On March 20, 2020, DCSA issued a news bulletin discussing the challenges with COVID and measures that cleared contractors should be aware of regarding periods of system inactivity (i.e., hibernation). In short, if a facility plans to stop work for an extended period of time, an audit variance may be authorized, which will require a Standard Operating Procedure (SOP) to be in place that specifies how the system will be protected during a dormant state.
As such, DCSA wants to see proof of documented hibernation procedures if an audit variance is ever requested. This means cleared contractors should develop a formalized and documented SOP for system hibernation and include it in their Contingency Plan, or maintain it as a stand-alone document. Hibernation beyond 180 days is permitted only with AO approval. Cleared contractors are to contact their assigned ISSP to determine the requirements for obtaining AO approval for the hibernation request.
Per the DAAPM, a system hibernation SOP is to include a process for protecting the system using physical security controls (e.g., seals, locks, alarms, and GSA-approved containers), technical controls (e.g., whole disk encryption, disabled accounts, and audit logs), and immediate patching/updates upon return to service.
100+ NIST 800-53 Templates Available for Download for Cleared Industry
The solution for cleared industry is the Arlington Security Portal (ASP), an online repository of world-class, industry-leading security and privacy policies & procedures, programs, plans – and other highly essential documents & templates developed specifically on NIST SP 800-53, Revision 5.
From Beginning to End, Complete Project Management for NIST RMF A&A within eMASS
With Arlington, we can manage your entire NIST RMF A&A process within eMASS from beginning to end (i.e., from the initial NIST RMF eMASS scoping & gap assessment to post-Authorization to Operate (ATO) activities), providing essential services for getting you to the finish line in terms of your ATO. Core services and solutions offered include the following:
- Scoping & Gap (i.e., Readiness) Assessments
- Remediation Services (Policy and Procedures writing)
- Remediation Services (Technical and Operational)
- System Security Plan (SSP) Development
- Completion of eMASS Export Control Spreadsheets
- Continuous Monitoring (ConMon) Services
We are Arlington, a team of innovative, solution-oriented, highly agile, and well-versed professionals with decades of experience in working with America’s defense industry. From emerging cybersecurity regulations to helping our clients solve complex security & compliance challenges – and so much more – you can trust Arlington, the firm that’s Dedicated to Defense®. Learn more at arlingtonintel.com.