
CSIAC Webinar – eMASS, the True Story – Chat Log

This is the edited chat log from the CSIAC Webinar, “eMASS, the True Story“.

Notice: This content may contain personal or third-party views and opinions not associated with the government.
Please see our terms of use located here: https://www.csiac.org/csiac-terms-of-use/


Cragin S: I think the foot stomp here is that eMASS is NOT RMF… it is a record keeping and workflow system supporting part of the RMF process

Samuel A: great point Cragin

John B: can contractors get an emass account?

Jerry S: Yes, contractors can get an emass account. Refer to your CC/S/A for their process.

John B: Thanks. We’re a .com and not coming from a .mil domain

Cragin S: Contractors can use eMASS from outside the DODIN with a CAC if the eMASS hosting location allows it.

Cragin S: I use the DHA hosted eMASS from a .org

Cragin S: other organizations use the dot.mil/dot.gov filter and external contractors cannot use theirs.

Lawrence T: Do you foresee contractors subject to DFARS 252.704-7021 (NIST 800-171 r1) eventually being required to use eMASS as well?

Cameron C: The number of CCIs and Assessment Procedures is defined by DoD policy and guidance not by eMASS. eMASS shows users all relevant CCIs based on that policy and system categorization.

Cameron C: Overlays do not remove Security Controls from a system’s baseline. They tailor out Security Controls by marking them as Not Applicable.

Frederick E: https://rmfks.osd.mil/rmf/General/SecurityControls/Pages/ControlsExplorer.aspx

Mike P: NIST.SP.800-137 Information Security Continuous Monitoring for Federal Information Systems and Organizations

Amber B: On Overlays…not all of them are in eMASS, such as CDS

Cragin S: you can also remove controls from a mandatory overlay by explaining why a particular control is n/a in your specific system

Amber B: you have to manually put them in, and right now there are about 80

Cragin S: if you are declaring a control as inherited, you leave it in the list and show how it is inherited

Cameron C: The CDS Overlay is not finalized for the NIST SP 800-53 Revision 4 Control Set. eMASS does not support Overlays that were created based off of NIST SP 800-53 Revision 3.

Jerry B: When do you load your technical STIG results?

Amber B: I am aware of this but a lot of people that I have talked to were not. So just an FYI.

Jerry S: That’s coming up in the presentation.

Mohammed R: STIGs are loaded during Implementation of Security Controls

Amber B: Step 3

Matthew W: Did I hear correctly all security controls must be analyzed annually?

Cameron C: eMASS User Profile allows users to set the frequency when email notifications are sent. Users can set notifications to never, immediately, 24 hours, 48 hours, or weekly.

Matthew W: ok thanks Cameron!

Jerry S: Analyzed != Assessed & Authorized

Mohammed R: FISMA is annually. However, your ConMon should define what you review monthly, quarterly, semi-annually, etc.

Cragin S: ConMon = Continuous Monitoring

Brian D: not to jump the gun, but are there any webinars for STIGs?

Mohammed R: …DISA has a “How To” on STIGs if needed immediately.

Mohammed R: well, more so STIGViewer

Jerry S: Are there going to be further Tiers in eMASS than just Tier 1?

Cameron C: The number of Security Controls and CCIs that are included in a system record are defined by DoD Policy, not decided by eMASS.

Cameron C: Jerry, certain organizations manage Tier 2 Common Controls through policy records that organizational systems inherit from using the Common Control Provider inheritance construct.

Jerry S: Thank you, Cameron.

Debra B: Nancy… https://rmfks.osd.mil/rmf/General/SecurityControls/Pages/ControlsExplorer.aspx

Nancy L: got them from above thanks!

Cameron C: That link is to the RMF KS

Michelle: I usually do all my inheritance first, so they are automatically annotated on the Implementation Plan.

Angela T: same here, Michelle.

Cameron C: Users have the ability to update that information after a migration is complete. Users do have to fill out the new RMF requirements when migrating from DIACAP to RMF. All applicable DIACAP information is automatically populated by eMASS.

