
Version 2.2 (31 August 2020) of the Defense Counterintelligence and Security Agency Assessment and Authorization Process Manual (DAAPM) mentions the phrase “access control” nineteen times, and for good reason. Per the DAAPM, “U.S. Government policy is that all classified information must be appropriately safeguarded to assure the confidentiality and integrity of that information,” which can only happen when appropriate access control measures are put in place. Regardless of the type of environment (MUSA, SUSA, LAN, WAN, etc.), cleared industry needs well-written, comprehensive access control policies and procedures, and other supporting documentation, to be in place.

Version 2.2 (31 August 2020) of the Defense Counterintelligence and Security Agency Assessment and Authorization Process Manual (DAAPM) mentions the phrase “incident response” twenty-six times, and for good reason. It is a strict requirement for cleared industry to have in place a number of critical measures relating to incident response. And while the DAAPM does provide a template via Appendix Q regarding incident response, what cleared industry needs is a thorough, comprehensive, easy-to-use incident response plan, and that’s exactly what we offer at the Arlington Security Portal (ASP).

With Arlington, we can manage your entire NIST RMF A&A process within eMASS from beginning to end (i.e., from the initial NIST RMF eMASS scoping & gap assessment to post-Authorization to Operate (ATO) activities), providing essential services for getting you to the finish line in terms of your ATO.  

Per a recent presentation by DCSA personnel, the following physical site vulnerabilities are being found in the Assessment & Authorization (A&A) process:

Per a recent presentation by DCSA personnel, the following deficiencies are being found in System Security Plans (SSP) within the eMASS Assessment & Authorization (A&A) process:

On March 20, 2020, DCSA issued a news bulletin discussing the challenges with COVID and measures that cleared contractors should be aware of regarding periods of system inactivity (i.e., hibernation). In short, if a facility plans to stop work for an extended period of time, an audit variance may be authorized, which will require a Standard Operating Procedure (SOP) to be in place that specifies how the system will be protected during a dormant state.

Here are some helpful tips and advice when it comes to the Assessment & Authorization (A&A) Process within eMASS for cleared contractors.

We are often asked how much time and effort it will take to submit a package within eMASS for the entire NIST RMF A&A process. That ultimately depends on the following factors that a cleared contractor should consider when beginning the NIST RMF A&A process:

It’s well known that the two spreadsheets within eMASS for the Assessment & Authorization (A&A) process require a tremendous amount of data to be entered, with some of the information being similar on both. With that said, can they be combined to speed up the process?

DCSA personnel will want to gain a strong understanding of an organization’s continuous monitoring initiatives, which means cleared contractors need to have in place a documented and formalized continuous monitoring (ConMon) program. Per a recent presentation by DCSA personnel: