On January 19, 2022, President Biden signed National Security Memorandum-8, Improving Cybersecurity of National Security, DOD, and Intelligence Community Systems. This long-awaited NSM requires that, at minimum, National Security Systems employ the same network cybersecurity measures as those required of federal civilian networks in Executive Order 14028. The NSM builds on the Biden Administration’s work to protect the United States from sophisticated malicious cyber activity, from both nation-state actors and cyber criminals.
The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation of systems deployed in an organization, for example to demonstrate FISMA (Federal Information Security Management Act, 2002) compliance.
- All non-compliant security controls must be included on the POA&M.
- Items should include specific steps required in support of particular Milestone events.
- Realistic dates should be provided as supported by the underlying and documented steps. (Note: Don’t include items on the POA&M and simply set a date for three years from when they were entered.)
- POA&M items are approved as a part of the IS authorization package. A separate approval is not needed unless the POA&M needs revision.
- Continuous Monitoring (ConMon) is an important aspect of the overall security because it communicates to DCSA how controls are going to be assessed for continued effectiveness over time.
- ConMon strategies should include details related to steps that “will be” taken by the defined frequency to check on controls.
- Frequencies that differ from the recommended DAAPM Appendix A timeframes should be justified. Don’t expect to be able to make all checks an annual event.
- The ISSP will validate your documented ConMon activities against the verbiage in the SLCM during CMEs and eSVAs. Deviations from documented SLCM activities will likely result in vulnerabilities being documented/cited during the CME/eSVA.
Security Technical Implementation Guides (STIGs) are configuration standards developed by the Defense Information Systems Agency (DISA). They are designed to make device hardware and software as secure as possible, safeguarding the Department of Defense (DoD) IT network and systems.
Attention industry, don't forget that it is a strict requirement to contact the DCSA NAO eMASS System Administrators immediately if an individual with an active eMASS account leaves the company. Specifically, it is the responsibility of Industry to properly maintain their eMASS Containers and inform DCSA of any changes in personnel status (i.e., termination, retirement, military deployment, etc.).
Per DCSA, for purposes of streamlining the onsite validation of a system, DCSA will use the DISA STIG, associated benchmark and STIG Viewer to assess the controls documented within the system security authorization package.
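The SCAP definition above and the POA&M rule that every non-compliant control must be listed meet in practice when a benchmark scan result is triaged. The following is an added example, not DCSA, DISA or STIG Viewer code: it parses an XCCDF 1.2 result document of the kind SCAP scanners emit, separates rules that failed (POA&M candidates, ordered by severity) from rules the scanner could not decide (which need a human check before they can be marked compliant or placed on the POA&M). The sample XML, its rule identifiers and the target name are constructed placeholders, not a real benchmark.

```python
"""Triage an XCCDF 1.2 scan result into POA&M candidates and manual-review items.

Added example; not DCSA/DISA tooling. Assumes an XCCDF 1.2 result document
(the format SCAP scanners produce). The sample below is constructed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# XCCDF 1.2 namespace used by SCAP result documents.
XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample (not real scanner output); rule ids and target are placeholders.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_sample">
  <TestResult id="xccdf_example_testresult_sample">
    <target>workstation-placeholder</target>
    <rule-result idref="xccdf_example_rule_min_password_length" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_audit_enabled" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_screen_lock" severity="low">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_bios_password" severity="medium">
      <result>notchecked</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_wireless_disabled" severity="low">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_removable_media" severity="high">
      <result>error</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


@dataclass(frozen=True)
class RuleResult:
    rule_id: str
    severity: str
    result: str


# XCCDF result value meaning the check ran and the control is not compliant.
NON_COMPLIANT = {"fail"}
# Result values where the scanner could not decide; a person must resolve these
# before the control is marked compliant or added to the POA&M.
UNDETERMINED = {"notchecked", "unknown", "error"}
# Sort order so the most severe findings come first in the POA&M candidate list.
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}


def parse_rule_results(xml_text: str) -> list[RuleResult]:
    """Extract every <rule-result> under <TestResult> as a RuleResult."""
    root = ET.fromstring(xml_text)
    out = []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", XCCDF_NS):
        result_el = rr.find("x:result", XCCDF_NS)
        # Treat a missing <result> as "unknown" so it lands in manual review, not silently passes.
        result = (result_el.text or "").strip().lower() if result_el is not None else "unknown"
        severity = rr.get("severity", "unknown").lower()
        out.append(RuleResult(rr.get("idref", ""), severity, result))
    return out


def poam_candidates(results: list[RuleResult]) -> list[RuleResult]:
    """Failed rules, highest severity first, then by rule id for a stable listing."""
    failing = [r for r in results if r.result in NON_COMPLIANT]
    return sorted(failing, key=lambda r: (SEVERITY_ORDER.get(r.severity, 99), r.rule_id))


def needs_manual_review(results: list[RuleResult]) -> list[RuleResult]:
    """Rules the scanner could not evaluate; not compliant until someone checks them."""
    return [r for r in results if r.result in UNDETERMINED]


def summarize(xml_text: str) -> dict:
    results = parse_rule_results(xml_text)
    return {
        "total": len(results),
        "poam": poam_candidates(results),
        "review": needs_manual_review(results),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_RESULTS)
    print(f"{summary['total']} rules evaluated")
    print("POA&M candidates (non-compliant):")
    for r in summary["poam"]:
        print(f"  [{r.severity}] {r.rule_id}")
    print("Needs manual review before a compliance decision:")
    for r in summary["review"]:
        print(f"  [{r.severity}] {r.rule_id} ({r.result})")
```

The distinction the script draws is the one that matters for the POA&M bullets above: a `fail` is a documented non-compliant control and goes on the plan with real milestone steps, whereas `notchecked`, `error` and `unknown` are not evidence of compliance and should be resolved by hand rather than dropped from the list.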
NISP eMASS DAAPM DCSA Requirements for System and Services Acquisition - Download NIST 800-53 SA Policy Templates
NIST (National Institute of Standards and Technology) Special Publication 800-53 provides a catalog of security and privacy controls for federal information systems and organizations. Within NIST 800-53, the "System and Services Acquisition" (SA) control family focuses on controls related to the acquisition, development, and maintenance of information systems. The SA controls are designed to ensure that adequate security measures are incorporated into systems and services throughout their lifecycle.
NISP eMASS DAAPM DCSA Requirements for System and Communications Protection - Download NIST 800-53 SC Policy Templates
The NIST (National Institute of Standards and Technology) Special Publication 800-53 provides a catalog of security and privacy controls for federal information systems and organizations. The controls are organized into families based on their related objectives. The SC control family within NIST 800-53 stands for "System and Communications Protection." It focuses on controls that are designed to protect the confidentiality, integrity, and availability of system communications and prevent unauthorized access to systems.