Accessibility Tools

Skip to main content

Access World-Class NIST RMF Documentation with ASP Learn More

Department of Defense (DoD) NIST RMF Cybersecurity & Compliance Experts

Department of Defense (DoD) RMF cybersecurity and compliance services for federal contractors working within North America’s Defense Industrial Base (DIB).

With a Broad Range of Expertise & Experience

Our expertise is multi-faceted, offering industry leading services for a wide-range of Department of Defense (DoD) rules and regulations. Defense contractors are being hit hard with a laundry list of information security, cybersecurity, and data privacy reporting requirements, and Arlington offers unmatched services and solutions for helping the more than 400,000 + organizations within the broader Defense Industrial Base (DIB).
Our personnel hold numerous data privacy and cybersecurity certifications, but more than that, we bring to the table decades of experience working in various areas within the DoD and America’s intelligence apparatus.
From designing cloud-based solutions to performing third-party security assessment reports – and more – Arlington’s expertise is well-known within the DoD landscape. Harnessing the skills of proven experts, then delivering results to our clients – on time and within budget – is how business is done when working with our firm.
From coast to coast, defense contractors turn to us for assistance, and Arlington delivers.

Decades of Defense Expertise


With Arlington as your trusted advisor, you’ll be aligned with a firm that’s Dedicated to Defense®, offering proven services and solutions to DoD contractors. Services offered from our trusted professionals include the following: 

Compliance Frameworks

Our expertise covers a wide-range of DoD compliance rules, regulations, and frameworks, including, but not limited to: NIST RMF/eMASS, NIST 800-171, CMMC, FISMA, FedRAMP, and more.

NIST DoD InfoSec Policy Writing

Essential for many DoD contractors in fulfilling a combination of compliance and contractual requirements is documentation. Arlington has been an industry leader in developing NIST SP 800 specific information security policies and procedures for two decades. DoD contractors quickly realize the importance – and huge time commitments – it takes to develop policy documentation, and it’s why they turn to us for assistance.

Risk Assessments

Assessing organizational risk is an important component for long-term survival, growth and profits in today’s competitive DoD landscape. Additionally, assessing risk is often a strict contractual and compliance requirement for DoD contractors. Arlington has developed comprehensive, efficient, and measurable risk assessment & risk management techniques that bring true value to organizations.

Incident Response Programs

One of the most fundamentally important measures any DoD contractor must have in place is a comprehensive, well-written incident response plan. While ensuring the safety and security of organizational assets is critical during an incident, so is reporting to the DoD within a 72-hour window. Arlington has helped hundreds of defense contractors in developing customized incident response plans for any type of environment imaginable – and scenario.

Contingency Planning Programs

Proper disaster recovery and contingency planning often is the difference between organizations that survive disasters and those that don’t recover. Arlington offers expert BCDRP/CP services, ranging from customized plans to using our ready-made templates.

Insider Threat Programs

Another strict requirement for DoD contractors is implementing an Insider Threat Program. We have years of experience in building and launching Insider Threat Programs for DoD contractors all throughout North America.

Tabletop Exercises

Testing one’s incident response plan and BCDRP/CP plan is a must – and also a strict compliance requirement. Arlington has developed hundreds of tabletop exercises over the years, many of them available from our repository of templates.

Continuous Monitoring

Need your environment monitored regularly? We offer DoDConMon-as-a-Service solutions for DoD contractors through our virtual compliance officer and virtual CISO offerings.

Additional Program and Plan Development

With the enhancement of NIST SP 800-53, Revision 5 that now includes twenty (20) control families, there’s now additional requirements for developing various program and plan documents. Arlington can assist, as we’re experts when it comes to NIST RMF.

Frequently Asked Questions


FISMA

What is FISMA?

The Federal Information Security Management Act of 2002 is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002. The act essentially recognized the importance of information security to the economic and national security interests of the United States. In 2014, President Barack Obama signed into law the Federal Information Security Modernization Act, effectively amending the 2002 Federal Information Security Act. In short, FISMA is still called FISMA.

And while FISMA is the law, the all-important NIST SP 800-53 publication is the official standard to comply with FISMA.  And lastly, the NIST Risk Management Framework (RMF) is a comprehensive, flexible, risk-based approach and process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle, for which organizations are to follow when working towards achieving FISMA compliance. 

FISMA also has three different IMPACT levels - HIGH, MODERATE, and LOW. Determining which IMPACT level, you need to comply with often begins by assessing your external compliance requirements - and more specifically - who is asking you to become FISMA compliant.

