For the “ControlInfoExport” spreadsheet, DCSA now requires a comprehensive answer for the “Implementation Narrative” field. Please note that a 2021 update to NISP eMASS replaced the “Comments” field with the “Implementation Narrative” field.
For example, for AC-2, Account Management, cleared industry must describe how the control is actually implemented. A great example for an answer would be the following:
Control implemented by establishing defined user groups within Group Policy, which includes account creation for System Administrators, Data Transfer Agents, and General User Accounts. Furthermore, system event log monitoring has been established for automated alerting, and the Weekly Security Event Log Analysis report is reviewed each week to determine if any access rights discrepancies have been found. Additionally, an Account Request Form is used for provisioning new users.
Another example for the “implementation narrative” field would be the following, for IR-3, Incident Response Testing.
Control implemented by performing regularly scheduled tabletop exercises (TTE) to determine the DoD Incident Response Plan's effectiveness and the organization's readiness to execute the plan. Results of the TTE are provided to all relevant stakeholders. The TTE exercises are to be reviewed annually to determine if desired results are satisfactory and if any needed changes/corrective actions are required.
From Beginning to End, Complete Project Management for NIST RMF A&A within eMASS
With Arlington, we can manage your entire NIST RMF A&A process within eMASS from beginning to end (i.e., from the initial NIST RMF eMASS scoping & gap assessment to post-Authorization to Operate (ATO) activities), providing essential services for getting you to the finish line in terms of your ATO. Core services and solutions offered include the following:
Scoping & Gap (i.e., Readiness) Assessments
Remediation Services (Policy and Procedures writing)
Remediation Services (Technical and Operational)
System Security Plan (SSP) Development
Completion of eMASS Export Control Spreadsheets
Continuous Monitoring (ConMon) Services
100 + NIST 800-53 Templates Available for Download for Cleared Industry
The solution for cleared industry is the Arlington Security Portal (ASP), an online repository of world-class, industry leading security and privacy policies & procedures, programs, plans – and other highly essential documents & templates developed specifically on NIST SP 800-53, Revision 5.
How Arlington Can Help
We have years of experience working within the broader federal agency apparatus in helping federal contractors develop high-quality, well-written, policies and procedures and additional NIST RMF information security and privacy materials. Our NIST RMF information security and privacy policies, procedures, programs, and plans have been used by thousands of federal contractors in helping organizations develop customized documentation for their growing security and compliance needs.
We are Arlington, a team of innovative, solution-oriented, highly agile, and well-versed professionals with decades of experience in working with America’s defense industry. From emerging cybersecurity regulations to helping our clients solve complex security & compliance solutions – and so much more – you can trust Arlington, the firm that’s Dedicated to Defense®. Learn more atarlingtonintel.com.