Have Questions?
We've Got Answers

Browse our comprehensive FAQ section and get the answers you need.

FAQ Categories

Arlington Security Portal

Get access to 100+ NIST RMF security and privacy policies & procedures, programs, and plan templates.

FISMA Questions

What is FISMA?

The Federal Information Security Management Act of 2002 (FISMA) is a United States federal law enacted as Title III of the E-Government Act of 2002. The act formally recognized the importance of information security to the economic and national security interests of the United States. In 2014, President Barack Obama signed into law the Federal Information Security Modernization Act, which amended and largely superseded the 2002 Federal Information Security Management Act. In short, FISMA is still called FISMA.

While FISMA is the law, it is implemented through NIST standards and guidance: FIPS 199 (security categorization) and FIPS 200 (minimum security requirements) are mandatory, and FIPS 200 in turn requires agencies to implement the control baselines from NIST SP 800-53, which is why SP 800-53 is treated as the de facto standard for FISMA compliance. Lastly, the NIST Risk Management Framework (RMF) is a comprehensive, flexible, risk-based process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle, and it is the process organizations follow when working toward FISMA compliance.

FISMA systems are also categorized at one of three IMPACT levels (defined in FIPS 199): HIGH, MODERATE, and LOW. Determining which IMPACT level you need to comply with often begins by assessing your external compliance requirements, and more specifically, who is asking you to become FISMA compliant.

From Beginning to End, Complete Project Management for FISMA

With Arlington, we can manage your entire FISMA compliance engagement from beginning to end (i.e., from the initial FISMA scoping & gap assessment to post-Authorization to Operate (ATO) activities), providing essential services for getting you to the finish line in terms of FISMA compliance.  Core services and solutions offered include the following:

  • Scoping & Gap (i.e., Readiness) Assessments
  • Remediation Services (Policy and Procedures writing)
  • Remediation Services (Technical and Operational)
  • System Security Plan (SSP) Development
  • Independent Security Assessment Reports (SAR)
  • Continuous Monitoring (ConMon) Services

As a federal contractor, what constitutes FISMA compliance?

An independent audit, accompanied by a Security Assessment Report (SAR) is used for reporting on FISMA.  Per NIST, a SAR “Provides a disciplined and structured approach for documenting the findings of the assessor and the recommendations for correcting any identified vulnerabilities in the security controls.” 

But that’s not a hard and fast rule. At times, we’ve seen federal contractors asked to provide only a System Security Plan (SSP) detailing their control environment against the NIST SP 800-53 controls. Other times, we’ve seen a simple statement of compliance issued to a federal contractor by a consulting firm. It all depends on who is asking for FISMA compliance: there is no central FISMA certification body, so the requesting agency or prime contractor decides what evidence is sufficient. If the requester is a federal agency, expect to produce both an SSP and a SAR.

What is the most time-consuming process in terms of earning FISMA compliance?

Documentation. Specifically, developing all required information security, cybersecurity, privacy, and operational-specific policies, procedures, programs, plans, AND authoring the System Security Plan (SSP).  Because FISMA utilizes the NIST SP 800-53 controls, federal contractors will need to spend a large amount of time writing comprehensive, well-written security documentation. 

What are some of the key initiatives and best practices to incorporate when embarking on FISMA compliance?

Proper planning and gaining a strong understanding of what constitutes FISMA compliance is essential for federal contractors. With that said, keep these measures in mind:

  • A Scoping & Gap Assessment is Critical: As a federal contractor, if you’re new to the entire FISMA process, then an upfront scoping & gap assessment is absolutely essential. Even LOW impact designated systems for FISMA compliance will have a tremendously large number of controls to comply with, thus, you need to determine what gaps exist - and how to remediate them - before pressing forward with any other FISMA initiatives.
  • Policies & Procedures will Need to be Developed - and Implemented: Each of the twenty (20) control families within the NIST SP 800-53 publication - the control catalog on which FISMA compliance is based - requires a substantial set of information security and privacy policies and procedures to be developed and put into practice.
  • Programs & Plans will Need to be Developed - and Implemented: Along with policies and procedures, the NIST SP 800-53 publication also requires numerous ‘programs’ and ‘plans’ to be developed relating to incident response, insider threats, contingency planning, supply chain risk management, and more.
  • Security Tools & Solutions will Need to be Acquired - and Implemented: From multi-factor authentication to vulnerability scanning, DLP, FIM, and more, complying with FISMA also means having a healthy set of security tools & solutions in place.
  • A System Security Plan (SSP) will Need to be Written: A well-written System Security Plan (SSP) can take a tremendous amount of time to author as most FISMA SSPs range from 75 - 100 + pages in length, sometimes even more.
  • A Security Assessment Report (SAR) will Need to be Conducted: If you’re being asked by a federal agency to validate FISMA compliance, then expect to have an independent, third-party assessment performed, with the results documented in a formal SAR.
  • A Continuous Monitoring Program will need to be Established: Key to maintaining FISMA compliance is developing and implementing a structured, well-documented continuous monitoring (ConMon) program.

Along with NIST SP 800-53, what other 800 Series Publications correlate with FISMA compliance?

While NIST SP 800-53 garners the lion’s share of attention for FISMA, and rightfully so, the following NIST Special Publications are also instrumental to FISMA compliance:

  • NIST SP 800-37: Risk Management Framework for Information Systems and Organizations - A System Life Cycle Approach for Security and Privacy
  • NIST SP 800-53A: Assessing Security and Privacy Controls in Information Systems and Organizations
  • NIST SP 800-53B: Control Baselines for Information Systems and Organizations
  • NIST SP 800-61: Computer Security Incident Handling Guide

These are just a handful of the dozens of ‘Special Publications’ 800 series of documents that share a credible nexus with FISMA compliance. Visit the NIST Computer Security Resource Center at https://csrc.nist.gov/publications/sp800 to learn more.


