CNSSP-22: Information Assurance Risk Management for NSS
CNSSP-22 establishes the overarching risk management framework governing Information Assurance (IA) across National Security Systems (NSS) operated by the United States federal government. Issued by the Committee on National Security Systems (CNSS), the policy sets binding requirements for how federal departments and agencies assess, manage, and accept risk on systems that process classified information or are otherwise critical to national security. The policy occupies a distinct position in the NSS regulatory hierarchy, operating in parallel with — but separately from — frameworks such as NIST SP 800-37 that govern non-NSS federal systems.
Definition and scope
CNSSP-22 defines an IA risk management approach that applies specifically to NSS as designated under 44 U.S.C. § 3552(b)(6) and 10 U.S.C. § 2315. NSS are distinguished from ordinary federal information systems by two principal criteria: they carry classified information, or their function is so critical to military or intelligence operations that compromise would directly affect national security. This distinction is the foundational boundary separating CNSSP-22's scope from the broader FISMA-governed landscape administered by NIST and OMB.
The policy mandates that all federal departments, agencies, and contractors operating NSS implement a structured, continuous risk management process. The CNSS Secretariat, hosted within the National Security Agency (NSA), maintains and promulgates CNSSP-22 as a directive applicable to the entire NSS community. Compliance is not discretionary — agencies operating NSS must demonstrate adherence as a condition of system authorization.
CNSSP-22 is one of roughly 30 CNSS policies and instructions governing the NSS environment. Its specific focus on risk management differentiates it from CNSSI 1253, which prescribes security categorization and control selection, and from CNSSP-15, which governs the use of public standards for secure information systems.
How it works
CNSSP-22 operationalizes risk management through a lifecycle framework aligned to — but not identical with — the NIST Risk Management Framework (RMF). The six primary phases under the policy are:
- Categorize — Classify the NSS based on the potential impact of a security breach to national security, using criteria from CNSSI 1253 rather than FIPS 199, which applies only to non-NSS federal systems.
- Select — Choose appropriate security controls from the NSS overlay of NIST SP 800-53, tailored to mission requirements.
- Implement — Deploy and configure the selected controls across system components.
- Assess — Evaluate whether controls are implemented correctly and operating as intended; assessments are conducted by independent assessors meeting CNSS-defined qualification standards.
- Authorize — A designated Authorizing Official (AO) with explicit authority over the NSS issues an Authorization to Operate (ATO) based on documented residual risk.
- Monitor — Continuous monitoring of control effectiveness, with defined reporting cadences back to the AO and the relevant security oversight body.
A critical structural distinction between CNSSP-22's application and standard RMF implementation concerns the role of the AO. For NSS, the AO must hold a security clearance commensurate with the classification level of the system — a requirement with no direct analog in civilian agency RMF implementations.
Common scenarios
CNSSP-22 applies across a defined set of operational contexts that recur throughout the NSS community:
- Intelligence community system accreditation — Agencies within the Intelligence Community (IC), including NSA, CIA, and DIA, apply CNSSP-22 when authorizing systems that process Sensitive Compartmented Information (SCI). IC-specific overlays supplement the baseline CNSSP-22 process through Intelligence Community Directive (ICD) 503.
- Defense acquisition programs — Major defense acquisition programs (MDAPs) governed by the Department of Defense (DoD) must satisfy CNSSP-22 requirements under DoDI 8510.01, which integrates the RMF for DoD IT and explicitly addresses NSS categorization.
- Cross-domain solutions (CDS) — Systems that transfer data between security domains of differing classification levels face a specialized application of CNSSP-22 risk management, requiring Unified Cross Domain Management Office (UCDMO) baseline approval in addition to standard ATO issuance.
- Contractor-operated NSS — Defense contractors operating government-furnished NSS under facility security clearances must apply CNSSP-22 under oversight from the Defense Counterintelligence and Security Agency (DCSA), formerly DSS.
Each scenario involves a distinct Authorizing Official structure, different oversight chains, and in some cases additional overlay requirements that extend beyond the baseline CNSSP-22 text.
Decision boundaries
Understanding when CNSSP-22 applies — as opposed to standard FISMA/RMF requirements — requires applying the NSS designation test. A system meets the NSS threshold if it satisfies any of the following conditions established in statute:
- The system is used or operated by a department or agency of the US government for intelligence activities.
- The system is used for cryptologic activities related to national security.
- The system is used for command and control of military forces.
- The system involves equipment that is an integral part of a weapon or weapons system.
- The system is critical to the direct fulfillment of military or intelligence missions (excluding routine administrative systems).
Systems that fail all five conditions fall under standard FISMA governance — not CNSSP-22. Systems that satisfy even one condition are NSS and must follow the CNSS policy framework regardless of the agency's broader IT governance posture.
A secondary decision boundary separates CNSSP-22 from CNSSI 1253: CNSSP-22 governs the risk management process, while CNSSI 1253 governs the security categorization and control selection methodology. Practitioners must apply both documents in sequence — CNSSI 1253 for Step 1 (Categorize) and Step 2 (Select), and CNSSP-22 as the overarching policy authority governing all six phases.
References
- Committee on National Security Systems (CNSS)
- CNSSI 1253 — Security Categorization and Control Selection for NSS
- NIST SP 800-37 Rev. 2 — Risk Management Framework
- NIST SP 800-53 Rev. 5 — Security and Privacy Controls
- DoDI 8510.01 — Risk Management Framework for DoD Information Technology
- Intelligence Community Directive (ICD) 503
- 44 U.S.C. § 3552 — Definitions (FISMA)
- Defense Counterintelligence and Security Agency (DCSA)