/service and to the GIG community at large. The identification of IA vulnerabilities or other non-compliance issues and the responsiveness of the affected enclave in implementing appropriate remediation or mitigation measures against validated vulnerabilities will have a direct impact on the risk assessment, and subsequently on the connection approval decision.

The following are some of the indicators that would contribute to the assessment of an elevated risk:

  • Missing, incomplete, or inaccurate CAP package input (because unknowns lead to a lower level of confidence in the IA status of the partner IS/enclave).
  • Unsatisfactory results during an on-site or remote compliance monitoring/vulnerability assessment event where IA controls are tested and policy compliance is reviewed.

If the risk is “low” or “medium,” the CAO will normally issue an ATC or IATC. A “medium” risk assessment will cause the CAO to monitor more closely the IA status of the IS/enclave during the connection life cycle. “Low” risk assessments will not affect a new request or a reaccreditation connection.

An ATC/IATC will normally authorize the partner to remain connected to the DISN network/service defined in the connection approval, up to the accreditation decision ATD. The results of the risk assessment may warrant the issuance of a connection approval decision with a validity period shorter than that of the accreditation decision ATD. In such cases, the CAO will provide justification to the DAA for the shorter validity period.

If the CAO assesses a "high" risk, it will provide the DAA the justification for the assessment and inform the DAA that current guidance (i.e., policy, DSAWG decision, STIGs, etc.) from DISN/GIG DAAs precludes the issuance of an ATC without additional review of the IS/enclave IA status by the community accreditation bodies.

Notification of Connection Approval or Denial

Connection Approval

If the reaccreditation request is approved, the partner is issued an ATC or IATC. The connection approval validity period is specified in the ATC/IATC letter. The DAA must notify the CAO of significant changes, such as architecture changes requiring re-accreditation, movement of the IS enclave to a new location, changes in risk posture, etc., that may cause a modification in the IA status of the system/enclave or if the connection is no longer needed.

Denial of Approval to Connect

If the reaccreditation request is denied, the CAO will provide the partner a list of corrective actions required before the connection can be approved.