What does DCSA expect to be in place for Risk Assessments for eMASS reporting?
First and foremost, from a scope perspective, the Risk Assessment Report (RAR) must be an actual assessment performed on the specific “system” under authorization. Do not substitute an organization-wide or corporate-wide risk assessment or similar report: such a report will not provide sufficient detail on the in-scope “system” and will often omit it entirely. It is thus best to use the Appendix C: Risk Assessment Report Template found within the DCSA Assessment and Authorization Process Manual Version 2.2 (August 31, 2020).
The Risk Assessment Report Template lists three (3) types of threat sources: Adversarial, Structural, and Environmental. To be clear, for each of these three (3) sources cleared contractors must provide sufficient examples of credible threats under the “Threat Event” column. DCSA will expect a substantial list of “Threat Events” for each source, so please keep this in mind when completing the RAR. Listing just a few “Threat Event” examples for each of the three (3) types of threat sources will NOT suffice and will result in your RAR being rejected, so be advised.
From Beginning to End, Complete Project Management for NIST RMF A&A within eMASS
With Arlington, we can manage your entire NIST RMF A&A process within eMASS from beginning to end (i.e., from the initial NIST RMF eMASS scoping & gap assessment through post-Authorization to Operate (ATO) activities), providing the essential services needed to reach your ATO. Core services and solutions offered include the following:
- Scoping & Gap (i.e., Readiness) Assessments
- Remediation Services (Policy and Procedures writing)
- Remediation Services (Technical and Operational)
- System Security Plan (SSP) Development
- Completion of eMASS Export Control Spreadsheets
- Continuous Monitoring (ConMon) Services