NAO News

(6/19/2018) NISP Enterprise Mission Assurance Support Service (e-MASS) Job Aid for training guidance and system access
The NISP Authorization Office has created a job aid for cleared industry to obtain access and sponsorship to the NISP eMASS. These instructions will allow NISP partners to access and complete the required DISA computer-based training beginning on July 2, 2018. You can find the job aid here.

(2/16/18) DSS Authorized Warning Banner
Industry indicated that the DSS Authorized Warning Banner does not display as shown in the DSS Assessment and Authorization Process Manual (DAAPM). The issue is due to the use of semi-colons. To resolve this matter, Industry is authorized to use a comma in place of the semi-colon.
If you have questions or concerns, please contact your assigned Information Systems Security Professional (ISSP). If you have specific questions about the format or content of the DSS Authorized Warning Banner, please provide comments and questions to

(10/02/17) DSS provides guidance on the removal of Kaspersky Labs software/hardware from DSS authorized information systems in cleared industry
Effective immediately, all NISP contractor facilities possessing classified information systems (IS) under DSS cognizance and authorization are directed to remove all Kaspersky Labs software or hardware from the authorized IS. Click here to read the guidance.


OBMS provides the Contractor Submitter Role the ability to archive Unique Identifiers (UIDs). The archive feature allows the contractor to remove older versions of UIDs and effectively manage OBMS records. To archive a UID, the contractor will need to conduct the following actions:

  1. Log into OBMS, Contractor Submitter Module, and Certification and Accreditation Module
  2. Select Edit an Accreditation
  3. Click the Radio Button next to the selected UID
  4. Click Archive Accreditation Package
  5. A pop-up will appear asking "Are you sure you want to archive the selected accreditation?" Click Submit. The UID will be permanently archived and removed from the queue.

If the UID is in a DRAFT status, the contractor will not be able to archive the UID. The contractor will need to contact the DSS Knowledge Center and submit a request to have the DRAFT UIDs archived. The DSS Knowledge Center can be reached at (888) 282-7682 or via email at

If you have questions or concerns, please contact your assigned Information Systems Security Professional (ISSP). If you have specific questions about OBMS, please provide comments and questions to

(04/01/17) Updated SIPRNet Public Key Enabling (PKE) Guidance

Government programs sponsoring cleared contractor SIPRNet connections can now sponsor a contractor for tokens directly within the Secure-Defense Enrollment Eligibility Reporting System (S-DEERS). Sponsors are advised to obtain tokens for their cleared contractors as soon as possible.

Contractors with systems authorized to connect to a government sponsored SIPRNet connection are required to implement SIPRNet tokens in accordance with USCYBERCOM TASKORD J3-12-0863 by October 01, 2017 where technically feasible. Contractors will no longer be identified as 'Temporary Exception Users' after this date.

Systems without a domain environment must wait for the 90 meter software vendor to provide a local login solution; however, tokens for web site authentication will be used when required by the site.

Additional information can be found at the DISA SIPRNet PKE webpage.

Note: Personnel who used DoD-approved 90meter Smart Card Manager products on DoD Networks must have a valid licensing agreement with 90meter. Due to licensing agreements, DoD cannot provide 90meter Smart Card Manager V1.4.32S on the IASE Website. Users may acquire DoD approved 90 meter products directly from

(03/02/17) NAO discontinues emailing authorization decision status updates

Effective immediately, the NISP Authorization Office (NAO) will discontinue sending emails to contractors for authorization decision updates. Industry is reminded to check OBMS for status updates and copies of the authorization decision supporting artifacts.

(02/23/17) Memorandum of Understanding template available in OBMS

The DSS NISP Authorization Office provides a template for Memorandums of Understanding to facilitate connections between government and contractor systems. This template has the appropriate signature block and references, and is the most up-to-date approved version. The template can be found in the ODAA Bulletin Board within OBMS, under "Headquarters Bulletin Board." Industry is not required to use the DSS template; however, doing so may expedite the coordination and approval process.

