Iraq Site Information Assurance Analysts II

Department of the Army

XXX

 

Insert Date

 

To:

XXX

Insert Walter’s Designation/Rank

Insert Address

 

Re: COMPLAINT BY IRAQ SITE INFORMATION ASSURANCE ANALYSTS REGARDING ASSIGNMENT OF NON-CONTRACTUAL DUTIES BY SENIOR COMMAND

 

On the fourth day of May this year, senior command issued a Vulnerability Management Standing Operating Procedure (hereinafter referred to as the “SOP”). At page 6 of the SOP, the Compliance Reporting section states in pertinent part as follows: “Network Enterprise Centers (NEC) and Local Network Enterprise Centers (LNEC) will provide weekly and monthly compliance reports tom their respective ISSMs in an excel spreadsheet format. The spread sheets will be configured and provided by the ISSMs to ensure uniformed reporting.” 

 

On the first day of July this year ,XXX Commander, issued an Information Assurance Vulnerability Management Policy. At page 4 of the Policy, the above Compliance Reporting section has been reiterated word for word.

 

Such reporting falls outside the scope of the job description included in the Analysts’ contracts. Analysts are not involved in performing duties relating to some of the items they are required to fill in the weekly and monthly reports. Analysts have tried to contact senior management to clarify and resolve some issues but senior management has frustrated them and informed them that they are required to perform those duties, when it is clear they are not since they do not fall within the job description included as part of their contracts. 

 

Analysts have sought clarification from senior management on the following issues to no avail:

  1. Which sections are responsible for which tabs of weekly/monthly reports?
  2. Analysts will be pulling information from reports generated by NOC-K. Why isn’t NOC-K responsible for filling that section of the weekly/monthly reports? It is only fair that NOC-K assist Iraq Site IA’s to do the reporting.
  3. Workload required for the reporting task will require more personnel or more working hours. Which steps have been taken to increase the number of personnel for the reporting task or working hours for existing personnel?
  4. The reporting task would be efficiently performed if automated. However, Analysts do not have PowerShell scripting skills. It will be difficult for them to do the reporting task manually in addition to their already-existing responsibilities.
  5. First Friday of the month RMF/eMass is due for Iraq Site IA’s. Are AJ Site IA’s responsible for RMF?
  6. The SOP requires varied team members to assist with the reporting task and not Iraq Site IA’s. Why are Iraq Site IA’s required to perform reporting tasks when the SOP requires varied team members to assist with that task?
  7. The following tabs are outside the scope of Iraq Site IA’s responsibilities: RFI NIPR Unmitigated IAVM-STIGs, RFI SIPR Unmitigated IAVM-STIGs. Why have Iraq Site IA’s been assigned to report tasks outside the scope of their responsibilities?
  8. The checklist on the weekly report is mostly created from reports sent from NOC-K. Does the role of Iraq Site IA’s involve checking yes/no as if they actually identified the task mentioned?
  9. The site name dashboard on the weekly and monthly report is mostly created from reports sent from NOC-K. Does the role of Iraq Site IA’s involve checking yes/no on reports generated from NOC-K?
  10. ACAS Dashboard does not show Top 10 Vulnerabilities. Is it the responsibility of Iraq Site IA’s to obtain this information? If affirmative, where are Iraq Site IA’s required to obtain such information?
  11. Which department is responsible for gathering information related to Non-Compliant Network Devices & VTCs?
  12. Which department is responsible for gathering information related to Non-Compliant Servers?
  13. Which department is responsible for gathering information related to NIPR DHCP IP Range Changes?
  14. Which department is responsible for gathering information related to SIPR DHCP IP Range Changes?
  15. Is it the responsibility of Iraq Site IA’s to obtain information regarding Benchmarks Used?
  16. Which department is responsible for gathering information related to RFI NIPR Unmitigated IAVM-STIGs? Aren’t RFI NIPR Unmitigated IAVM-STIGs POAM items? Are Iraq Site IA’s responsible for POAMs?
  17. Which department is responsible for gathering information related to NIPR Tier II Critical Assets – STIGs?
  18. Which department is responsible for gathering information related to RFI SIPR Unmitigated IAVM-STIGs? Aren’t RFI SIPR Unmitigated IAVM-STIGs POAM items? Are Iraq Site IA’s responsible for POAMs?
  19. Which department is responsible for gathering information related to SIPR Tier II Critical Assets – STIGs?
  20. Which department is responsible for gathering information related to Risk Accepted – STIGs?

 

Iraq Site IA’s would like clarification on the above issues which are beyond the scope of the responsibilities of Information Assurance Analyst I which are listed in part as follows: “Responsible for ensuring the appropriate DoD RMF (Risk Management Framework) process is met and the adequate input of documentation such as ACAS scans, STIGs, HW/SW List and Network Diagrams are updated monthly into eMass to meet the continuous monitoring requirements.” The responsibilities of Information Assurance Analyst II are listed in part as follows: “Works with the Enterprise Mission Assurance Support Service (EMASS) application to upload, manage, and maintain all RMF control input, and network artifacts.”

 

The entities responsible for completing the tasks listed from a-t such as NOC-K were supposed to have completed them years ago. As a result of pressure exerted on them to complete the tasks, senior command deemed it fit to delegate the tasks to Iraq Site IAs despite the fact that they have had no involvement with them and they fall outside the scope of their responsibilities. This assignment of tasks is an alteration of the contractual obligations and responsibilities of Iraq Site IAs, which is solely a mandate of the appropriate government contracting office. The SOP does the exact opposite of what it states in the Review section at page 8 which stipulates in relevant thus: “This SOP does not have the authority to direct and/or alter contractual obligations and no information contained in this SOP shall be construed as direction to do so. All contractual agreements, commitments, or modifications shall be made only by the appropriate government contracting office.”

 

Information Assurance Analysts I were directed to work things with Information Assurance Analysts II on matters that were not tech-to-tech. information Assurance Analysts I were informed that RMF in general are not in their contacts, so they do not do POAMs. The NTO cannot address Information Assurance Analysts I systems as it only addresses systems relating to Information Assurance Analysts II. 

 

Iraq Site IAs would like you to revoke the assignment of the above tasks to Iraq Site IAs since they fall outside the scope of their responsibilities as outlined in their job descriptions. Iraq Site IAs are confident that you can resolve the above issues in a prompt manner without further authoritative involvement. However, Iraq Site IAs are not under any circumstances, waiving any legal rights they have presently, or future legal remedies by sending this Complaint letter.

 

Representatives of Iraq Site IAs are open to meeting you to clarify and discuss any issue at a date and time of your convenience. Thank you for taking the time to read this complaint letter. We hope to resolve the issues herein as quickly as possible.

 

Thank you for taking the time to read this complaint letter. We hope to resolve the issues herein as quickly as possible.

 

Yours Sincerely,

 

_________________________

Representative’s Name

At Legal writing experts, we would be happy to assist in preparing any legal document you need. We are international lawyers and attorneys with significant experience in legal drafting, Commercial-Corporate practice and consulting. In the last few years, we have successfully undertaken similar assignments for clients from different jurisdictions. If given this opportunity, The LegalPen will be able to prepare the legal document within the shortest time possible. You can send us your quick enquiry ( here )