RMF Process in the NISP eMASS

1 RMF Process in the NISP eMASS

2 What is eMASS?
Web-based system of record that automates a broad range of services for comprehensive, fully integrated cybersecurity management, including controls scorecard measurement, dashboard reporting, and the generation of Risk Management Framework (RMF) package reports. eMASS provides an integrated suite of authorization capabilities and reduces cyber attacks by establishing strict process control mechanisms for obtaining authorization to operate decisions.

3 Why eMASS?
Benefits:
eMASS has Direct Correlation to RMF
Simplifies the Management of the Entire Assessment & Authorization Process
Provides Workflow Automation
Standardizes the Exchange of Information
Monitors System Security During the Entire System Life Cycle
Reports on Cybersecurity Compliance
Provides Real-Time Metrics on Authorization Activities
Overlays and Artifacts are Easily Accessible
Provides Management an Accurate and Timely Dashboard on Risk Health
Data Driven: Policy and Validation
Security Controls Can Be Easily Updated Across Enterprise or Tailored
Provides a Collaborative Space for Solving Authorization Problems and Sharing Cybersecurity Principles
Capabilities:
Enterprise level visibility of all authorization packages, offering comprehensive organizational security postures.
Management of all cybersecurity compliance activities and automation of the workflow process from system registration through system decommissioning.
Maintenance of an enterprise baseline for security controls, which is stored in the eMASS repository and updated with industry standards.
Fully automated inheritance allows systems to inherit security control statuses, artifacts, and test results, and to view system security postures from other systems.
Allows product teams, testers, and security control assessors to effectively collaborate and execute security assessments from geographically dispersed locations with Integrated Project Teams.

4 Obtaining an eMASS Account
Requirements. In order to obtain an eMASS account, ALL users must:
1. Acquire DoD or DSS ECA sponsorship to obtain access to RMF Knowledge Service (KS)
2. Complete eMASS Computer Based Training (CBT) on RMF KS (completion certificate required)
3. Complete DoD Cyber Awareness Challenge Training (completion certificate required)
4. Complete SAR 2875 form*
5. Submit artifacts to DSS Knowledge Center
* See “NISP-eMASS Job Aid” for guidance on eMASS Training, ECA sponsorship and System Access on the RMF website.
* Guidance on Process and Procedures are TBD.

5 Roles in eMASS Workflow
Control Approval Chain (CAC)
CAC-1 (Industry): The eMASS CAC-1 role is the primary vehicle through which security controls are evaluated. The following events define a control cycle:
1. Categorization of controls
2. Selection of controls
3. Testing and assessment of controls
4. Review and submission of the controls
5. Independent Validation & Verification (IV&V) of controls
Users with the first role in the CAC have the ability to submit controls (either individually or aggregated through Bulk Processing) into the CAC for review and approval. In order to actually submit a given control, all associated Assessment Procedures must be assessed with at least one test result.
CAC-2 (SCA): Controls remain in an unofficial state (e.g., “Compliant Unofficial”, “Non-Compliant Unofficial”, or “Not Applicable Unofficial”) until they have been submitted to the CAC-2 and approved. Users with the second role in the CAC are able to review and approve any submitted control. The user with the second role in the CAC also has the option of returning a control for rework if additional updates or adjustments are required prior to final validation.
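The CAC rules above form a small state machine: a control cannot leave CAC-1 until every Assessment Procedure has a test result, its compliance status stays "Unofficial" until CAC-2 approves it, and either CAC-2 decision requires a comment. The following is an added illustration of those rules, not eMASS code; the class and field names are assumptions, and the AC-2 sample with its two procedures is constructed.

```python
from dataclasses import dataclass, field
from enum import Enum

# Constructed model of the eMASS Control Approval Chain (CAC), not eMASS code.
class Stage(Enum):
    CAC1 = "CAC-1 (Industry)"   # control being worked by the IAM
    CAC2 = "CAC-2 (SCA)"        # submitted, awaiting SCA validation
    APPROVED = "Approved"       # SCA approved; compliance status now official

@dataclass
class AssessmentProcedure:
    ap_id: str
    test_results: list = field(default_factory=list)   # e.g. ["Pass"]

@dataclass
class Control:
    control_id: str
    compliance: str          # "Compliant", "Non-Compliant" or "Not Applicable"
    procedures: list
    stage: Stage = Stage.CAC1
    comments: list = field(default_factory=list)   # (decision, SCA comment)

    def status(self) -> str:
        # eMASS keeps the status "Unofficial" until CAC-2 has approved it.
        return self.compliance if self.stage is Stage.APPROVED else f"{self.compliance} Unofficial"

    def untested_procedures(self) -> list:
        # Every AP needs at least one test result before submission is allowed.
        return [ap.ap_id for ap in self.procedures if not ap.test_results]

    def submit(self) -> bool:
        """CAC-1 submits the control; refused while any AP lacks a test result."""
        if self.stage is not Stage.CAC1 or self.untested_procedures():
            return False
        self.stage = Stage.CAC2
        return True

    def _decide(self, decision: str, comment: str, next_stage: Stage) -> bool:
        # Both CAC-2 decisions require the SCA to complete the Comments field.
        if self.stage is not Stage.CAC2 or not comment.strip():
            return False
        self.comments.append((decision, comment))
        self.stage = next_stage
        return True

    def approve(self, comment: str) -> bool:
        return self._decide("Approve", comment, Stage.APPROVED)

    def return_for_rework(self, comment: str) -> bool:
        return self._decide("Return for Rework", comment, Stage.CAC1)

def sample_control() -> Control:
    """Constructed sample: AC-2 with one untested and one tested procedure."""
    return Control("AC-2", "Compliant",
                   [AssessmentProcedure("AC-2.1"), AssessmentProcedure("AC-2.2", ["Pass"])])
```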

6 Roles in eMASS Workflow contd.
Package Approval Chain (PAC) (DSS)
The eMASS PAC is the primary vehicle through which an Information System (IS) is assessed and authorized. After all appropriate assessment and validation activities have been completed, the user in the first step of the PAC may create a static snapshot of the security posture of a System at a given point in time, known as a “package.” The package is passed through the approval chain, and each group of users in each step of the approval chain makes recommendations and approval decisions to coordinate the assessment and authorization determination for the IS.

7 RMF/eMASS Correlation Walk Through – Step 1: Categorize IS
RMF Step 1: Perform a Risk Assessment and ensure a Risk Assessment Report (RAR) is completed. Categorize the IS based on the impact due to a loss of confidentiality (low/moderate/high), integrity (low/moderate/high), and availability (low/moderate/high) of the information or IS according to the RAR, which includes information provided by the Information Owner/Government Contracting Activity (GCA). (Note: Absent any discrepancies or contractual requirements, Industry may use the DSS baseline directed in the NISPOM.) Document the description, including the system/authorization boundary. Assign qualified personnel to RMF roles.
eMASS Action: Industry will register the system in the NISP eMASS instance. During system registration, the following details will be documented:
System Overview
Authorization Information
Assigned Roles
eMASS Role Assignment: Information Assurance Manager (IAM)/Industry; CAC-1
Reference(s): NIST SP Revision 1.0, NIST FIPS-199, NIST SP , CNSSI 1253, DSS Assessment and Authorization Process Manual (DAAPM), DISA eMASS User Guide, DSS NISP eMASS Instructions, and DSS RMF Information and Resources Webpage.

8 RMF/eMASS Correlation Walk Through – Step 2: Select Security Controls
RMF Step 2: Select the security control baseline applicable to the IS. The selection is based upon the results of the categorization. Tailor the controls as needed by supplementing, modifying, or tailoring out controls to effectively manage risk for any unique system conditions. Develop a strategy for continuous monitoring of security control effectiveness.
eMASS Action: Industry will select the registered system and populate information not entered during System Registration. During this process, the following details will be documented under System Details:
System Information
Authorization Information
Business
External Security Services
Categorization
Overlays
Managing Security Controls
eMASS Role Assignment: Information Assurance Manager (IAM)/Industry; CAC-1
Reference(s): CNSSI 1253, NIST SP , NIST SP , DSS Assessment and Authorization Process Manual (DAAPM), DAAPM (Security Controls (M-L-L) and DSS Overlays), DISA eMASS User Guide, DSS NISP eMASS Instructions, and DSS RMF Information and Resources Webpage.

9 RMF/eMASS Correlation Walk Through – Step 3: Implement Security Controls
RMF Step 3: Implement security controls as determined in Step 2. Document the security control implementation. Provide a functional description of the control implementation (including planned inputs, expected behavior, and expected outputs) and include any additional information necessary to describe how the security capability is achieved, at a level of detail sufficient to support control assessment. Start a Plan of Action and Milestones (if applicable). Conduct an initial assessment to facilitate early identification of weaknesses and deficiencies.
eMASS Action: Industry will navigate to the Controls section within eMASS and follow the DSS NISP eMASS Instructions. During this process, the following information will be documented under Implementation Plan:
Critical
Implementation Status
Security Control Designation
Estimated Completion Date
System-Level Continuous Monitoring (SLCM) Strategy: Frequency, Method, SLCM Comments, Responsible Entities
eMASS Role Assignment: Information Assurance Manager (IAM)/Industry; CAC-1
Reference(s): CNSSI 1253, NIST SP , NIST SP A, NIST SP , NIST FIPS 199, DSS Assessment and Authorization Process Manual (DAAPM), DAAPM (Security Controls (M-L-L) and DSS Overlays), DISA eMASS User Guide, DSS NISP eMASS Instructions, and DSS RMF Information and Resources Webpage.

10 RMF Process Walk Through – Step 4a: Assess Security Controls
RMF Step 4a: Industry will conduct an assessment of the security controls. This process is conducted to ensure the security controls are implemented correctly, operating as intended, and meet the security requirements. Industry will review the applicable Security Classification Guide (SCG) and verify the classification level of all artifacts. If supporting artifacts are deemed classified, contact the assigned ISSP for guidance. Industry will finalize the package in eMASS to reflect the actual state of the security controls, as required, based on the vulnerabilities identified by the security control assessment, reassessment, and completion of any remediation actions taken. Industry will submit the final package to DSS.
eMASS Action: Industry will navigate to the Controls section of eMASS and ensure the following information is populated:
Control Applicability
Assessment Procedures assigned to a Security Control are tested and the test results applied
Supporting Artifacts (unclassified)
Implementation Plan and Risk Assessment information
POA&M line item, if applicable
eMASS Role Assignment: Information Assurance Manager (IAM)/Industry; CAC-1
Reference(s): NIST SP A, DSS Assessment and Authorization Process Manual (DAAPM), DISA eMASS User Guide, DSS NISP eMASS Instructions, and DSS RMF Information and Resources Webpage.

11 RMF Process Walk Through – Step 4b: Assess Security Controls (DSS)
RMF Step 4b (DSS): DSS reviews the final package. Any weaknesses and/or deficiencies will be documented in the Security Assessment Report (SAR). If the package is not acceptable and the documentation is insufficient, DSS will either return the package or recommend a Denial of Authorization to Operate (DATO). If the package is acceptable and the documentation fully addresses all system security controls and security configurations, an on-site assessment will be scheduled. In rare circumstances, an on-site assessment may be waived. DSS conducts the on-site assessment. Based on the results of the assessment, DSS will prepare the security authorization package, which includes a risk-based recommendation.
eMASS Action: Once the Security Controls have been submitted for review, the 2nd Role of the CAC/SCA (DSS) will follow the instructions provided in the DSS NISP eMASS Instructions and validate the controls. The SCA first chooses one of two options: continue the Approval Process, or add a test result before approving. Either action reveals the Approve/Return screen, which again offers two options: “Approve” or “Return for Rework.” “Return for Rework” sends the package back to the first role of the CAC/IAM (Industry). Both options require the SCA to complete the “Comments” text field.
eMASS Role Assignment: SCA; CAC-2
Reference(s): NIST SP , NIST SP , NIST , NIST SP (Section 3.5), NISPOM, DSS Assessment and Authorization Process Manual (DAAPM), DISA eMASS User Guide, DSS NISP eMASS Instructions, and DSS RMF Information and Resources Webpage.

12 RMF Process Walk Through – Step 5: Authorize (DSS)
RMF Step 5 (DSS): DSS assembles and submits the security authorization package to the Authorizing Official (AO). DSS is responsible for verifying that the security authorization package is complete and is submitted for final review to the AO. DSS will ensure the information needed by the AO to make a risk-based decision is included in the authorization package. The explicit acceptance of risk is the responsibility of the AO. The AO will issue an authorization decision for the IS and the common controls inherited by the system after reviewing all of the relevant information and, where appropriate, consulting with other organizational officials.
eMASS Action: The SCA will submit the package via the Package Approval Chain (PAC) for review and approval. PAC users reviewing a package can “Approve,” “Disapprove and Move Forward,” or “Return for Rework.” The SCA role will assess the package, enter the “Security Controls Assessor Executive Summary” describing the overall System cybersecurity risk, and provide an “Assessment Date” for the SAR. When complete, the SCA will submit the package to the next role in the approval chain (AO). When a package is submitted to the AO role, eMASS will generate a Workload Task notification. The AO will apply an authorization decision. The automated Authorization Letter will be generated in eMASS.
eMASS Role Assignment: SCA; PAC. AO; PAC
References: NIST SP A, DSS Assessment and Authorization Process Manual (DAAPM), DISA eMASS User Guide, DSS NISP eMASS Instructions, and DSS RMF Information and Resources Webpage.

13 RMF Process Walk Through – Step 6a: Monitor
RMF Step 6a: Industry will assess all technical, management, and operational security controls employed within and inherited by the system in accordance with the organization’s Continuous Monitoring Strategy. The frequency of monitoring is based on the Continuous Monitoring Strategy developed by Industry or the Common Control Provider (CCP) and approved by the AO. Conduct any necessary remediation actions based on findings discovered during ongoing monitoring activities, assessment of risk, and outstanding POA&M items (if applicable). Ensure IS security documentation is updated and maintained based on continuous monitoring results. Report continuous monitoring activities to DSS. As necessary, develop and implement an IS decommissioning strategy.
eMASS Action: Users assigned to a package update the live System following the instructions provided in the DSS NISP eMASS Instructions. These updates include the following:
System Details
Controls
Artifacts
POA&M (unclassified)
eMASS Role Assignment: Information Assurance Manager (IAM)/Industry; CAC-1
Reference(s): NIST SP , NIST SP , NIST , NIST SP (Section 3.5), NISPOM, DSS Assessment and Authorization Process Manual (DAAPM), DISA eMASS User Guide, DSS NISP eMASS Instructions, and DSS RMF Information and Resources Webpage.

14 RMF Process Walk Through – Step 6b: Monitor (DSS)
RMF Step 6b (DSS): DSS will review/assess the reported security status of ISs under its purview, including the effectiveness of security controls employed within and inherited by the systems, in accordance with the approved Continuous Monitoring Strategy. Upon receipt of a decommissioning request, DSS will review and forward the request to the AO. The AO will formally decommission the system. During the next DSS Security Vulnerability Assessment (SVA) or contact/engagement, DSS will verify that all security controls addressing system removal and decommissioning were implemented and that storage media, memory, peripherals, etc. associated with the system were properly sanitized.
eMASS Action: Users within the Package Approval Chain (PAC) select Updates to System from the Package Status screen, and the following will be available:
The Updates to Current System pop-up window displays a count of POA&M Items (grouped by Completion Status) that have been added to the live System since package creation.
Updated Controls are displayed with a list of any changes to control compliance status since package creation.
eMASS Role Assignment: SCA; PAC. AO; PAC
Reference(s): NIST SP , NIST SP , NIST , NIST SP (Section 3.5), NISPOM, DSS Assessment and Authorization Process Manual (DAAPM), DISA eMASS User Guide, DSS NISP eMASS Instructions, and DSS RMF Information and Resources Webpage.

15 eMASS Workflow w/ Embedded Approval & RMF Processes
[Workflow diagram. Process steps, in order: Initiate NISP-eMASS Process; E1.0 Register System; E2.0 Complete System Details; E3.0 Complete Categorization; E4.0 Manage Controls; E5.0 Complete System Record; E6.0 Conduct Assessment; E7.0 Conduct Authorization Analysis; Create Package; Authorization Decision; Initiate Continuous Monitoring. Swimlanes and task groups: IAM (System Record, CAC-1 Tasks; RMF 2/3/4A); SCA (CAC-2 Tasks; RMF 4B); SCA, SCA Team Lead and AO (PAC-1 through PAC-4 Tasks; RMF 5); Continuous Monitoring (RMF 6). The diagram also carries the labels CU, CV and CO.]

16 NISP eMASS in the RMF
RMF Steps | eMASS Actions | Role/Workflow
1. CATEGORIZE (Industry) | System Registration; Assign Roles; Input System Details | IAM/CAC-1
2. SELECT | Baseline Security Control Selection; Overlay Selection; Input of Additional System Details | IAM/CAC-1
3. IMPLEMENT | Input of: Implementation Plan; System-Level Continuous Monitoring (SLCM) Strategy | IAM/CAC-1
4. ASSESS (4a. Industry, 4b. DSS) | 4a. Self-Assessment of Security Controls; 4a. Generation of Automated POA&M; 4a. Review of Finalized Package; 4a. Submission of Final Package to SCA; 4b. Review and Validation of Security Controls within Finalized Package; 4b. Document Weaknesses and/or Deficiencies in SAR; 4b. Approve/Return Package for Rework; 4b. Submission of Finalized Package to the Package Approval Chain (PAC) | 4a. IAM/CAC-1; 4b. SCA/CAC-2
5. AUTHORIZE (DSS) | SCA Generates Security Assessment Report Executive Summary; SCA Recommends Authorization Decision to AO; AO Inputs Authorization Decision; Automated Authorization Letter is Generated | SCA/PAC; AO/PAC
6. MONITOR (Industry & DSS) | Technical, Management, and Operational Security Controls are Assessed, Modified and Submitted for Approval According to the Continuous Monitoring Strategy (CMS); POA&M Remediation/Mitigation Items are Updated, Reviewed and Submitted to SCA for Approval; SCA Reviews Updated Security Controls and POA&M Items in Accordance with the CMS | IAM/PAC

17 Resources Available
DSS RMF Information Resource Center
eMASS Computer Based Training
DSS NAO eMASS Mailbox
RMF Knowledge Service
ECA Sponsorship Guidance

18 Questions?
