If an accreditation decision is approaching its Authorization Termination Date (ATD), the DAA must reinitiate the C&A process and issue a new accreditation decision. Ideally, the new ATO/IATO will be issued and an updated CAP package forwarded to the CAO a minimum of 30-days prior to the expiration of the current ATC/IATC.

The expiration date of an ATC/IATC is usually the same as (and will never go beyond) the expiration date of the associated ATO/IATO. In some instances, the results of the CAO or DSAWG risk assessment may warrant the issuance of an ATC/IATC with a validity period shorter than that of the associated ATO/IATO. An expired ATC/IATC will prompt a review by USCYBERCOM, and may possibly result in an order to disconnect the IS/enclave from the DISN network/service.

The DAA could decide that planned changes to an IS/enclave are significant enough to warrant reinitiating the full C&A process, with subsequent issuance of a new accreditation decision inside the normal 3-year ATO (or 180-day IATO) cycle. If no physical reconfiguration of the DISN circuit is needed to effect the planned changes, such modifications to an IS/enclave (even if significant enough to warrant a new accreditation decision) do not need to be coordinated with the corresponding DISN Service Manager (SM). However, the planned events may have a significant impact on the IA status of the IS/enclave, and consequently on the risk the IS/enclave poses to the DISN community at large. Such cases prompt a requirement for the partner/sponsor to coordinate with the CAO prior to partner implementation of the change.

There may be occasions when a component may experience high impact events and pre-coordination with the CAO would be useful to expedite partner reaccreditation:

Examples of high-impact event:

• Deployment of a cross domain solution (CDS)
• Deployment of a major Automated Information System (AIS) application, even if the application is already accredited by the IS/enclave DAA
• Deployment of a UC product enhancing the capability of the enclave (i.e., Soft Switch VoIP, VoSIP, CVVoIP,), even if the application is already accredited by the IS/enclave DAA
• Rehoming of a reaccreditated enclave to a new DEMARC; such as moving to a new facility where a new CCSD(s) is issued by DITCO.

NOTE: The deployment to a partner enclave of an AIS accredited by the DISA DAA for DISN/GIG Enterprise deployment generally does not trigger a requirement for pre-coordination with the CAO prior to deployment.

Examples of medium-impact events that pose a lesser risk to the DISN are:

• Deployment of additional workstations with new hardware and new approved/accredited software
• Deployment of new VoIP phones requiring a new VLAN segment within the enclave
• Deployment of new VTC (UC APLITS approved) products
• Changes in the IP address range assigned to the IS/enclave
• DISA transport re-homing actions that change entry points and DISN, not the partner's reaccreditation enclave where the enclave remains at the same facility.
• Upgrade of bandwidth service

The Mission Partner reaccreditation requests are submitted to the CAO in the form of a CAP package. This package provides the CAO the information necessary to make a connection approval decision. CAP packages should be submitted at least 30 days prior to the existing ATC/IATC expiration date.

The following documents are minimum requirements for the CAO to analyze a CAP package (see the appropriate network/service appendix for additional requirements):

• Non-DoD Partner reaccreditation to the DISN requires the completion of a C&A process. In all cases, C&A document and artifact submissions must provide IA status information equivalent to the DIACAP Executive Package.
• DIACAP Executive Package (DIACAP Scorecard) or equivalent
• System Identification Profile (SIP)
• IT Security POA&M, if required
• Detailed Topology Diagram (not a DIACAP artifact, however it is required for Connection Approval)
• DoD contractor connection to DISN:
• For Unclassified connections, use DIACAP (the sponsoring DoD component has responsibility for all DAA actions)
• For Classified connections, use DoD 5220.22-M, National Industrial Security Program Operating Manual (NISPOM), 28 February 2006 (ref p) ; the Defense Security Service (DSS) has responsibility for all DAA actions; see the DSS-DISA MOA for further specifics regarding non-DoD classified connections.
• For non-DoD and non-IC federal departments and agencies:
• For an IS not categorized as a National Security System (NSS), use National Institute of Standards and Technology (NIST) SP 800-37 Rev 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, February 2010 (ref r)
• For an IS categorized as an NSS, and IAW CNSS Instruction No. 1253 Security Categorization and Control Selection for National Security Systems, October 2009 (ref o), refer to CNSSI 4009 National Information Assurance Glossary, June 2006, for the definition of an NSS.

NOTE: For other non-DoD entities, the C&A process requirements and inputs will be reviewed on a case-by-case basis. Coalition and allied mission partners will follow an established national C&A process. (For instructions on how to complete these requirements, see DIACAP and the DIACAP Knowledge Service at https://diacap.iaportal.navy.mil/login.htm.)

At the completion of the C&A process, the DAA makes a reaccreditation decision. An ATO decision has a maximum validity period of 3 years, while the IATO has a maximum validity period of 180 days. In accordance with the DIACAP, consecutive IATOs shall not exceed 360 consecutive days (unless approved in writing by the DoD component CIO).

Non-DoD mission sponsors are required to update the system of record registration for the Information System using one of the following processes.

• The NIPRNet SNAP NIPR module to update their registrations and submit their updated DIACAP executive package artifacts for unclassified connections to the DISN.
• The NIPRNet SNAP DSN module to update their registrations and submit their updated DIACAP executive package artifacts for their voice switch connections.
• The NIPRNet SNAP Waiver module to update their registrations and submit their updated briefing for ISP GIG Waiver.
• The SIPRNet SGS GIAP module to update their registrations and submit their updated DIACAP executive package artifacts for classified connections to the DISN.

