
NISP Authorization Office (NAO)


Federal agencies have adopted the National Institutes of Standards and Technology (NIST) Risk Management Framework (RMF) as a common set of guidelines for the Assessment and Authorization (A&A) of Information Systems (IS). To enable information sharing within the federal government, NIST is required by law to create minimum requirements for the secure operation of systems processing classified information, including A&A processes. DCSA’s policies and procedures comply with these standards and align with the federal government’s approach to system security and the protection of information associated with classified contracts under the NISP.

The NISP Authorization Office (NAO) handles the execution of A&A process within the NISP. The NAO is accountable for DCSA’s timely, consistent policy implementation and A&A determinations nationwide, working closely with cleared defense industry, government contracting activities, and other DCSA industrial security personnel.

The NAO operates based on certain long-established A&A doctrines:

  1. Information systems must be authorized prior to processing classified information.
  2. The NISPOM and associated policy documents are the foundation for the review of all security plans and the associated accreditations.
  3. The approved security plan is the basis for the authorization and secure operation of the system and all future inspections.


Beyond assessment and authorization, the NAO also:

  • Coordinates MOUs/MOAs between government agencies and cleared industry for NISPOM Certification and Accreditation (C&A) support.
  • Serves as the liaison between the Secret Internet Protocol Router Network (SIPRNET) Connection Approval Office (SCAO) and industry.
  • Provides international support to industry and other DCSA industrial security personnel by reviewing plans on secure communications between cleared industry and foreign governments.
  • Reviews information technology (IT) security measures that are proposed as a part of mitigation plans for U.S. cleared firms required to mitigate their foreign ownership, control or influence (FOCI) factors through a DoD approved agreement.
  • Reviews and makes recommendations regarding ISP policy implementation issues.
  • Develops tools to enhance ISSM’s ability to securely configure a system.
  • Evaluates security software and makes recommendations on usage by industry.
  • Provides recommendations for training and professional development.

DCSA Assessment & Authorization Process Manual (DAAPM)

Cleared contractors processing classified information under the cognizance of DCSA follow the guidance of the DCSA Assessment and Authorization Process Manual (DAAPM) to complete the RMF process and obtain IS authorization. The DAAPM provides new roles and responsibilities for cleared Industry Information System Security Managers (ISSM) as well as DCSA personnel. These changes are described in detail in the DAAPM. Some changes include:

  1. DCSA has adopted the NIST RMF standards as a common set of guidelines for the assessment and authorization of information systems to support contractors processing classified information as a part of the NISP.
  2. The DAAPM will identify implementation procedures for RMF, address system requirements, and contain the National Industrial Security Program (NISP) Cognizant Security Agency (CSA)/Cognizant Security Office (CSO) processes.

NISP Resources

The NISP Operating Manual provides relevant information on oversight of the NISP. The NISPOM was revised in 2016, and a summary of changes can be found here. For more information on NISP resources, click here.


Assessment and Authorization (A&A) Oversight and Management of Cleared Contractors’ Classified Computer Systems


Questions?

NAO is dedicated to providing up-to-date information and tools to DCSA and industry. Your comments and suggestions are welcome. Please send an email to dss.quantico.dss-hq.mbx.odaa@mail.mil. We may not be able to answer every question, but we'll answer as many as we can. Questions that we receive repeatedly may be added to the FAQ.

NAO Frequently Asked Questions (FAQ)

FAQs are not a substitute for the working relationship you have with DCSA personnel. Questions of a specific nature should be addressed to your local Industrial Security Representative (ISR) or Information Systems Security Professional (ISSP).

When should Industry submit for reauthorizations?

Industry reauthorization submissions should be submitted 90 days before the current Authorization to Operate (ATO) expires. DCSA personnel must: 1) Review the System Security Plan (SSP); 2) Conduct an assessment; 3) Allow for interaction with industry for potential corrections/updates to submitted SSPs. Note: DCSA’s goal is to make authorization decisions within 30 days.


Can industry continue to operate systems after an ATO expires?

No. Once an ATO expires, Industry must cease processing on that system. If industry submitted a complete reauthorization package 90 days prior to ATO expiration and DCSA was unable to process the package due to workload, then DCSA will determine if a short-term (Limited) ATO may be issued. Communication between the Information System Security Manager (ISSM) and the local DCSA Information Systems Security Professional (ISSP) is the key to successfully achieving an ATO reauthorization. Waiting until the day before an ATO expires to engage will ensure the process fails.

A short-term ATO is not automatic and will involve input from the local Regional Authorizing Official (AO) representatives. It is incumbent on industry to submit a timely and complete reauthorization package.


Are all POA&M items required to be closed out/completed prior to the system being granted an Authorization to Operate (ATO)?

