Use the Excel file template for a DoD data incident.
September 3, AT — Awareness and Training (1 file)
June 20, AU — Audit and Accountability (1 file)
CA — Security Assessment and Authorization (1 file)
CM — Configuration Management (1 file)
This new approach addresses risk-related concerns while providing a consistent, disciplined, and structured process integrating risk management activities into the system development life cycle (SDLC).
RMF serves a federal mandate for agencies and organizations handling federal data and associated information. It focuses on selecting and implementing security and privacy controls, including continuous monitoring to assess the effectiveness of the controls. RMF allows for Cybersecurity Reciprocity, which serves as the default for Assessment and Authorization of an IT system and presumes acceptance of existing test and assessment results.
The eMASS tool provides a central location for managing all documentation, controls, and the like for working through the RMF process. The intent is to eliminate redundancy and unnecessary testing in order to streamline all aspects of cyber security management. When systems are evaluated, they are not certified; instead, they are assessed. After the Designated Accrediting Authority (DAA) signs off for the system to go live or be allowed to remain operational, the system is authorized, not accredited.
The purpose of this approach was to avoid confusion as to what security a system needs. A system could be allowed to have two consecutive IATOs.
Question: Is there any automatic interaction with eMASS, etc.?
Answer: There is no automatic interaction with eMASS at the moment; you will still have to upload the required documentation into either SNAP or SGS separately.
Question: On the scorecard, are you still accepting the digital signature?
Answer: Yes, either physical, electronic, or eMASS signature.
Question: If I upload a new package and hit submit, who does it go to?
Answer: Once a package is submitted, it gets assigned to an analyst for processing.
Question: Why have we not received a confirmation e-mail notifying us that our SGS account has been created?
Answer: One reason why you might not have received an e-mail confirming the creation of your SGS account is that your request has been rejected. Please confirm that all the items in the request form were filled out. The other reason could be that your e-mail address is incorrect.
Question: What types of roles are currently available within SGS?
Answer: There are four types of roles. The Organizational role allows the individual to view all CCSDs in SGS for that specific organization; the Validator role allows the individual to validate the package being submitted for our approval; the User role allows the individual to register and modify registration; and the Global Read Only role allows the individual to view all CCSDs in SGS.
Question: Section
Answer: SGS is designed to capture all types of connect requests; therefore, it must list all the different items a connect request could be required to have.
Question: Where can I find a more detailed outline of the Topology Requirements?
Answer: Customers are to include a video switch in their enclave for accreditation.
Question: When including both voice and video in our enclave, do we separate them or combine them?
Answer: Separating the voice and video in the enclave makes the Topology simpler to understand and analyze.
Answer: Yes, the package must be resubmitted with the changes made, because this can affect the security posture of the network.
Question: In an independent phase, is it required to show the internal piece of the external connection even though the connection is not owned by the requestor?
Answer: No, it is not required.
Question: Do we need to show every item and device in the Topology?
Answer: No, showing the IP scan should be sufficient.
Question: Are Kiosk type systems acceptable as part of the connection package?
Question: Are we supposed to encrypt the IP Addresses from the high side or low side?
Answer: We receive the IP Addresses on both the high and the low side.
Answer: No, they do not need to mirror the templates; the templates are merely to show the necessary information that is required in the Topology diagram.