NIST Risk Management Framework (RMF) Questions

What is the NIST Risk Management Framework (RMF)?

The NIST RMF is a comprehensive, flexible, risk-based approach and process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle. Additionally, the RMF is purposefully designed to be technology neutral so that the methodology can be applied to any type of information system without modification. As such, the RMF provides a dynamic and flexible approach to effectively manage security and privacy risks in diverse environments with complex and sophisticated threats, evolving missions and business functions, and changing system and organizational vulnerabilities.

There are seven (7) steps within the NIST RMF, which are the following:

  1. Prepare
  2. Categorize
  3. Select
  4. Implement
  5. Assess
  6. Authorize
  7. Monitor

DoD and other federal contractors providing services to governmental agencies have strict requirements for implementing the NIST RMF - and showcasing compliance - through a wide-range of regulatory reporting frameworks & mandates (DFARS NIST 800-171, CMMC, FISMA, FedRAMP, NISP eMASS, and more). 

To learn more about the NIST RMF, visit https://csrc.nist.gov/projects/risk-management/about-rmf

Trusted Providers of NIST RMF Services & Solutions

Arlington offers the following NIST RMF services & solutions to DoD and other federal contractors:

  • Compliance Reporting for FedRAMP, FISMA, eMASS, CMMC, 800-171, ITAR/EAR, and more.
  • Scoping & Gap Assessments
  • Policies & Procedures Development
  • Program Documentation Development
  • System Security Plans (SSP)
  • Security Assessment Reports (SAR)
  • Remediation Assistance
  • ATO Assistance

What’s important to note about the PREPARE step within the NIST RMF for DoD Contractors?

Per NIST, the PREPARE step was incorporated to achieve more effective, efficient, and cost-effective security and privacy risk management processes. Tasks in the Prepare step directly support subsequent RMF steps and are largely derived from guidance in other NIST publications. As such, organizations may have already implemented many of the tasks in the Prepare step as part of organization-wide risk management.

Without adequate risk management preparation at the organizational and system levels, security and privacy activities can become too costly, demand too many skilled security and privacy professionals, and produce ineffective solutions.

What’s important to note about the CATEGORIZE step within the NIST RMF for DoD Contractors?

Per NIST, security categorization provides a structured way to determine the criticality of the information being processed, stored, and transmitted by a system. The purpose of the CATEGORIZE step is to inform organizational risk management processes and tasks by determining the adverse impact that a loss of confidentiality, integrity, or availability of organizational systems and information would have on the organization.

Technically speaking, the information owner/system owner or an individual designated by the owner is responsible for categorizing a system.  Yet even with that said, regulatory compliance mandates from outside your organization will often determine the IMPACT LEVEL (HIGH, MODERATE, LOW) to comply with for purposes of FedRAMP, FISMA, etc. 

To learn more about impact levels and control baselines for NIST RMF, please access Control Baselines for Information Systems and Organizations (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53B.pdf).  This publication establishes security and privacy control baselines for federal information systems and organizations and provides tailoring guidance for those baselines. The control baselines can be implemented by any organization that processes, stores, or transmits information (e.g., federal, state, local, and tribal governments, as well as private sector organizations).

As for NISP eMASS, per the National Industrial Security Program Enterprise Mission Assurance Support Service (eMASS) Industry Operation Guide, "eMASS will automatically populate the recommended C-I-A levels for some of the Information Type as established by NIST SP 800-60 Vol. 2...", with MODERATE being the recommended C-I-A IMPACT LEVEL.

What’s important to note about the SELECT step within the NIST RMF for DoD Contractors?

Once the system has been categorized (HIGH, MODERATE, or LOW), the applicable security and privacy controls from NIST SP 800-53 are assigned, starting from the corresponding baseline in NIST SP 800-53B and then tailored. Per NIST, security controls are the safeguards or countermeasures employed within an organizational system to protect the confidentiality, integrity, and availability of the system and its information. Privacy controls are administrative, technical, and physical safeguards employed within an organization to protect an individual, ensure compliance with applicable privacy requirements, and manage privacy risks.

As discussed earlier, regulatory compliance mandates from outside your organization will often determine the IMPACT LEVEL (HIGH, MODERATE, LOW) to comply with for purposes of FedRAMP, FISMA, etc., which in turn determines the actual number of NIST SP 800-53 controls that will be in scope.

What’s important to note about the IMPLEMENT step within the NIST RMF for DoD Contractors?

Per NIST, it is important that the controls are implemented correctly and operate as expected to protect the system. The IMPLEMENT step focuses on the implementation of the selected security and privacy controls. This is where a large part of the work in the overall NIST RMF is done: policies, procedures, and processes need to be formalized and documented, and the technical and operational controls need to be put in place.

Federal contractors often quickly realize that a large amount of remediation work must be done as control gaps and weaknesses become apparent when walking through the selection of control families from the NIST SP 800-53 publication.  Simply stated, an organization cannot (and should not) advance to the next NIST RMF step (ASSESS) and undertake an independent assessment by a third-party without remediating control gaps.

What’s important to note about the ASSESS step within the NIST RMF for DoD Contractors?

The ASSESS step is where an organization’s controls are examined by an independent assessor, typically for regulatory compliance reporting. Think FedRAMP, FISMA, the NISP A&A process in eMASS, CMMC, DFARS NIST 800-171, and more: all of these assess controls that derive from the NIST SP 800-53 catalog. Organizations can also choose to conduct their own internal assessment with qualified personnel if they decide not to embark on any official compliance reporting.