No. POA&Ms are required when a control is not met. The ISSM must identify and mitigate any control that is not met or claimed as not being required. Open items do not prevent a system from being authorized. Some items may never be closed out, while others may be implemented at a later time. An example would be if the contractor system replicates or is supporting a fielded system that cannot be upgraded at the moment. Documentation should be provided detailing when the fielded item will be updated and that date reflected. The POA&M is reviewed under the continuous monitoring program.

Will DCSA publish a new list of Security Relevant Objects (SROs)?

No. DCSA will no longer publish a list of Security Relevant Objects (SROs) to be audited. The ISSM must work with the Information Owner (IO)/Information System Owner (ISO) to determine what files are most appropriate to audit in order to mitigate the specific threats and vulnerabilities unique to the system.


Can audit correlation controls be manual?

Yes. Audit correlation controls can be manual; they are meant to be a discussion between different security entities to determine if there is a pattern of security violations and insider threat concerns. Examples: 1) A pattern of similar software failures can point to a need to roll back a security patch; 2) Security violations from one individual in different areas might be correlated with Human Resource (HR) records.


What is the time period for audit retention?

Audit retention is for one year or one assessment cycle, whichever is longer. The SCG and other program requirements should be reviewed to determine how long audit information is required to be retained. Example: Audit logs for a system processing Top Secret data which supports a weapon system might require a 5-year retention period.


To fully comply with the spirit and intent of control CP-9 'Information System Backup', does the contractor have to perform a full backup of all software and data on the MUSA system weekly and record evidence they performed a weekly Continuous Monitoring (ConMon) audit to enable DCSA to confirm this action has been executed weekly by the user, system administrator or ISSM of Record?

CP-9 requires the organization to conduct the following: (1) Backups of user-level information contained in the information system weekly; (2) Backups of system-level information contained in the information system weekly; (3) Backups of information system documentation, including security-related documentation, as required by system baseline configuration changes in accordance with the contingency plan; and (4) Protection of the confidentiality, integrity, and availability of backup information at storage locations. System-level information includes system-state information, operating system and application software, and licenses.

Backup plans should be developed for all systems and be included in your contingency planning policy. The backup plan should consider data loss risks. The areas of risk that should be identified and planned for include, but are not limited to: loss of power, loss of network connectivity, loss or corruption of data, and facility disruptions, such as loss of air conditioning, fire, flooding, etc.

Does DCSA NAO believe Change Requests (CRs) must be populated and pre-approved in writing by the ISSM for 1) all uploaded vendor 'patch' updates to operating system or business/security relevant software noted in the AO approved 'Software Listing' and 2) all anti-virus 'signature file' updates uploaded periodically to the Information System (IS)?

Facilities must operate in accordance with their Configuration Management Plan. The plan will detail the roles, responsibilities, policies, and procedures that are applicable when managing the configuration of products and systems. The ISSM is responsible for ensuring the policies and procedures are followed, that all additions, changes or modifications to hardware, software, or firmware are documented, and that security relevant changes are appropriately coordinated. If the Configuration Management Plan requires a CR for vendor OS patches, then a CR is required. If the plan addresses vendor patches as a "weekly system maintenance activity," then a CR may not be required if this activity is captured in a Maintenance log or other similar tracking document.

Is the ODAA Process Manual still effective?

No. As of January 1, 2018, the DCSA Assessment and Authorization Process Manual (DAAPM) Version 1.2 will be used for all classified systems seeking authorization and/or re-authorization.


All Information Systems (IS) requiring authorization or reauthorization must use the DAAPM version 1.2 and the RMF process. However, the DAAPM does not have overlays for WAN systems. If Industry must use the RMF process for “all” ISs, what control guidance is required on non-isolated systems?

RMF requires the facility to categorize the system and select the applicable controls. A DCSA Overlay will not be created for Wide Area Networks (WAN). An overlay was only created for Standalone Systems and Isolated LANs/Peer-to-Peer. Selecting security controls for WANs will start with the initial baseline (DAAPM Appendix A). The security controls listed in the initial baseline are not a minimum, but rather a proposed starting point from which controls may be removed or added based on tailoring. However, all controls must be addressed. Tailoring guidance is provided in DAAPM page 21 and NIST SP 800-53.


Does guidance and supporting policies exist for the classification of a system as a PIT (Platform Information Technology) versus an IS and a modified authorization process?

As detailed in the DAAPM Version 1.2 (Sections 6.1 and 6.2), the ISSM is required to define the system in the System Description section of the SSP. The ISSM will document the controls as appropriate for any system type. Controls that require tailoring out due to a lack of system capabilities will need to have documented justification(s) and/or mitigations within the SSP.


What are the "security markings" required by DAAPM and control MP-3?

The contractor is required to follow both the NISPOM and DAAPM. The DAAPM is the manual that provides the “additional security controls.”

