ODAA News

(10/03/11) Clarification on Implementation of the ISFO Process Manual v3.0

As we transition to the updated version of the ISFO Process Manual (Version 3.0) by December 31, 2011, the following will provide additional clarification in response to several questions we have received.

  1. The guidance grants ISSMs the ability to continue to add workstations to a pre-existing accredited system if the workstations are configured to the previously approved settings; what limitations, if any, apply to this guidance?
    1. An ISSM with existing self-certification authority for a local area network (LAN) may continue to add workstations to the LAN as long as there are no other security relevant changes to the LAN.
    2. An ISSM with existing self-certification authority for multi-user stand-alone (MUSA) systems cannot self-certify a new profile under their existing authority unless he/she has demonstrated the ability to properly configure the operating system in accordance with the ISFO Process Manual (v3.0) using one of the three methods described in the implementation guidance found at http://www.dss.mil/isp/odaa/news.html.
  2. We are aware we can use an ODAA NISP tool report to satisfy the requirement to validate an ISSM's capability without requiring an onsite validation visit for some operating systems. What about those operating systems not supported by the NISP tool?

    For operating systems not supported by the DSS ODAA NISP tool, an onsite visit by the ISSP is required to validate the ISSM's ability to implement the configuration settings. If the only security relevant changes to the system are due to implementing the updated guidance, this visit may be conducted prior to the System Security Plan (SSP) submission during an unrelated visit or as a step in the standard certification process. After the ISSP has visited the site and validated the ISSM's capability to configure the operating system and a successful desktop review of the SSP has been completed, the system can go straight to ATO without an additional site visit.
  3. If an ISSM demonstrates the ability to configure an operating system to the new guidelines in a closed area, does the ISSM also need to demonstrate the ability to configure that operating system in a restricted area?

    Where the ISSM has the same operating system in multiple environments (e.g., closed area, restricted area), the ISSP will validate only the first instance of that operating system's configuration, in whichever environment it is encountered. It is not necessary for the ISSP to validate the same operating system in each environment.

If you have additional questions, please forward to .

(08/26/11) Transitioning to the ISFO Process Manual for Certification & Accreditation (Effective 12/31/2011)

The updated version of the ISFO Process Manual (Version 3.0) introduces a new baseline security configuration. Information systems (IS) created or updated on or after December 31, 2011, must meet the new baseline requirements and be submitted for accreditation using the new templates.

The following guidance is intended to ease the burden on both industry and DSS while transitioning to the new baseline.

Configuration changes (such as password length, lockout thresholds, etc.) are considered security relevant changes when applied to previously accredited (including self-certified) systems. Therefore, updating a previously accredited system to the new configuration must be evaluated for reaccreditation.

While Information Systems Security Manager (ISSM) self-certification authority does NOT automatically expire on December 31, 2011, the ISSM cannot self-certify any system to the new configuration settings until the ISSM has successfully demonstrated to the Information Systems Security Professional (ISSP) the capability to implement the new configuration.

ISSMs may continue to add workstations to a pre-existing accredited system if the workstations are configured to the previously approved settings and the system profile is properly updated in the appropriate areas (hardware baseline, system diagrams, etc.). This action will not prompt the need for a reaccreditation or require the use of the new templates.

Systems under Master System Security Plan (MSSP) or System Security Plan (SSP) with a current Interim Approval To Operate (IATO) or Approval To Operate (ATO) are NOT required to implement the new requirements or templates until they are up for a three-year re-evaluation, or a reaccreditation is necessary due to a security relevant change.

Using the National Industrial Security Program (NISP) Tool and providing a copy of the NISP Tool report is highly encouraged and may be used as evidence of the ISSM's ability to configure the system to the new settings. If the NISP Tool report is provided when submitting new or updated M/SSP documentation, the ISSP on-site validation may not be required if there are no other security relevant changes. If the NISP Tool cannot be used to validate configuration settings, an on-site validation must be accomplished by the ISSP, who will review the system and recommend self-certification authorization.

The ISSM may also demonstrate the ability to configure the system in accordance with the new settings during an unrelated scheduled visit by the ISSP. Once the ISSP has validated the ISSM's ability to configure the system, the ISSM may self-certify like systems to the new settings and submit an updated MSSP using the new templates. The onsite validation step may be waived and the system will go straight to ATO as long as the desktop review is satisfactory and there are no additional security relevant changes to the system.

If a previously approved MSSP with a large number of associated self-certified systems is updated and reaccredited due to a change in an associated profile (or at a three-year re-evaluation), the ISSM may update one profile under the MSSP, document the plan/timeline for updating the remaining system profiles in a Plan of Action and Milestones (POA&M), and submit the accreditation package to the Office of the Designated Approving Authority (ODAA), ISSP, and IS Rep. The POA&M shall reflect an appropriate timeframe for completing the transition of the remaining profiles, not to exceed their scheduled expiration dates.

Updating an IS profile authorized by an MSSP requires that the MSSP also be updated. A POA&M can then be used to outline the transition of other IS profiles previously associated with the MSSP.

(06/14/11) Updated ISFO Process Manual, Version 3 is available for Industry

Implementation of the updated Process Manual is effective September 12, 2011. Also available are System Security Plan (SSP) and Master System Security Plan (MSSP) Templates which align with the new ISFO Process Manual. The updated ISFO Process Manual and Templates can be requested by emailing , using the instructions under Industrial Security, ODAA, and Request for Documents.

(08/12/10) ISFO Process Manual Update

The ISFO Process Manual dated August 2010 has been released. The updated Process Manual may be requested from the following location: http://www.dss.mil/isp/odaa/request.html#cert. A Summary of Changes will also be included with the request.