The first thing to understand is that the DAA is the only person who is authorized to issue an
accreditation statement. Also, the DAA is the only person who is authorized to change the statement.
If a unit receives a statement and there is an error in the statement, it must be returned to the DAA for
correction. If the statement was not dated, had the wrong room or computer identified, or was signed
by the wrong person, the ISSO must return it to the DAA for correction. The ISSO is not authorized to
make any "pen and ink" changes to the statement.
Reaccreditation is required in case of a change which will affect security or after three years. So, if
the unit has its computers in an unauthorized location, they must be reaccredited for the new
location. Until that is done, they must either move the computes back he authorized location or stop
processing. Reaccreditation is also the "fix" for an unauthorized computer, for an unauthorized level
of processing, or if the statement is more than three years old.
If a unit had an accreditation statement which was issued by anybody other than the DAA, the
commander and the ISSO would have to request accreditation from the DAA. This would require them
to resubmit the accreditation document/security plan to the DAA, long with he commanders request
If there is a problem and the commander and ISSO don't know how to "fix" that problem, they should
contact the DAA for guidance.
An accreditation matrix is shown in Figure 3-4.