This is the edited chat log from the CSIAC Webinar, “eMASS, the True Story”.
Cragin S: I think the foot stomp here is that eMASS is NOT RMF… it is a record keeping and workflow system supporting part of the RMF process
Samuel A: great point Cragin
John B: can contractors get an emass account?
Jerry S: Yes, contractors can get an emass account. Refer to your CC/S/A for their process.
John B: Thanks. We’re a .com and not coming from a .mil domain
Cragin S: Contractors can use eMASS from outside the DODIN with a CAC if the eMASS hosting location allows it.
Cragin S: I use the DHA hosted eMASS from a .org
Cragin S: other organizations use the dot.mil/dot.gov filter and external contractors cannot use theirs.
Lawrence T: Do you foresee contractors subject to DFARS 252.704-7021 (NIST 800-171 r1) eventually being required to use eMASS as well?
Cameron C: The number of CCIs and Assessment Procedures is defined by DoD policy and guidance not by eMASS. eMASS shows users all relevant CCIs based on that policy and system categorization.
Cameron C: Overlays do not remove Security Controls from a system’s baseline. They tailor out Security Controls by marking them as Not Applicable.
Mike P: NIST.SP.800-137 Information Security Continuous Monitoring for Federal Information Systems and Organizations
Amber B: On Overlays…not all of them are in eMASS such as CDS
Cragin S: you can also remove controls from a mandatory overlay by explaining why a particular control is n/a in your specific system
Amber B: you have to manually put them in and right now there are about 80
Cragin S: if you are declaring a control as inherited, you leave it in the list and show how it is inherited
Cameron C: The CDS Overlay is not finalized for the NIST SP 800-53 Revision 4 Control Set. eMASS does not support Overlays that were created based off of NIST SP 800-53 Revision 3.
Jerry B: When do you load your technical STIG results?
Amber B: I am aware of this but a lot of people that I have talked to were not. So just an FYI.
Jerry S: That’s coming up in the presentation.
Mohammed R: STIGs are loaded during Implementation of Security Controls
Amber B: Step 3
Matthew W: Did I hear correctly all security controls must be analyzed annually?
Cameron C: eMASS User Profile allows users to set the frequency when email notifications are sent. Users can set notifications to never, immediately, 24 hours, 48 hours, or weekly.
Matthew W: ok thanks Cameron!
Jerry S: Analyzed != Assessed & Authorized
Mohammed R: FISMA is annually. However, your ConMon should define what you review monthly, quarterly, semi-annually, etc.
Cragin S: ConMon = Continuous Monitoring
Brian D: not to jump the gun, but are there any webinars for STIGs?
Mohammed R: …DISA has a “How To” on STIGs if needed immediately.
Mohammed R: well, more so STIGViewer
Jerry S: Are there going to be further Tiers in eMASS than just Tier 1?
Cameron C: The number of Security Controls and CCIs that are included in a system record are defined by DoD Policy, not decided by eMASS.
Cameron C: Jerry, certain organizations manage Tier 2 Common Controls through policy records that organizational systems inherit from using the Common Control Provider inheritance construct.
Jerry S: Thank you, Cameron.
Nancy L: got them from above thanks!
Cameron C: That link is to the RMF KS
Michelle: I usually do all my inheritance first, so they are automatically annotated on the Implementation Plan.
Angela T: same here, Michelle.
Cameron C: Users have the ability to update that information after a migration is complete. Users do have to fill out the new RMF requirements when migrating from DIACAP to RMF. All applicable DIACAP information is automatically populated by eMASS.
Cragin S: you are not supposed to try to map from DIACAP to RMF… they are different processes
Andrew S: the last mapping I did was less than 50% of DIACAP controls mapped to RMF
Cameron C: If there were a DoD approved mapping between the 8500.2 Controls and the NIST SP 800-53 Rev 4 Controls automation would be possible.
Cragin S: if you rely on a migration and mapping action, you are still in DIACAP checklist mode and not doing risk management
Jerry S: There’s no way to reliably map all of DIACAP to RMF. There are too many differences.
Cameron C: Agreed, Jerry.
Pablo R: Good comment Cragin!
Andrew S: The mapping is just to get a rough idea of what has already been done so you don’t have to do EVERYTHING from scratch.
Jerry S: Right, Andrew.
Sheri C: Any idea if they are going to create an actual ICS overlay from the NIST 800-82 doc?
Cameron C: Sheri, if a DOD ICS overlay is created from the NIST 800-82, it could be implemented in eMASS.
John B: what stig tool are you using to import?
Cameron C: STIGs and IAVMs are available in eMASS to support Asset management.
Andrew S: STIG Viewer: http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx
Jerry S: Looking forward to the STIG to CCI mapping!
Andrew S: STIGs are also available at: http://iase.disa.mil/stigs/
Cameron C: eMASS correlates scan results to DoD APs through STIG CCI mappings. Not all DISA STIGs have CCI mappings currently. Once they do eMASS will be able to correlate the asset scan result information.
Debra B: Slide 26 is also blank in the PDF
Brian D: I am working on our controls in eMASS. We are wrapping up step 2, and heading into step 3.
Jerry B: Security Plan and Assessment & Authorization. The DoD eMASS course (3 days) did not address first creating a SP in eMASS, getting it approved, then going through the A&A process. Is this the process you are following?
Mark W: Is there a list of eMASS SMEs available or a POC that this forum can point me to for an Army inventory project?
Jerry S: Two things: 1) I hear DISA is working on a DoD CCP to provide to eMASS for us to inherit from. 2) Be careful, some of those “automatically compliant” CCIs still require additional action from your CC/S/A or program.
Kevin C: eMASS instructor led training is provided monthly by DISA hosted in the National Capital Region. Users may sign up on the DISA IASE website at https://disa.deps.mil/ext/cop/iase/classroom_training/Registration/Pages/index.aspx
Robert R: Should every control and sub-control be addressed or should each agency tailor the controls to meet their unique needs?
Jerry S: My recommendation is that each CC/S/A should tailor the controls to meet their unique needs.
Andrew S: You can get multiple roles. I did.
Robert R: As determined by whom, the AO or SISO?
Jerry S: If you have a knowledgeable SISO, I would think it’s their role to create the plan.
Cameron C: There is currently a DoD-level Focus Group working to determine the risk assessment/scoring approach for the DoD. As they finalize the approach/implementation guidance, eMASS will follow suit.
Andrew S: Thank you!
Mike P: 53A4 Assessing Security and Privacy Controls in Federal Systems and Organizations
Sheri C: Thank you
Kyle C: Thank you!
Rebecca Onuskanich: Thanks Cameron.
Orlando T: Thank You.
Debra B: Many thanks for your time and agility!
Rebecca Onuskanich: Thanks all! Have a fabulous day!