NISP eMASS DAAPM DCSA | Guidance on the "ControlInfoExport" Spreadsheet
One of the most notable issues for cleared contractors working through the A&A process within eMASS is completing the exportable spreadsheets, which is not only extremely time-consuming but also requires providing sufficient detail in a manner that’s acceptable to DCSA personnel.
For the “ControlInfoExport” spreadsheet, DCSA now requires a detailed answer for the “Implementation Narrative” field. It is important to note that a 2021 update to NISP eMASS replaced the “Comments” field with the “Implementation Narrative” field.
For example, for PS-3, Personnel Screening, you’ll need to describe how the control is actually implemented. An excellent example answer would be the following:
Control implemented in that authorized personnel are screened to confirm the user has the appropriate security clearance and special access briefings. Once the screening process has been completed, an account request form will be processed for allowing personnel access to the information system. Once the user has an approved IS User Request, with the proper level of security clearance, Need-To-Know (NTK), and all applicable briefings and training completed, they are granted access to the fabrication area and the information system. Additionally, all users are properly screened prior to having access to any classified systems.
Another example for the “Implementation Narrative” field, this time for IR-3, Incident Response Testing, would be the following:
Control implemented by performing regularly scheduled tabletop exercises (TTE) to determine the DoD Incident Response Plan's effectiveness and the organization's readiness to execute the plan. Results of the TTE are provided to all relevant stakeholders. The TTEs are to be reviewed annually to determine if desired results are satisfactory and if any changes/corrective actions are required.
From Beginning to End, Complete Project Management for NIST RMF A&A within eMASS
With Arlington, we can manage your entire NIST RMF A&A process within eMASS from beginning to end (i.e., from the initial NIST RMF eMASS scoping & gap assessment to post-Authorization to Operate (ATO) activities), providing essential services for getting you to the finish line in terms of your ATO. Core services and solutions offered include the following:
- Scoping & Gap (i.e., Readiness) Assessments
- Remediation Services (Policy and Procedures writing)
- Remediation Services (Technical and Operational)
- System Security Plan (SSP) Development
- Completion of eMASS Export Control Spreadsheets
- Continuous Monitoring (ConMon) Services
We are Arlington, a team of innovative, solution-oriented, highly agile, and well-versed professionals with decades of experience in working with America’s defense industry. From emerging cybersecurity regulations to helping our clients solve complex security & compliance challenges – and so much more – you can trust Arlington, the firm that’s Dedicated to Defense®. Learn more at arlingtonintel.com.