
Industrial Security Field Operations (ISFO) Office of the Designated Approving Authority (ODAA) August 2010.




1 Industrial Security Field Operations (ISFO) Office of the Designated Approving Authority (ODAA) August 2010

2 Overview
- ODAA Documentation
- ISFO Process Manual (August 2010)
- Certification & Accreditation (C&A)
- Common Errors/Findings

3 ODAA Documentation
- NISPOM (Chapter 8) (February 2006)
- Industrial Security Letters (ISLs)
  - ISL
  - ISL
- ISFO Process Manual (August 2010)
- DSS ODAA Baseline Standards (March 2009)
- NISP Tool for Windows Version (March 2010)
- System Security Plan (SSP) Templates (August 2009)
- Network Security Plan (NSP) Template (November 2008)

4 ISFO Process Manual: System Security Plan (SSP) Types
- Standalone
- Local Area Network (LAN)
- Wide Area Network (WAN)
- Network Security Plan (NSP)

5 ISFO Process Manual: Stand Alone
- Single User Stand Alone (SUSA)
  - Only one general user
  - Physical security
    - Closed area
    - Restricted area
  - Classification level
- Multi User Stand Alone (MUSA)
  - Two or more general users

6 ISFO Process Manual: Local Area Network (LAN)
- Peer to peer
  - Local user authentication
  - Closed area
  - Restricted area
  - Classification level
- Domain controlled
  - Central user authentication

7 ISFO Process Manual: Wide Area Network (WAN)
- Unified WAN
  - RDAA of host node will accredit
  - IATO not allowed
  - Single unified network SSP
  - Must include all nodes on the unified network
- Interconnected WAN
  - Separately accredited systems
  - Network Security Plan (NSP)
  - IATO may be issued

8 ISFO Process Manual: Network Security Plan (NSP)
- Allows interconnection of separately accredited systems
- ATO/IATO will list nodes approved for connection
- Provides overall network view
- RDAA of host node will accredit
- Network ISSO is responsible

An NSP must be written for any interconnection between two or more separately accredited information systems, including two or more systems owned by the same ISSM at the same facility or campus (cage code).

9 ISFO Process Manual: Self Certification
- Authority granted in MSSP/Profile, Approval to Operate (ATO)
- Allows ISSM to self certify like systems
- Specific to system type and similar operations
- Only systems that are NISPOM compliant may be self certified
- Documentation for self certified systems
- Notify IS Rep, ISSP and ODAA

An IS Profile under an MSSP is written for a system type (Single-User Non-networked, Multiuser Non-networked and Peer to Peer LAN, or Domain Controlled LAN) and similar operations (Trusted Downloads, Periods Processing, Mobile System, etc.). Each IS Profile must be accredited by the CSA before the ISSM can self-certify a similar system. Master plans will not be written for any system requiring a variance or waiver. Only those systems that are NISPOM compliant may be self-certified.

10 Self Certification Issues
References: NISPOM 8-202g, ISL Item 14, ISFO Process Manual Appendix F
- MSSP vs. SSP
- What can be self certified?
- Expiration or cancellation of the MSSP profile
- Submitting self certified paperwork to ODAA
- Self certified documentation not maintained with the system
- MSSP Tracking Forms
- What cannot be self certified
  - Profiles with variance to NISP Requirements
  - Profiles accredited prior to the release of ISL

11 Certification & Accreditation (C&A): Plan Submission
- Must use approved SSP/MSSP/NSP templates
- Assign Unique Identifier (UID)
  - Once assigned, UIDs never change
- To: ODAA
- CC: ODAA, IS Rep and ISSP
- Subject line
- Body

12 PLAN Unique Identifier

Table E-1 Subject Line Requirements for Plan Submissions

Region: Capital, Northern, Southern, Western
PLAN Unique Identifier (IS # Identifier): XXXXX-YYYYMMDD-XXXXX, built as CageCode¹-YYYYMMDD²-XXXXX³
Variables⁴: see Variables

Unique Identifiers
1 Use the facility's 5 character Cage Code
2 Use the date on the SSP or MSSP
3 Use a number from (range not shown in this transcript). Each plan must use a unique number.
4 Variables
  - MSSP: Use MSSP when the plan is a Master Security Plan
  - REV: Use REV when the plan has been resubmitted after the Contractor has made revisions as required by the ODAA
  - SIPR: Use when the IS seeking accreditation has a connection to the SIPRNet
  - TERM: Use when the IS is no longer used for classified processing
  - INT: Use INT for SSPs with International connections
  - NSP: Use NSP for Network Security Plans
  - DIB: Use DIB for DIBCS System Security Plans

13 Certification & Accreditation (C&A): Process
- Plan to ODAA
- ODAA accepts or rejects plan
- Once accepted, ISSP performs desktop review
- RDAA can deny or issue IATO
- If required, ISSM resubmits corrections
- ISSP will perform on site verification
- RDAA issues ATO

14 C&A Common Errors
- Missing or incomplete UID
- Not using approved DSS templates
- Missing signed IS Security Package Submission and Certification Statement
- Missing signed DSS Form 147
- Missing ISSM System Certification Test Checklist
- Missing GCA risk acceptance letter for variances
- Missing MOU if required
- Missing published and promulgated IS Security Policy addressing the classified processing environment
- ISSM fails to submit required corrections

15 Common Errors
- Passwords
- SSPs not properly updated (hardware list, software list, configuration diagram not accurate)
- Changing the security posture of the system without authorization
- Built-in admin password set never to expire
- BIOS password not set
- Test equipment with an operating system not included in a plan
- System audit review not being conducted on a weekly basis
- Weekly audit review not conducted during long holiday periods
- Dormant procedures implemented without authorization

16 Audit Issues
References: NISPOM 8-602, ISL 2007-01 items 44 & 45
- Security Relevant Objects (SRO), file, and folder permission & auditing
- System auditing
  - Operating system executables
  - Operating system configuration
  - System management and maintenance executables
  - Audit data/audit review logs
  - Security related software (Anti-Virus, System/Network Scanners)

17 Questions & Answers

