Top Ten Things You Should Know about eMASS
By Lon J. Berman, CISSP
The Enterprise Mission Assurance Support Service, or eMASS, is a web-based Government off-the-shelf (GOTS) solution that automates a broad range of services for comprehensive, fully-integrated cybersecurity management, including controls scorecard measurement, dashboard reporting, and the generation of Risk Management Framework (RMF) package reports.
If you’re not yet using eMASS to support your RMF activities, here are 10 things you probably need to know. If you’re already using eMASS, please read on; you’ll probably learn a few new things!
1. eMASS is not a single, integrated system. There are actually separate eMASS “instances” (i.e., databases) for each DoD component (e.g., Army, Navy, Air Force, DISA, NGB, DHRA, DAU, etc.). There is limited ability for one database to “reach across” to another (e.g., to implement control inheritance).
2. A few DoD components are not currently using eMASS because they have “standardized” on a different tool for RMF support. Even within DoD components that are “standardized” on eMASS, there may be individual commands or programs that are not participating.
3. Each DoD component has its own process for access approval. In most cases, a DD 2875 form is required, along with evidence of completion of DISA eMASS training (see below).
4. DISA provides a short online eMASS training course that is required in order to obtain an account, as well as limited classroom training. Commercial training providers offer various in-depth online and classroom training programs.
5. Access to eMASS requires a DoD Common Access Card (CAC) – no exceptions!
6. Most eMASS databases are accessible from NIPRNET only (not the Internet). This can be problematic for contractors who typically work off-site. In those cases, the DoD customer needs to provide some sort of “remote access” solution (e.g., VPN, Citrix, VDI) that enables off-site contractors to get “virtual” NIPRNET access. A few of the eMASS databases (e.g., Navy, DHRA) are directly accessible to off-site contractors from the Internet.
7. In addition to the eMASS account itself, users must be assigned to specific “roles” within the various “systems” that give them permission to read and/or write information in the record. In general, an eMASS user can only “see” systems in which he/she has been assigned a role. (Note: at least one of the eMASS “instances” had less restrictive permissions in which all users had read access to all systems; to the best of our knowledge, that is no longer the case.)
8. eMASS now requires all users to log in at least once every 35 days; accounts left “dormant” for more than 35 days are automatically deactivated. If you have an account on more than one eMASS “instance” (e.g., Army and Air Force), you will need to log in at least once every 35 days on each instance.
9. eMASS also enforces an “inactivity timeout” for logged-in users. If you do not click on anything or type anything for 30 minutes, your session is terminated and you will have to log into eMASS again in order to continue your work.
10. If you have an eMASS account, you should periodically receive e-mail messages from DISA informing you of planned outages, system upgrades, etc. Please read these carefully. NOTE: Do not access eMASS during any announced outage period; you may be able to successfully log in, but information you enter may not be saved!