Are there common areas that DCSA sees as deficiencies and vulnerabilities in a cleared contractor’s documentation, and during site visits conducted for NIST RMF assessment & authorization activities?

DCSA has noted the following deficiencies with cleared contractors’ System Security Plans (SSPs):

  • Incomplete and/or missing attachments
  • Inaccurate or incomplete configuration diagram
  • Sections in general procedures contradict controls
  • Integrity & Availability not properly addressed
  • SSP was not tailored to the specific system

Additionally, DCSA has noted the following vulnerabilities during site visits:

  • Inadequate auditing controls
  • Security-relevant objects not being protected
  • Inadequate configuration management
  • Improper session controls
  • Identification & Authentication control vulnerabilities

From Beginning to End, Complete Project Management for NIST RMF A&A within eMASS

With Arlington, we can manage your entire NIST RMF A&A process within eMASS from beginning to end (i.e., from the initial NIST RMF eMASS scoping & gap assessment to post-Authorization to Operate (ATO) activities), providing essential services for getting you to the finish line in terms of your ATO. Core services and solutions offered include the following:

  • Scoping & Gap (i.e., Readiness) Assessments
  • Remediation Services (Policy and Procedures writing)
  • Remediation Services (Technical and Operational)
  • System Security Plan (SSP) Development
  • Completion of eMASS Export Control Spreadsheets
  • Continuous Monitoring (ConMon) Service

Arlington Security Portal

Get access to 100+ NIST RMF security and privacy policies & procedures, programs, and plan templates.