Per NIST, assessors should be selected for their technical expertise related to the type of system or component they are assessing as well as for their experience in all steps of the Risk Management Framework, including the assessment and authorization steps and the tasks that support them.

Additionally, per NIST, assessor independence does not mean that assessors from outside of the organization are needed to conduct the assessment. Internal assessors who are not under the supervision and/or management of the owner of the system being assessed can be employed to conduct the assessment.

For NISP eMASS, the actual ASSESS measures are performed by Defense Counterintelligence and Security Agency (DCSA) personnel who conduct both onsite and virtual assessment procedures.

What’s important to note about the AUTHORIZE step within the NIST RMF for DoD Contractors?

Per NIST, federal systems must be authorized before being promoted to production (i.e., becoming operational). Therefore, the purpose of the Authorize step is to provide organizational accountability by requiring a senior management official (authorizing official) to determine if the security and privacy risk (including supply chain risk) to organizational operations and assets is acceptable, based on the operation of a system or the use of common controls. If you’re required to seek ATO for your service offering to a federal agency, then the AUTHORIZE step is essential.

What’s important to note about the MONITOR step within the NIST RMF for DoD Contractors?

Per NIST, continuous monitoring programs allow an organization to maintain the authorization of a system over time in a highly dynamic operating environment where systems adapt to changing threats, vulnerabilities, technologies, and mission and business processes. Per NIST SP 800-137, Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.

Moreover, any effort or process intended to support ongoing monitoring of information security across an organization begins with leadership defining a comprehensive ISCM strategy encompassing technology, processes, procedures, operating environments, and people.

Many of today’s federal compliance mandates, such as FISMA, FedRAMP, and the NISP A&A process in eMASS, require organizations to implement continuous monitoring (ConMon) programs for their environments. Per NIST SP 800-137, a well-defined and well-executed ConMon program is built on the following six steps:

  • Define an ISCM strategy based on risk tolerance that maintains clear visibility into assets, awareness of vulnerabilities, up-to-date threat information, and mission/business impacts.
  • Establish an ISCM program determining metrics, status monitoring frequencies, control assessment frequencies, and an ISCM technical architecture.
  • Implement an ISCM program and collect the security-related information required for metrics, assessments, and reporting. Automate collection, analysis, and reporting of data where possible.
  • Analyze the data collected and Report findings, determining the appropriate response. It may be necessary to collect additional information to clarify or supplement existing monitoring data.
  • Respond to findings with technical, management, and operational mitigating activities or acceptance, transference/sharing, or avoidance/rejection.
  • Review and Update the monitoring program, adjusting the ISCM strategy and maturing measurement capabilities to increase visibility into assets and awareness of vulnerabilities, further enable data-driven control of the security of an organization’s information infrastructure, and increase organizational resilience.

Trusted Providers for NIST RMF Continuous Monitoring Program Development

Arlington offers the following Information security continuous monitoring (ISCM) services & solutions for helping federal contractors design and implement industry leading continuous monitoring (ConMon) programs:

  • Ready-to-Use ConMon Program Toolkit for download based on NIST SP 800-53 controls.
  • Customized ConMon Program Development, Implementation, and Testing
  • ConMon as a Service (CMaaS)


NIST RMF eMASS Questions

What exactly is eMASS?

Per the Defense Counterintelligence and Security Agency (DCSA), “eMASS is a government owned web-based application with a broad range of services for comprehensive fully integrated cybersecurity management. Features include dashboard reporting, controls scorecard measurement, and the generation of a system security authorization package. eMASS provides an integrated suite of authorization capabilities and prevents cyber-attacks by establishing strict process control mechanisms for obtaining authorization decisions.”  Look at eMASS as the system of record for assessment and authorizations of industry classified systems.

U.S. Government policy is that all classified information must be appropriately safeguarded to assure the confidentiality and integrity of that information, as well as its availability when required by contract. The Defense Counterintelligence and Security Agency (DCSA) Assessment and Authorization Process Manual (DAAPM) is intended for use by cleared contractors participating in the National Industrial Security Program (NISP), and the Enterprise Mission Assurance Support Service (eMASS) web-based application is the vehicle that cleared contractors use for Assessment and Authorization (A&A) purposes.

From Beginning to End, Complete Project Management for NIST RMF A&A within eMASS

With Arlington, we can manage your entire NIST RMF A&A process within eMASS from beginning to end (i.e., from the initial NIST RMF eMASS scoping & gap assessment to post-Authorization to Operate (ATO) activities), providing essential services for getting you to the finish line in terms of your ATO.  Core services and solutions offered include the following:

  • Scoping & Gap (i.e., Readiness) Assessments
  • Remediation Services (Policy and Procedures writing)
  • Remediation Services (Technical and Operational)
  • System Security Plan (SSP) Development
  • Completion of eMASS Export Control Spreadsheets
  • Continuous Monitoring (ConMon) Services

Where are the control families within eMASS derived from?

The control requirements found within eMASS’ exportable spreadsheets come directly from the NIST SP 800-53 publication. Because of this, contractors working toward an authorization decision need to have comprehensive policies and procedures in place. To be specific, cleared contractors will need a large number of policies, procedures, programs, and plans in place to achieve an Authorization to Operate (ATO) as part of the NISP NIST RMF A&A process within eMASS.

