The NISP Authorization Office (NAO) released the NISP Enterprise Mission Assurance Support Service (eMASS) Industry Operation Guide Version 1.0. The operation guide is designed to help Industry users navigate eMASS. The operation guide is posted on the NISP eMASS Information and Resource Center (https://www.dss.mil/ma/ctp/io/nao/rmf/) under "Resources". If you have questions or concerns, please contact the NAO eMASS Mailbox at firstname.lastname@example.org.
The NISP Authorization Office has made the NISP Classified Configuration tool (NISP CC) available to download via the NISP eMASS instance. The NISP CC is intended to assist industry in initial and maintenance configuration of NISP authorized information systems. Detailed instructions regarding accessing, downloading, and applying the NISP CC can be found in the NISP CC in eMASS Job Aid, located here
Microsoft has announced that after January 14, 2020, they will no longer provide security updates or support for computers running Windows 7.
The NISP Authorization Office is encouraging industry partners to begin working with government sponsors to adapt a strategy for migrating from Windows 7 to Windows 10 as soon as practical.
Microsoft has posted some questions and answers at: https://www.microsoft.com/en-us/windowsforbusiness/end-of-windows-7-support.
The NISP instance of the Enterprise Mission Assurance Support Service (eMASS) is now the official system of record for Assessment and Authorization (A&A) actions. In addition to completing all the NISP eMASS Account prerequisites (SAAR, Cyber Awareness Challenge Training, and eMASS Computer Based Training), Industry users must complete the New User Registration in the NISP eMASS instance: https://emass-nisp.csd.disa.mil/. Once the New User Registration is complete, Industry user accounts can be activated. The NISP eMASS Account and Access Procedures Job Aid is posted on the NISP eMASS Information and Resource Center: https://www.dss.mil/ma/ctp/io/nao/rmf/. Note: DISA has identified an issue with New User Registration when accessing NISP eMASS via an ECA. DISA is implementing a patch that will resolve this issue by May 10th. If you have any questions or concerns, please contact the NAO eMASS Mailbox at: email@example.com
Consistent with the Executive Order signed on April 24, 2019, the Department of Defense (DoD) will begin a phased transition of the investigations conducted by the National Background Investigations Bureau (NBIB) to DoD. This action will include the transfer of personnel and resources from NBIB to DSS, as authorized by the president of the United States. The transfer of NBIB's operations, personnel, and resources to DoD will commence not later than June 24, 2019 with the transfer completed by Oct. 1, 2019. DSS will be renamed the Defense Counterintelligence and Security Agency (DCSA) and serve as the primary Federal entity for conducting background investigations for the Federal Government. DCSA will also serve as the primary Department of Defense component for the National Industrial Security Program and shall execute responsibilities relating to continuous vetting, insider threat programs, and any other responsibilities assigned to it by the Secretary of Defense. NBIB and DSS have and will continue to work in an integrated manner to minimize disruptions to existing missions while beginning the transfer process.
The NISP Authorization Office (NAO) has created a job aid for cleared industry partners interested in pursuing an authorized NISP Enterprise Wide Area Network (eWAN) for their organization. The job aid outlines the requirements for participation in the eWAN program, and provides guidance toward successful creation of an eWAN proposal, System Security Plan (SSP), and test and authorization planning. The job aid can be found on the NAO Risk Management Framework Site (https://www.dss.mil/ma/ctp/io/nao/rmf/) under "Resources".
The NISP Authorization Office (NAO) released the DSS Assessment and Authorization Process Manual (DAAPM) Version 2.0. The updated version is posted on the NAO Risk Management Framework site (https://www.dss.mil/ma/ctp/io/nao/rmf/) under "Policy and Guidance". DAAPM Version 2.0 becomes effective on May 6, 2019, and supersedes all previous versions of the DAAPM and ODAA Process Manuals. If you have questions or concerns, contact your assigned Information Systems Security Professional (ISSP). If you have specific questions about the format or content, or want to provide general comments, send those to dss.quantico.dss firstname.lastname@example.org
The DSS NISP Authorization Office (NAO) has postponed the eMASS transition until May 6, 2019. Cleared industry partners should continue to work with their ISSPs and Team Leads to complete the required eMASS training and request a NISP eMASS account to ensure readiness for the transition. Job aids are posted on the NISP eMASS Information and Resource Center.
With the postponement of the eMASS transition, the DSS Assessment and Authorization Process Manual (DAAPM) Version 2.0 will be delayed. The revised release date is April 8, 2019, with an effective date of May 6, 2019.
Industry partners should continue to submit all System Security Plans (SSP) and supporting artifacts via the ODAA Business Management System (OBMS).
Questions and inquiries regarding eMASS are handled through the NAO eMASS mailbox: email@example.com. Questions and inquiries regarding the DAAPM are handled through the NAO mailbox: firstname.lastname@example.org.
