Reaccreditation after three years is mandatory. In case of the other changes, the ISSO should first
contact the DAA and find out if reaccreditation is required. The final decision on reaccreditation will
be mad by the DAA. The rule is "when in doubt, contact the DAA" The DAA would much prefer an
ISSO to notify him of any and every change, no matter how minor, than have the ISSO notify him that
here was a major security problem as a result of some change which had an impact on security.
Part Q: The Accreditation Statement
The difference between authorized access to classified information and compromise is a DD Form
873, Certificate of Clearance and/or Security Determination, issued by CCF. The difference between
your computer being accredited and you being in violation of AR 380-19, is an accreditation
statement issued by the DAA. Accreditation is effective when the DAA issues a formal, dated,
statement of accreditation. An accreditation statement is issued on initial accreditation and upon
reaccreditation.
Figure 3-1, AR 380-19, provides the format for the accreditation statement, and example of which is
shown on the following page.
The Department of Defense Security Institute (DoDSI) reports that one of the leading computer
security problems is "not operating as documented." Accreditation is not a unique Army procedure;
most Government agencies have a requirement for some kind of written authorization to use a
computer, and not operating in accordance with this authorization is a problem the DoDSI finds
frequently and in every agency.
IT0772
3-8
Previous Page
