Electronic Control Plan
When an entity is under FOCI mitigation (Voting Trust, Proxy Agreement, Special
Security Agreement and Security Control Agreement) the NISPOM requires an
electronic control plan (ECP) to be developed and implemented within 45 days of
the FOCI mitigation.
ECPs must include a detailed network description and configuration diagrams
delineating which networks will be shared and which will be protected from
foreign access, while also addressing firewalls, remote administration,
monitoring, and separate e-mail servers, as applicable. DSS is responsible for
determining the needed for an ECP and approval of the plan.
Effective September 1, 2010, companies under existing FOCI mitigation agreements
that require an ECP are required to be compliant with the new ECP rules by the
date of their next annual DSS security inspection. The DTM 09-019, September 2,
2009, (incorporating change 1, June 8, 2010) provides additional guidance
regarding the content of the Electronic Communication Plans (ECP) that companies
are required to adopt.
DISCLAIMER: The Appearance of non-government information does not constitute endorsement by the U.S. Army