Cragin S: you are not supposed to try to map from DIACAP to RMF… they are different processes

Andrew S: the last mapping I did was less than 50% of DIACAP controls mapped to RMF

Cameron C: If there were a DoD approved mapping between the 8500.2 Controls and the NIST SP 800-53 Rev 4 Controls automation would be possible.

Cragin S: if you rely on a migration and mapping action, you are still in DIACAP checklist mode and not doing risk management

Jerry S: There’s no way to reliably map all of DIACAP to RMF. There are too many differences.

Cameron C: Agreed, Jerry.

Pablo R: Good comment Cragin!

Andrew S: The mapping is just to get a rough idea of what has already been done so you don’t have to do EVERYTHING from scratch.

Jerry S: Right, Andrew.

Sheri C: Any idea if they are going to create an actual ICS overlay from the NIST 800-82 doc?

Cameron C: Sheri, if a DOD ICS overlay is created from the NIST 800-82, it could be implemented in eMASS.

John B: what stig tool are you using to import?

Cameron C: STIGs and IAVMs are available in eMASS to support Asset management.

Andrew S: STIG Viewer: http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx

Jerry S: Looking forward to the STIG to CCI mapping!

Andrew S: STIGs are also available at: http://iase.disa.mil/stigs/

Cameron C: eMASS correlates scan results to DoD APs through STIG CCI mappings. Not all DISA STIGs have CCI mappings currently. Once they do eMASS will be able to correlate the asset scan result information.

Debra B: Slide 26 is also blank in the PDF

Brian D: I am working on our controls in eMASS. We are wrapping up step 2, and heading into step 3.

Jerry B: Security Plan and Assessment & Authorization. The DoD eMASS course (3 days) did not address first creating a SP in eMASS, getting it approved, then going through the A&A process. Is this the process you are following?

Mark W: Is there a list of eMASS SMEs available or a POC that this forum can point me to for an Army inventory project?

Jerry S: Two things: 1) I hear DISA is working on a DoD CCP to provide to eMASS for us to inherit from. 2) Be careful, some of those “automatically compliant” CCIs still require additional action from your CC/S/A or program.

Kevin C: eMASS instructor led training is provided monthly by DISA hosted in the National Capital Region. Users may sign up on the DISA IASE website at https://disa.deps.mil/ext/cop/iase/classroom_training/Registration/Pages/index.aspx

Robert R: Should every control and sub-control be addressed or should each agency tailor the controls to meet their unique needs?

Jerry S: My recommendation is that each CC/S/A should tailor the controls to meet their unique needs.

Andrew S: You can get multiple roles. I did.

Robert R: As determined by whom, the AO or SISO?

Jerry S: If you have a knowledgeable SISO, I would think it’s their role to create the plan.

Cameron C: There is currently a DoD-level Focus Group working to determine the risk assessment/scoring approach for the DoD. As they finalize the approach/implementation guidance, eMASS will follow suit.

Andrew S: Thank you!

Mike P: 53A4 Assessing Security and Privacy Controls in Federal Systems and Organizations

Sheri C: Thank you

Kyle C: Thank you!

Rebecca Onuskanich: Thanks Cameron.

Orlando T: Thank You.

Debra B: Many thanks for your time and agility!

Rebecca Onuskanich: Thanks all! Have a fabulous day!

CSIAC Webinar – eMASS, the True Story

Presenter: Rebecca Onuskanich

This webinar covers the realities of the Enterprise Mission Assurance Support Service (eMASS): what works well, what does not work, and how to best make it work for you.

The webinar discusses how to categorize your system, select applicable controls, and leverage eMASS to assist in this process. Two specific topics that are covered are how inheritance works in eMASS (and does not work) and the tricky business of uploading STIGs/CKLs (and the painful lessons associated with doing it the wrong way). For those attending who don’t have eMASS access but will have systems being added to eMASS in the future, we discuss how to best prepare your system for import into eMASS. There are some tricks to the trade that will make life easier for everyone on the project!
