An Arlington Brief

NIST RMF Policies and Procedures
A Must for eMASS Reporting for DCSA

Overview

Federal agencies have adopted the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) as a common set of guidelines for the Assessment and Authorization (A&A) of Information Systems (IS). Per the Defense Counterintelligence and Security Agency Assessment and Authorization Process Manual (DAAPM), “U.S. Government policy is that all classified information must be appropriately safeguarded to assure the confidentiality and integrity of that information, as well as its availability when required by contract.”

Furthermore, the DAAPM implements RMF processes and guidelines from NIST SP 800-53 and other NIST Special Publications (SP).

Arlington Security Portal

Get access to 100+ NIST RMF security and privacy policies & procedures, programs, and plan templates.

Reporting Requirements

Within NIST SP 800-53, the very publication used for eMASS reporting on controls for cleared contractors, every control family begins with a strict requirement to develop written policies and procedures for that specific control family. With twenty (20) control families within NIST SP 800-53, revision 5, the importance of information security and privacy policies and procedures is quite clear. Additionally, each of the twenty (20) control families has requirements for additional policies, procedures, programs, and plans, further increasing the need for well-written NIST RMF documentation.

Key Elements of a Successful Set of NIST RMF Security and Privacy Policies and Procedures

The current NIST SP 800-53 (rev 5) publication has twenty (20) control families, and depending upon the scope of your NIST RMF/eMASS requirements, you may very well have to develop policies for not only the top category control families, but also for many other supporting controls within these very control categories. That’s quite a bit of policy writing – to say the least – yet with Arlington, our expertise will save you an immense amount of time and money.

Our NIST RMF/eMASS policy writing services, and our industry-leading NIST RMF templates available at the Arlington Security Portal (ASP), include the following:
  • NIST SP 800 Driven Approach: The NIST SP 800-53 publication is without question the foremost InfoSec publication in the world. With the DoD and all other federal agencies adopting NIST, our development of security policies is centered around NIST SP 800-53. The end result is high-quality, relevant, and compliance-oriented information security policies and procedures for NIST RMF/eMASS.
  • One-for-One Match to Control Families: The NIST SP 800-53 (rev 5) publication has twenty (20) control families, and numerous supporting controls for each respective control family. Therefore, it’s essential to develop policies that match and map directly to the actual control families. Arlington’s policy development methodology strictly adheres to mapping to all NIST SP 800-53 control families.
  • Policy Writing for Additional Control Requirements: A significant number of control families within the NIST RMF/eMASS framework require additional supporting policies to be in place. Knowing this, and knowing which policies to develop, comes from years of DoD compliance expertise and working with the NIST framework. Arlington can drill down and develop all primary control family policies, along with all supporting policies.
  • Highly Customized Policies: As a DoD contractor, your business is unique to you, and so should your information security policies and procedures. Arlington uses a proven methodology for quickly and comprehensively developing highly customized NIST RMF/eMASS security documentation.
  • Testing Plans and Programs: The NIST RMF/eMASS requirements call for much more than just policies. Specifically, a number of control families require that “Programs” and “Plans” be in place for areas such as Incident Response, Contingency Planning, Insider Threat, and more. Developing such documents can be incredibly time-consuming and complex, yet with Arlington, our proven methodology saves DoD contractors an immense amount of time and money.
  • Speed and Efficiency: We’ve been working within the broader Defense Industrial Base (DIB) for decades, helping DoD contractors from coast to coast. Whatever the rules or regulations mandated upon your business, you can be sure that Arlington has the knowledge and manpower for developing your NIST RMF/eMASS policies and procedures in an efficient manner. Time is money – something we more than understand.
And regardless of industry, size, or sector, DoD cleared contractors that must report on their controls within the eMASS portal and submission process will need to have in place significant documentation relating to incident response, configuration management, contingency planning, data privacy, and more. Development of such programs can often require an immense amount of time, which is all the more reason for using our industry-leading NIST RMF information security and privacy policies and procedures.

How to Get Started

Start by downloading our world-class NIST RMF Security and Privacy Policies and Procedures templates at the Arlington Security Portal (ASP).

How Arlington Can Help

We have years of experience working within the broader federal agency apparatus, helping federal contractors develop high-quality, well-written policies and procedures and additional NIST RMF information security and privacy materials. Our NIST RMF information security and privacy policies, procedures, programs, and plans have been used by thousands of federal contractors to develop customized documentation for their growing security and compliance needs.
