eMASS, the True Story. Today's Presenter: Rebecca Onuskanich (PowerPoint PPT Presentation)



SLIDE 1

eMASS, the True Story

Today's Presenter: Rebecca Onuskanich, Cybersecurity Consultant
June 29, 2017

Moderator: Steve Warzala swarzala@quanterion.com

https://www.csiac.org/

SLIDE 2

The Risk Management Framework Process

Step 1: Categorize
Step 2: Select
Step 3: Implement
Step 4: Assess
Step 5: Authorize
Step 6: Continuous Monitoring

*Derived from requirements in NIST SP 800-37, Rev. 1 and DoDI 8510.01

SLIDE 8

The Risk Management Framework Process

STEP 1: Categorize System

  • No linkage to NIST SP 800-60 Vol. II or guidance in eMASS on categorizing.
  • Categorize the system in accordance with CNSSI 1253.
  • Initiate the Security Plan: define the system description and boundary.
  • Register the system with the DoD Component Cybersecurity Program.
  • Assign qualified personnel to RMF roles.

STEP 2: Select Security Controls

  • The number of CCIs managed in eMASS is overwhelming. Step away from the computer!
  • Identify the security controls that are provided by the organization as common and document them in the Security Plan.
  • Select the security controls, apply overlays, and tailor accordingly.
  • Develop a strategy for the continuous monitoring of security control effectiveness and of any proposed/actual changes to the information system and environment of operation.
  • Review and approve the Security Plan and ConMon Strategy.

STEP 3: Implement Security Controls

  • Evidence and artifacts are uploaded. Managing these artifacts can become a Configuration Management headache!
  • Implement the security controls specified in the Security Plan in accordance with DoD implementation guidance found on the DoD RMF KS.
  • Document the security control implementation in the Security Plan in accordance with DoD implementation guidance.

STEP 4: Assess Security Controls

  • Conducted by the SCA. The control status will be changed to "OFFICIAL".
  • Develop and approve the Security Assessment Plan (SAP).
  • The Security Control Assessor (SCA) will assess security controls as defined in the SAP.
  • Complete the Security Assessment Report (SAR), prepared by the SCA.
  • Conduct initial remediation actions.

STEP 5: Authorize System

  • Authorization is submitted through eMASS to the AO. You MUST communicate with your chain to ensure they are aware of the incoming/pending request.
  • Prepare the Plan of Action and Milestones (POA&M).
  • Submit the Security Authorization package (Security Plan, SAR, RAR, POA&M) to the Authorizing Official (AO).
  • The AO determines the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation.
  • The AO makes the authorization decision (ATO, IATT, DATO).

STEP 6: Monitor Security Controls

  • Alert emails will drive you BONKERS!!!
  • Determine the impact of changes to the system and environment.
  • Assess selected controls annually.
  • Conduct needed remediations.
  • Update the Security Plan, SAR and POA&M.
  • Report security status to the AO.
  • Implement the system decommissioning strategy.

*Derived from requirements in NIST SP 800-37, Rev. 1 and DoDI 8510.01

SLIDE 9

eMASS is pretty helpful!

  • The Help manual is pretty awesome.
  • Repository for artifacts.
  • Allows me to have multiple folks working on the A&A at once.
  • Keeps track of who makes what changes.
  • Provides an avenue to ensure systems flow through the process.

SLIDE 10

SLIDE 11

SLIDE 12

SLIDE 13

Tabs Don't Necessarily Share Information

SLIDE 14

Tabs Don't Necessarily Share Information

SLIDE 15

Migrating DIACAP Systems

SLIDE 16

SLIDE 17

Migrating from DIACAP to RMF

  • When you migrate a system from DIACAP to RMF, you can't start a new system with a new Information Technology Investment Portfolio System (ITIPS) number, as you will receive an error.
  • It maintains the EITDR number, and you can't update this.
  • The wizard isn't a wizard. Not all of the information transitions.
  • There is NO 1:1 DIACAP-to-RMF control mapping.
  • If you don't transfer all documentation and POA&M items, they can still be found by the SCAs.

SLIDE 18

Inheritance

  • The AF has a policy "system" that you can inherit.
  • If you inherit a control that is defined as Non-Compliant and your system is compliant, you can't change this status.
  • To-be-fielded systems in development:
      • Not Applicable,
      • Non-Compliant, or
      • create a manual association.

SLIDE 19

Overlays

  • If a Security Control is set to be removed due to the application of an Overlay, it will be automatically marked "NAO" and is un-editable by users.
  • A control is deemed "Not Applicable" per an applied Overlay.
  • Previously associated vulnerabilities for that control will be archived.

SLIDE 20

Overlays

SLIDE 21

Adding Assets and Scans

SLIDE 22

Adding Assets and Scans

SLIDE 23

Adding Assets and Scans

SLIDE 24

Test Results Uploads

  • Uploading STIG CMRS files, Nessus files, ACAS or HBSS scan results does not tie the vulnerabilities to CCIs every time.
  • Extremely manual.
  • Using the Test Results Import/Export helps keep things in a slightly easier format to read.
  • Once you upload, it will import the information that you completed in the columns.
  • No ability to tie a specific STIG vulnerability to a CCI automatically.
  • The Cyber Technology Maturation Framework (CTMF) Program is working on automating this.
  • Conflicts: as the A&A SME, if I have defined a CCI as N/A and the DB SME reviews the STIG and marks the control as NC in STIG Viewer, a conflict appears in eMASS.
  • You can't go back and change this annotation in eMASS for the STIG.
  • Requires that a new STIG be uploaded, which overwrites the previous one.
  • Must remember to close out the POA&Ms developed.

SLIDE 25

POA&M

  • N/C controls do not automatically drive you to create a POA&M.
  • This requires you to continuously check the status.
  • Large, complex systems will possibly have hundreds of open items in eMASS from the STIG and ACAS uploads.
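A small reconciliation check for the two gaps just described (a CCI set to N/A while a STIG check mapped to it is NC, and NC findings with no POA&M item), added here as an example and not part of the presentation or of eMASS itself. The CSV column names and sample rows are constructed stand-ins for the Test Results Import/Export and POA&M exports, not eMASS's real templates.

```python
"""
Reconcile three constructed exports to surface two eMASS pain points:
  1. a CCI the A&A SME set to N/A while a STIG check mapped to it is Open (conflict)
  2. an Open/NC item with no POA&M entry (eMASS does not create one for you)
Column names and rows below are constructed for this example only.
"""
import csv
import io

# Constructed sample exports (not real eMASS data or template formats).
CCI_STATUS = """cci,control,status
CCI-000001,AC-2,Compliant
CCI-000002,AC-2,N/A
CCI-000003,CM-6,NC
"""
STIG_RESULTS = """vuln_id,cci,result
V-0001,CCI-000001,NotAFinding
V-0002,CCI-000002,Open
V-0003,CCI-000003,Open
V-0004,CCI-000004,Open
"""
POAMS = """poam_id,cci,status
P-1,CCI-000003,Ongoing
"""


def load(text):
    """Parse a CSV export (header row first) into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_conflicts(cci_rows, stig_rows):
    """STIG checks still Open against a CCI the A&A SME marked N/A."""
    na = {r["cci"] for r in cci_rows if r["status"] == "N/A"}
    return sorted(r["vuln_id"] for r in stig_rows
                  if r["result"] == "Open" and r["cci"] in na)


def nc_without_poam(cci_rows, stig_rows, poam_rows):
    """NC CCIs and Open STIG findings (excluding N/A conflicts) lacking a live POA&M."""
    covered = {r["cci"] for r in poam_rows if r["status"] != "Completed"}
    na = {r["cci"] for r in cci_rows if r["status"] == "N/A"}
    nc = {r["cci"] for r in cci_rows if r["status"] == "NC"}
    nc |= {r["cci"] for r in stig_rows if r["result"] == "Open" and r["cci"] not in na}
    return sorted(nc - covered)


if __name__ == "__main__":
    ccis, stigs, poams = load(CCI_STATUS), load(STIG_RESULTS), load(POAMS)
    print("conflicts:", find_conflicts(ccis, stigs))          # ['V-0002']
    print("NC without POA&M:", nc_without_poam(ccis, stigs, poams))  # ['CCI-000004']
```

Run it against your own exports by swapping the three constants for file contents; the sort keeps the output stable across runs for diffing week to week.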
SLIDE 26

POA&M Template

SLIDE 27

Overall: it's progressing nicely and I look forward to the continuous addition of features!

SLIDE 28

Back-up Slides

SLIDE 29

Assess Only

A Moderate, Low, Low baseline for an "Assess Only" system begins with 6 Security Controls and 58 Security Control Assessment Procedures before any tailoring, as outlined in eMASS and adopted from CNSSI 1253 and NIST SP 800-53 Rev. 4.

SLIDE 30

AF Assess Only Flow Chart

The Air Force (AF) Assess Only process = 4 STEPS: (1) CATEGORIZE, (2) SELECT, (3) IMPLEMENT, and (4) ASSESS.

Flow chart content (reading order):

  • Generate the AF Information Technology (IT) Categorization and Selection Checklist
  • Authorizing Official (AO)/AODR and Program Manager (PM) approval
  • Register AF IT in the Enterprise IT Database Repository (EITDR)
  • RMF Assess Only: Enterprise Mission Support service (eMASS) Registration
  • Assess Only Artifacts
  • Security Control Assessor (SCA): Approve, or Disapprove and return to the RMF team for re-work
  • Information System Security Manager (ISSM): POA&M for ISSM signature; Approve, or Disapprove and return to the SCA for re-work
  • Signed POA&M and other artifacts certifying process completion uploaded to eMASS
  • RMF Authorization Decision

References: Air Force and Space AO Assess Only site/URL; DoDI 8510.01; AFI 17-101; DoD RMF KS

SLIDE 31

Conflict

SLIDE 32

Conflict

SLIDE 33

Conflict

SLIDE 34

Import/Export Template