ODAA Update July 2014

1. ODAA Update July 2014

2. ODAA Update Agenda • ODAA Business Management System (OBMS) Deployment • SIPRnet Program Oversight • Command Cyber-Readiness Inspection (CCRI) Program • ODAA Process Guide • Questions and Discussion

3. OBMS Deployment • ODAA Business Management System (OBMS) • OBMS deployment is scheduled for July 15, 2014. • System users will need Public Key Infrastructure (PKI) or External Certificate Authority (ECA) credentials to access OBMS. • OBMS Training is available through STePPand is listed under course number CS120.16 fortheOBMSExternal “Submitter” role. • Users will first establish Single Sign On (SSO) accounts and then request access to OBMS using the individual SSO account. • Problems or questions should be directed to the assigned Information System Security Professional (ISSP)/Industrial Security Specialist (ISR) or may be sent to the ODAA mailbox (ODAA@DSS.MIL) with a courtesy copy to the ISSP/ISR.

4. After OBMS Deployment • ODAA Business Management System (OBMS) • A six month transition period from OBMS deployment to ODAA ending the email submission process. • After transitioning a CAGE to OBMS, use only OBMS for security plan submissions (not both email and OBMS from same CAGE) • ISSMs should transition to an “Interconnected” Master System Security Plan (MSSP) for interconnected systems. • Some previously submitted under Multi-User or Local Area Network (LAN) MSSPs • OBMS will not allow submission of an interconnected system under a LAN or Multi-User System MSSP.

5. SIPRNet Program • SIPRNetnodes should meet applicable DoD requirements from the time of initial accreditation, not just for CCRIs • SIPRNetcircuits may not be extended into other facilities or sites (i.e. from Gov’t sponsor to Contractor site) • Government sponsors of SIPRNet (and a few NIPRNet) nodes at contractor sites are responsible for providing and/or funding • Computer Network Defense Service Provider (CNDSP) • Host Based Security System (HBSS) • SIPRNet email, and/or DNS services, etc required for program support • Sponsors should also provide appropriate DoD IA tools

6. CCRI UPDATE • NISP Sites are Doing well on CCRI Overall • Planning, coordination, and partnering have been key • The DoD SIPRNet compliance and oversight program is evolving • Enhanced requirements and scoring • Compliance throughout the lifecycle of a system • DSS is still transitioning the NISP CCRI program from DISA • Training and certification of staff ongoing • DSS has conducted several “DSS Only” CCRIs • Will still see joint CCRI teams with DISA and DSS • DSS expects 40 – 50 contractor sites to undergo CCRI in FY15 with some conducted by DSS, others by DISA • Begin planning for Phase IV scoring and transition to ACAS vice Retina scanner.

7. ODAA Manual and Templates • Revision 3.2 of the manual has been effective since May 2014. • Most significant change was removable media controls • Format and structure of the manual also changed • The National Industrial Security Program Operating Manual (NISPOM) conforming change 2 is in coordination. • As currently drafted will significantly change NISPOM Chapter 8 • Language redirects many requirements to “CSA provided guidance” which is the ODAA manual • Updated security plan templates were issued • Received feedback for updates to implement

8. Questions And Discussion