
Can you provide guidance and some specific examples of how the critically important fields within the “TRExport” spreadsheet should be completed, especially the “test results” field?


The “Test Results” field is one of the most heavily scrutinized areas of the “TRExport” spreadsheet, and understandably so: DCSA personnel want to know exactly which test procedures were performed to validate the control. You therefore need to provide relevant, factual, detailed information. But remember that DCSA personnel do not want to read a novel. They object to overly long, multi-paragraph, wordy answers just as much as they object to short and/or templated answers. The entry should say what was inspected, how it was inspected, and what the result was, not simply describe how the control is implemented or how it is monitored over time (ConMon). Also, per a recent presentation by DCSA personnel:

  • “Test Results are not Implementation Narrative details or ConMon.”
  • “Test Results are a summary of the actions that have already taken place to validate that controls have been effectively implemented.”

For example, for MP-2.1 (Media Protection family), you will need to describe how the control was actually tested. An excellent example answer would be the following:

The ABC Company ISSM validated that a Media Protection Policy and Procedures document is in place and is reviewed, and updated as needed, on an annual basis. The document defines personnel roles and responsibilities for media protection. The ISSM also conducted a physical inspection of the information system and confirmed that the only types of media allowed are external USB drives and external optical drives, both of which are secured at all times. The ISSM further confirmed through physical inspection that hardware plugs are installed on vacant ports, that only authorized personnel handle media, and that, when necessary, media is destroyed per DoD guidelines.

Another example for the “Test Results” field, this time for SC-18-1 (i.e., SC-18(1), System and Communications Protection, Mobile Code), would be the following:

The ABC Company ISSM validated through inspection of system settings that Java mobile code is used on the information system as part of the ManageEngine Vulnerability Manager Plus vulnerability scanning and patching tool. The tool is written in Java and runs on an Apache web server that is installed by the program. The tool compares vulnerability information in its database against security patch information that is imported into the database; the resulting comparison shows which patches have not been installed. Patches can then be downloaded and imported into the program to automate patching of the laptops on which ManageEngine Vulnerability Manager Plus is installed.

Note that the second example spends much of its length describing what the tool does. Per the DCSA guidance quoted above, the portion that DCSA is looking for is the validation action and its outcome (in this case, the ISSM's inspection of system settings and the finding that the only mobile code in use is the Java code belonging to the identified tool); keep the description of the tool itself to what is needed to make that finding understandable.

From Beginning to End, Complete Project Management for NIST RMF A&A within eMASS

With Arlington, we can manage your entire NIST RMF A&A process within eMASS from beginning to end (i.e., from the initial NIST RMF eMASS scoping & gap assessment to post-Authorization to Operate (ATO) activities), providing essential services for getting you to the finish line in terms of your ATO. Core services and solutions offered include the following:

  • Scoping & Gap (i.e., Readiness) Assessments
  • Remediation Services (Policy and Procedures writing)
  • Remediation Services (Technical and Operational)
  • System Security Plan (SSP) Development
  • Completion of eMASS Export Control Spreadsheets
  • Continuous Monitoring (ConMon) Services
