Industrial Security 



 

Office of the Designated Approving Authority

The Defense Security Service (DSS) Office of the Designated Approving Authority (ODAA) was established in 2004 as an initiative resulting from the overall DSS agency transformation. Its purpose is to improve timeliness and consistency through centralized management and decentralized execution of the certification and accreditation (C&A) process. The ODAA is accountable for timely, consistent policy implementation and C&A determinations by DSS nationwide. The ODAA works closely with cleared defense industry, government contracting activities and other DSS Industrial Security personnel.

The ODAA operates on certain long-established DSS C&A doctrines. They are:

1. Information systems must be accredited prior to processing classified information.

2. The NISPOM and associated policy documents are the foundation for the review of all security plans and the associated accreditations.

3. The approved security plan is the basis for the certification and secure operation of the system and all future inspections.

The current ODAA Process for C&A is a major shift from prior practice in the way System Security Plans are processed at DSS, and it provides new roles and responsibilities for cleared Industry Information System Security Managers (ISSM) as well as DSS personnel. These changes are described in detail in the ODAA Process Guide. Some changes include:

1. All system security plans will be submitted to the ODAA for centralized review and approval to enhance consistency and to aid in developing metrics for performance improvement.

2. The ODAA will be the sole accreditation authority for cleared industry’s collateral classified information systems under the NISPOM.

3. A common format for security plans will be strongly recommended. Though not required by NISPOM, we strongly recommend that plans be submitted in the Florida Association of IS Security Representatives (FAISSR) format. Use of this format ensures that all NISPOM requirements are addressed.

4. The use of expanded Master Systems Security Plans (MSSP) is encouraged. The broadest of applications should be included in the Master Plan, and necessary detail should be included in the associated Protection Profiles.

The ODAA is involved in much more than just C&A. The ODAA also:

  • Coordinates MOUs/MOAs between government agencies and cleared industry for NISPOM C&A support
  • Serves as the liaison between the Secret Internet Protocol Router Network (SIPRNET) Connection Approval Office (SCAO) and industry
  • Provides international support to industry and other DSS Industrial Security personnel by reviewing plans regarding secure communications between cleared industry and foreign governments
  • Reviews information technology security measures that are proposed as a part of mitigation plans for those U.S. cleared firms required to mitigate their foreign ownership, control or influence (FOCI) factors through a DoD-approved agreement
  • Reviews and makes recommendations regarding ISP Policy implementation issues
  • Develops tools to enhance the ISSM's ability to securely configure a system
  • Evaluates security software and makes recommendations on usage by Industry
  • Provides recommendations for training and professional development

The ODAA Web site is a communication vehicle to provide information and tools to DSS and Industry. Comments and suggestions are welcome and may be sent by e-mail to ODAA@dss.mil.


 
Page last Updated January 17, 2010