NISP Authorization Office (NAO)
Federal agencies have adopted the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) as a common set of guidelines for the Assessment and Authorization (A&A) of Information Systems (IS). To enable information sharing within the federal government, NIST is required by law to create minimum requirements for the secure operation of systems processing classified information, including A&A processes. DCSA’s policies and procedures comply with these standards and align with the federal government’s approach to system security and the protection of information associated with classified contracts under the NISP.
The NISP Authorization Office (NAO) executes the A&A process within the NISP. The NAO is accountable for DCSA's timely, consistent policy implementation and A&A determinations nationwide, working closely with cleared defense industry, government contracting activities, and other DCSA industrial security personnel.
The NAO operates based on certain long-established A&A doctrines:
- Information systems must be authorized prior to processing classified information.
- The 32 CFR Part 117 NISPOM and associated policy documents are the foundation for the review of all security plans and the associated accreditations.
- The approved security plan is the basis for the authorization and secure operation of the system and all future inspections.
Beyond assessment and authorization, the NAO also:
- Coordinates MOUs/MOAs between government agencies and cleared industry for NISPOM Certification and Accreditation (C&A) support.
- Serves as the liaison between the Classified Connection Approval Office (CCAO) and industry.
- Provides international support to industry and other DCSA industrial security personnel by reviewing plans on secure communications between cleared industry and foreign governments.
- Reviews information technology (IT) security measures that are proposed as a part of mitigation plans for U.S. cleared firms required to mitigate their foreign ownership, control or influence (FOCI) factors through a DoD approved agreement.
- Reviews and makes recommendations regarding ISP policy implementation issues.
- Develops tools that enhance the ISSM's ability to securely configure a system.
- Evaluates security software and makes recommendations on usage by industry.
- Provides recommendations for training and professional development.
DCSA Assessment & Authorization Process Manual (DAAPM)
Cleared contractors processing classified information under the cognizance of DCSA follow the guidance of the DCSA Assessment and Authorization Process Manual (DAAPM) to complete the RMF process and obtain IS authorization. The DAAPM provides new roles and responsibilities for cleared Industry Information System Security Managers (ISSM) as well as DCSA personnel. These changes are described in detail in the DAAPM. Some changes include:
- DCSA has adopted the NIST RMF standards as a common set of guidelines for the assessment and authorization of information systems to support contractors processing classified information as a part of the NISP.
- The DAAPM identifies implementation procedures for the RMF, addresses system requirements, and documents the National Industrial Security Program (NISP) Cognizant Security Agency (CSA)/Cognizant Security Office (CSO) processes.
On February 24, 2021, 32 Code of Federal Regulations (CFR) Part 117, National Industrial Security Program Operating Manual (NISPOM), became effective. 32 CFR Part 117 provides the governing requirements for oversight of the NISP.