Risk Management Framework Information and Resources


(03/02/17) NAO discontinues emailing authorization decision status updates
Effective immediately, the NISP Authorization Office (NAO) will discontinue sending emails to contractors for authorization decision updates. Industry is reminded to check OBMS for status updates and copies of the authorization decision supporting artifacts.

(02/23/17) DSS makes SCAP content available to industry via OBMS
The DSS NISP Authorization Office (NAO), in collaboration with the Defense Information Systems Agency and the Space and Naval Warfare Systems Command, has made the Security Content Automation Protocol (SCAP) Compliance Checker available to industry via OBMS. Installation files for the SCAP Compliance Checker are posted in the "ODAA Bulletin Board" section of OBMS for all supported operating systems. For additional information, please view the updated SCAP Job Aid posted on the DSS Risk Management Framework website. Applying for sponsorship through MAX.gov is no longer necessary as all PKI-protected SCAP content is available within OBMS.

If you have questions or concerns, please contact your assigned Information Systems Security Professional (ISSP). If you encounter issues accessing the SCAP content on OBMS, contact DSS NAO at dss.quantico.dss-hq.mbx.odaa@mail.mil.

(01/23/17) DSS Automated System Security Plan (SSP)
On January 23, 2017, DSS released the new System Security Plan (SSP) template in Excel format for RMF plan submissions.

(09/29/16) DSS & NISP Partners Transition To Risk Management Framework
Effective October 3, 2016, all NISP partners and cleared industry will transition to the Risk Management Framework. All expiring accreditations and requests for new accreditations for stand-alone systems must be submitted to DSS using RMF guidelines.

The DSS RMF is promulgated in the DSS Assessments and Authorization Process Manual (DAAPM). The DAAPM provides guidance, templates, security controls, System Security Plan (SSP) templates and other artifacts necessary for the RMF transition and for meeting mandated implementation timelines.

This RMF Information and Resource center provides implementation guidance and procedures for the management of all facilities, networks and systems under DSS cognizance. Contact your regional Authorizing Official (AO) with questions.

(08/25/16) DSS Authorization and Assessment Process Manual (DAAPM) Release
The release of the DAAPM begins our transition of the National Industrial Security Program (NISP) Certification and Accreditation (C&A) process to Risk Management Framework (RMF). This transition will align our authorization process for cleared Industry’s classified systems with other Federal Agencies, the Intelligence Community and the Department of Defense. The intent of RMF is to improve information security, improve our risk management processes and to promote reciprocity.

Risk Management Framework (RMF) Transition Plan

Current authorizations are grandfathered and systems can continue to process under existing authorizations until expiration. See transition timeline below:

System Type: Multi-User Standalone (MUSA) / Single-User Standalone (SUSA)
Transition Timeline / Instructions:
  • Execute RMF Assessment and Authorization through the Defense Assessment and Authorization Process Manual (DAAPM).
  • Standalones are no longer allowed to be self-certified under the C&A Process.
  • Be proactive and plan ahead. RMF is a new process for both ISSPs/SCAs and ISSMs. Therefore, RMF Authorizations may take additional time depending on RMF training, knowledge, and tools.

System Type: Local Area Network (LAN) / Wide Area Network (WAN)
Transition Timeline / Instructions:
  • Phase 1: Continue using the current C&A process with the latest version of the ODAA Process Manual. ATO will last no greater than 18 months starting October 3, 2016.
  • Phase 2: Execute RMF Assessment and Authorization process through the DAAPM. (Timeline TBD.)

Everyone is encouraged to review the DAAPM, templates and job aids below in preparation for the transition of Single User and Multi-User Standalones to RMF effective October 3, 2016.

Policy and Guidance