ODAA Update Overview July 2014

Defense Security Service
ODAA Update
July 2014
ODAA Update Agenda
• ODAA Business Management System
(OBMS) Deployment
• SIPRnet Program Oversight
• Command Cyber-Readiness Inspection
(CCRI) Program
• ODAA Process Guide
• Questions and Discussion
OBMS Deployment
ODAA Business Management System (OBMS)
• OBMS deployment is scheduled for July 15, 2014.
• System users will need Public Key Infrastructure (PKI) or
External Certificate Authority (ECA) credentials to access OBMS.
• OBMS Training is available through STePP and is listed under
course number CS120.16 for the OBMS External “Submitter”
• Users will first establish Single Sign On (SSO) accounts and
then request access to OBMS using the individual SSO account.
• Problems or questions should be directed to the assigned
Information System Security Professional (ISSP)/Industrial
Security Specialist (ISR) or may be sent to the ODAA mailbox
(ODAA@DSS.MIL) with a courtesy copy to the ISSP/ISR.
After OBMS Deployment
ODAA Business Management System (OBMS)
• A six month transition period from OBMS deployment to ODAA
ending the email submission process.
• After transitioning a CAGE to OBMS, use only OBMS for security
plan submissions (not both email and OBMS from same CAGE)
• ISSMs should transition to an “Interconnected” Master System
Security Plan (MSSP) for interconnected systems.
• Some previously submitted under Multi-User or Local Area
Network (LAN) MSSPs
• OBMS will not allow submission of an interconnected system
under a LAN or Multi-User System MSSP.
SIPRNet Program
• SIPRNet nodes should meet applicable DoD requirements from
the time of initial accreditation, not just for CCRIs
• SIPRNet circuits may not be extended into other facilities or sites
(i.e. from Gov’t sponsor to Contractor site)
• Government sponsors of SIPRNet (and a few NIPRNet) nodes at
contractor sites are responsible for providing and/or funding
• Computer Network Defense Service Provider (CNDSP)
• Host Based Security System (HBSS)
• SIPRNet email, and/or DNS services, etc required for
program support
• Sponsors should also provide appropriate DoD IA tools
• NISP Sites are Doing well on CCRI Overall
• Planning, coordination, and partnering have been key
• The DoD SIPRNet compliance and oversight program is evolving
• Enhanced requirements and scoring
• Compliance throughout the lifecycle of a system
• DSS is still transitioning the NISP CCRI program from DISA
• Training and certification of staff ongoing
• DSS has conducted several “DSS Only” CCRIs
• Will still see joint CCRI teams with DISA and DSS
• DSS expects 40 – 50 contractor sites to undergo CCRI in
FY15 with some conducted by DSS, others by DISA
• Begin planning for Phase IV scoring and transition to
ACAS vice Retina scanner.
ODAA Manual and Templates
• Revision 3.2 of the manual has been effective since May 2014.
• Most significant change was removable media controls
• Format and structure of the manual also changed
• The National Industrial Security Program Operating
Manual (NISPOM) conforming change 2 is in coordination.
• As currently drafted will significantly change NISPOM
Chapter 8
• Language redirects many requirements to “CSA provided
guidance” which is the ODAA manual
• Updated security plan templates were issued
• Received feedback for updates to implement