Over the years, developing NIST SP 800-53 specific security documents has been one of the most difficult, time-consuming, and challenging tasks for cleared contractors. To help speed up the process, we developed the Arlington Security Portal (ASP), an online repository of security policies & procedures, programs, plans, and other essential documents & templates developed specifically on the NIST Risk Management Framework (RMF) 800 series of publications for information security, cybersecurity, and privacy control families.

Can you provide guidance and some specific examples of how the critically important fields within the “ControlInfoExport” spreadsheet should be completed, especially the “implementation narrative” field?

This is one of the biggest challenges when it comes to eMASS for cleared contractors as completing the exportable spreadsheets is not only extremely time-consuming, but also requires providing sufficient detail in a manner that’s acceptable to DCSA personnel.  For the “ControlInfoExport” spreadsheet, DCSA now requires a detailed answer for the “Implementation Narrative” field.  Please note that a 2021 update to NISP eMASS replaced the “Comments” field with the “Implementation Narrative” field.

With that said, for example, for AC-2, Account Management, you’ll need to describe how the control is actually implemented. An excellent example answer would be the following:

Control implemented by establishing defined user groups within Group Policy, which includes account creation for System Administrators, Data Transfer Agents, and General User Accounts. Furthermore, system event log monitoring has been established for automated alerting, and the Weekly Security Event Log Analysis report is reviewed each week to determine if any access rights discrepancies have been found. Additionally, an Account Request Form is used for provisioning new users.

Another example for the “implementation narrative” field would be the following, for IR-3, Incident Response Testing.

Control implemented by performing regularly scheduled tabletop exercises (TTE) to determine the DoD Incident Response Plan's effectiveness and the organization's readiness to execute the plan. Results of the TTE are provided to all relevant stakeholders. The TTE exercises are to be reviewed annually to determine if desired results are satisfactory and if any needed changes/corrective actions are required.

Can you provide guidance and some specific examples of how the critically important fields within the “TRExport” spreadsheet should be completed, especially the “test results” field?

The “Test Results” field is one of the most heavily scrutinized areas within the “TRExport” spreadsheet, and understandably so, as DCSA personnel want to know exactly what test procedures were performed for validating the control. With that said, you need to provide relevant, factual, detailed information. But remember, DCSA personnel do not want to read a novel - as they often object to overly long, multi-paragraph, wordy answers just as much as they do to short and/or templated answers.  Also, per a recent presentation by DCSA personnel:

  • “Test Results are not Implementation Narrative details or ConMon.”
  • “Test Results are a summary of the actions that have already taken place to validate that controls have been effectively implemented.”

For example, for MP-2.1, Media Protection, you’ll need to describe how the control was actually tested. An excellent example answer would be the following:

The ABC Company ISSM validated that a Media Protection Policy and Procedures document is in place and is reviewed and updated as needed on an annual basis. The document contains all necessary information pertaining to personnel roles and responsibilities. The ISSM also conducted a physical inspection of the information system to confirm that the only types of media allowed are external USB drives and external optical drives, both of which are secured at all times. Through the same physical inspection, the ISSM confirmed that hardware plugs are installed on vacant ports, that only authorized personnel can handle media, and that, if necessary, media will be destroyed per DoD guidelines.

Another example for the “test results” field would be the following, for SC-18-1, System and Communications Protection regarding Mobile Code:

The ABC Company ISSM validated through system settings inspection that Java mobile code is used on the information system as part of the ManageEngine Vulnerability Manager Plus vulnerability scanning and patching tool. The software tool is written in Java and runs on an Apache web server that is installed by the program. The tool compares vulnerability information in its database against security patch information that is imported into the database; the resulting comparison shows patches that have not been installed. Patches can then be downloaded and imported into the program to automate patching of the laptops on which ManageEngine Vulnerability Manager Plus is installed.

Can you provide guidance on the SLCM fields within the “ControlInfoExport” spreadsheet in terms of how to best address “System Level Continuous Monitoring” requirements for eMASS reporting?

DCSA personnel will want to gain a strong understanding of an organization’s continuous monitoring initiatives, which means cleared contractors need to have in place a documented and formalized continuous monitoring program (ConMon).  Per a recent presentation by DCSA personnel:

  • “Continuous Monitoring (ConMon) is an important aspect of the overall security because it communicates to DCSA how controls are going to be assessed for continued effectiveness over time.”
  • “ConMon strategies should include details related to steps that “will be” taken by the defined frequency to check on controls.”

Therefore, a well-developed ConMon program should include the following:

  • Control Number Listing
  • Control Title
  • Security Control Designation
  • Continuous Monitoring Program Frequency
  • Continuous Monitoring Strategy
  • Listing of Tools Used for Verification
  • Listing of Personnel Responsible for Performing ConMon Tests
  • A Detailed Test Schedule

What does DCSA expect to be in place for an Incident Response Plan (IRP) for eMASS reporting?

An Incident Response Plan (IRP) is one of the most fundamentally important documents to have in place, and DCSA will want to thoroughly review your IRP. With that said, you’ll need to have in place a company-wide approved IRP, one that includes the required DoD guidelines and that covers the in-scope information system. If you do not have an IRP in place, or if your company-wide IRP does not cover the in-scope information system, DCSA recommends (and, more realistically, expects) cleared contractors to follow DAAPM Appendix Q for the IRP. Additionally, your IRP should contain specific measures relating to spills (Appendix R) and sanitization (Appendix S).

Per a recent presentation by DCSA personnel:

  • “IRPs are approved in conjunction with the Information System unless a separate one was submitted and approved at the corporate level.”
  • “Do your processes involve remote cleanup with remote workers? Remote aspects of your cleanup should be clear in the submitted IRP.”
  • “DCSA expects cleanup to follow DAAPM guidance at a minimum as documented in your IRP.”

