On March 20, 2020, DCSA issued a news bulletin discussing the challenges posed by COVID and the measures that cleared contractors should be aware of regarding periods of system inactivity (i.e., hibernation). In short, if a facility plans to stop work for an extended period of time, an audit variance may be authorized, which will require a Standard Operating Procedure (SOP) to be in place that specifies how the system will be protected while dormant.
Here are some helpful tips and advice when it comes to the Assessment & Authorization (A&A) Process within eMASS for cleared contractors.
We are often asked how much time and effort it will take to submit a package within eMASS for the entire NIST RMF A&A process. That ultimately depends on the following factors that a cleared contractor should consider when beginning the NIST RMF A&A process:
It’s well known that the two spreadsheets within eMASS for the Assessment & Authorization (A&A) process require a tremendous amount of data to be entered, with some of the information being similar on both. With that said, can they be combined to speed up the process?
DCSA personnel will want to gain a strong understanding of an organization’s continuous monitoring initiatives, which means cleared contractors need to have in place a documented and formalized continuous monitoring program (ConMon). Per a recent presentation by DCSA personnel:
The “Test Results” field is one of the most heavily scrutinized areas within the “TRExport” spreadsheet, and understandably so, as DCSA personnel want to know exactly what test procedures were performed for validating the control. With that said, you need to provide relevant, factual, detailed information.
One of the most notable issues when it comes to working through the A&A process within eMASS for cleared contractors is completing the exportable spreadsheets, which are not only extremely time-consuming but also require providing sufficient detail in a manner that’s acceptable to DCSA personnel.
Per Appendix P of the Defense Counterintelligence and Security Agency Assessment and Authorization Process Manual (DAAPM), cleared industry is required to develop and document a contingency plan for the system. At Arlington, we offer more than 100+ NIST RMF policies, procedures, programs, and plan templates to help cleared industry develop all required documentation, including the much-needed contingency plan.
As stated in the Defense Counterintelligence and Security Agency (DCSA) Assessment and Authorization Process Manual (DAAPM), DoD and cleared contractors in industry are required to perform, at a minimum, an annual risk assessment, and one that is specific to an actual ‘system’.