  • NISPOM 8-101 states: The contractor will maintain an ISs security program that incorporates a risk-based set of management, operational, and technical controls, consistent with guidelines established by the CSA.
  • NISPOM 8-300 states: Additional security controls may be provided by the CSA to establish the baseline security control set required for each IS processing classified information.
  • NISPOM 4-200 states: Physically marking classified information with appropriate classification markings serves to warn and inform holders of the information of the degree of protection required. Other notations facilitate downgrading, declassification, and aid in derivative classification actions. Therefore, it is essential that all classified information and material be marked to clearly convey to the holder the level of classification assigned, the portions that contain or reveal classified information, the period of time protection is required, the identity (by name and position or personal identifier) of the classifier, the source(s) for derivative classification, and any other notations required for protection of the information.
  • NISPOM 8-302g.(1) states: Mark, label, and protect ISs media to the level of authorization until an appropriate classification review is conducted and resultant classification determination is made.

The DAAPM (Appendix A) MP-3 Supplemental Guidance states that security markings refer “to the application/use of human readable security attributes.”

Does DAAPM MP-3 require volatile hardware component security markings to include CLASSIFIED BY, DERIVED FROM, and DECLASSIFY ON?

MP-3 marking requirements include "distribution limitations, handling caveats, and applicable security markings (if any) of the information." In addition, the NISPOM must be referenced for additional media marking information. It is important to note that the intent of the markings is to ensure that the classification of the item is clear to the holder (NISPOM 4-200) so that proper protection can be provided.

DCSA recognizes forms of media as special types of material generally containing multiple files and coming in all shapes and sizes, which makes marking and labeling more difficult than for individual documents. Such media often contain both unclassified and classified documents and may include multiple categories of information and/or handling caveats. Therefore, the highest classification of any classified item contained within the media (overall marking) along with any and all associated categories/caveats (e.g., CNWDI, NATO) will be conspicuously marked (stamped, printed, etched, written, engraved, painted, or affixed by means of a tag, sticker, decal, or similar device) on the exterior of such material (or, if such marking is not possible, on documentation that accompanies the media) so it is clear to the holder (NISPOM 4-203).

If each document on a removable device contains all of the required information for that document, only the overall classification and associated caveats markings must be marked on the exterior of the device. Other notations such as names, addresses, subjects/titles, source of classification and declassification instructions are not necessary on the exterior of removable media. Additionally, unclassified media and systems located in areas approved by the CSA for classified processing must also be marked and labeled so that the overall classification and associated caveats are apparent to the user.


When can we expect to see the next update of the DAAPM?

NAO is in the process of releasing DAAPM 1.3 which will become effective on June 4, 2018. The DAAPM will be accessible from the RMF Resource Center.

In order to meet one of the security controls, the facility will follow an internal policy. Does the policy need to be uploaded in OBMS with the System Security Plan (SSP)?

Yes. The internal policy should be included with the SSP as an artifact with specific page numbers and/or sections referenced. If your policy refers to an internal policy that is proprietary or is too large to include as an artifact, it must be available for review during an assessment visit.


Can a facility create one policy that incorporates all the -1 controls?

Yes. Every security control family has a -1 control that requires a policy. It may be appropriate to roll all or some of the policies into a site IS Policy.

Are Data Transfer Agents (DTA) considered privileged users?

Yes. Privileged users include anyone who conducts data transfers, including low to high.


Is Industry required to review classification guidance when completing Risk Assessment Reports (RAR) and Plan of Action and Milestones (POA&M)?

Yes. Vulnerabilities identified in the Risk Assessment Report and/or the POA&M are subject to the Security Classification Guide (SCG) for that program. SCGs are required for every program per NISPOM 4-103 and 7-102.


Is encryption of data at rest always required regardless of the type of system? Some ISSPs are stating that it is a requirement while others are not.

No. The ISSP should be looking at the threats and overall security posture of the facility. This requirement may be met using alternate controls or methods. Each situation and system must be evaluated separately. For example, if it is a laptop that does not travel or create media and is stored in a container when not in use, this control could be mitigated and acceptable by using the container as a means of controlling access to data.

RISK MANAGEMENT FRAMEWORK (RMF)

The NIST Risk Management Framework (RMF) provides a holistic and strategic process for the risk management of systems, processes and procedures designed to develop trust and reciprocity across the federal government. Implementation of the RMF provides organizations with a disciplined, structured, flexible, and repeatable process for managing risk related to the operation and use of information systems.

For RMF policies, resources, and training, click here.

Questions?

Please see the Risk Management Framework (RMF) FAQ - April 2018.

eMASS

The National Industrial Security Program (NISP) Enterprise Mission Assurance Support Service (eMASS) is a DCSA-managed application for the management of cleared contractor information technology system assessments and approvals. Under the NISP Risk Management Framework, DCSA assesses and approves cleared contractor information systems that process classified information.