What does DCSA expect to be in place for Risk Assessments for eMASS reporting?

First and foremost, from a scope perspective, the Risk Assessment Report (RAR) must be an actual assessment performed on the specific “system”. Therefore, do not try to use an organization-wide or corporate-wide risk assessment or similar report, as it will not provide sufficient detail on, and will often completely omit, the “system” that is in scope. It’s thus best to use the Appendix C: Risk Assessment Report Template found within the DCSA Assessment and Authorization Process Manual Version 2.2 (August 31, 2020).

The Risk Assessment Report Template lists three (3) types of threat sources: Adversarial, Structural, and Environmental. To be clear, for each of these three (3) sources, cleared contractors must provide sufficient examples of credible threats under the “Threat Event” column. DCSA will expect cleared contractors to provide a healthy list of “Threat Events”, so please keep this in mind when completing the RAR. Listing just a few “Threat Event” examples for each of the three (3) types of threat sources will NOT suffice and will result in your RAR being rejected, so be advised.

What does DCSA expect to be in place for “Testing” regarding an Incident Response Plan (IRP)?

While you hope to never have a critical incident that could impact the system, DCSA does want assurances that cleared contractors are prepared, and can respond accordingly.  With that said, tabletop exercises are an excellent way to illustrate compliance with Incident Response Testing (IR-3).  The tabletop exercise should include different scenarios and detailed responses to each scenario. 

Additionally, tabletop exercises should mirror potential real-world situations for your actual environment. For example, if your system in scope for eMASS is identified as Multi-User Standalone (MUSA) or Single-User Standalone (SUSA), then perform tabletop exercises reflecting such environments. Providing DCSA with tabletop exercise results for a Wide Area Network (WAN) when you operate in a standalone environment provides little value, if any.

Visit the Arlington Security Portal (ASP) and gain access to our industry leading Incident Response Testing Toolkit containing comprehensive, real-world tabletop exercises you can perform for eMASS reporting.

What does DCSA expect to be in place for “Testing” regarding a Contingency Plan (CP)?

For Contingency Plan testing, DCSA is very clear that it wants a detailed description of the actual test procedures to be performed and the results of such testing. With that said, a few things to consider for Contingency Plan testing:

  • First, the procedures should be for the in-scope system. Therefore, do not try to use organization-wide or corporate-wide contingency plan test procedures and results, as they will not provide sufficient detail on, and will often completely omit, the “system” that is in scope.
  • Second, it is important to formally document the test procedures to be performed. Page 112 of the DAAPM (Version 2.2 | August 31, 2020) provides clear instructions with excellent examples of test procedures that should be performed and, ultimately, documented in your Contingency Plan.
  • Third, unlike Incident Response testing, where tabletop exercises have been found to be sufficient evidence for eMASS reporting, contingency plan testing requires carrying out the documented test procedures themselves. According to the DAAPM, contractors can also “Perform tabletop exercises to test various possible contingency situations,” but in short, you need to perform the actual procedures, as relying on tabletop exercises alone will generally not suffice for DCSA.

Visit the Arlington Security Portal (ASP) and gain access to our industry leading Contingency Plan Toolkit containing comprehensive, real-world tabletop exercises you can perform for helping with eMASS reporting.

Are system “Hibernation Procedures” required for eMASS?

Yes, they are. On March 20, 2020, DCSA issued a news bulletin discussing the challenges of COVID-19 and the measures cleared contractors should be aware of regarding periods of system inactivity (i.e., hibernation). In short, if a facility plans to stop work for an extended period of time, an audit variance may be authorized, which will require a Standard Operating Procedure (SOP) to be in place that specifies how the system will be protected while dormant.

As such, DCSA wants to see proof of documented hibernation procedures “if” an audit variance is ever requested. This means cleared contractors should develop a formalized - and documented - SOP for system hibernation and include it in their Contingency Plan or as a stand-alone document. Hibernation beyond 180 days is permitted only with AO approval. Cleared contractors are to contact their assigned ISSP to determine the requirements for obtaining AO approval for the hibernation request.

Per the DAAPM, a system hibernation SOP is to include a process for protecting the system using physical security controls (e.g., seals, locks, alarms, and GSA-approved containers), technical controls (e.g., whole disk encryption, disabled accounts, and audit logs), and immediate patching/updates upon return to service.


Incident Response Questions

Must all DoD Contractors have a documented Incident Response Plan in place?

Yes, contractors are required by various legal, regulatory, and contractual requirements within the broader defense industry to have a documented incident response plan in place. 

Need a Documented Incident Response Plan? Talk to Arlington

DoD contractors - and other contractors providing services to federal agencies - need to have in place a well-documented incident response plan. With Arlington, we offer two (2) options. We can develop a customized incident response plan for your organization, or you can simply visit the Arlington Security Portal (ASP) and download our industry leading incident response plan template for DoD contractors, along with dozens of other high-quality NIST RMF policies, procedures, programs, plans – and other highly essential documents & templates.

Arlington Security Portal

Get Access to 100 + NIST RMF security and privacy policies & procedures, programs, and plan templates.

What is the window for reporting suspected or actual breaches to the DoD?

Because the DoD must be able to quickly change operational plans and implement measures in response to new threats and vulnerabilities, contractors are to report any potential breach to DoD within 72 hours of discovering the incident. Additionally, contractors must cooperate with DoD in responding to security incidents, which means preserving and protecting all evidence and capturing as much information about the incident as possible.

Where do DoD contractors report security incidents to?

