Implementation Guidance on User Access Management for Civilian Human Resources Information Systems
This MARADMIN announces forthcoming policy and provides interim guidance on user access management for Civilian Human Resources Information Systems (c-HRIS). It establishes immediate requirements for access control based on "need to know" and "least privilege" principles, including mandatory annual training, formal access requests, semi-annual reviews, and timely account deactivation procedures. The guidance applies to the Total Force and aims to balance legitimate access needs with risk mitigation for sensitive HR data.
Issued: April 29, 2026
1. Purpose. To announce forthcoming policy for Civilian Human Resources Information Systems (c-HRIS) User Access Management and provide interim guidance. This guidance will ensure that controls are in place to balance legitimate access needs with the mitigation of risks associated with access vulnerabilities as required by ref (a). 2. Background. Per ref (a), the United States Marine Corps (USMC) is committed to ensuring that civilian Human Resources (HR) data is maintained and available to authorized users throughout the Department of War (DoW). Access management is essential for managing a secure, compliant, and efficient operational environment, as well as for protecting sensitive data and maintaining confidentiality. 3. Situation. Effective immediately, the following guidance and responsibilities for managing access to c-HRIS are in effect: 3.a. Access will be granted based on the principles of "need to know" and "least privilege," which allows, as identified in ref (b), only authorized accesses for users that are necessary to accomplish assigned organizational tasks. Access rights will be formally documented, approved, and reviewed at least semi-annually. 3.b. To gain access, all users will complete annual security awareness and Personally Identifiable Information (PII) training. A System Authorization Access Request (SAAR) form (DD2875) or equivalent must be submitted for approval. 3.c. Supervisors will validate that users have a "need to know," ensure required training is completed, and submit requests to deactivate accounts within 24 hours of a user's change in status (e.g., termination, job change). 3.d. HR Directors will monitor and audit c-HRIS accounts on a semi-annual basis and process revocations for account holders who fail to complete required annual training or are no longer authorized access to sensitive HR data.3.e. Access will be terminated when a user separates or no longer. 4. This MARADMIN does not supersede or replace established DoW, Department of the Navy (DoN), or Marine Corps guidance or requirements that are more restrictive or prescriptive in nature. 4.a. This MARADMIN applies to the Total Force. Commanders will ensure all Marines and Civilians are aware of the forthcoming policy changes. 5. This MARADMIN is cancelled upon its incorporation into a Marine Corps Order. 6. Release authorized by Brigadier General Lauren S. Edwards, Director, Manpower Plans and Policy Division, Manpower and Reserve Affairs.