
Department of Defense (DoD) NIST RMF Cybersecurity & Compliance Experts

Department of Defense (DoD) RMF cybersecurity and compliance services for federal contractors working within North America’s Defense Industrial Base (DIB).

With a Broad Range of Expertise & Experience

Our expertise is multi-faceted, covering a wide range of Department of Defense (DoD) rules and regulations. Defense contractors face a growing list of information security, cybersecurity, and data privacy reporting requirements, and Arlington offers services and solutions for the more than 400,000 organizations within the broader Defense Industrial Base (DIB).
Our personnel hold numerous data privacy and cybersecurity certifications, but more than that, we bring to the table decades of experience working in various areas within the DoD and America’s intelligence apparatus.
From designing cloud-based solutions to performing third-party security assessment reports – and more – Arlington’s expertise is well-known within the DoD landscape. Harnessing the skills of proven experts, then delivering results to our clients – on time and within budget – is how business is done when working with our firm.
From coast to coast, defense contractors turn to us for assistance, and Arlington delivers.

Decades of Defense Expertise


With Arlington as your trusted advisor, you’ll be aligned with a firm that’s Dedicated to Defense®, offering proven services and solutions to DoD contractors. Services offered from our trusted professionals include the following: 

  • Compliance Frameworks

    Our expertise covers a wide-range of DoD compliance rules, regulations, and frameworks, including, but not limited to: NIST RMF/eMASS, NIST 800-171, CMMC, FISMA, FedRAMP, and more.

  • NIST DoD InfoSec Policy Writing

    Essential for many DoD contractors in fulfilling a combination of compliance and contractual requirements is documentation. Arlington has been an industry leader in developing NIST SP 800 specific information security policies and procedures for two decades. DoD contractors quickly realize the importance – and huge time commitments – it takes to develop policy documentation, and it’s why they turn to us for assistance.
  • Risk Assessments

    Assessing organizational risk is an important component for long-term survival, growth and profits in today’s competitive DoD landscape. Additionally, assessing risk is often a strict contractual and compliance requirement for DoD contractors. Arlington has developed comprehensive, efficient, and measurable risk assessment & risk management techniques that bring true value to organizations.

  • Incident Response Programs

    One of the most fundamentally important measures any DoD contractor must have in place is a comprehensive, well-written incident response plan. While ensuring the safety and security of organizational assets is critical during an incident, so is reporting cyber incidents to the DoD within 72 hours of discovery, as DFARS 252.204-7012 requires. Arlington has helped hundreds of defense contractors develop customized incident response plans for any type of environment – and scenario – imaginable.
  • Contingency Planning Programs

    Proper disaster recovery and contingency planning often is the difference between organizations that survive disasters and those that don’t recover. Arlington offers expert BCDRP/CP services, ranging from customized plans to using our ready-made templates.
  • Insider Threat Programs

    Cleared contractors are also required under the NISPOM (32 CFR Part 117) to establish and maintain an Insider Threat Program. We have years of experience in building and launching Insider Threat Programs for DoD contractors all throughout North America.

  • Tabletop Exercises

    Testing one’s incident response plan and BCDRP/CP plan is a must – and also a strict compliance requirement. Arlington has developed hundreds of tabletop exercises over the years, many of them available from our repository of templates.
  • Continuous Monitoring

    Need your environment monitored regularly? We offer DoDConMon-as-a-Service solutions for DoD contractors through our virtual compliance officer and virtual CISO offerings.

  • Additional Program and Plan Development

    With NIST SP 800-53, Revision 5, which now includes twenty (20) control families, there are additional requirements for developing various program and plan documents. Arlington can assist, as we’re experts when it comes to NIST RMF.

Frequently Asked Questions


FISMA

What is FISMA?

The Federal Information Security Management Act of 2002 (FISMA) is a United States federal law enacted as Title III of the E-Government Act of 2002. The act recognized the importance of information security to the economic and national security interests of the United States. In 2014, President Barack Obama signed into law the Federal Information Security Modernization Act of 2014, which amended and largely superseded the 2002 Federal Information Security Management Act. In short, FISMA is still called FISMA.

While FISMA is the law, the standards and guidance for complying with it come from NIST. FIPS 199 (security categorization) and FIPS 200 (minimum security requirements) are the mandatory standards, and NIST SP 800-53 is the catalog of security and privacy controls that FIPS 200 requires organizations to select from. Lastly, the NIST Risk Management Framework (RMF), described in NIST SP 800-37, is a comprehensive, flexible, risk-based approach and process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle, and it is the process organizations follow when working towards FISMA compliance.

FISMA also has three impact levels - HIGH, MODERATE, and LOW. Formally, the level is set under FIPS 199 by rating the potential impact of a loss of confidentiality, integrity, and availability for each information type the system handles and taking the highest rating (the "high-water mark"). In practice, determining which impact level you need to comply with often begins by assessing your external compliance requirements - and more specifically - who is asking you to become FISMA compliant.
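To make the high-water-mark rule concrete, here is an added example (written for this page; it is not Arlington's or NIST's code) that computes the FIPS 199 security category of a system from per-information-type ratings. The information-type names and ratings in SAMPLE_INFO_TYPES are constructed for illustration and are assumptions, not taken from the page.

```python
"""FIPS 199 security categorization (high-water mark).

Each information type handled by a system is rated LOW, MODERATE or HIGH
(or N/A, allowed only for the confidentiality of public information) for
each security objective. The system's rating for an objective is the
highest rating of any information type for that objective, and the overall
impact level is the highest rating across the three objectives. FIPS 199
does not allow N/A for a system, so the floor for a system is LOW.
"""
from typing import Dict

OBJECTIVES = ("confidentiality", "integrity", "availability")
# N/A ranks below LOW; it is valid only for an information type, never a system.
_RANK = {"N/A": -1, "LOW": 0, "MODERATE": 1, "HIGH": 2}

InfoTypes = Dict[str, Dict[str, str]]


def _normalize(level: str, objective: str, info_type: str) -> str:
    """Validate a rating and return it in canonical upper-case form."""
    lvl = level.strip().upper()
    if lvl not in _RANK:
        raise ValueError(f"{info_type}/{objective}: unknown impact level {level!r}")
    if lvl == "N/A" and objective != "confidentiality":
        # FIPS 199 permits N/A only for confidentiality (e.g. public information).
        raise ValueError(f"{info_type}/{objective}: N/A is only allowed for confidentiality")
    return lvl


def categorize_objectives(info_types: InfoTypes) -> Dict[str, str]:
    """Per-objective high-water mark across all information types (floor LOW)."""
    if not info_types:
        raise ValueError("at least one information type is required")
    result = {obj: "LOW" for obj in OBJECTIVES}
    for name, ratings in info_types.items():
        for obj in OBJECTIVES:
            lvl = _normalize(ratings[obj], obj, name)
            if _RANK[lvl] > _RANK[result[obj]]:
                result[obj] = lvl
    return result


def system_impact_level(info_types: InfoTypes) -> str:
    """Overall system impact level: the highest of the three objective ratings."""
    return max(categorize_objectives(info_types).values(), key=_RANK.__getitem__)


def security_category(info_types: InfoTypes) -> str:
    """Render the FIPS 199 'SC' notation for the system."""
    objs = categorize_objectives(info_types)
    inner = ", ".join(f"({obj}, {objs[obj]})" for obj in OBJECTIVES)
    return "SC = {" + inner + "}"


# Constructed sample: a hypothetical contractor system (assumption, not from the page).
SAMPLE_INFO_TYPES: InfoTypes = {
    "public_web_content": {"confidentiality": "N/A", "integrity": "LOW", "availability": "LOW"},
    "contract_financials": {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
    "cui_technical_data": {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
}

if __name__ == "__main__":
    print(security_category(SAMPLE_INFO_TYPES))
    print("System impact level:", system_impact_level(SAMPLE_INFO_TYPES))
```

For the constructed sample the per-objective result is MODERATE/MODERATE/LOW and the system level is MODERATE. Note that this is the formal categorization; for CUI on contractor systems, NIST SP 800-171 (invoked by DFARS 252.204-7012) is derived from the moderate confidentiality baseline, so a contractor handling CUI should expect at least MODERATE for confidentiality regardless of what its own information-type inventory says.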

From Beginning to End, Complete Project Management for FISMA

With Arlington, we can manage your entire FISMA compliance engagement from beginning to end (i.e., from the initial FISMA scoping & gap assessment to post-Authorization to Operate (ATO) activities), providing essential services for getting you to the finish line in terms of FISMA compliance.  Core services and solutions offered include the following:

  • Scoping & Gap (i.e., Readiness) Assessments
  • Remediation Services (Policy and Procedures writing)
  • Remediation Services (Technical and Operational)
  • System Security Plan (SSP) Development
  • Independent Security Assessment Reports (SAR)
  • Continuous Monitoring (ConMon) Services

Arlington Security Portal

Get Access to 100 + NIST RMF security and privacy policies & procedures, programs, and plan templates.

As a federal contractor, what constitutes FISMA compliance?

An independent audit, accompanied by a Security Assessment Report (SAR) is used for reporting on FISMA.  Per NIST, a SAR “Provides a disciplined and structured approach for documenting the findings of the assessor and the recommendations for correcting any identified vulnerabilities in the security controls.” 

But that’s not a hard and fast rule. At times, we’ve seen where federal contractors can provide only a System Security Plan (SSP) detailing their control environment against the NIST SP 800-53 controls. Other times, we’ve seen a simple statement of compliance given to federal contractors by a consulting firm.  It all depends on who is asking for FISMA compliance. If it’s a federal agency, then expect to produce both an SSP and a SAR. 


NIST Risk Management Framework (RMF)

What is the NIST Risk Management Framework (RMF)?

The NIST RMF is a comprehensive, flexible, risk-based approach and process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle. Additionally, the RMF is purposefully designed to be technology neutral so that the methodology can be applied to any type of information system without modification. As such, the RMF provides a dynamic and flexible approach to effectively manage security and privacy risks in diverse environments with complex and sophisticated threats, evolving missions and business functions, and changing system and organizational vulnerabilities.

There are seven (7) steps within the NIST RMF, which are the following:

  1. Prepare
  2. Categorize
  3. Select
  4. Implement
  5. Assess
  6. Authorize
  7. Monitor

DoD and other federal contractors providing services to governmental agencies have strict requirements for implementing the NIST RMF - and showcasing compliance - through a wide range of regulatory reporting frameworks & mandates (DFARS 252.204-7012 / NIST SP 800-171, CMMC, FISMA, FedRAMP, NISP eMASS, and more). 

To learn more about the NIST RMF, visit https://csrc.nist.gov/projects/risk-management/about-rmf

Trusted Providers of NIST RMF Services & Solutions

Arlington offers the following NIST RMF services & solutions to DoD and other federal contractors:

  • Compliance Reporting for FedRAMP, FISMA, eMASS, CMMC, 800-171, ITAR/EAR, and more.
  • Scoping & Gap Assessments
  • Policies & Procedures Development
  • Program Documentation Development
  • System Security Plans (SSP)
  • Security Assessment Reports (SAR)
  • Remediation Assistance
  • ATO Assistance


What’s important to note about the PREPARE step within the NIST RMF for DoD Contractors?

Per NIST, the PREPARE step was incorporated to achieve more effective, efficient, and cost-effective security and privacy risk management processes. Tasks in the Prepare step directly support subsequent RMF steps and are largely derived from guidance in other NIST publications. As such, organizations may have already implemented many of the tasks in the Prepare step as part of organization-wide risk management.

Without adequate risk management preparation at the organizational and system levels, security and privacy activities can become too costly, demand too many skilled security and privacy professionals, and produce ineffective solutions.


NIST RMF eMASS

What exactly is eMASS?

Per the Defense Counterintelligence and Security Agency (DCSA), “eMASS is a government owned web-based application with a broad range of services for comprehensive fully integrated cybersecurity management. Features include dashboard reporting, controls scorecard measurement, and the generation of a system security authorization package. eMASS provides an integrated suite of authorization capabilities and prevents cyber-attacks by establishing strict process control mechanisms for obtaining authorization decisions.”  Look at eMASS as the system of record for assessment and authorizations of industry classified systems.

U.S. Government policy is that all classified information must be appropriately safeguarded to assure the confidentiality and integrity of that information, as well as its availability when required by contract. The Defense Counterintelligence and Security Agency (DCSA) Assessment and Authorization Process Manual (DAAPM) sets out the process for cleared contractors participating in the National Industrial Security Program (NISP), and the Enterprise Mission Assurance Support Service (eMASS) web-based application is the vehicle cleared contractors use to submit and track their Assessment and Authorization (A&A) packages.

From Beginning to End, Complete Project Management for NIST RMF A&A within eMASS

With Arlington, we can manage your entire NIST RMF A&A process within eMASS from beginning to end (i.e., from the initial NIST RMF eMASS scoping & gap assessment to post-Authorization to Operate (ATO) activities), providing essential services for getting you to the finish line in terms of your ATO.  Core services and solutions offered include the following:

  • Scoping & Gap (i.e., Readiness) Assessments
  • Remediation Services (Policy and Procedures writing)
  • Remediation Services (Technical and Operational)
  • System Security Plan (SSP) Development
  • Completion of eMASS Export Control Spreadsheets
  • Continuous Monitoring (ConMon) Services


Where are the family of controls within eMASS derived from?

The control requirements found within eMASS’ exportable spreadsheets come directly from the NIST SP 800-53 publication.  Because of this, federal contractors working to achieve authorization designation will need to have in place comprehensive policies and procedures. To be specific, cleared contractors will need to have a large number of policies, procedures, programs, and plans in place for achieving Authorization to Operate (ATO) as part of the NISP NIST RMF A&A process within eMASS. 

Over the years, developing NIST SP 800-53 specific security documents has been one of the most difficult, time-consuming, and challenging measures for cleared contractors. To help speed up the process greatly, we developed the Arlington Security Portal (ASP), an online repository of world-class, industry leading security policies & procedures, programs, plans – and other highly essential documents & templates developed specifically on the NIST Risk Management Framework (RMF) 800 series of publications for information security, cybersecurity, and privacy control families.


Incident Response

Must all DoD Contractors have a documented Incident Response Plan in place?

Yes, contractors are required by various legal, regulatory, and contractual requirements within the broader defense industry to have a documented incident response plan in place. 

Need a Documented Incident Response Plan? Talk to Arlington

DoD contractors - and other contractors providing services to federal agencies - need to have in place a well-documented incident response plan. With Arlington, we offer two (2) options. We can develop a customized incident response plan for your organization, or you can simply visit the Arlington Security Portal (ASP) and download our industry leading incident response plan template for DoD contractors, along with dozens of other high-quality NIST RMF policies, procedures, programs, plans – and other highly essential documents & templates.


What is the window for reporting suspected or actual breaches to the DoD?

Because the DoD must be able to respond quickly to change operational plans and to implement measures against new threats and vulnerabilities, contractors are required under DFARS 252.204-7012 to rapidly report cyber incidents that affect covered defense information, or the contractor's ability to provide operationally critical support, to DoD within 72 hours of discovery. Reports are submitted through the DIBNet portal (https://dibnet.dod.mil), which requires a DoD-approved medium assurance certificate, so obtain the certificate before an incident occurs rather than during one. Additionally, contractors must cooperate with DoD to respond to security incidents, which means preserving and protecting all evidence (the clause requires preserving images of all known affected information systems and all relevant monitoring/packet capture data for at least 90 days from submission of the report) and capturing as much information about the incident as possible.


What is CUI?

CUI is Controlled Unclassified Information. CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable laws, regulations, and government-wide policies, but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended. Although this type of information is not considered “classified,” it is still sensitive and requires protection. 

More specifically, CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information. 

Remember, CUI is not a classification. Therefore, information cannot be “classified as CUI;” rather, this type of information is designated as CUI. In some cases, CUI designations replace For Official Use Only (FOUO) and Sensitive but Unclassified (SBU) designations and markings.

Need to Implement a DoD CUI Program? Talk to Arlington

DoD contractors - and other contractors providing services to federal agencies - need to have in place established policies, procedures, and processes regarding CUI that’s resident within their information systems. What federal contractors need is a CUI Program. Arlington can help, as we offer the following CUI services and solutions:

  • CUI Scoping & Gap Assessments
  • CUI Policy Development
  • CUI Identification
  • CUI Contractual Language Review
  • CUI Marking (Digital)
  • CUI Marking (Physical)


Is corporate intellectual property considered CUI?

No, unless such IP was created for, or included in requirements, relating to a government contract.  Per DCSA, “This includes information and material related to or associated with the following categories when created specifically for the DoD:

  • A company’s products, business, or activities, including but not limited to financial information
  • Data or statements
  • Trade secrets
  • Product research and development
  • Existing and future product designs and performance specifications
  • Marketing plans or techniques
  • Schematics
  • Client lists
  • Computer programs
  • Processes

Source: https://www.dcsa.mil/Portals/91/Documents/CTP/CUI/21-10-13%20CUI%20FAQ%20FINAL.pdf


FedRAMP

What is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program for promoting the adoption of secure cloud services across the federal government by providing a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.  FedRAMP has grown tremendously in recent years as Cloud Service Providers (CSP) continue to provide more and more services to federal agencies.

From Beginning to End, Complete Project Management for FedRAMP

With Arlington, we can manage your entire FedRAMP authorization process from beginning to end (i.e., from the initial FedRAMP scoping & gap assessment to post-Authorization to Operate (ATO) activities), providing essential services for getting you to the finish line in terms of your ATO.  Core services and solutions offered include the following:

  • RFP Services
  • Scoping & Gap (i.e., Readiness) Assessments
  • Remediation Services
  • Managing the official Security Assessment Audit
  • System Security Plan (SSP) Development
  • Continuous Monitoring Services


Is FedRAMP a requirement for specific federal contractors?

Yes. FedRAMP is mandatory for all executive agency cloud deployments and service models at the Low, Moderate, and High impact levels, a mandate codified in the FedRAMP Authorization Act of 2022. The obligation sits with the agencies, which in turn means a Cloud Service Provider (CSP) must hold a FedRAMP authorization before an executive agency can use its service; a contractor whose cloud offering is sold to federal agencies should therefore expect FedRAMP to appear as a contractual requirement.
