Defense Security Service Industrial Security Field Operations (ISFO) Office of the Designated Approving Authority (ODAA) August 2010

Page 1

Defense Security Service

Industrial Security Field Operations (ISFO)

Office of the Designated Approving Authority (ODAA)

August 2010

Page 2

Overview

• ODAA Documentation

• ISFO Process Manual (August 2010)

• Certification & Accreditation (C&A)

• Common Errors/Findings

Page 3

ODAA Documentation

– NISPOM (Chapter 8) (February 2006)

– Industrial Security Letters (ISLs)

– ISFO Process Manual (August 2010)

Page 4

ISFO Process Manual

• System Security Plans (SSP) Types

– Standalone

– Local Area Network (LAN)

– Wide Area Network (WAN)

– Network Security Plan (NSP)

Page 5

ISFO Process Manual

• Stand Alone

  – Single User Stand Alone (SUSA)

    • Only one general user

    • Physical security

      – Closed area

      – Restricted area

      – Classification level

  – Multi User Stand Alone (MUSA)

    • Two or more general users

    • Physical security

      – Closed area

      – Restricted area

      – Classification level

Page 6

ISFO Process Manual

• Local Area Network (LAN)

  – Peer to peer

    • Local user authentication

      – Closed area

      – Restricted area

      – Classification level

  – Domain controlled

    • Central user authentication

      – Closed area

      – Restricted area

      – Classification level

Page 7

ISFO Process Manual

• Wide Area Network (WAN)

  – Unified WAN

    • RDAA of host node will accredit

    • IATO not allowed

    • Single unified network SSP

      – Must include all nodes on the unified network

  – Interconnected WAN

    • Separately accredited systems

    • Network Security Plan (NSP)

    • IATO may be issued

Page 8

ISFO Process Manual

• Network Security Plan (NSP)

– Allows interconnection of separately accredited systems

– ATO/IATO will list nodes approved for connection

– Provides overall network view

– RDAA of host node will accredit

– Network ISSO is responsible

Page 9

ISFO Process Manual

• Self Certification

  – Authority granted in MSSP/Profile, Approval to Operate (ATO)

  – Allows ISSM to self certify like systems

    • Specific to system type and similar operations

  – Only systems that are NISPOM compliant may be self certified

  – Documentation for self certified systems

  – Notify IS Rep, ISSP and ODAA

Page 10

Certification & Accreditation (C&A)

• Plan Submission

  – Must use approved SSP/MSSP/NSP templates

  – Assign Unique Identifier (UID)

    • Once assigned, UIDs never change

  – Email to ODAA

    • CC ODAA, IS Rep and ISSP

    • Email subject line

    • Email body

Page 11

Table E-1 Subject Line Requirements for Plan Submissions

Region                  PLAN Unique Identifier        IS # Identifier   Variables
Capital / Northern /    CageCode¹-YYYYMMDD²-XXXXX³    XXXXX⁴            See Variables
Southern / Western

Format of the PLAN Unique Identifier: XXXXX-YYYYMMDD-XXXXX

Unique Identifiers

¹ Use the facility's 5 character Cage Code
² Use the date on the SSP or MSSP
³ Use a number from 00001 - 99999. Each plan must use a unique number.
⁴ Use a number from 00001 - 99999. Each plan must use a unique number.

Variables

MSSP  Use MSSP when the plan is a Master Security Plan
REV   Use Rev when the plan has been resubmitted after the Contractor has made revisions as required by the ODAA.
SIPR  Use when the IS seeking accreditation has a connection to the SIPRNet.
TERM  Use when the IS is no longer used for classified processing
INT   Use INT for SSPs with International connections
NSP   Use NSP for Network Security Plans
DIB   Use DIB for DIBCS System Security Plans
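As an added example (not from the ODAA slides), the following Python checks a plan submission subject line against the Table E-1 rules: the 5 character Cage Code, the YYYYMMDD date, the 00001-99999 plan and IS numbers, the four regions and the allowed variables. Whitespace between fields, an alphanumeric Cage Code, and plan-number uniqueness per Cage Code are assumptions; the table does not state them.

```python
import re
from datetime import datetime

# Added example, not part of the ODAA slides. The field separator (whitespace),
# the Cage Code character class (A-Z, 0-9) and per-Cage-Code uniqueness of the
# plan number are assumptions; Table E-1 only gives lengths and number ranges.
REGIONS = {"Capital", "Northern", "Southern", "Western"}
VARIABLES = {"MSSP", "REV", "SIPR", "TERM", "INT", "NSP", "DIB"}
UID_RE = re.compile(r"^([A-Z0-9]{5})-(\d{8})-(\d{5})$")  # CageCode-YYYYMMDD-Plan#


def check_plan_uid(uid):
    """Return a list of problems with a plan UID; an empty list means it is valid."""
    m = UID_RE.match(uid)
    if not m:
        return ["UID must be CageCode-YYYYMMDD-NNNNN (5 chars, 8 digits, 5 digits)"]
    cage, date, number = m.groups()
    problems = []
    try:
        datetime.strptime(date, "%Y%m%d")  # footnote 2: a real calendar date
    except ValueError:
        problems.append(f"date {date} is not a valid YYYYMMDD date")
    if not 1 <= int(number) <= 99999:  # footnote 3: 00001-99999
        problems.append(f"plan number {number} must be in 00001-99999")
    return problems


def check_subject_line(subject):
    """Validate 'Region UID IS# [Variables...]' (whitespace-separated, assumed)."""
    parts = subject.split()
    if len(parts) < 3:
        return ["subject line needs at least Region, UID and IS # fields"]
    region, uid, is_number, *variables = parts
    problems = []
    if region not in REGIONS:
        problems.append(f"unknown region {region!r}")
    problems += check_plan_uid(uid)
    if not (len(is_number) == 5 and is_number.isdigit() and 1 <= int(is_number) <= 99999):
        problems.append(f"IS # {is_number} must be a number from 00001-99999")
    for v in variables:  # table lists "Rev" and "REV", so compare case-insensitively
        if v.upper() not in VARIABLES:
            problems.append(f"unknown variable {v!r}")
    return problems


def find_duplicate_plan_numbers(uids):
    """Return UIDs that reuse a plan number already used by the same Cage Code."""
    seen, dups = set(), []
    for uid in uids:
        m = UID_RE.match(uid)
        if m:
            key = (m.group(1), m.group(3))
            if key in seen:
                dups.append(uid)
            seen.add(key)
    return dups
```

The Cage Code `1A2B3` and plan numbers used in the checks below are constructed sample values, not real identifiers.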

Page 12

Certification & Accreditation (C&A)

• Process

– Email plan to ODAA

– ODAA accepts or rejects plan

– Once accepted, ISSP performs desktop review

– RDAA can deny or issue IATO

– If required ISSM resubmits corrections

– ISSP will perform on site verification

– RDAA issues ATO

Page 13

C&A Common Errors

• Missing or incomplete UID

• Not using approved DSS templates

• Missing signed IS Security Package Submission and Certification Statement

• Missing signed DSS Form 147

• Missing ISSM System Certification Test Checklist

• Missing GCA risk acceptance letter for variances

• Missing MOU if required

• Missing published and promulgated IS Security Policy addressing the classified processing environment

• ISSM fails to submit required corrections

Page 14

Common Errors

– Passwords

– SSPs not properly updated (Hardware list, software list, configuration diagram not accurate)

– Changing the security posture of the system without authorization

Page 15

Audit Issues

– References: NISPOM 8-602, ISL 2007-01 items 44 & 45

– Security Relevant Objects (SRO), file, and folder permission & auditing

– System auditing

Page 16

Questions & Answers