What does DCSA expect to be in place for “Testing” regarding a Contingency Plan (CP)?
For Contingency Plan testing, DCSA is clear that it expects a detailed description of the actual test procedures performed and the results of that testing. With that in mind, a few things to consider for Contingency Plan testing:
- First, the procedures should be specific to the in-scope system. Do not reuse organization-wide or corporate-wide contingency plan test procedures and results: they will not provide sufficient detail about the "system" that is in scope, and will often omit it entirely.
- Second, it is important to formally document the test procedures to be performed. Page 112 of the DAAPM (Version 2.2 | August 31, 2020) provides clear instructions with excellent examples of test procedures that should be performed, and ultimately, documented in your Contingency Plan.
- Third, unlike Incident Response testing, where tabletop exercises have been found to be sufficient evidence for eMASS reporting, contingency plan testing requires actually carrying out the documented test procedures. The DAAPM does note that contractors can also "Perform tabletop exercises to test various possible contingency situations," but these supplement, rather than replace, the actual procedures. In short, you need to perform the documented procedures themselves; relying on tabletop exercises alone will generally not suffice for DCSA.
Visit the Arlington Security Portal (ASP) and gain access to our industry-leading Contingency Plan Toolkit, containing comprehensive, real-world tabletop exercises you can perform to help with eMASS reporting.
From Beginning to End, Complete Project Management for NIST RMF A&A within eMASS
With Arlington, we can manage your entire NIST RMF A&A process within eMASS from beginning to end (i.e., from the initial NIST RMF eMASS scoping & gap assessment to post-Authorization to Operate (ATO) activities), providing essential services for getting you to the finish line in terms of your ATO. Core services and solutions offered include the following:
- Scoping & Gap (i.e., Readiness) Assessments
- Remediation Services (Policy and Procedures writing)
- Remediation Services (Technical and Operational)
- System Security Plan (SSP) Development
- Completion of eMASS Export Control Spreadsheets
- Continuous Monitoring (ConMon) Services