In this lesson, we're going to discuss eMASS. eMASS is the Enterprise Mission Assurance Support Service. eMASS is a government-owned, web-based application that provides a wide range of fully integrated, comprehensive cybersecurity management services. For example, eMASS provides a dashboard for reporting, control scorecard measurement, and the ability to conduct system security authorization packages, all from within the eMASS system. This Government Off-The-Shelf software, known as GOTS, allows for an easier and more automated method of gaining authorization for your RMF packages, as well as helping to minimize the risk and prevent cyber attacks by establishing process control mechanisms for obtaining the authorization decisions for government and military-based RMF packages. Now, the eMASS system was created by the Department of Defense, known as the DoD, and it is recommended as the tool for information system assessment and authorizations within a military context.
Now, if you're working for the military in uniform, as a civilian, or as a contractor, you may be asked to use eMASS when building out your risk management framework packages or using older packages known as DIACAP. Now, a DIACAP package is an older format that is known as the DoD Information Assurance Certification and Accreditation Process, and it was replaced in recent years by RMF packages. But if you're taking over an older system, you may have to convert this old DIACAP package into the newer RMF-style package, but both are supported within eMASS. Now, the eMASS system is used by the cybersecurity workforce to create control requirements through linear workflows, integrated training, and the auto-generation of security compliance package reports using the online, web-based user interface. By using this system to help automate the RMF package approval process, our cybersecurity professionals can now spend more time on securing the network and its systems instead of simply interpreting policy and filling out lots of paperwork.
Now, this, in turn, leads to an improved level of cyber situational awareness because managers can now easily identify vulnerabilities and make their decisions about the cybersecurity resources needed by their networks and their programs in order to minimize the level of risk with their systems. Now, by using an automated system like eMASS, we're going to be able to improve our cycle time during the RMF approval process, and this allows everybody to work together during the RMF process using the centralized system to transfer information back and forth and get faster approvals. Now, the eMASS automated system has seven main capabilities that you need to be aware of. First, eMASS can be used to automatically generate DIACAP and RMF reports to support package approval. This automated capability is going to be aligned to the Secretary of Defense's Cybersecurity Scorecard Metrics, which are also linked directly to the Enterprise Reporting Service to ensure that the current status is being reported up monthly.
Second, eMASS can be used to create enterprise-level visibility of all authorization packages within a given organization. This, in turn, leads to a more comprehensive organizational security posture because everything can be reviewed in one centralized system instead of being spread across numerous spreadsheets, PowerPoints, and documents. Third, eMASS can be used to manage all the cybersecurity compliance activities and automation throughout the workflow process. Now, this workflow process improvement is going to occur across the entire lifecycle of the system and its associated packages, going from our system registration all the way through system decommissioning and retirement. Fourth, eMASS can also be used to maintain the enterprise baseline for security controls by storing them inside of the eMASS repository. And we'll continually update them with any modern or approved industry standards as we update our packages.
Fifth, eMASS can be used to fully automate inheritance by allowing the systems to inherit security control statuses, artifacts, test results, and system security postures from other organizations and their RMF packages. Sixth, eMASS can be integrated with a Continuous Monitoring Risk Scoring system, known as CMRS. Now, the CMRS system is going to be used to automatically populate the device and scan result data into eMASS's asset module to help us prioritize the asset management actions within the overall RMF process. And seventh, eMASS can allow product teams, testers, and security control assessors to effectively collaborate and execute security assessments from geographically dispersed locations, all by using this Integrated Project Team Environment inside of eMASS. So, as you can see, eMASS comes with a lot of great capabilities to increase the overall security of our systems and minimize our risk footprint.
