Can you provide guidance and some specific examples of how the critically important fields within the “ControlInfoExport” spreadsheet should be completed, especially the “implementation narrative” field?
This is one of the biggest challenges when it comes to eMASS for cleared contractors as completing the exportable spreadsheets is not only extremely time-consuming, but also requires providing sufficient detail in a manner that’s acceptable to DCSA personnel. For the “ControlInfoExport” spreadsheet, DCSA now requires a detailed answer for the “Implementation Narrative” field. Please note that a 2021 update to NISP eMASS replaced the “Comments” field with the “Implementation Narrative” field.
Take AC-2, Account Management, as an example: the narrative must describe how the control is actually implemented in your environment, not merely restate the control text. An example of a strong answer is the following:
Control implemented by establishing defined user groups within Group Policy, which includes account creation for System Administrators, Data Transfer Agents, and General User Accounts. Furthermore, system event log monitoring has been established for automated alerting, and the Weekly Security Event Log Analysis report is reviewed each week to determine if any access rights discrepancies have been found. Additionally, an Account Request Form is used for provisioning new users.
A second example of an “Implementation Narrative,” this time for IR-3, Incident Response Testing, is the following:
Control implemented by performing regularly scheduled tabletop exercises (TTE) to determine the DoD Incident Response Plan's effectiveness and the organization's readiness to execute the plan. Results of the TTE are provided to all relevant stakeholders. The TTE exercises are to be reviewed annually to determine if desired results are satisfactory and if any needed changes/corrective actions are required.
From Beginning to End, Complete Project Management for NIST RMF A&A within eMASS
With Arlington, we can manage your entire NIST RMF A&A process within eMASS from beginning to end (i.e., from the initial NIST RMF eMASS scoping & gap assessment to post-Authorization to Operate (ATO) activities), providing essential services for getting you to the finish line in terms of your ATO. Core services and solutions offered include the following:
- Scoping & Gap (i.e., Readiness) Assessments
- Remediation Services (Policy and Procedures writing)
- Remediation Services (Technical and Operational)
- System Security Plan (SSP) Development
- Completion of eMASS Export Control Spreadsheets
- Continuous Monitoring (ConMon) Services