By Lon J. Berman, CISSP, RDRP at BAI.
The Defense Security Service (DSS) serves as an interface between the government and cleared industry. DSS administers and implements the National Industrial Security Program (NISP) by providing oversight and assistance to cleared contractor facilities to ensure protection of classified information. In short, if your company maintains cleared personnel and/or processes classified information at your premises on behalf of a government customer, DSS will be part of your life.
Classified Information Systems (IS) at cleared contractor facilities are subject to Assessment and Authorization (A&A) in accordance with RMF. DSS has developed its own “flavor” of RMF that is tailored to best meet the needs of the cleared contractor community. The DSS Assessment and Authorization Program Manual (DAAPM) is the governing publication.
For the most part, DAAPM delineates the customary RMF roles and responsibilities – Authorizing Official (AO), Security Control Assessor (SCA), Information System Owner (ISO), Information System Security Manager/Officer (ISSM/ISSO), etc. Some of the role assignments are unique to DSS. For example, DSS Information System Security Professionals (ISSPs) are assigned the SCA role. DAAPM defines the role of Data Transfer Agent (DTA) with responsibility for secure transfer of information to and from the system. Additionally, there are specific training requirements for ISSMs, selected from the DSS Center for Development of Security Excellence (CDSE) catalog.
DAAPM specifies the customary six step RMF process – Categorize, Select, Implement, Assess, Authorize, Monitor – and, again, there is some DSS-specific tailoring. For example, the system categorization for Confidentiality is limited to Moderate or High, due to the presence of classified information (Integrity and Availability categorization can still be Low, Moderate or High). To serve the needs of most customers, DSS publishes a security control baseline spreadsheet for a Moderate-Low-Low categorization, including the Classified overlay.
DAAPM also includes DSS-specific overlays that deal with three types of systems: Single User Standalone (SUSA), Multi User Standalone (MUSA) and Isolated LAN. Because of their limited connectivity, many controls have been removed from the system baselines by these overlays.
In the area of documentation, DAAPM provides a template for the System Security Plan (SSP) and the required appendices. The eMASS tool is not used, however DSS does provide the Office of the Designated Approving Authority Business Management System (OBMS) to facilitate submittal of completed RMF packages for DSS approval.
Overall, the DSS RMF process is largely similar to the standard RMF for DoD IT process, so “standard” RMF training is a good starting point. You can also visit www.dss.mil/rmf for additional information from DSS.