(08/01/16) DSS National Industrial Security Program (NISP) Risk Management Framework (RMF) Implementation Update

The DSS Assessment and Authorization Process Manual (DAAPM) originally scheduled for release August 1, 2016 has been postponed to later this month.

The phased implementation is still scheduled to begin on October 1, 2016.

(07/01/16) Industry Protected Distribution System (PDS) transition guidance

In accordance with the Committee on National Security Systems Instruction (CNSSI) 7003, dated September 2015 (available on the DSS website), cleared contractors are required to have compliant PDS by September 30, 2018.

In an effort to transition from old guidance to new, cleared contractors should work with their assigned Information Systems Security Professional (ISSP) to assess their existing PDS configuration against the CNSSI 7003 requirements. A PDS Plan of Action and Milestones (POA&M) needs to be created to document when non-compliant PDS issues will be remediated. The POA&M must be submitted to the NISP Authorization Office (NAO) (formerly ODAA) mailbox at by September 30, 2016. Please include your assigned Information Systems Security Professional (ISSP) and Industrial Security Representative (ISR) on the email submission.

The CNSSI 7003 also requires the approval of PDS by the DSS Authorization Official (AO) (formerly the RDAA). Effective immediately, all PDS Installation Plans/PDS Request will be submitted to the NAO Mailbox noted above. Once the plan has been reviewed and validated by the ISSP, the AO will sign and forward an approval letter to the originator. As a note, the Facility PDS Installation Plan is approved separately from the Information System Authorizations (formerly C&A process). Once approved, the PDS Installation Plan/PDS Request and approval letter would then be uploaded into OBMS for each system Unique Identifier (UID) (that uses the PDS), as a supporting artifact to a System Security Plan (SSP).

Previously approved PDSs are authorized to continue in support of Information Systems (IS). However, any PDS that is not currently compliant could affect the expiration dates of ATOs (not to exceed September 30, 2018) for new or revised information systems. Please consult with your ISSP for questions concerning PDS.

Effective immediately, all PDS self-certification authorizations are hereby withdrawn.

(04/13/16) DSS Transition Timeline to Risk Management Framework (RMF)

DSS Transition Timeline to Risk Management Framework (RMF) for Cleared Contractors
DSS is scheduled to release the DSS Assessment and Authorization Process Manual in support of RMF in July 2016. Please click here to view.

(11/15/13) ODAA Process Manual Release

Today DSS released the updated Office of the Designated Approving Authority (ODAA) Process Manual. Revision 3.2 reflects a significant re-write and consolidation of information into a format closely resembling information assurance instructions. Sections of the manual have been aligned and cross-referenced to enable translation to National Institute of Standards and Technology (NIST) guidance. Future revisions will bear an even stronger resemblance to NIST instructions in format and content for the purpose of reciprocity throughout the Department of Defense and the Federal government.

The Manual becomes effective on May 15, 2014, six months after issuance. This transition period allows time for familiarization and planning prior to implementation. During the transition period, Information Systems Security Managers may choose to apply updated guidance to existing and/or new systems during the Certification and Accreditation process. Beginning on the published implementation date at the end of the six-month transition period, the manual and associated changes should be followed for all system accreditation activities.

ODAA thanks industry, field personnel, and everyone whose hard work and dedication have enabled the production of the Process Manual.

(09/24/13) Notice to ISSMs

Please be advised there are significant changes to the Command Cyber Readiness Inspection (CCRI) scoring methodology starting October 1, 2013. Please work with your government sponsor to obtain the General Administration Message J3-13-0667 or send an email request as described below:

Request to: (SIPR)

Insert keywords in the subject: Request J3-13-0667

Provide the following information in the body of your email:

Company Name and address
Cage Code
Name of Requestor (FSO/ISSM/ISSO)
Requestor's SIPRNet email address
Reason for the request