Just as facilities and individuals require a clearance to gain access to classified information, cleared contractor Information Systems (IS) must be assessed and authorized prior to processing classified information.
DCSA serves as the CSO and the Authorizing Official (AO) for contractor IS. The NISP Authorization Office (NAO) develops, coordinates, and publishes guidance for industry to properly manage and protect against unauthorized disclosure of classified information. NAO does this through established policy, the Committee on National Security Systems (CNSS) 1253, and the National Institute of Technology and Standards (NIST) Special Publication 800-37, known as the Risk Management Framework (RMF). The NAO guidance provides industry with risk management principles for incorporating security controls throughout the IS life cycle, including continuous risk assessment, monitoring, and vulnerability and incident management, ensuring risk is maintained at acceptable levels. The NAO also executes Memoranda of Understanding (MOUs), when requested, to allow connection of authorized contractor IS to classified networks authorized by other government organization AOs.
The DCSA Information Systems Security Professional (ISSP) is the principal interface with contractor IS security staff under the NISP. Similar to the ISR, the ISSPs are spread across the United States in four geographic regions and 26 field locations. They work in partnership with the contractor’s IS security staff to ensure the protection of classified IS under contractual obligations or research and development efforts. DCSA ISSPs are certified cybersecurity professionals in accordance with DoD Manual 8570, “Information Assurance Workforce Improvement Program,” and DoDI 8140, “Reporting of Cybersecurity Workforce.” DCSA is responsible for approximately 6,000 classified IS registered within its database of record, the NISP Enterprise Mission Assurance Support System (eMASS).
ISSPs also play key roles in other NISP missions. For example, the ISSPs review inquiries or security incidents involving IS, such as information spillage of classified information onto an unclassified IS within the NISP. The ISSPs will review each inquiry and determine if the appropriate mitigation actions were taken or provide additional guidance as appropriate. Contributing to FOCI mitigation, the ISSP reviews IT security measures that are proposed as a part of a mitigation plan for U.S. cleared firms required to mitigate their FOCI factors through a DoD approved agreement.
In addition to the assessment and authorization of cleared contractor IS, the NAO has established Command Cyber Readiness Inspection (CCRI) teams, consisting of ISSPs and ISRs certified by the United States Cyber Command in accordance with the Chairman of the Joint Chiefs of Staff Instruction (CJCSI) 6211.02D. DCSA has partnered with DoD for the execution of CCRIs on any government sponsored cleared contractor IS with approval to connect to the Defense Information Systems Network (e.g. SIPRNet), providing senior leader visibility into key cyber vulnerabilities within the network environment.
DCSA Assessment & Authorization Process Manual (DAAPM)
Cleared contractors processing classified information under the cognizance of DCSA follow the guidance of the DCSA Assessment and Authorization Process Manual (DAAPM) to complete the RMF process and obtain IS authorization. The DAAPM provides new roles and responsibilities for cleared Industry Information System Security Managers (ISSM) as well as DCSA personnel.
The 32 Code of Federal Regulations Part 117, National Industrial Security Program Operating Manual, provides relevant information on oversight of the NISP. The 32 CFR Part 117 or NISPOM Rule replaced the NISPOM previously issued as a DOD policy (DOD 5220.22-M) on Feb. 24, 2021. Explore 32 CFR Part 117 NISPOM for more help.
The National Industrial Security Program (NISP) Enterprise Mission Assurance Support Service (eMASS) is used to automate the RMF process for cleared contractors under the cognizance of the DCSA. To effectively manage all security authorizations for systems under their purview, Industry users are required to obtain and maintain a NISP eMASS account. To request a NISP eMASS user account, cleared Industry must complete the following:
- DISA eMASS Computer Based Training (CBT)
- Cyber Awareness Challenge (CAC) Training
- DCSA System Authorization Access Request (SAAR) Form
- NISP eMASS User Registration
In order to ensure successful completion of all the NISP eMASS user account prerequisites, follow the guidance in the NISP eMASS User Account Request Guide. For additional information, please contact the assigned Information Systems Security Professional (ISSP) and/or the DCSA NAO eMASS Team at firstname.lastname@example.org.
- NISP eMASS User Account Request Guide
- Industry SAAR Form
- Field Office Facilities
Once a NISP eMASS account is established, Industry can access DCSA manuals, artifact templates, job aids, and guides on the NISP eMASS Help page.
eMASS User Account Inactivity
The NISP eMASS user accounts are automatically deactivated after a period of inactivity (no log-in). Ten days prior to deactivation and again three days prior to deactivation, eMASS will send the user a reminder notification e-mail. If the user does not log in, eMASS will automatically deactivate the account and send an e-mail notifying the user of the account deactivation.
Inactive users will receive a warning message when accessing eMASS after account deactivation. When inactive users select [Click Here] within the application, an account reactivation request is sent to the DCSA NAO eMASS Team (NISP eMASS system administrators). When a deactivated user account is reactivated, the user will receive an e-mail notifying them of the account reactivation.
If a NISP eMASS user’s last login date is greater than 90 days, the user must resubmit all NISP eMASS user account prerequisites. To request reactivation, NISP eMASS users must complete the following actions:
1. Complete an Initial Industry SAAR Form. The SAAR will be completed in accordance with the instructions outlined in the NISP eMASS User Account Request Guide.
2. Complete the required training outlined in the NISP eMASS User Account Request Guide (i.e., eMASS CBT and Cyber Awareness Challenge). Training certificate completion dates cannot be more than one year before the reactivation request.
3. Email the NISP eMASS user account prerequisites to the DCSA NAO eMASS Team at email@example.com. Use the following e-mail subject line: “Reactivation of an Existing NISP eMASS User Account”.
The DCSA NAO eMASS Team will validate and process the reactivation request. Once processed, the NISP eMASS user’s account will be reactivated.
For assistance with policy interpretations, frequently asked questions or other policy-related concerns, email NAO at firstname.lastname@example.org.