Transcription of Industrial Security Field Operations
Defense Security Service
Industrial Security Field Operations
National Industrial Security Program Authorization Office

Defense Security Service (DSS) Assessment and Authorization Process Manual (DAAPM)
Version May 6, 2019

Defense Security Service Assessment and Authorization Process Manual

EXECUTIVE SUMMARY

The policy of the Government is that all classified information must be appropriately safeguarded to assure the confidentiality of that information, as well as the integrity and availability of that information when required by contract. This Defense Security Service (DSS) Assessment and Authorization Process Manual (DAAPM) is intended for use by cleared contractors participating in the National Industrial Security Program (NISP).
Federal agencies, to include the Department of Defense (DoD), Special Access Program (SAP), and Intelligence communities, are adopting common guidelines to streamline and build reciprocity into the assessment and authorization (A&A) process, formerly known as Certification and Accreditation (C&A). The DAAPM transitions the DSS C&A processes to the Risk Management Framework (RMF), made applicable to cleared contractors by DoD M, Change 2, National Industrial Security Program Operating Manual (NISPOM), issued on May 18, 2016. The DAAPM implements RMF processes and guidelines from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy; NIST SP 800-53, Version 4, Security and Privacy Controls for Federal Information Systems and Organizations; NIST SP 800-53A, Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations; the Committee on National Security Systems (CNSS) Instruction No. 1253, Security Categorization and Control Selection for National Security Systems; and Committee on National Security Systems Directive (CNSSD) 504, Directive on Protecting National Security Systems From Insider Threat. The DAAPM also incorporates Insider Threat minimum requirements defined in the NISPOM, which are consistent with the requirements of Executive Order 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing of Classified Information, and the Presidential Memorandum, National Insider Threat Policy and Minimum Standards for Executive Branch Threat Programs. Changes to these core documents will be incorporated through the Change Management Process outlined in Section 2 of this manual.
This process manual is not intended to be relied upon or construed to create any right or benefit, substantive or procedural, enforceable at law against the United States, its agencies, officers or employees. The Federal Government reserves the right and has the obligation to impose any security method, safeguard, or restriction it believes necessary to verify that unauthorized access to classified information is effectively precluded and that performance of classified contracts is not adversely affected. This DAAPM supersedes all previous versions of the DAAPM and ODAA Process Manuals.

TABLE OF CONTENTS

EXECUTIVE SUMMARY
1 INTRODUCTION
  Background
  Applicability and Reciprocity
  References
  Changes in Terminology
2 CHANGE MANAGEMENT PROCESS
3 ROLES AND RESPONSIBILITIES
  Authorizing Official (AO)
  Security Control Assessor (SCA)
  Common Control Provider (CCP)
  Information Owner (IO)
  Information System Owner (ISO)
  Information System Security Manager (ISSM)
  Information System Security Officer (ISSO)
  Facility Security Officer (FSO)
  Privileged User
  General User
4 SECURITY TRAINING
  Privileged User Training
  General User Training
  Data Transfer Agent (DTA) Training
5 RISK MANAGEMENT FRAMEWORK
  Introduction to the Risk Management Framework (RMF)
  Fundamentals of the RMF
6 ENTERPRISE MISSION ASSURANCE SUPPORT SERVICE (EMASS)
  eMASS Workflow
  eMASS Approval Chain
7 ASSESSMENT AND AUTHORIZATION IMPLEMENTATION GUIDANCE
  Prepare
    Prepare Step Tasks
    Prepare Step Supporting Information
    Prepare Step Outputs
    Prepare Step References and Resources
  Categorize
    Categorize Step Tasks
    Categorize Step Outputs
    Categorize Step References and Resources
  Select
    Select Step Tasks
    Select Step Outputs
    Select Step References and Resources
  Implement
    Implement Tasks
    Implement Step Outputs
    Implement Step References and Resources
  Assess
    Assess Step Tasks
    Assess Step Outputs
    Assess Step References and Resources
  Authorize
    Authorize Step Tasks
    Authorize Step Supporting Information
    Authorize Step Outputs
    Authorize Step References and Resources
  Monitor
    Monitor Step Tasks
    Monitor Step Outputs
    Monitor Step References and Resources
8 AUTHORIZATION BOUNDARIES
9 TYPES OF SYSTEMS
  Standalone Systems
  Local Area Network (LAN)
  Wide Area Network (WAN)
  Enterprise Wide Area Network (eWAN)
  Unified Wide Area Network (WAN)
  Interconnected Systems
  International Interconnections
  Federal Information Systems
  Proposal Systems
  Special Categories
  Tactical, Embedded, Data-Acquisition, Legacy, and Special-Purpose Systems
  Mobile Systems
  Diskless Workstation
  Multifunction Devices
  Virtualization
  Test Equipment
  Video Teleconference (VTC)
  Peripherals
10 DEPARTMENT OF DEFENSE INFORMATION NETWORK (DODIN)
11 CROSS DOMAIN SOLUTION (CDS)
12 AUDIT VARIANCE
13 TYPE AUTHORIZATION
APPENDIX A: SECURITY CONTROLS (DSS ORGANIZATIONAL VALUES)
APPENDIX B: DSS OVERLAYS
APPENDIX C: RISK ASSESSMENT REPORT (RAR) TEMPLATE
APPENDIX D: POA&M TEMPLATE
APPENDIX E: RMF SYSTEM SECURITY PACKAGE SUBMISSION AND CERTIFICATION STATEMENT
APPENDIX F: ISSM APPOINTMENT LETTER
APPENDIX G: HARDWARE LIST
APPENDIX H: SOFTWARE
APPENDIX I: SYSTEM DIAGRAM/NETWORK TOPOLOGY
APPENDIX J: RECORD OF CONTROLLED AREA
APPENDIX K: IS ACCESS AUTHORIZATION AND BRIEFING FORM
APPENDIX L: IS PRIVILEGED ACCESS AUTHORIZATION AND BRIEFING
APPENDIX M: UPGRADE/DOWNGRADE PROCEDURE RECORD
APPENDIX N: SECURITY SEAL LOG
APPENDIX O: MAINTENANCE, OPERATING SYSTEM, & SECURITY SOFTWARE CHANGE
APPENDIX P: DATA TRANSFER PROCEDURES
APPENDIX Q: CONTINGENCY PLAN TEMPLATE
APPENDIX R: INCIDENT RESPONSE PLAN TEMPLATE
APPENDIX S: CLASSIFIED SPILL CLEANUP PROCEDURES
APPENDIX T: MEDIA SANITIZATION
APPENDIX U: MOBILITY SYSTEM PLAN TEMPLATE
APPENDIX V: FEDERAL IS REQUEST TEMPLATE
APPENDIX W: GOVERNMENT-TO-CONTRACTOR ISA TEMPLATE
APPENDIX X: WARNING BANNER
APPENDIX Y: ACRONYMS
APPENDIX Z:
APPENDIX AA: REFERENCES

1 INTRODUCTION

Background

Federal agencies have adopted the NIST RMF as a common set of guidelines for the assessment and authorization (A&A) of Information Systems (ISs). In an effort to streamline and build reciprocity into the DSS processes, DSS has adopted these standards as well, so that all cleared contractor systems that process classified information as part of the NISP are authorized under the RMF A&A process. The RMF focuses on a more holistic and strategic process for the risk management of systems, and on processes and procedures designed to develop trust across the Federal Government.