To report cyber incidents that affect covered defense information or that affect the contractor’s ability to perform requirements designated as operationally critical support, the Contractor shall conduct a review for evidence of compromise and rapidly report cyber incidents to DoD at https://dibnet.dod.mil via an incident collection form (ICF).

If malicious software is discovered and isolated in connection with a reported cyber incident, the contractor or subcontractor shall submit the malicious software to the DoD Cyber Crime Center (DC3). See also: https://dibnet.dod.mil

What, specifically, constitutes reporting to the federal government in terms of a “cyber incident”?

Per the Department of Homeland Security (DHS), a cyber incident is an event that could jeopardize the confidentiality, integrity, or availability of digital information or information systems.  Per the DFARS 7012, a “Cyber incident” means actions taken using computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.  Therefore, report all cyber incidents that may:

  • Result in a significant loss of data, system availability, or control of systems;
  • Impact a large number of victims;
  • Indicate unauthorized access to, or malicious software present on, critical information technology systems;
  • Affect critical infrastructure or core government functions; or
  • Impact national security, economic security, or public health and safety.

Does Arlington offer a high-quality Incident Response Plan that meets all DoD requirements?

Yes, we do. Please visit the Arlington Security Portal (ASP), our online repository of world-class, industry-leading security policies & procedures, programs, plans – and other highly essential documents & templates developed specifically around the NIST 800 series publications for information security, cybersecurity, and privacy control families.


CUI Questions

What is CUI?

CUI stands for Controlled Unclassified Information. CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable laws, regulations, and government-wide policies, but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended. Although this type of information is not considered “classified,” it is still sensitive and important, and it requires protection.

More specifically, CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information. 

Remember, CUI is not a classification. Therefore, information cannot be “classified as CUI;” rather, this type of information is designated as CUI. In some cases, CUI designations replace For Official Use Only (FOUO) and Sensitive but Unclassified (SBU) designations and markings.

Need to Implement a DoD CUI Program? Talk to Arlington

DoD contractors - and other contractors providing services to federal agencies - need to have in place established policies, procedures, and processes regarding CUI that’s resident within their information systems. What federal contractors need is a CUI Program. Arlington can help, as we offer the following CUI services and solutions:

  • CUI Scoping & Gap Assessments
  • CUI Policy Development
  • CUI Identification
  • CUI Contractual Language Review
  • CUI Marking (Digital)
  • CUI Marking (Physical)

Arlington Security Portal

Get Access to 100 + NIST RMF security and privacy policies & procedures, programs, and plan templates.

Is corporate intellectual property considered CUI?

No, unless such IP was created for, or is included in the requirements of, a government contract. Per DCSA, “This includes information and material related to or associated with the following categories when created specifically for the DoD:

  • A company’s products, business, or activities, including but not limited to financial information
  • Data or statements
  • Trade secrets
  • Product research and development
  • Existing and future product designs and performance specifications
  • Marketing plans or techniques
  • Schematics
  • Client lists
  • Computer programs
  • Processes”
Source: https://www.dcsa.mil/Portals/91/Documents/CTP/CUI/21-10-13%20CUI%20FAQ%20FINAL.pdf

What actual policies govern CUI?

Currently, the following four (4) main policies govern CUI:

  1. Executive Order 13556, “Controlled Unclassified Information” (https://obamawhitehouse.archives.gov/the-press-office/2010/11/04/executive-order-13556-controlled-unclassified-information), assigns policy responsibilities and prescribes procedures for CUI throughout the DoD.
  2. 32 CFR Part 2002, “Controlled Unclassified Information” (https://www.govinfo.gov/content/pkg/CFR-2018-title32-vol6/pdf/CFR-2018-title32-vol6-part2002.pdf), establishes the CUI Program throughout the Federal Government and describes the roles, responsibilities, and other essential provisions of the CUI Program.
  3. DoD Instruction (DoDI) 5200.48, “Controlled Unclassified Information” (https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/520048p.PDF), effectively establishes a uniform program for managing information that requires safeguarding or dissemination controls throughout the Federal Government.
  4. NIST Special Publication 800-171 Rev. 2, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf), identifies the baseline for CUI system security requirements, noting that “The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its essential missions and functions.”

Where can I find a listing of CUI Categories?

Please see the following two (2) CUI Registries for both DoD and non-DoD federal contractors regarding government-approved CUI categories and groupings.

How is CUI Marked?

At a minimum, CUI markings for unclassified DoD documents are to include the acronym “CUI” in the banner and footer of the document. Marking requirements apply to documents, emails, and any form of media designated as CUI. Marking labels are also available for physical media (USB sticks, hard drives, CD-ROMs, etc.) to alert holders to the presence of CUI stored on the device, in accordance with CUI Notice 2019-01.

Please refer to the Controlled Unclassified Markings Guide (September 3, 2020) for more information: https://www.dodcui.mil/Portals/109/Documents/Desktop%20Aid%20Docs/20-S-2093%20cleared%20training%20guide-13_oct-20.pdf

Who is allowed to actually create CUI?

Legally speaking, anyone is allowed to create CUI, so long as it is generated for, or on behalf of, an Executive Branch agency for a specific contract that falls into one of the many (over 100) prescribed CUI categories for the DoD.

Per DoDI 5200.48, what specific requirements are there for DoD contractors?