As you begin to work with eMASS, you're going to find that it's very access control-oriented, and this means it has pretty tight restrictions around the different permissions that are needed to be able to access different parts of the eMASS system and all the information that it contains. That being said, if you work in a small organization, you may have some people who are going to be assigned multiple roles within eMASS, 'cause each person will be performing multiple job functions within eMASS inside of your smaller organizations. Now, as you begin to work in eMASS, it's going to help you move throughout the seven steps of the RMF process. First, you're going to prepare, and then you're going to move into categorization. Now, when you're categorizing your system and the information it processes, it's going to be important to use the NIST Special Publication 800-60. Now, this is known as the Guide for Mapping Types of Information and Information Systems to Security Categories.
Luckily for us, eMASS is going to use those exact same categories within the eMASS system, and therefore, it's relatively easy to categorize your systems against the different NIST Special Publication 800-60 categories that are provided in that document. Now, after you categorize your system in eMASS, you're then going to select all of your controls, you'll perform your implementation, and you'll assess the control effectiveness. And many of these controls can be tested and validated using automated scans, and the results of those scans can then be uploaded into eMASS to link against the selected controls and produce a scorecard measurement and report, along with a dashboard that your authorizing official can review at any time. All right, let's take another quick look at how eMASS works and how it can help you when you're walking through the RMF process. First, you're going to need to start out by inputting all of your data into the eMASS system.
This includes things like your hardware list, your software list, and the results of your most recent vulnerability scans. Second, you're going to find the baseline for your hardware and software of that proposed system. For example, you might say that this is a Dell R690 rack-mounted server that's running Windows Server 2019. Then, you're going to notate that it's running this Windows Server 2019 system, and it has X, Y, and Z as its security patches. As you put all that information about your system's current state into eMASS, you can then fully build out the entire hardware and software list for every part and component of this overall system. Third, we're then going to create our authorization boundary. Now, this authorization boundary is used to define the components, hardware, software, firmware, and other pieces that are going to be connected to create your overall system. You'll also list out your configurations, open ports, and any protocols that you plan to use with that system.
Fourth, you're going to need to apply all the requirements and controls from your STIGs, which are known as your Security Technical Implementation Guides, for that specific hardware, software, or firmware. And fifth, once you have all that data inside of eMASS, you're going to start working on getting your ATO, which is your Authority to Operate, and then moving yourself into that final step of continuous monitoring of your approved RMF package and its associated systems. Now, the final thing we need to discuss in terms of eMASS is what is expected of you as a cybersecurity professional when you're asked to take over the RMF process within your current organization. If you take a new job with an organization and you're asked to update or review your current RMF packages, you're going to need to realize that you are now smack dab in the middle of step seven of this RMF process, and this is known as the monitoring step.
Now, during this monitor step, which I like to refer to as continuous monitoring, you're going to be focused on reviewing the security controls at predefined times. Now, these times could be weekly, monthly, quarterly, annually, or every couple of years depending on your system, your available resources, and the requirements for that given system. Let's say, for example, I have some systems that are required to have a weekly vulnerability scan conducted, as well as a monthly review of some of their controls, annual reviews of their access control rosters, and then once every three years, I'm also going to check the entire RMF package and all of its security controls and policies. As you can see, we're not doing everything all the time, but we're doing some things some of the time throughout this three-year cycle. And at the end of the three-year cycle, we then go through the entire package again.
Now, since all of our systems are sitting in eMASS and we can upload our vulnerability scans into eMASS, we can then use that to automate the process of identifying any security controls that are not being implemented properly, because this can allow us to detect the vulnerabilities using those vulnerability scan results and link those to the different pieces or parts of your overall system inside of eMASS. Now, eMASS is not going to actually write all your identification and authentication details for you, but you can use it to notify you of any software or controls that are considered noncompliant based on your listed baseline and your current vulnerability scans that you took from a tool like Nessus, QualysGuard, OpenVAS, or another type of SCAP scanner. Now, as you can see, the eMASS system is really useful when you're working in the Department of Defense and working inside of this RMF process.
It can help you to identify controls that are properly implemented during your continuous monitoring phase, but it also can help walk you through the RMF process as a whole and help you gain your initial Authority to Operate from your authorizing official.