From Beginning to End, Complete Project Management for FISMA

With Arlington, we can manage your entire FISMA compliance engagement from beginning to end (i.e., from the initial FISMA scoping & gap assessment to post-Authorization to Operate (ATO) activities), providing essential services for getting you to the finish line in terms of FISMA compliance.  Core services and solutions offered include the following:

  • Scoping & Gap (i.e., Readiness) Assessments
  • Remediation Services (Policy and Procedures writing)
  • Remediation Services (Technical and Operational)
  • System Security Plan (SSP) Development
  • Independent Security Assessment Reports (SAR)
  • Continuous Monitoring (ConMon) Services

Arlington Security Portal

Get Access to 100 + NIST RMF security and privacy policies & procedures, programs, and plan templates.

As a federal contractor, what constitutes FISMA compliance?

An independent audit, accompanied by a Security Assessment Report (SAR) is used for reporting on FISMA.  Per NIST, a SAR “Provides a disciplined and structured approach for documenting the findings of the assessor and the recommendations for correcting any identified vulnerabilities in the security controls.” 

But that’s not a hard and fast rule. At times, we’ve seen where federal contractors can provide only a System Security Plan (SSP) detailing their control environment against the NIST SP 800-53 controls. Other times, we’ve seen a simple statement of compliance given to federal contractors by a consulting firm.  It all depends on who is asking for FISMA compliance. If it’s a federal agency, then expect to produce both an SSP and a SAR. 

From Beginning to End, Complete Project Management for FISMA

With Arlington, we can manage your entire FISMA compliance engagement from beginning to end (i.e., from the initial FISMA scoping & gap assessment to post-Authorization to Operate (ATO) activities), providing essential services for getting you to the finish line in terms of FISMA compliance.  Core services and solutions offered include the following:

  • Scoping & Gap (i.e., Readiness) Assessments
  • Remediation Services (Policy and Procedures writing)
  • Remediation Services (Technical and Operational)
  • System Security Plan (SSP) Development
  • Independent Security Assessment Reports (SAR)
  • Continuous Monitoring (ConMon) Services

Arlington Security Portal

Get Access to 100 + NIST RMF security and privacy policies & procedures, programs, and plan templates.

NIST Risk Management Framework (RMF)

What is the NIST Risk Management Framework (RMF)?

The NIST RMF is a comprehensive, flexible, risk-based approach and process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle.  Additionally, the RMF is purposefully designed to be technology neutral so that the methodology can be applied to any type of information system without modification. As such, The RMF provides a dynamic and flexible approach to effectively manage security and privacy risks in diverse environments with complex and sophisticated threats, evolving missions and business functions, and changing system and organizational vulnerabilities.

There are seven (7) steps within the NIST RMF, which are the following:

  1. Prepare
  2. Categorize
  3. Select
  4. Implement
  5. Assess
  6. Authorize
  7. Monitor

DoD and other federal contractors providing services to governmental agencies have strict requirements for implementing the NIST RMF - and showcasing compliance - through a wide-range of regulatory reporting frameworks & mandates (DFARS NIST 800-171, CMMC, FISMA, FedRAMP, NISP eMASS, and more). 

To learn more about the NIST RMF, visit https://csrc.nist.gov/projects/risk-management/about-rmf

Trusted Providers of NIST RMF Services & Solutions

Arlington offers the following NIST RMF services & solutions to DoD and other federal contractors:

  • Compliance Reporting for FedRAMP, FISMA, eMASS, CMMC, 800-171, ITAR/EAR, and more.
  • Scoping & Gap Assessments
  • Policies & Procedures Development
  • Program Documentation Development
  • System Security Plans (SSP)
  • Security Assessment Reports (SAR)
  • Remediation Assistance
  • ATO Assistance

Arlington Security Portal

Get Access to 100 + NIST RMF security and privacy policies & procedures, programs, and plan templates.

What’s important to note about the PREPARE step within the NIST RMF for DoD Contractors?

Per NIST, The PREPARE step was incorporated to achieve more effective, efficient, and cost-effective security and privacy risk management processes. Tasks in the Prepare step directly support subsequent RMF steps and are largely derived from guidance in other NIST publications.  As such, organizations may have already implemented many of the tasks in the Prepare step as part of organization wide risk management.

Without adequate risk management preparation at the organizational and system levels, security and privacy activities can become too costly, demand too many skilled security and privacy professionals, and produce ineffective solutions.

Trusted Providers of NIST RMF Services & Solutions 

Arlington offers the following NIST RMF services & solutions to DoD and other federal contractors:

  • Compliance Reporting for FedRAMP, FISMA, eMASS, CMMC, 800-171, ITAR/EAR, and more.
  • Scoping & Gap Assessments
  • Policies & Procedures Development
  • Program Documentation Development
  • System Security Plans (SSP)
  • Security Assessment Reports (SAR)
  • Remediation Assistance
  • ATO Assistance

Arlington Security Portal

Get Access to 100 + NIST RMF security and privacy policies & procedures, programs, and plan templates.