OBMS provides the Contractor Submitter Role the ability to archive Unique Identifiers (UIDs). The archive feature allows the contractor to remove older versions of UIDs and effectively manage OBMS records. In order to archive a UID, the contractor will need to conduct the following actions:
If the UID is in a DRAFT status, the contractor will not be able to archive the UID. The contractor will need to contact the DSS Knowledge Center and submit a request to have the DRAFT UIDs archived. The DSS Knowledge Center can be reached at (888) 282-7682 or via email at email@example.com.
If you have questions or concerns, please contact your assigned Information Systems Security Professional (ISSP). If you have specific questions about OBMS, please provide comments and questions to firstname.lastname@example.org.
Government programs sponsoring cleared contractor SIPRNet connections can now sponsor a contractor for tokens directly within the Secure-Defense Enrollment Eligibility Reporting System (S-DEERS). Sponsors are advised to obtain tokens for their cleared contractors as soon as possible.
Contractors with systems authorized to connect to a government sponsored SIPRNet connection are required to implement SIPRNet tokens in accordance with USCYBERCOM TASKORD J3-12-0863 by October 01, 2017 where technically feasible. Contractors will no longer be identified as 'Temporary Exception Users' after this date.
Systems without a domain environment must wait for the 90meter software vendor to provide a local login solution; however, tokens for web site authentication will be used when required by the site.
Additional information can be found at the DISA SIPRNet PKE webpage.
Note: Personnel who used DoD-approved 90meter Smart Card Manager products on DoD Networks must have a valid licensing agreement with 90meter. Due to licensing agreements, DoD cannot provide 90meter Smart Card Manager V1.4.32S on the IASE Website. Users may acquire DoD-approved 90meter products directly from email@example.com.
The DSS Assessment and Authorization Process Manual (DAAPM), originally scheduled for release August 1, 2016, has been postponed to later this month.
The phased implementation is still scheduled to begin on October 1, 2016.
In accordance with the Committee on National Security Systems Instruction (CNSSI) 7003, dated September 2015 (available on the DSS website), cleared contractors are required to have compliant PDS by September 30, 2018.
In an effort to transition from old guidance to new, cleared contractors should work with their assigned Information Systems Security Professional (ISSP) to assess their existing PDS configuration against the CNSSI 7003 requirements. A PDS Plan of Action and Milestones (POA&M) needs to be created to document when non-compliant PDS issues will be remediated. The POA&M must be submitted to the NISP Authorization Office (NAO) (formerly ODAA) mailbox at firstname.lastname@example.org by September 30, 2016. Please include your assigned Information Systems Security Professional (ISSP) and Industrial Security Representative (ISR) on the email submission.
The CNSSI 7003 also requires the approval of PDS by the DSS Authorization Official (AO) (formerly the RDAA). Effective immediately, all PDS Installation Plans/PDS Requests will be submitted to the NAO Mailbox noted above. Once the plan has been reviewed and validated by the ISSP, the AO will sign and forward an approval letter to the originator. As a note, the Facility PDS Installation Plan is approved separately from the Information System Authorizations (formerly C&A process). Once approved, the PDS Installation Plan/PDS Request and approval letter would then be uploaded into OBMS for each system Unique Identifier (UID) (that uses the PDS), as a supporting artifact to a System Security Plan (SSP).
Previously approved PDSs are authorized to continue in support of Information Systems (IS). However, any PDS that is not currently compliant could affect the expiration dates of ATOs (not to exceed September 30, 2018) for new or revised information systems. Please consult with your ISSP for questions concerning PDS.
Effective immediately, all PDS self-certification authorizations are hereby withdrawn.
Today DSS released the updated Office of the Designated Approving Authority (ODAA) Process Manual. Revision 3.2 reflects a significant re-write and consolidation of information into a format closely resembling information assurance instructions. Sections of the manual have been aligned and cross-referenced to enable translation to National Institute of Standards and Technology (NIST) guidance. Future revisions will bear an even stronger resemblance to NIST instructions in format and content for the purpose of reciprocity throughout the Department of Defense and the Federal government.
The Manual becomes effective on May 15, 2014, six months after issuance. This transition period allows time for familiarization and planning prior to implementation. During the transition period, Information Systems Security Managers may choose to apply updated guidance to existing and/or new systems during the Certification and Accreditation process. Beginning on the published implementation date at the end of the six-month transition period, the manual and associated changes should be followed for all system accreditation activities.
ODAA thanks industry, field personnel, and everyone whose hard work and dedication have enabled the production of the Process Manual.
Please be advised there are significant changes to the Command Cyber Readiness Inspection (CCRI) scoring methodology starting October 1, 2013. Please work with your government sponsor to obtain the General Administration Message J3-13-0667 or send an email request as described below:
Request to: DISN@dss.smil.mil (SIPR)
Insert keywords in the subject: Request J3-13-0667
Provide the following information in the body of your email:
Company Name and address
Name of Requestor (FSO/ISSM/ISSO)
Requestor's SIPRNet email address
Reason for the request