Site Map | A-Z Index | Facebook | Twitter

• Home
• About Us
  • Director
  • Deputy Director
  • Executive Director
  • Vision and Mission
  • History
  • Electronic Reading Room
  • Locations
  • Press Room
  • Organizational Structure
  • Careers at DSS
  • Doing Business with DSS
  • Frequently Asked Questions
• Directorates
  • Industrial Security Field Operations (ISFO)
  • Industrial Security Integration & Application (IP)
  • Counterintelligence (CI)
  • Center for Development of Security Excellence (CDSE)
  • Defense Vetting Directorate (DVD)
• Services
  • Oversee and assist the defense industrial base
  • Provide counterintelligence support
  • Accredit information systems
  • Facilitate personnel security clearance for industry
  • Manage foreign ownership, control, or influence
  • Deliver security education and training
• Information Systems
  • Defense Central Index of Investigations (DCII)
  • Electronic Facility Clearance System (e-FCL)
  • Industrial Security Facilities Database (ISFD)
  • Joint Personnel Adjudication System (JPAS)
  • National Industrial Security Program (NISP) Central Access Information Security System (NCAISS)/DSS Applications
  • National Industrial Security Program (NISP) Contracts Classification System (NCCS)
  • National Industrial Security System (NISS)
  • ODAA Business Management System (OBMS)
  • Secure Web Fingerprint Transmission (SWFT)
  • Security Training, Education and Professionalization Portal (STEPP)
• Contact Us
  • Feedback on website
  • Acquisitions Office
  • Center for Development of Security Excellence
  • Knowledge Center
  • Office of Diversity and Equal Opportunity
  • FOIA and Privacy Office
  • Human Capital Management Office
  • Inspector General's Office
  • ISFO Field Office Locations
  • Legislative Affairs Office
  • Public Affairs Office
  • Mailing Addresses

Home + NISP Risk Management Framework (RMF) Information and Resources

Risk Management Framework Information and Resources

News

(06/19/2018) NISP Enterprise Mission Assurance Support Service (e-MASS) Job Aid for training guidance and system access
The NISP Authorization Office has created a job aid for cleared industry to obtain access and sponsorship to the NISP eMASS. These instructions will allow NISP partners to access and complete the required DISA computer-based training beginning on July 2, 2018. You can find the job aid here.

(05/24/18) Release of DAAPM 1.3
The DSS NISP Authorization Office (NAO) is announcing the upcoming release of the DSS Assessments and Authorization Process Manual (DAAPM) 1.3 in its continuing effort to provide users with the most up-to-date requirements of the Risk Management Framework (RMF) process. This version update revolves around two specific areas of interest and goes into effect on June 4, 2018. Version 1.3 supersedes all previous versions of the DAAPM.

First area of interest is the inclusion of a recommended 90 day submission period for RMF packages. This change is located at the beginning of Section 6, which has been renamed to "Assessment and Authorization Implementation Guidance." The rationale for the change is to ensure that both Industry and DSS allow time to sufficiently work the packages before and after submission.

Next area of interest is defining who (cleared Industry or DSS) has responsibility for each step of the process. Contained in Section 6 is a walk-through of each RMF step with tasks and who is responsible for those tasks. In summary, Industry is responsible for Step 1, Step 2, Step 3, the first part of Step 4 and the first part of Step 6. DSS is responsible for the second part of Step 4, Step 5 and the second part of Step 6. Additionally, the flowchart in Section 5 is updated to reflect ownership of each step. Finally, the Concurrence Form has been eliminated. The intent of these updates is to eliminate confusion.

(2/16/18) DSS Authorized Warning Banner
Industry indicated that the DSS Authorized Warning Banner does not display as shown in the DSS Assessment and Authorization Process Manual (DAAPM). The issue is due to the use of the semi-colons. In order to resolve this matter, Industry is authorized to use a comma in place of the semi-colon.
If you have questions or concerns, please contact your assigned Information Systems Security Professional (ISSP). If you have specific questions about the format or content of the DSS Authorized Warning Banner, please provide comments and questions to dss.quantico.dss-hq.mbx.odaa@mail.mil.