NIST RMF eMASS

What exactly is eMAS?

Per the Defense Counterintelligence and Security Agency (DCSA), “eMASS is a government owned web-based application with a broad range of services for comprehensive fully integrated cybersecurity management. Features include dashboard reporting, controls scorecard measurement, and the generation of a system security authorization package. eMASS provides an integrated suite of authorization capabilities and prevents cyber-attacks by establishing strict process control mechanisms for obtaining authorization decisions.”  Look at eMASS as the system of record for assessment and authorizations of industry classified systems.

Therefore, U.S. Government policy is that all classified information must be appropriately safeguarded to assure the confidentiality and integrity of that information, as well as its availability when required by contract. As such, the Defense Counterintelligence and Security Agency (DCSA) Assessment and Authorization Process Manual (DAAPM) is intended for use by cleared contractors participating in the National Industrial Security Program (NISP). The Enterprise Mission Assurance Support Service (eMASS) web-based application is thus the very vehicle for which cleared contractors use for Assessment and Authorization purposes.

From Beginning to End, Complete Project Management for NIST RMF A&A within eMASS

With Arlington, we can manage your entire NIST RMF A&A process within eMASS from beginning to end (i.e., from the initial NIST RMF eMASS scoping & gap assessment to post-Authorization to Operate (ATO) activities), providing essential services for getting you to the finish line in terms of your ATO.  Core services and solutions offered include the following:

  • Scoping & Gap (i.e., Readiness) Assessments
  • Remediation Services (Policy and Procedures writing)
  • Remediation Services (Technical and Operational)
  • System Security Plan (SSP) Development
  • Completion of eMASS Export Control Spreadsheets
  • Continuous Monitoring (ConMon) Services

Arlington Security Portal

Get Access to 100 + NIST RMF security and privacy policies & procedures, programs, and plan templates.

Where are the family of controls within eMASS derived from?

The control requirements found within eMASS’ exportable spreadsheets come directly from the NIST SP 800-53 publication.  Because of this, federal contractors working to achieve authorization designation will need to have in place comprehensive policies and procedures. To be specific, cleared contractors will need to have a large number of policies, procedures, programs, and plans in place for achieving Authorization to Operate (ATO) as part of the NISP NIST RMF A&A process within eMASS. 

Over the years, developing NIST SP 800-53 specific security documents has been one of the most difficult, time-consuming, and challenging measures for cleared contractors.  To help speed the up the process greatly, we developed the Arlington Security Portal (ASP), an online repository of world-class, industry leading security policies & procedures, programs, plans – and other highly essential documents & templates developed specifically on the NIST Risk Management Framework (RMF) 800 series of publications for information security, cybersecurity, and privacy control families.

From Beginning to End, Complete Project Management for NIST RMF A&A within eMASS

With Arlington, we can manage your entire NIST RMF A&A process within eMASS from beginning to end (i.e., from the initial NIST RMF eMASS scoping & gap assessment to post-Authorization to Operate (ATO) activities), providing essential services for getting you to the finish line in terms of your ATO.  Core services and solutions offered include the following:

  • Scoping & Gap (i.e., Readiness) Assessments
  • Remediation Services (Policy and Procedures writing)
  • Remediation Services (Technical and Operational)
  • System Security Plan (SSP) Development
  • Completion of eMASS Export Control Spreadsheets
  • Continuous Monitoring (ConMon) Services

Arlington Security Portal

Get Access to 100 + NIST RMF security and privacy policies & procedures, programs, and plan templates.

Incident Response

Must all DoD Contractors have a documented Incident Response Plan in place?

Yes, contractors are required by various legal, regulatory, and contractual requirements within the broader defense industry to have a documented incident response plan in place. 

Need a Documented Incident Response Plan? Talk to Arlington

DoD contractors - and other contractors providing services to federal agencies - need to have in place a well-documented incident response plan. With Arlington, we offer two (2) options. We can develop a customized incident response plan for your organization, or you can simply visit the Arlington Security Portal (ASP) and download our industry leading incident response plan template for DoD contractors, along with dozens of other high-quality NIST RMF policies, procedures, programs, plans – and other highly essential documents & templates.

Arlington Security Portal

Get Access to 100 + NIST RMF security and privacy policies & procedures, programs, and plan templates.

What is the window for reporting suspected or actual breaches to the DoD?

Because the DoD must respond quickly to change operational plans and to implement measures to respond to new threats and vulnerabilities, contractors are to report any potential breaches to DoD within 72 hours of discovery of any incident.  Additionally, contractors must also cooperate with DoD to respond to security incidents, which means preserving and protecting all evidence and capturing as much information about the incident as possible.

