COMDTINST 5230.67
ST&E) of a system or activity. The CA submits the accreditation package to the DAA for
approval. The CA is equivalent to the Certifying Official.
n. Information System Security Program Officer (ISSPO). The ISSPO shall be assigned to each
C4&IT system. The ISSPO is a government employee responsible to the DAA for ensuring the
security of a system or activity throughout its life cycle. An ISSPO is a staff assignment at the
Area, MLC, District, or Headquarters unit.
o. Information Systems Security Officer (ISSO). The ISSO develops and executes the system's
security plan. The ISSO is either government or contractor personnel. Where an ISSO is
assigned, the ISSO is responsible for assisting the ISSPO in performing the day-to-day duties of
safeguarding information in support of the IA program and the cognizant ISSPO.
p. Alternate Information Systems Security Officer (AISSO). The AISSO is either government or
contractor personnel with an appropriate security clearance. Where an ISSO is assigned, the
AISSO assists the ISSO and also performs the day-to-day duties of safeguarding information in
support of the ISSO.
q. Information System Security Manager (ISSM). The ISSM is the Coast Guard's principal
advisor on information security matters. The ISSM is responsible for development and
maintenance of IA policies and practices.
5. IMPLEMENTATION. IA practices establish the actions necessary to implement the IA program.
All Coast Guard organizations involved in the planning, acquisition, production, deployment,
support, operation, and disposition of C4&IT systems shall follow IA practices. CG-6 charters and
delegates the primary development, maintenance, and review responsibility for IA practices to the
IA Policy Review Board. CG-6 has final approval authority for these practices. The IA practices
provide the procedures and process for the following:
a. Certification and Accreditation. Procedures to complete certification and accreditation of major
applications and general support systems are described in National Institute of Standards and
Technology Special Publication 800-series, Guidelines for the Security Certification and
Accreditation of Federal Information Technology Systems, Security Self-Assessment Guide for
Information Technology Systems, and the Department of Defense, DoD 8510 series, Department
of Defense Information Technology Security Certification and Accreditation Process
(DITSCAP) or successor.
b. Security Management. Security Management describes various practices needed to manage
information security throughout the life cycle of C4&IT systems.
c. Information Assurance Architecture. The IA Architecture is the framework that ensures the
integration of Enterprise Architecture, the SDLC, and Configuration Management practices with
IA policies and practices. This framework supports certification and accreditation activities and
determination of risk acceptability.