Part S: Interim Approval to Operate Before Accreditation
When we discussed initial accreditation, you found out that all computers must be formally
accredited, in writing, before operation. Sometimes, however, a unit might get a new computer and
have to use it right away. For example, if a unit got a new computer the day it was leaving on
Operation Desert Shield, they probably had a lot of stuff on the agenda besides computer security.
Sometimes, operations must take precedence over security.
With such a situation in mind, AR 380-19 provides for "interim approval to operate before
accreditation," which is a "temporary waiver of formal accreditation." This provision allows a new
computer to be used before the accreditation document/security plan can be developed.
A DAA (and only the DAA) may grant interim approval to operate before accreditation, provided the
following conditions are met:

Security survey: A security survey is performed and the DAA determines that there are
adequate security measures to protect the information to be processed. If the unit has other
computers already in use, existing security will probably be adequate.

Accreditation date: A definite accreditation date is established and agreed on. Both the unit
and the DAA must agree that by a certain date formal accreditation must be completed, or the interim
approval expires.

Specific time period: Interim approval will be for a specific time period, not to exceed 90 days.
One additional 90-day extension may be granted, but the total length of interim approval will not
exceed 180 days (Figure 3-3). That's the maximum time allowed by AR 380-19, but the DAA will
probably grant interim approval for less time.
IT0772