July 18, 2023

NISP Tips on eMASS DCSA “TRExport” Spreadsheet Information

The “Test Results” field is one of the most heavily scrutinized areas within the “TRExport” spreadsheet, and understandably so, as DCSA personnel want to know exactly what test procedures were performed to validate the control. With that said, you need to provide relevant, factual, detailed information. But remember, DCSA personnel do not want to read a novel: they often object to overly long, multi-paragraph, wordy answers just as much as they do to short and/or templated answers. Also, per a recent presentation by DCSA personnel:

  • “Test Results are not Implementation Narrative details or ConMon.”
  • “Test Results are a summary of the actions that have already taken place to validate that controls have been effectively implemented.”

For example, for MP-2.1, Media Protection, you’ll need to describe how the control was actually tested. An excellent example answer would be the following:

The ABC Company ISSM validated that a Media Protection Policy and Procedures document is in place, reviewed and updated as needed on an annual basis. The document contains all necessary information pertaining to defining personnel roles and responsibilities. ISSM also conducted physical inspection of the information system to confirm that the only types of media allowed are external USB Drives and external optical drives, both of which are secured at all times. Also, ISSM confirmed through physical inspection that there are hardware plugs on vacant ports, only authorized personnel can handle media, and if necessary, media will be destroyed per DoD guidelines.

From Beginning to End, Complete Project Management for NIST RMF A&A within eMASS

With Arlington, we can manage your entire NIST RMF A&A process within eMASS from beginning to end (i.e., from the initial NIST RMF eMASS scoping & gap assessment to post-Authorization to Operate (ATO) activities), providing essential services for getting you to the finish line in terms of your ATO. Core services and solutions offered include the following:

  • Scoping & Gap (i.e., Readiness) Assessments
  • Remediation Services (Policy and Procedures writing)
  • Remediation Services (Technical and Operational)
  • System Security Plan (SSP) Development
  • Completion of eMASS Export Control Spreadsheets
  • Continuous Monitoring (ConMon) Services

100+ NIST 800-53 Templates Available for Download for Cleared Industry

The solution for cleared industry is the Arlington Security Portal (ASP), an online repository of world-class, industry-leading security and privacy policies & procedures, programs, plans, and other highly essential documents & templates developed specifically on NIST SP 800-53, Revision 5.

About Arlington

We are Arlington, a team of innovative, solution-oriented, highly agile, and well-versed professionals with decades of experience in working with America’s defense industry. From emerging cybersecurity regulations to helping our clients solve complex security & compliance challenges, and so much more, you can trust Arlington, the firm that’s Dedicated to Defense®. Learn more at arlingtonintel.com.