By Lon J. Berman, CISSP, RDRP
Organizations performing classified work for DoD (aka. Cleared Contractor Facilities) are governed by the National Industrial Security Program (NISP). NISP is administered by the Defense Counterintelligence and Security Agency (DCSA), formerly known as the Defense Security Service (DSS). In general, companies covered by NISP engage in one or more of the following activities:
- Maintaining cleared personnel
- “Safeguarding” printed classified material on their premises
- Operating classified information systems on their premises
All classified contractors maintain personnel clearances, and for many companies, that is as far as it goes – all cleared personnel are working “on site” at DoD or prime contractor facilities and no classified information is present at the company’s own location(s). The subset of classified contractors who actually operate classified information systems on their own premises are subject to Assessment and Authorization (A&A) and therefore must comply with RMF requirements.
The DCSA Assessment and Authorization Program Manual (DAAPM) is the governing document for RMF that applies to the classified contractor community. While closely resembling the “generic” RMF process as described in DoD and NIST publications (e.g., DoDI 8510.01, NIST SP 800-37), DCSA has “tailored” the process to best fit the needs of the community. Here are some examples:
- The Security Control Assessor (SCA) role is assigned to DCSA Information System Security Professionals (ISSPs).
- The role of Data Transfer Agent (DTA) has been added.
- Information System Security Managers (ISSMs) are subject to specific training requirements selected from the DCSA Center for the Development of Security Excellence (CDSE).
- System categorization levels for Confidentiality are limited to High and Moderate categorization of Low is not permitted due to the presence of classified material. Categorization levels for Integrity and Availability can still be High, Moderate or Low.
- DCSA has developed Overlays to address three types of systems in common use at cleared contractor facilities: Single User Standalone (SUSA), Multi User Standalone (MUSA) and Isolated LAN. Because of their limited connectivity many controls have been removed from the customary RMF baselines with these overlays.
As is the case for most DoD organizations, cleared contractors are now using the Enterprise Mission Assurance Security Service (eMASS) tool to build their RMF documentation package. A specific “version” of eMASS called “NISP eMASS” has been developed for classified contractors and is accessible at https://nisp.emass.apps.mil. NISP eMASS is configured with the roles, categorization limitation and overlays as described above. Other “unique features” of NISP eMASS include:
- NISP eMASS is Unclassified. eMASS Asset Manager module is not used in NISP eMASS, since scans, checklists and other technical artifacts will contain classified information. Additionally, users are cautioned not to upload any other system artifacts that are Classified.
- The Approval Chains have been customized to reflect the DCSA roles and responsibilities. For example, step 2 in the Control Approval Chain is assigned to the DCSA ISSP.
- NISP eMASS is accessible with an External Certificate Authority (ECA) certificate – other eMASS versions require a DoD Common Access Card (CAC).