(11/17/17) DSS Assessment and Authorization Process Manual (DAAPM) Version 1.2 Released
On November 17, 2017, the DSS NISP Authorization Office (NAO) released the DAAPM Version 1.2. The updated version is posted under the "Policy and Guidance" section.
If you have questions or concerns, contact your assigned Information System Security Professional (ISSP). If you have specific questions about the format, content, or want to provide general comments, send those to dss.quantico.dss-hq.mbx.odaa@mail.mil.

(08/02/17) NCMS 2017 - Questions and Answers
The NISP Authorization Office has provided responses to the most frequently asked questions at this year's NCMS conference. The content provided will answer many of the most common and pressing questions industry has regarding the transition of their classified information systems to the Risk Management Framework (RMF). To access the document, please scroll down to the bottom of this page under "Resources" and click on the "NCMS 2017 Questions & Answers" link.

(06/05/17) Windows Configuration Toolkit GPO
The NISP Authorization Office (NAO) has released the Windows Configuration Toolkit GPO to assist industry in the baseline technical configuration of systems using the Windows 10 operating system. The tool can be accessed and downloaded via OBMS and is located in the Headquarters section of the ODAA Bulletin Board, alongside the SCAP and STIG resources. For more detailed instructions, please reference the Job Aid titled "NAO Configuration Toolkit Job Aid" located on this webpage under the "Toolkits" section.

(05/19/17) Risk Management Framework - Phase 2
Effective January 1, 2018, all NISP partners and cleared industry will fully transition to Risk Management Framework. All Information Systems (IS) authorizations must be executed via the RMF Assessment and Authorization process. The RMF Assessment and Authorization process is promulgated in the DSS Assessments and Authorization Process Manual (DAAPM).

If you have questions or concerns, please contact your assigned Information Systems Security Professional (ISSP).

(04/07/17) RMF Information System (IS) OBMS Submissions
Effective immediately - Submissions for IS that are updating from NISPOM regulations to NIST RMF regulations are new submissions. Industry should submit in OBMS as a new system. If Industry submits as a re-submission, DSS will reject the re-submission and direct the ISSM to submit as a new system.

(03/31/17) NAO Windows Configuration Toolkit now available
NAO has released the Windows Configuration Toolkit GPO to assist industry in the baseline technical configuration of systems using the Windows 7 (x86/x64) operating system. The tool can be accessed and downloaded via OBMS and is located in the Headquarter section of the ODAA Bulletin Board, alongside the SCAP and STIG resources. For more detailed instructions, please reference the Job Aid titled "NAO Configuration Toolkit Job Aid" located on this webpage under the "Toolkits" section.

(03/31/17) DSS Assessment and Authorization Process Manual (DAAPM) V1.1 Released
The NISP Authorization Office (NAO) has released the updated DSS Assessment and Authorization Process Manual (DAAPM) v1.1 effective 31 March 2017. The updated document is located on this webpage under the "Policy and Guidance" section.

(03/02/17) NAO discontinues emailing authorization decision status updates
Effective immediately, the NISP Authorization Office (NAO) will discontinue sending emails to contractors for authorization decision updates. Industry is reminded to check OBMS for status updates and copies of the authorization decision supporting artifacts.

(02/23/17) DSS makes SCAP content available to industry via OBMS
The DSS NISP Authorization Office (NAO), in collaboration with the Defense Information Systems Agency and the Space and Naval Warfare Systems Command, has made the Security Content Automation Protocol (SCAP) Compliance Checker available to industry via OBMS. Installation files for the SCAP Compliance Checker are posted in the "ODAA Bulletin Board" section of OBMS for all supported operating systems. For additional information, please view the updated SCAP Job Aid posted on the DSS Risk Management Framework website. Applying for sponsorship through MAX.gov is no longer necessary as all PKI-protected SCAP content is available within OBMS.

If you have questions or concerns, please contact your assigned Information Systems Security Professional (ISSP). If you encounter issues accessing the SCAP content on OBMS, contact DSS NAO at dss.quantico.dss-hq.mbx.odaa@mail.mil.

(01/23/17) DSS Automated System Security Plan (SSP)
On January 23, 2017, DSS has released the new System Security Plan (SSP) template in Excel format for RMF plan submissions.

(09/29/16) DSS & NISP Partners Transition To Risk Management Framework
Effective October 3, 2016, all NISP partners and cleared industry will transition to Risk Management Framework. All expiring accreditations and requests of new accreditations for stand-alone systems must be submitted to DSS using RMF guidelines.

