DoD | DCSA | DHS | Federal Agencies | NIST RMF Services & Solutions

DoD, DCSA, DHS, and federal agency support services for NIST Risk Management Framework (RMF) compliance.

Our Focus


At Arlington, we’re Dedicated to Defense®, focusing on America’s large and growing Defense Industrial Base (DIB). Because of that expertise, we also work with federal contractors in the non-DoD space. Specifically, we work with the following governmental entities:

Department of Defense
(DoD)

It is DoD policy that the Department will establish and use an integrated, enterprise-wide decision structure for cybersecurity risk management (the RMF) that includes and integrates the DoD Mission Areas (MAs) pursuant to DoD Directive 8115.01 and the governance process prescribed in DoD Instruction 8510.01, Risk Management Framework for DoD Systems.

Defense Counterintelligence and Security Agency (DCSA) Cleared Contractors

U.S. Government policy is that all classified information must be appropriately safeguarded to assure the confidentiality and integrity of that information, as well as its availability when required by contract. The Defense Counterintelligence and Security Agency (DCSA) Assessment and Authorization Process Manual (DAAPM) is intended for use by cleared contractors participating in the National Industrial Security Program (NISP).

Department of Homeland Security Critical Infrastructure

President Trump issued Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure on May 11, 2017, to improve the Nation’s cyber posture and capabilities in the face of intensifying cybersecurity threats. EO 13800 focuses Federal efforts on modernizing Federal information technology infrastructure, working with state and local government and private sector partners to more fully secure critical infrastructure, and collaborating with foreign allies.

White House Cybersecurity Executive Orders

In January 2022 President Biden signed National Security Memorandum 8 (NSM-8), Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems, as directed by Executive Order (E.O.) 14028, Improving the Nation’s Cybersecurity. The NSM requires that National Security Systems employ, at a minimum, the same cybersecurity measures that E.O. 14028 requires of federal civilian networks. It builds on the Administration’s work to protect the Nation from sophisticated malicious cyber activity by both nation-state actors and cyber criminals.

Government Agencies re: NIST RMF

The National Institute of Standards and Technology Risk Management Framework (RMF) provides a disciplined, structured, and flexible process for managing security and privacy risk that includes information security categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring. The RMF includes activities to prepare organizations to execute the framework at appropriate risk management levels.

Frequently Asked Questions


FISMA

What is FISMA?

The Federal Information Security Management Act of 2002 (FISMA) was enacted as Title III of the E-Government Act of 2002. It recognized the importance of information security to the economic and national security interests of the United States and made federal agencies responsible for the security of the information and systems that support their operations. In December 2014, President Barack Obama signed the Federal Information Security Modernization Act of 2014, which amended the 2002 Federal Information Security Management Act. In short, FISMA is still called FISMA.

FISMA is the law; the standards and guidance that agencies (and their contractors) are measured against come from NIST: FIPS 199 for categorizing systems, FIPS 200 for minimum security requirements, and NIST SP 800-53 as the catalog of security and privacy controls. The NIST Risk Management Framework (RMF) is the comprehensive, flexible, risk-based process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle, and it is the process organizations follow when working toward FISMA compliance.

Systems under FISMA are categorized at one of three impact levels, LOW, MODERATE, or HIGH, using FIPS 199; the categorization determines which NIST SP 800-53 control baseline applies. Determining which impact level you need to comply with often begins by assessing your external compliance requirements, and more specifically, who is asking you to become FISMA compliant.

From Beginning to End, Complete Project Management for FISMA

With Arlington, we can manage your entire FISMA compliance engagement from beginning to end (i.e., from the initial FISMA scoping & gap assessment to post-Authorization to Operate (ATO) activities), providing essential services for getting you to the finish line in terms of FISMA compliance.  Core services and solutions offered include the following:

  • Scoping & Gap (i.e., Readiness) Assessments
  • Remediation Services (Policy and Procedures writing)
  • Remediation Services (Technical and Operational)
  • System Security Plan (SSP) Development
  • Independent Security Assessment Reports (SAR)
  • Continuous Monitoring (ConMon) Services

Arlington Security Portal

Get Access to 100 + NIST RMF security and privacy policies & procedures, programs, and plan templates.

As a federal contractor, what constitutes FISMA compliance?

An independent assessment, documented in a Security Assessment Report (SAR), is the usual basis for reporting on FISMA. Per NIST, a SAR “Provides a disciplined and structured approach for documenting the findings of the assessor and the recommendations for correcting any identified vulnerabilities in the security controls.”