The Mission Partner reaccreditation requests are submitted to the CAO in the form of a CAP package. This package provides the CAO the information necessary to make a connection approval decision. CAP packages should be submitted at least 30 days prior to the existing ATC or IATC date to ensure service continuity.

A DAA Appointment Letter must be included if there is a new DAA or if the information is not already on file in the Connection Approval Office (CAO).  The letter must appoint an official specifically by name, not the office to which the managerial official is assigned.  If the DAA has delegated signature authority to an authorized official, written evidence of a delegation action must be provided to the CAO prior to the acceptance of any CAP package documentation.

CAP Package document requirements are listed in the applicable service appendix.

Account Registration for the SNAP (Unclassified) and SGS (Classified) Database

CAP packages for connections will be uploaded by the partner in the SNAP (unclassified) or SGS (classified) database.  In order to submit a CAP package, you must register for an account.

SNAP (Unclassified)

• Request a SNAP account
• Go to  https://snap.dod.mil/gcap/home.cfm
• Click on “request a SNAP account”
• Upload a completed signed DD Form 2875 System Authorization System Request (SAAR). The 2875 can be downloaded from SNAP.
• Complete section 13 of the 2875, “Justification for Access” by specifying the SNAP module and user role for your CC/S/A.
• Complete your profile data, asterisked item are required fields.
• Click “Submit Request” for approval

 
SGS (Classified)

• For classified connections go to https://giap.disa.smil.mil/gcap/home.cfm
• Click on “request a SGS account”
• Upload a completed signed DD Form 2875 SAAR.  The 2875 can be downloaded from the SGS website.
• Complete section 13 of the 2875, “Justification for Access” by specifying the  SGS module and user role for your CC/S/A.
• Complete your profile data, asterisked items are required fields.
• Click “Submit Request” for approval
• Once the account is approved, proceed with the creation/registration of the connection to include the submittal/upload of the DIACAP executive package artifacts once your local DIACAP C&A is completed.

Registration and Submittal Process for Unclassified and Classified Packages

SNAP (Unclassified)

• Logon to SNAP: https://snap.dod.mil/gcap/home.cfm
• Hover the mouse over "NIPR" and select "New Registration" 
• Complete all required fields of Sections0-6 of the NIPR Checklist (Sections with a locked icon are reserved for use by CAO Analyst).
• Upload Attachments for your DIACAP executive package artifacts in Sections 7.1 through 7.6 as applicable.  Please note: Only Sections 7.1 through 7.5 require the upload of attachments.
• Once all sections are completed,  a submit button at the bottom of the screen will be available in order to submit the entire registration.

NOTE: For 24/7 SNAP assistance; contact the DISN Global Support Center – (800) 554-3476

SGS (Classified)

• Logon to SGS: https://giap.disa.smil.mil/gcap/home.cfm
• Hover the mouse over "GIAP" and select "New Registration" 
• Complete all required fields of Sections 0-9 of the GIAP Checklist (Sections with a locked icon are reserved for use by CAO Analyst).
• Upload Attachments for your DIACAP executive package artifacts in Sections 9.1 through 9.10 as applicable.
• Once all sections are completed, a submit button at the bottom of the screen will be available in order to submit the entire registration.

Upon receipt of the CAP package, the CAO reviews the contents for completeness. In the event an incomplete package is received by the CAO, the package will be rejected and no CAO tracking number assigned. The partner will receive notification of a rejected package to include what documentation is missing from the package. Typically, when all the connection approval requirements are met an ATC or IATC will be issued within eight (8) business days.

As an integral part of the process, the CAO assesses the level of risk the partner's IS or network enclave poses to the specific DISN network/service and to the GIG community at large. The identification of IA vulnerabilities or other non-compliance issues and the responsiveness of the affected enclave in implementing appropriate remediation or mitigation measures against validated vulnerabilities will have a direct impact on the risk assessment, and subsequently on the connection approval decision.

The following are some of the indicators that would contribute to the assessment of an elevated risk:

• Missing, incomplete, or inaccurate CAP package input (because unknowns lead to a lower level of confidence in the IA status of the partner IS/enclave).
• Unsatisfactory results during remote compliance monitoring/vulnerability assessment where policy compliance is reviewed.

If the risk is "low" or "medium," the CAO will issue an ATC or IATC. A "medium" risk assessment will cause the CAO to monitor more closely the IA status of the IS/enclave during the connection life cycle. "Low" risk assessments will not affect a new connection request.

An ATC/IATC will normally authorize the partner to connect to the DISN network/service defined in the connection approval, up to the accreditation decision ATD. The results of the risk assessment may warrant the issuance of a connection approval decision with a validity period shorter than that of the accreditation decision ATD. In such cases, the CAO will provide justification to the DAA for the shorter validity period.

If the CAO assesses a "high" risk, it will provide the DAA the justification for the assessment and inform the DAA that current guidance (i.e., policy, DSAWG decision, STIGs, etc.) from DISN/GIG DAAs precludes the issuance of an ATC without additional review of the IS/enclave IA status by the community accreditation bodies.

Once the CAO makes a connection decision, the partner is notified.

Connection Approval

If the reaccreditation request is approved, the partner is issued an ATC or IATC. The connection approval validity period is specified in the ATC/IATC letter. The DAA must notify the CAO of significant changes, such as architecture changes requiring re-accreditation, movement of the IS enclave to a new location, changes in risk posture, etc., that may cause a modification in the IA status of the system/enclave or if the connection is no longer needed.

Denial of Approval to Connect

If the reaccreditation request is denied, the CAO will provide the partner a list of corrective actions required before the connection can be approved.