NISP eMASS DAAPM DCSA | Guidance on Hibernation Procedures
On March 20, 2020, DCSA issued a news bulletin discussing the challenges with COVID and measures that cleared contractors should be aware of regarding periods of system inactivity (i.e., hibernation). In short, if a facility plans to stop work for an extended period of time, an audit variance may be authorized, which will require a Standard Operating Procedure (SOP) to be in place that specifies how the system will be protected during a dormant state.
NISP eMASS DAAPM DCSA | Tips and Advice on the Assessment & Authorization (A&A) Process
Here are some helpful tips and advice when it comes to the Assessment & Authorization (A&A) Process within eMASS for cleared contractors.
NISP eMASS DAAPM DCSA | Time and Effort Needed for A&A Process in eMASS
We are often asked how much time and effort it will take to submit a package within eMASS for the entire NIST RMF A&A process. That ultimately depends on the following factors that a cleared contractor should consider when beginning the NIST RMF A&A process:
NISP eMASS DAAPM DCSA | Guidance on eMASS Spreadsheets
It’s well known that the two spreadsheets within eMASS for the Assessment & Authorization (A&A) process require a tremendous amount of data to be entered, with some of the information being similar on both. With that said, can they be combined to speed up the process?
NISP eMASS DAAPM DCSA | Guidance on the SLCM Fields Within the “ControlInfoExport” Spreadsheet
DCSA personnel will want to gain a strong understanding of an organization’s continuous monitoring initiatives, which means cleared contractors need to have in place a documented and formalized continuous monitoring program (ConMon). Per a recent presentation by DCSA personnel:
NISP eMASS DAAPM DCSA | Guidance on the "TRExport" Spreadsheet
The “Test Results” field is one of the most heavily scrutinized areas within the “TRExport” spreadsheet, and understandably so, as DCSA personnel want to know exactly what test procedures were performed for validating the control. With that said, you need to provide relevant, factual, detailed information.
NISP eMASS DAAPM DCSA | Guidance on the "ControlInfoExport" Spreadsheet
One of the most notable issues when working towards the A&A process within eMASS for cleared contractors is completing the exportable spreadsheets, which are not only extremely time-consuming but also require providing sufficient detail in a manner that’s acceptable to DCSA personnel.
NISP eMASS DAAPM DCSA Requirements for Contingency Plan (Appendix P) - Download Toolkit Today
Per Appendix P of the Defense Counterintelligence and Security Agency Assessment and Authorization Process Manual (DAAPM), cleared industry is required to develop and document a contingency plan for the system. At Arlington, we offer more than 100 NIST RMF policies, procedures, programs, and plan templates for helping cleared industry develop all required documentation, and that includes the much-needed contingency plan.
NISP eMASS DAAPM DCSA Requirements for Risk Assessment Report (Appendix C) - Download Toolkit Today
As stated in the Defense Counterintelligence and Security Agency (DCSA) Assessment and Authorization Process Manual (DAAPM), DoD and cleared contractors in industry are required to perform, at a minimum, an annual risk assessment, and one that is specific to an actual ‘system’.