But that’s not a hard and fast rule. At times, we’ve seen cases where federal contractors provide only a System Security Plan (SSP) detailing their control environment against the NIST SP 800-53 controls. Other times, we’ve seen a simple statement of compliance issued to a federal contractor by a consulting firm. It all depends on who is asking for FISMA compliance. If it’s a federal agency, expect to produce both an SSP and a SAR.

NIST Risk Management Framework (RMF)

What is the NIST Risk Management Framework (RMF)?

The NIST RMF is a comprehensive, flexible, risk-based approach and process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle. The RMF is purposefully technology neutral, so the methodology can be applied to any type of information system without modification. As such, the RMF provides a dynamic and flexible approach to managing security and privacy risk in diverse environments with complex and sophisticated threats, evolving missions and business functions, and changing system and organizational vulnerabilities.

There are seven (7) steps within the NIST RMF, which are the following:

  1. Prepare
  2. Categorize
  3. Select
  4. Implement
  5. Assess
  6. Authorize
  7. Monitor

DoD and other federal contractors providing services to government agencies have strict requirements for implementing the NIST RMF, and for demonstrating compliance, through a wide range of regulatory reporting frameworks and mandates (DFARS 252.204-7012 / NIST SP 800-171, CMMC, FISMA, FedRAMP, NISP A&A in eMASS, and more).

To learn more about the NIST RMF, visit https://csrc.nist.gov/projects/risk-management/about-rmf

Trusted Providers of NIST RMF Services & Solutions

Arlington offers the following NIST RMF services & solutions to DoD and other federal contractors:

  • Compliance Reporting for FedRAMP, FISMA, eMASS, CMMC, 800-171, ITAR/EAR, and more.
  • Scoping & Gap Assessments
  • Policies & Procedures Development
  • Program Documentation Development
  • System Security Plans (SSP)
  • Security Assessment Reports (SAR)
  • Remediation Assistance
  • ATO Assistance

What’s important to note about the PREPARE step within the NIST RMF for DoD Contractors?

Per NIST, the Prepare step was incorporated to achieve more effective, efficient, and cost-effective security and privacy risk management processes. Tasks in the Prepare step directly support the subsequent RMF steps and are largely derived from guidance in other NIST publications, so organizations may already have implemented many of them as part of organization-wide risk management.

Without adequate risk management preparation at the organizational and system levels, security and privacy activities can become too costly, demand too many skilled security and privacy professionals, and produce ineffective solutions.

NIST RMF eMASS

What exactly is eMASS?

Per the Defense Counterintelligence and Security Agency (DCSA), “eMASS is a government owned web-based application with a broad range of services for comprehensive fully integrated cybersecurity management. Features include dashboard reporting, controls scorecard measurement, and the generation of a system security authorization package. eMASS provides an integrated suite of authorization capabilities and prevents cyber-attacks by establishing strict process control mechanisms for obtaining authorization decisions.” Look at eMASS as the system of record for the assessment and authorization of industry classified systems under the NISP.

U.S. Government policy is that all classified information must be appropriately safeguarded to assure the confidentiality and integrity of that information, as well as its availability when required by contract. To that end, the Defense Counterintelligence and Security Agency (DCSA) Assessment and Authorization Process Manual (DAAPM) is intended for use by cleared contractors participating in the National Industrial Security Program (NISP), and the Enterprise Mission Assurance Support Service (eMASS) web-based application is the vehicle cleared contractors use to submit and manage their Assessment and Authorization (A&A) packages.

From Beginning to End, Complete Project Management for NIST RMF A&A within eMASS

With Arlington, we can manage your entire NIST RMF A&A process within eMASS from beginning to end (i.e., from the initial NIST RMF eMASS scoping & gap assessment to post-Authorization to Operate (ATO) activities), providing essential services for getting you to the finish line in terms of your ATO.  Core services and solutions offered include the following:

  • Scoping & Gap (i.e., Readiness) Assessments
  • Remediation Services (Policy and Procedures writing)
  • Remediation Services (Technical and Operational)
  • System Security Plan (SSP) Development
  • Completion of eMASS control export spreadsheets
  • Continuous Monitoring (ConMon) Services

Where are the family of controls within eMASS derived from?

The control requirements found in eMASS’ exportable spreadsheets come directly from NIST SP 800-53. Because of this, contractors working to achieve an Authorization to Operate (ATO) need comprehensive policies and procedures in place. To be specific, cleared contractors will need a large number of policies, procedures, programs, and plans in place to achieve an ATO as part of the NISP NIST RMF A&A process within eMASS.

Over the years, developing NIST SP 800-53-specific security documents has been one of the most difficult, time-consuming, and challenging tasks for cleared contractors. To speed up the process, we developed the Arlington Security Portal (ASP), an online repository of world-class, industry-leading security policies and procedures, programs, plans, and other essential documents and templates developed specifically around the NIST SP 800 series of publications and the NIST SP 800-53 information security, cybersecurity, and privacy control families.

Incident Response

Must all DoD Contractors have a documented Incident Response Plan in place?

Yes. Contractors are required by various legal, regulatory, and contractual requirements within the broader defense industry to have a documented incident response plan in place. For example, NIST SP 800-53 control IR-8 (Incident Response Plan) requires one; NIST SP 800-171 requirement 3.6.1 requires an operational incident-handling capability covering preparation, detection, analysis, containment, recovery, and user response activities; and DFARS 252.204-7012 and CMMC flow those requirements down to DoD contractors that handle CUI.

Need a Documented Incident Response Plan? Talk to Arlington

DoD contractors - and other contractors providing services to federal agencies - need to have in place a well-documented incident response plan. With Arlington, we offer two (2) options. We can develop a customized incident response plan for your organization, or you can simply visit the Arlington Security Portal (ASP) and download our industry leading incident response plan template for DoD contractors, along with dozens of other high-quality NIST RMF policies, procedures, programs, plans – and other highly essential documents & templates.

What is the window for reporting suspected or actual breaches to the DoD?

Because the DoD must be able to respond quickly, changing operational plans and implementing measures against new threats and vulnerabilities, DFARS 252.204-7012 requires contractors to rapidly report cyber incidents to DoD within 72 hours of discovery, via the DIBNet portal (https://dibnet.dod.mil), which requires a DoD-approved medium assurance certificate. Contractors must also cooperate with DoD in responding to the incident, which means preserving and protecting images of all known affected systems and all relevant monitoring and packet-capture data for at least 90 days from submission of the report, and capturing as much information about the incident as possible.

What is CUI?

CUI is Controlled Unclassified Information. CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable laws, regulations, and government-wide policies, but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended. Although this type of information is not “classified,” it is still sensitive and requires protection.

More specifically, CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information. 

Remember, CUI is not a classification. Therefore, information cannot be “classified as CUI;” rather, this type of information is designated as CUI. In some cases, CUI designations replace For Official Use Only (FOUO) and Sensitive but Unclassified (SBU) designations and markings.

Need to Implement a DoD CUI Program? Talk to Arlington

DoD contractors - and other contractors providing services to federal agencies - need to have in place established policies, procedures, and processes regarding CUI that’s resident within their information systems. What federal contractors need is a CUI Program. Arlington can help, as we offer the following CUI services and solutions:

  • CUI Scoping & Gap Assessments
  • CUI Policy Development
  • CUI Identification
  • CUI Contractual Language Review
  • CUI Marking (Digital)
  • CUI Marking (Physical)

Is corporate intellectual property considered CUI?

No, unless such IP was created for, or included in the requirements of, a government contract. Per DCSA, “This includes information and material related to or associated with the following categories when created specifically for the DoD:

  • A company’s products, business, or activities, including but not limited to financial information
  • Data or statements
  • Trade secrets
  • Product research and development
  • Existing and future product designs and performance specifications
  • Marketing plans or techniques
  • Schematics
  • Client lists
  • Computer programs
  • Processes

Source: https://www.dcsa.mil/Portals/91/Documents/CTP/CUI/21-10-13%20CUI%20FAQ%20FINAL.pdf

FedRAMP

What is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program for promoting the adoption of secure cloud services across the federal government by providing a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP has grown tremendously in recent years as Cloud Service Providers (CSPs) continue to provide more and more services to federal agencies.

From Beginning to End, Complete Project Management for FedRAMP

With Arlington, we can manage your entire FedRAMP authorization process from beginning to end (i.e., from the initial FedRAMP scoping & gap assessment to post-Authorization to Operate (ATO) activities), providing essential services for getting you to the finish line in terms of your ATO.  Core services and solutions offered include the following:

  • RFP Services
  • Scoping & Gap (i.e., Readiness) Assessments
  • Remediation Services
  • Managing the official security assessment performed by an accredited Third Party Assessment Organization (3PAO)
  • System Security Plan (SSP) Development
  • Continuous Monitoring Services

Is FedRAMP a requirement for specific federal contractors?

Yes. Under OMB policy, FedRAMP is mandatory for executive agencies’ use of cloud services, across all deployment and service models, at the Low, Moderate, and High impact levels. The obligation sits with the agency, but in practice it means any Cloud Service Provider (CSP) that wants to sell a cloud service to a federal agency must obtain and maintain a FedRAMP authorization at the appropriate impact level.