National Industrial Security Program Authorization Office (NAO) (Formerly known as ODAA)

Assessment and Authorization (A&A) oversight and management of cleared contractors' classified computer systems

The Defense Security Service (DSS) National Industrial Security Program (NISP) Authorization Office (NAO), formerly known as the Office of the Designated Approving Authority (ODAA), was established in 2004 as an initiative resulting from the overall DSS agency transformation. Its purpose is to improve timeliness and consistency through centralized management and decentralized execution of the assessment and authorization (A&A) process, formerly known as the certification and accreditation (C&A) process. The NAO is accountable for timely, consistent policy implementation and A&A determinations by DSS nationwide. The NAO works closely with cleared defense industry, government contracting activities, and other DSS Industrial Security personnel.

The NAO operates based on certain long-established DSS A&A doctrines. They are:

  1. Information systems must be authorized prior to processing classified information.
  2. The NISPOM and associated policy documents are the foundation for the review of all security plans and the associated accreditations.
  3. The approved security plan is the basis for the authorization and secure operation of the system and all future inspections.

The current DSS Assessment & Authorization Process Manual (DAAPM) is a major shift from prior practice in the way System Security Plans are processed at DSS, and it provides new roles and responsibilities for cleared Industry Information System Security Managers (ISSMs) as well as DSS personnel. These changes are described in detail in the DAAPM. Some changes include:

  1. In preparation for the adoption of NIST RMF as a common set of guidelines for the assessment and authorization of information systems, DSS has also adopted these standards to support the authorization of contractors' information systems that process classified information as part of the NISP.
  2. The DAAPM will identify implementation procedures for RMF, address system requirements, and contain the National Industrial Security Program (NISP) Cognizant Security Agency (CSA)/Cognizant Security Office (CSO) processes.

The NAO is involved in much more than just A&A. The NAO also:

  • Coordinates MOUs/MOAs between government agencies and cleared industry for NISPOM C&A support
  • Serves as the liaison between the Secret Internet Protocol Router Network (SIPRNET) Connection Approval Office (SCAO) and industry
  • Provides international support to industry and other DSS Industrial Security personnel by reviewing plans regarding secure communications between cleared industry and foreign governments
  • Reviews information technology security measures that are proposed as part of mitigation plans for those U.S. cleared firms required to mitigate their foreign ownership, control or influence (FOCI) factors through a DoD-approved agreement
  • Reviews and makes recommendations regarding ISP Policy implementation issues
  • Develops tools to enhance the ISSM's ability to securely configure a system
  • Evaluates security software and makes recommendations on usage by Industry
  • Provides recommendations for training and professional development

The NAO website is a communication vehicle to provide information and tools to DSS and Industry. Your comments and suggestions are welcomed by sending an email to