The DSS RMF is promulgated in the DSS Assessments and Authorization Process Manual (DAAPM). The DAAPM provides guidance, templates, security controls, System Security Plan (SSP) Templates and other artifacts necessary for the RMF transition and necessary to meeting mandated implementation timelines.

This RMF Information and Resource center provides implementation guidance and procedures for the management of all facilities, networks and systems under DSS cognizance. Contact your regional Authorizing Official (AO) with questions.

(08/25/16) DSS Authorization and Assessment Process Manual (DAAPM) Release
The release of the DAAPM begins our transition of the National Industrial Security Program (NISP) Certification and Accreditation (C&A) process to Risk Management Framework (RMF). This transition will align our authorization process for cleared Industry’s classified systems with other Federal Agencies, the Intelligence Community and the Department of Defense. The intent of RMF is to improve information security, improve our risk management processes and to promote reciprocity.

Current authorizations are grandfathered and systems can continue to process under existing authorizations until expiration. See transition timeline below:

System Type	Transition Timeline / Instructions
Multi-User Standalone (MUSA)/ Single-User Standalone (SUSA)	Execute RMF Assessment and Authorization through the Defense Assessment and Authorization Process Manual (DAAPM). Standalones are no longer allowed to be self-certified under the C&A Process. Be Proactive and Plan Ahead. RMF is a new process for both ISSPs/SCAs and ISSMs. Therefore, RMF Authorizations may take additional time depending on RMF training, knowledge, and tools.
Local Area Network (LAN)/ Wide Area Network (WAN)	Phase 1: Continue using the current C&A process with the latest version of the ODAA Process Manual. ATO will last no greater than 18 months starting October 3, 2016. Phase 2: Effective January 1, 2018, execute RMF Assessment and Authorization process through the DAAPM.

Everyone is encouraged to review DAAPM, templates and job aids below in preparation for the transitioning of Single User and Multi-User Standalones to RMF effective October 3, 2016.

Policy and Guidance

• DSS Assessment and Authorization Process Manual (DAAPM) Version 1.3 (Effective June 4, 2018)
• Summary of Changes to the DSS Assessment and Authorization Process Manual (DAAPM) Version 1.3
• DAAPM Appendix A Security Controls Version 1.2
• National Industrial Security Program Operating Manual
• NIST 800-53 Security & privacy Controls for Federal Information Systems and Organizations
• JSIG Guidance for Special Access Programs (SAP)
• Committee on National Security Systems Instruction (CNSSI) 1253 (March 2014)
• DoD 8510.01 Risk Management Framework for DoD Information Technology

Resources

• NCMS 2018 Frequently Asked Questions (FAQ)
• NISP Enterprise Mission Assurance Support Service (e-MASS) Job Aid
• Risk Management Framework (RMF) FAQ - April 2018
• Federal IS Request Template (November 2017)
• RMF Workflow Process with Associated Artifacts
• NCMS 2017 Questions and Answers
• Risk Management Framework (RMF) FAQ - April 2017
• System Security Plan Excel Version 1.2 - NOV17
• National Industrial Security Program Authorization Office (NAO) Homepage
• Getting Started with Risk Management Framework (October 2016)
• NISPOM to NIST 800-53v4 Security Control Mapping (May 2016)
• Plan of Action and Milestones (POA&M)
• SCAP Compliance Checker & DISA STIG Viewer
• DISA STIG Viewer
• System Security Plan Appendices Template Version 1.2 - NOV17
• System Security Plan Word Version 1.2 - NOV17
• ISSM-ISSO Appointment Letter Template
• Risk Assessment Report Template (November 2017)
• Gain Control with RMF Version 1

Training

• CDSE
• Introduction to the Risk Management Framework
• Getting Started with the SCAP compliance checker and STIG Viewer
• Applying the Risk Management Framework to Federal Information Systems
• DSS RMF Training Slides (August 2016)
• NIST - Applying the Risk Management Framework to Systems
• IASE - Cybersecurity Boot Camp (*DoD PKI Cert Required)
• IASE - DoD Cybersecurity Policy
• FedVTE - Cyber Risk Management for Technicians
• DISA - eMASS/RMF (Instructor-led Courses)

Toolkits

• NAO Configuration Toolkit Job Aid
• SCAP Compliant Tools and Products
• ISSM Toolkit