What’s important to note about the ASSESS step within the NIST RMF for DoD Contractors?

The ASSESS step is where an organization undergoes an actual assessment by an independent third party for regulatory compliance reporting. FedRAMP, FISMA, eMASS, CMMC, DFARS NIST 800-171, and more are all NIST RMF compliance reporting measures that are performed to assess an organization’s controls. Organizations can also choose to conduct their own internal assessment with qualified personnel if they decide not to embark on any official compliance reporting.

Per NIST, assessors should be selected for their technical expertise related to the type of system or component they are assessing as well as for their experience in all steps of the Risk Management Framework, including the assessment and authorization steps and the tasks that support them.

Additionally, per NIST, assessor independence does not mean that assessors from outside of the organization are needed to conduct the assessment. Internal assessors who are not under the supervision and/or management of the owner of the system being assessed can be employed to conduct the assessment.

For NISP eMASS, the actual ASSESS measures are performed by Defense Counterintelligence and Security Agency (DCSA) personnel who conduct both onsite and virtual assessment procedures.

Trusted Providers of NIST RMF Services & Solutions 

Arlington offers the following NIST RMF services & solutions to DoD and other federal contractors:

  • Compliance Reporting for FedRAMP, FISMA, eMASS, CMMC, 800-171, ITAR/EAR, and more.
  • Scoping & Gap Assessments
  • Policies & Procedures Development
  • Program Documentation Development
  • System Security Plans (SSP)
  • Security Assessment Reports (SAR)
  • Remediation Assistance
  • ATO Assistance

Arlington Security Portal

Get access to 100+ NIST RMF security and privacy policies & procedures, programs, and plan templates.