Site Map | A-Z Index | Facebook | Twitter

• Home
• About Us
  • Director
  • Deputy Director
  • Vision and Mission
  • History
  • Electronic Reading Room
  • Locations
  • Press Room
  • Organizational Structure
  • Careers at DSS
  • Doing Business with DSS
  • Frequently Asked Questions
• Directorates
  • Industrial Security Field Operations (ISFO)
  • Industrial Security Integration & Application (IP)
  • Counterintelligence (CI)
  • Center for Development of Security Excellence (CDSE)
• Services
  • Oversee and assist the defense industrial base
  • Provide counterintelligence support
  • Accredit information systems
  • Facilitate personnel security clearance for industry
  • Manage foreign ownership, control, or influence
  • Deliver security education and training
• Information Systems
  • Defense Central Index of Investigations (DCII)
  • Electronic Facility Clearance System (e-FCL)
  • Industrial Security Facilities Database (ISFD)
  • Joint Personnel Adjudication System (JPAS)
  • National Industrial Security Program (NISP) Central Access Information Security System (NCAISS)/DSS Applications
  • National Industrial Security Program (NISP) Contracts Classification System (NCCS)
  • National Industrial Security System (NISS)
  • ODAA Business Management System (OBMS)
  • Secure Web Fingerprint Transmission (SWFT)
  • Security Training, Education and Professionalization Portal (STEPP)
• Contact Us
  • Feedback on website
  • Acquisitions Office
  • Center for Development of Security Excellence
  • Knowledge Center
  • Equal Employment Opportunity Office
  • FOIA and Privacy Office
  • Human Capital Management Office
  • Inspector General's Office
  • ISFO Field Office Locations
  • Legislative Affairs Office
  • Public Affairs Office
  • Mailing Addresses

Home + NISP Risk Management Framework (RMF) Information and Resources

Risk Management Framework Information and Resources

News

(09/29/16) DSS & NISP Partners Transition To Risk Management Framework
Effective October 3, 2016, all NISP partners and cleared industry will transition to Risk Management Framework. All expiring accreditations and requests of new accreditations for stand-alone systems must be submitted to DSS using RMF guidelines.

The DSS RMF is promulgated in the DSS Assessments and Authorization Process Manual (DAAPM). The DAAPM provides guidance, templates, security controls, System Security Plan (SSP) Templates and other artifacts necessary for the RMF transition and necessary to meeting mandated implementation timelines.

This RMF Information and Resource center provides implementation guidance and procedures for the management of all facilities, networks and systems under DSS cognizance. Contact your regional Authorizing Official (AO) with questions.

(08/25/16) DSS Authorization and Assessment Process Manual (DAAPM) Release
The release of the DAAPM begins our transition of the National Industrial Security Program (NISP) Certification and Accreditation (C&A;) process to Risk Management Framework (RMF). This transition will align our authorization process for cleared Industry’s classified systems with other Federal Agencies, the Intelligence Community and the Department of Defense. The intent of RMF is to improve information security, improve our risk management processes and to promote reciprocity.

Current authorizations are grandfathered and systems can continue to process under existing authorizations until expiration. See transition timeline below:

System Accreditation Status	Transition Timeline / Instructions
System Security Plan (SSP) /Master System Security Plan (MSSP) submitted prior to October 3, 2016.	Continue using current C&A; process with the latest version of the ODAA Process Manual. The ATO will last no greater than 18 months starting October 3, 2016. Within six months of authorization, develop a Plan of Action and Milestones (POA&M;) for transition to RMF.
Standalone (MUSA/SUSA) SSPs/MSSPs after October 3, 2016.	Execute RMF Assessment and Authorization through the DAAPM. Standalones are no longer allowed to be self-certified under the C&A; process.
Local Area Network (LAN), Wide Area Network (WAN) or Interconnected System after October 3, 2016.	Phase 1: Cleared contractors continue using the current C&A; process with the latest version of the ODAA Process Manual. ATO will last no greater than 18 months starting October 3, 2016. Within six months of authorization, develop a POA&M; for transition to RMF. LANs/WANs may continue to be self-certified as authorized under the C & A process. Phase 2: Execute RMF Assessment and Authorization process through the DAAPM. (Timeline TBD.)

Everyone is encouraged to review DAAPM, templates and job aids below in preparation for the transitioning of Single User and Multi-User Standalones to RMF effective October 3, 2016.

Policy and Guidance

• National Industrial Security Program Operating Manual
• NIST 800-53 Security & privacy Controls for Federal Information Systems and Organizations
• ODAA Process Manual
• JSIG Guidance for Special Access Programs (SAP)
• DSS Assessments and Authorization Process Manual
• Committee on National Security Systems Instruction (CNSSI) 1253 (March 2014)
• DoD 8510.01 Risk Management Framework for DoD Information Technology

Resources

• Getting Started with Risk Management Framework (October 2016)
• NISPOM to NIST 800-53v4 Security Control Mapping (May 2016)
• Plan of Action and Milestones (POA&M) Job Aid
• Plan of Action and Milestones (POA&M)
• SCAP Compliance Checker & DISA STIG Viewer
• DISA STIG Viewer
• System Security Plan Template (October 2016)
• System Security Plan Template Appendices (August 2016)
• Technical Assessment Guide for Windows 7 Operating Systems
• Technical Assessment Guide for Windows 10 Operating Systems
• Technical Assessment Guide for Windows Server 2012 Operating Systems
• Technical Assessment Guide for RHEL 6
• ISSM-ISSO Appointment Letter Template
• National Industrial Security Program Authorization Office (NAO) Homepage
• Risk Assessment Report Template (September 2016)

Training

• CDSE
• Introduction to the Risk Management Framework
• Getting Started with the SCAP compliance checker and STIG Viewer
• Applying the Risk Management Framework to Federal Information Systems
• DSS RMF Training Slides (August 2016)

Toolkits

• SCAP Compliant Tools and Products