  • Contractors must identify whether any of the information is CUI via the contracting vehicle, in whole or part, and mark such documents, material, or media in accordance with this issuance.
  • Whenever the DoD provides CUI to, or CUI is generated by, non-DoD entities, protective measures and dissemination controls are to be articulated in the contract, grant, or other legal agreement, as appropriate.
  • DoD contracts must require contractors to monitor CUI for aggregation and compilation based on the potential to generate classified information pursuant to security classification guidance addressing the accumulation of unclassified data or information.
  • DoD contracts shall require contractors to report the potential classification of aggregated or compiled CUI to a DoD representative.
  • DoD personnel and contractors are to submit unclassified DoD information for review and approval for release in accordance with the standard DoD Component processes and DoDI 5230.09.
  • All CUI records must follow the approved mandatory disposition authorities whenever the DoD provides CUI to, or CUI is generated by, non-DoD entities.

Source: https://www.dodcui.mil/Portals/109/Documents/Policy%20Docs/DoDI%205200.48%20CUI.pdf 


What are the legacy information requirements under the provisions for CUI with DoDI 5200.48?

There is no requirement to redact or re-mark documents bearing legacy markings. However, any new document created with information derived from legacy material must be marked as CUI if the information qualifies as CUI. Additionally, DoD legacy information does not automatically become CUI; it must first be reviewed by the owner of the information to determine whether it meets the CUI requirements.

Source: https://www.dodcui.mil/Portals/109/Documents/Policy%20Docs/DoDI%205200.48%20CUI.pdf


Per DoDI 5200.48, What is the Defense Counterintelligence and Security Agency’s (DCSA) role regarding CUI?

DCSA has the following eight (8) clearly mandated responsibilities:

  1. Administering the DoD CUI Program for contractually established CUI requirements for contractors in classified contracts.
  2. Assessing contractor compliance with NISP in accordance with 32 CFR 2003 and NIST SP 800-171.
  3. Establishing and maintaining a process to notify the DoD CIO, USD (R&E), and USD(A&S) of threats related to CUI for further dissemination to DoD Components and contractors.
  4. Providing security education, training, and awareness to DoD personnel and contractors through the CDSE.
  5. Providing security assistance and guidance to the DoD Components on the protection of CUI when DoD Components establish CUI requirements in DoD classified contracts for NISP contractors falling under DCSA security oversight.
  6. Serving as the DoD-lead to report Unauthorized Disclosure (UD) of CUI, except for the reporting of cyber incidents in accordance with Section 252.204-7012, associated with contractually established CUI system requirements in DoD classified contracts for NISP contractors falling under DCSA oversight.
  7. Coordinating with the DoD Chief Information Officer (CIO) regarding the implementation of uniform security requirements when the information systems or network security controls for unclassified and classified information are included in DoD classified contracts for NISP contractors falling under DCSA oversight.
  8. Consolidating DoD Component input on the oversight of CUI protection requirements in DoD classified contracts for NISP contractors under DCSA security oversight.

Source: https://www.dodcui.mil/Portals/109/Documents/Policy%20Docs/DoDI%205200.48%20CUI.pdf


What are the destruction requirements under the provisions for CUI with DoDI 5200.48?

When destroying CUI, including in electronic form, agencies must do so in a manner making it unreadable, indecipherable, and irrecoverable. If the law, regulation, or government-wide policy specifies a method of destruction, agencies must use the method prescribed.  All federal contractors should employ media sanitization techniques as prescribed within NIST Special Publication 800-88, Revision 1, Guidelines for Media Sanitization.

Source: https://www.dodcui.mil/Portals/109/Documents/Policy%20Docs/DoDI%205200.48%20CUI.pdf


Will DCSA perform random CUI inspections on DoD contractors?

At this time, DCSA will not perform CUI-related compliance inspections. However, industry is urged to implement the CUI safeguards immediately.


What is FCI?

FCI is Federal Contract Information.  FCI is information not intended for public release as it is provided by or generated for the Federal Government under a contract to develop or deliver a product or service. CUI and FCI share important similarities and a particularly important distinction. Both CUI and FCI include information created or collected by or for the Government, as well as information received from the Government. However, while FCI is any information that is “not intended for public release,” CUI is information that requires safeguarding and may also be subject to dissemination controls. As such, all CUI in possession of a government contractor is FCI, but not all FCI is CUI.


What is CDI?

CDI is Covered Defense Information. CDI means unclassified controlled technical information or other information (as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html) that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and Government-wide policies, and is (1) marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or (2) collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

Please note the following:

The Department of Defense (DoD) on October 4, 2016, issued a rule finalizing cyber reporting regulations applicable to DoD contractors and subcontractors set forth in 32 CFR Part 236. The rule finalizes an interim rule DoD issued on October 2, 2015 and addresses cyber incident reporting obligations for DoD prime contractors and subcontractors.

Notably, the final rule clarifies the by now well-known definition of the term ‘covered defense information’ (“CDI”). This same term is used in DFARS 252.204-7012. This DFARS clause defines CDI to include four different categories: (1) covered technical information (“CTI”); (2) operations security; (3) export-controlled information; and (4) any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies.

Given the similarities of this final category to the definition of controlled unclassified information (“CUI”) promulgated in connection with the National Archives and Records Administration’s (NARA) rule, we have understood this latter category to include CUI identified by NARA pursuant to its efforts under EO 13556. The DoD’s new final rule provides support for this understanding because it narrows the definition of CDI to only two categories: (1) CTI and (2) CUI. This modification accordingly appears to make clear that the “catch-all” category of CDI contained in DFARS 252.204-7012 was intended to align with NARA’s CUI efforts.

As such, consider the following:

  • NIST 800-171 refers to “Controlled Unclassified Information”, but it predates the new rules.
  • “Unclassified Controlled Technical Information” was the original term in DFARS 252.204-7012 (pre-NIST 800-171 pronouncement).
  • Covered Defense Information is a newer term that encompasses all of the above, as well as new types of information; thus CDI is the core definition and concept to grasp.