Need a Documented Incident Response Plan? Talk to Arlington

DoD contractors - and other contractors providing services to federal agencies - need to have in place a well-documented incident response plan. With Arlington, we offer two (2) options. We can develop a customized incident response plan for your organization, or you can simply visit the Arlington Security Portal (ASP) and download our industry leading incident response plan template for DoD contractors, along with dozens of other high-quality NIST RMF policies, procedures, programs, plans – and other highly essential documents & templates.

Arlington Security Portal

Get Access to 100 + NIST RMF security and privacy policies & procedures, programs, and plan templates.

What is CUI?

CUI is Controlled Unclassified Information (CUI). CUI is information that requires safeguarding or dissemination of controls pursuant to and consistent with applicable laws, regulations, and government-wide policies, but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended. Although this type of information is not considered “classified,” it is still sensitive, important, and requires protection. 

More specifically, CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information. 

Remember, CUI is not a classification. Therefore, information cannot be “classified as CUI;” rather, this type of information is designated as CUI. In some cases, CUI designations replace For Official Use Only (FOUO) and Sensitive but Unclassified (SBU) designations and markings.

Need to Implement a DoD CUI Program? Talk to Arlington

DoD contractors - and other contractors providing services to federal agencies - need to have in place established policies, procedures, and processes regarding CUI that’s resident within their information systems. What federal contractors need is a CUI Program. Arlington can help, as we offer the following CUI services and solutions:

  • CUI Scoping & Gap Assessments
  • CUI Policy Development
  • CUI Identification
  • CUI Contractual Language Review
  • CUI Marking (Digital)
  • CUI Marking (Physical)

Arlington Security Portal

Get Access to 100 + NIST RMF security and privacy policies & procedures, programs, and plan templates.

Is corporate intellectual property considered CUI?

No, unless such IP was created for, or included in requirements, relating to a government contract.  Per DCSA, “This includes information and material related to or associated with the following categories when created specifically for the DoD:

  • A company’s products, business, or activities, including but not limited to financial information
  • Data or statements
  • Trade secrets
  • Product research and development
  • Existing and future product designs and
  • performance specifications
  • Marketing plans or techniques
  • Schematics
  • Client lists
  • Computer programs
  • Processes

Source: https://www.dcsa.mil/Portals/91/Documents/CTP/CUI/21-10-13%20CUI%20FAQ%20FINAL.pdf

Need to Implement a DoD CUI Program? Talk to Arlington 

DoD contractors - and other contractors providing services to federal agencies - need to have in place established policies, procedures, and processes regarding CUI that’s resident within their information systems. What federal contractors need is a CUI Program. Arlington can help, as we offer the following CUI services and solutions:

  • CUI Scoping & Gap Assessments
  • CUI Policy Development
  • CUI Identification
  • CUI Contractual Language Review
  • CUI Marking (Digital)
  • CUI Marking (Physical)

Arlington Security Portal

Get Access to 100 + NIST RMF security and privacy policies & procedures, programs, and plan templates.

FedRAMP

What is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program for promoting the adoption of secure cloud services across the federal government by providing a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.  FedRAMP has grown tremendously in recent years as Cloud Service Providers (CSP) continue to provide more and more services to federal agencies.

From Beginning to End, Complete Project Management for FedRAMP

With Arlington, we can manage your entire FedRAMP authorization process from beginning to end (i.e., from the initial FedRAMP scoping & gap assessment to post-Authorization to Operate (ATO) activities), providing essential services for getting you to the finish line in terms of your ATO.  Core services and solutions offered include the following:

  • RFP Services
  • Scoping & Gap (i.e., Readiness) Assessments
  • Remediation Services
  • Managing the official Security Assessment Audit
  • System Security Plan (SSP) Development
  • Continuous Monitoring Services

Arlington Security Portal

Get Access to 100 + NIST RMF security and privacy policies & procedures, programs, and plan templates.

Is FedRAMP a requirement for specific federal contractors?

Yes, FedRAMP is mandatory for all executive agency cloud deployments and service models at the Low, Moderate, and High-risk impact levels.

From Beginning to End, Complete Project Management for FedRAMP

With Arlington, we can manage your entire FedRAMP authorization process from beginning to end (i.e., from the initial FedRAMP scoping & gap assessment to post-Authorization to Operate (ATO) activities), providing essential services for getting you to the finish line in terms of your ATO.  Core services and solutions offered include the following:

  • RFP Services
  • Scoping & Gap (i.e., Readiness) Assessments
  • Remediation Services
  • Managing the official Security Assessment Audit
  • System Security Plan (SSP) Development
  • Continuous Monitoring Services

Arlington Security Portal

Get Access to 100 + NIST RMF security and privacy policies & procedures, programs, and plan templates.