By Lon J Berman, CISSP, RDRP
The Enterprise Mission Assurance Support Service (eMASS) is a DoD system that serves as an information repository and workflow manager for the Risk Management Framework (RMF) process. The history of eMASS can be traced back to a project called Digital DITSCAP at the Defense Logistics Agency (DLA) in the early 2000s. From those humble beginnings, eMASS has grown to become the de facto standard for RMF support across DoD. While not every DoD agency uses eMASS, it is by far the most prevalent support tool for DoD RMF. The functionality of eMASS has grown as well, as numerous new subsystems and features have been added to better support DoD organizations and system owners. Through a combination of formal training and on-the-job experience, the eMASS user community is becoming more adept at working with this tool and fully utilizing its broad range of functionality. Here are some ways in which the role of eMASS is continuing to expand:
Asset Manager. This eMASS subsystem enables system owners to record asset information on servers, workstations, network devices, etc., and upload applicable scans and Security Technical Implementation Guide (STIG) checklists. eMASS automatically applies a “mapping” of STIG items to security controls such that any STIG item that is not implemented will result in a corresponding security control being labeled as non-compliant. Use of Asset Manager has been on the increase for some time. Many DoD organizations now require at least a “sample” of each system’s assets to be recorded in Asset Manager, with scans and STIG checklists applied as appropriate.
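The roll-up rule described above (any unimplemented STIG item marks its mapped control non-compliant) is easy to misjudge when several assets and several rules feed one control, so here is a small worked model of that logic. This is an added example, not eMASS code: the rule identifiers, the rule-to-control mapping and the sample checklist results are all constructed placeholders, and the status strings follow the values used in STIG checklist (CKL) files.

```python
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum


class Status(str, Enum):
    """Result values as they appear in STIG checklist (CKL) files."""
    NOT_A_FINDING = "NotAFinding"
    OPEN = "Open"
    NOT_APPLICABLE = "Not_Applicable"
    NOT_REVIEWED = "Not_Reviewed"


@dataclass(frozen=True)
class StigResult:
    asset: str      # hostname of the server/workstation/device the checklist covers
    rule_id: str    # STIG rule identifier
    status: Status


# Constructed rule-to-control mapping (placeholder IDs, not real STIG rules).
# In published STIGs each rule cites one or more CCIs, and each CCI maps to a
# NIST SP 800-53 control; this dict collapses those two hops into one.
RULE_TO_CONTROLS = {
    "SV-EXAMPLE-0001": {"AC-2"},
    "SV-EXAMPLE-0002": {"AC-2", "AU-12"},
    "SV-EXAMPLE-0003": {"CM-6"},
    "SV-EXAMPLE-0004": {"IA-5"},
}


def control_compliance(results, mapping=RULE_TO_CONTROLS):
    """Roll per-asset STIG results up to a per-control status.

    A control is 'Non-Compliant' if any mapped rule is Open on any asset,
    'Compliant' if at least one mapped result was reviewed and none is Open,
    and 'Not Assessed' if every mapped result is still Not_Reviewed.
    Rules absent from the mapping contribute to no control.
    """
    by_control = defaultdict(list)
    for r in results:
        for ctrl in mapping.get(r.rule_id, ()):
            by_control[ctrl].append(r.status)

    verdict = {}
    for ctrl, statuses in by_control.items():
        if Status.OPEN in statuses:
            verdict[ctrl] = "Non-Compliant"
        elif any(s in (Status.NOT_A_FINDING, Status.NOT_APPLICABLE) for s in statuses):
            verdict[ctrl] = "Compliant"
        else:
            verdict[ctrl] = "Not Assessed"
    return verdict


def open_findings_by_control(results, mapping=RULE_TO_CONTROLS):
    """For each non-compliant control, list the (asset, rule_id) pairs that caused it.

    This is the evidence a system owner needs to trace a red control back to
    the specific checklist item on the specific asset that has to be fixed.
    """
    out = defaultdict(list)
    for r in results:
        if r.status is Status.OPEN:
            for ctrl in mapping.get(r.rule_id, ()):
                out[ctrl].append((r.asset, r.rule_id))
    return dict(out)


# Constructed sample: two assets, one with an open finding, one with an
# item still unreviewed.
SAMPLE_RESULTS = [
    StigResult("srv01", "SV-EXAMPLE-0001", Status.NOT_A_FINDING),
    StigResult("srv01", "SV-EXAMPLE-0002", Status.OPEN),
    StigResult("srv01", "SV-EXAMPLE-0003", Status.NOT_A_FINDING),
    StigResult("wks07", "SV-EXAMPLE-0001", Status.NOT_A_FINDING),
    StigResult("wks07", "SV-EXAMPLE-0003", Status.NOT_APPLICABLE),
    StigResult("wks07", "SV-EXAMPLE-0004", Status.NOT_REVIEWED),
]

if __name__ == "__main__":
    for ctrl, status in sorted(control_compliance(SAMPLE_RESULTS).items()):
        print(f"{ctrl}: {status}")
    print(open_findings_by_control(SAMPLE_RESULTS))
```

Note that one Open result on one asset is enough to turn AC-2 and AU-12 red even though the same rule passes everywhere else, which is why organizations that upload only a "sample" of assets still get meaningful control-level results, and why a single unreviewed item leaves IA-5 as not assessed rather than silently compliant.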
Assess-Only. DoD Instruction 8510.01 identifies two distinct RMF processes. “Assess and Authorize” is the traditional RMF process, leading to ATO, and is applicable to systems such as enclaves, major applications and PIT systems. “Assess Only” is a simplified process that applies to IT “below the system level”, such as hardware and software products. Several DoD components have begun using the Assess Only process as a successor to their legacy Certificate of Networthiness or Approved Products List programs.
Defense Security Service (DSS). DSS has embraced eMASS as its standard support tool for RMF within the National Industrial Security Program (NISP). eMASS has been customized to support the classified contractor community, including specific security control baselines and overlays for various IT configurations, including Single-user Standalone (SUSA), Multi-user Standalone (MUSA), etc. Classified contractors are now required to use NISP eMASS to document their compliance, build their RMF packages and submit to DSS for approval (ATO).
FISMA. System owners are required to record certain FISMA items, such as ATO expiration dates, contingency plan test dates, etc. eMASS has always provided “place holders” for this type of information, but traditionally, each DoD component’s IT Program Registry or Portfolio Management System has been the authoritative repository. Of late, however, DoD organizations are beginning to rely on eMASS as the authoritative source for the information from which their FISMA metrics are derived.
Expansion beyond DoD. Probably the most interesting … and surprising … expansion of eMASS has been its adoption by the Department of Veterans Affairs (VA). This represents the first significant use of eMASS outside of DoD. It will be interesting to see if this is the start of a trend. Could widespread adoption of eMASS among civil agencies or the intelligence community be in our future? Only time will tell.