So, what then is CDI?

  • Unclassified information provided to the contractor by or on behalf of DoD in connection with the performance of the contract, or
  • Unclassified information, which is collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

Thus, it is:

  • Controlled technical information (Military)
  • Export controlled information (commodities, tech, software etc.)
  • Critical information (DoD Directive, OPSEC, etc.)
  • ‘Catch All’ (privacy or proprietary business information)
  • Research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.


What is UCTI?

UCTI is Unclassified Controlled Technical Information. “Controlled technical information” means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F (per http://www.acq.osd.mil/dpap/dars/dfars/html/current/204_73.htm) using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents.

The term does not include information that is lawfully publicly available without restrictions. “Technical information” means technical data or computer software, as those terms are defined in the clause at DFARS 252.227-7013, Rights in Technical Data-Noncommercial Items, regardless of whether or not the clause is incorporated in the solicitation or contract.

Examples of technical information include research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.


FedRAMP Questions

What is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program for promoting the adoption of secure cloud services across the federal government by providing a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.  FedRAMP has grown tremendously in recent years as Cloud Service Providers (CSP) continue to provide more and more services to federal agencies.

From Beginning to End, Complete Project Management for FedRAMP

With Arlington, we can manage your entire FedRAMP authorization process from beginning to end (i.e., from the initial FedRAMP scoping & gap assessment to post-Authorization to Operate (ATO) activities), providing essential services for getting you to the finish line in terms of your ATO.  Core services and solutions offered include the following:

  • RFP Services
  • Scoping & Gap (i.e., Readiness) Assessments
  • Remediation Services
  • Managing the official Security Assessment Audit
  • System Security Plan (SSP) Development
  • Continuous Monitoring Services

Arlington Security Portal

Get Access to 100 + NIST RMF security and privacy policies & procedures, programs, and plan templates.

Is FedRAMP a requirement for specific federal contractors?

Yes, FedRAMP is mandatory for all executive agency cloud deployments and service models at the Low, Moderate, and High-risk impact levels.


What is the difference between FISMA and FedRAMP?

FedRAMP is essentially “FISMA for the Cloud”.  Per FISMA, the National Institute of Standards and Technology (NIST) is responsible for establishing “policies which shall set the framework for information technology standards for the Federal Government.” Specifically, both FedRAMP and FISMA use the NIST SP 800-53 security controls. The FedRAMP security controls are based on NIST SP 800-53 baselines and contain controls, parameters, and guidance above the NIST baseline that address the unique elements of cloud computing.


What entities are responsible for cloud security controls regarding FedRAMP?

The responsibility is shared, that is, both cloud service providers (CSPs) and agencies (customers) assume any number of important roles for ensuring the safety and security of data resident in cloud systems.  It is important to note that CSPs are required to submit a Control Implementation Summary (CIS) workbook as an attachment to their System Security Plan (SSP).  Specifically, per FedRAMP, “The CIS workbook identifies security controls that the CSP is responsible for implementing, security controls that the agency (customer) is responsible for implementing, security controls where there is a shared CSP/agency responsibility…”.


What specific listings are granted to Cloud Service Providers (CSPs) on the FedRAMP Marketplace?

As of 2022, there are three (3) listing designations - FedRAMP Ready, In Process, and Authorized.

  • FedRAMP Ready indicates that a Third-Party Assessment Organization (3PAO) has attested to a CSP’s readiness for the authorization process, and that a Readiness Assessment Report (RAR) has been reviewed and approved by the FedRAMP Program Management Office (PMO).
  • In Process is a designation provided to CSPs that are actively working toward a FedRAMP Authorization with either the Joint Authorization Board (JAB) or a federal agency.
  • The Authorized designation is provided to CSPs that have successfully completed the FedRAMP Authorization process with the JAB or a federal agency.


What FedRAMP services does Arlington provide?

We provide extensive, industry-leading advisory and consulting services for Cloud Service Providers (CSPs) in getting their organization ready to successfully achieve FedRAMP certification. From performing gap assessments to developing security policies and procedures, drafting System Security Plans (SSPs), undertaking tabletop exercises - and much more - we are one of the very few firms in North America specifically dedicated to such solutions.

Because of this, and to maintain our independence, we have opted not to become a 3PAO; rather, we work side-by-side with 3PAOs in getting their clients ready for FedRAMP. The upfront, heavy lifting is often much more time-consuming than the actual FedRAMP certification process.


What is arguably the most time-consuming process in terms of earning FedRAMP designation?

Documentation. Specifically, developing all required information security, cybersecurity, and operational-specific policies, procedures, programs, plans, AND authoring the System Security Plan (SSP).  Because FedRAMP designation is aligned directly with the NIST SP 800-53 controls, Cloud Service Providers (CSPs) will need to spend a large amount of time writing comprehensive, well-written security documentation. 


What are some of the major documentation and program requirements for earning FedRAMP designation?

Cloud Service Providers (CSPs) will need to develop (1) a well-written incident response plan, (2) a contingency planning program, (3) an insider threat program, and (4) a threat awareness program, along with (5) performing a risk assessment, (6) testing both the incident response plan and the contingency plan, and (7) much more (i.e., NIST SP 800-53 domain-specific policies and procedures). Bottom line, a tremendous amount of documentation is needed for earning FedRAMP designation.

Also, there are security requirements that must be met. Specifically, “...a FedRAMP-accredited Third-Party Assessment Organization (3PAO) must perform an announced penetration test as part of the assessment/testing process for Moderate and High systems.”
