NISP eMASS DAAPM DCSA Requirements for Audit and Accountability - Download NIST 800-53 AU Policy Templates
NIST Special Publication 800-53, Revision 5 (SP 800-53 Rev. 5), provides security and privacy controls for federal information systems and organizations. Within SP 800-53 Rev. 5, the "AU" control family addresses the requirements related to Audit and Accountability. These controls focus on establishing mechanisms for audit trail generation, review, analysis, and reporting to support the detection, investigation, and response to security incidents.
Version 2.2 (31 August 2020) of the Defense Counterintelligence and Security Agency Assessment and Authorization Process Manual (DAAPM) clearly states how “Federal agencies have adopted the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) as a common set of guidelines for the Assessment and Authorization (A&A) of Information Systems (IS).”
DoD and cleared contractors in industry are required to perform, at a minimum, an annual risk assessment, and one that is specific to an actual ‘system’. While the DCSA DAAPM and other related DoD documentation provide examples of a risk assessment (i.e., Risk Assessment Report – Appendix C of the DAAPM), they do not provide detailed information – and examples – of the threat sources. Developing and documenting such information can be time-consuming.
NISP eMASS DAAPM DCSA Requirements for Awareness and Training - Download NIST 800-53 AT Policy Templates & Training Manuals
NIST Special Publication 800-53 provides guidelines and controls for securing federal information systems in the United States. One of the control families within NIST 800-53 is the "Awareness and Training" family (AT). The AT controls focus on establishing and implementing an effective security awareness and training program to educate personnel on their security roles and responsibilities.
Per DCSA, organizations must submit a CCP plan (CAGE Code-CCP-System Name) within eMASS. A CCP plan will thus enable an organization to document its common controls, which will ensure consistency and streamline assessment and authorization processes. The CCP package will be used to identify the common controls and all the associated procedures and artifacts, along with specifying whether the common controls provide the required protection fully or in hybrid fashion.
Version 2.2 (31 August 2020) of the Defense Counterintelligence and Security Agency Assessment and Authorization Process Manual (DAAPM) mentions the phrase “access control” nineteen times, and for good reason. Per the DAAPM, “U.S. Government policy is that all classified information must be appropriately safeguarded to assure the confidentiality and integrity of that information,” which can only happen when appropriate access control measures are put in place. Regardless of the type of environment - MUSA, SUSA, LAN, WAN, etc., cleared industry needs well-written, comprehensive access control policies and procedures, and other supporting documentation, to be in place.
NISP eMASS DAAPM DCSA Requirements for Incident Response Plan - (Appendix Q) | Download Toolkit Today
Version 2.2 (31 August 2020) of the Defense Counterintelligence and Security Agency Assessment and Authorization Process Manual (DAAPM) mentions the phrase “incident response” twenty-six times, and for good reason. It is a strict requirement for cleared industry to have in place a number of critical measures relating to incident response. And while the DAAPM does provide a template via Appendix Q regarding incident response, what cleared industry needs is a thorough, comprehensive, easy-to-use incident response plan, and that’s exactly what we offer at the Arlington Security Portal (ASP).
With Arlington, we can manage your entire NIST RMF A&A process within eMASS from beginning to end (i.e., from the initial NIST RMF eMASS scoping & gap assessment to post-Authorization to Operate (ATO) activities), providing essential services for getting you to the finish line in terms of your ATO.
Per a recent presentation by DCSA personnel, the following vulnerabilities are being found regarding physical sites for the Assessment & Authorization (A&A) process:
Per a recent presentation by DCSA personnel, the following deficiencies are being found in System Security Plans (SSP) within the eMASS Assessment & Authorization (A&A) process: