1
00:00:00,270 --> 00:00:02,610
One of the things about eMASS

2
00:00:02,610 --> 00:00:07,320
is it holds all its data in a centralized location.

3
00:00:07,320 --> 00:00:10,380
With centralized data come benefits

4
00:00:10,380 --> 00:00:13,470
like better reporting and analysis,

5
00:00:13,470 --> 00:00:16,410
but also there's increased risk,

6
00:00:16,410 --> 00:00:18,573
and to make the situation more challenging,

7
00:00:19,429 --> 00:00:21,510
eMASS is also web-based,

8
00:00:21,510 --> 00:00:24,960
and it's available over the open internet.

9
00:00:24,960 --> 00:00:27,600
From a cyber risk manager's perspective,

10
00:00:27,600 --> 00:00:31,170
you might be thinking, "Okay, eMASS has a list

11
00:00:31,170 --> 00:00:35,910
of all my systems, all of the software, their versions,

12
00:00:35,910 --> 00:00:40,910
IP addresses, boundary diagrams, ports, protocols, services,

13
00:00:41,945 --> 00:00:45,390
how I'm authenticating my users, which encryption I'm using,

14
00:00:45,390 --> 00:00:46,497
and on and on and on."

15
00:00:47,370 --> 00:00:50,190
In fact, all of us eMASS users

16
00:00:50,190 --> 00:00:52,260
are putting every single design

17
00:00:52,260 --> 00:00:54,900
and system security engineering aspect

18
00:00:54,900 --> 00:00:57,780
into one web-based application,

19
00:00:57,780 --> 00:01:02,400
which in itself creates some vulnerabilities.

20
00:01:02,400 --> 00:01:06,900
You possibly now have all your DoD systems located

21
00:01:06,900 --> 00:01:11,070
in one place, identifying the hardware, software,

22
00:01:11,070 --> 00:01:13,710
and vulnerabilities that you identified

23
00:01:13,710 --> 00:01:16,110
throughout the RMF process.

24
00:01:16,110 --> 00:01:19,563
It becomes an adversary's treasure chest.

25
00:01:20,910 --> 00:01:23,700
The nature of the eMASS system architecture

26
00:01:23,700 --> 00:01:26,730
also suggests it could suffer downtime

27
00:01:26,730 --> 00:01:29,310
should a centralized component fail,

28
00:01:29,310 --> 00:01:31,320
and that would stop you in your tracks

29
00:01:31,320 --> 00:01:35,430
in terms of getting your ATO done on time and on budget.

30
00:01:35,430 --> 00:01:37,657
We think it's reasonable for you to ask,

31
00:01:37,657 --> 00:01:41,700
"How do we know eMASS is secure for our use?"

32
00:01:41,700 --> 00:01:44,850
For all these reasons, the very question of using eMASS

33
00:01:44,850 --> 00:01:48,900
becomes a risk-based decision for organizations.

34
00:01:48,900 --> 00:01:52,500
Are the risks worth using it or not?

35
00:01:52,500 --> 00:01:55,170
We can't make that decision for you,

36
00:01:55,170 --> 00:01:57,270
nor do we have a recommendation.

37
00:01:57,270 --> 00:02:00,060
In part, this is because we have no visibility

38
00:02:00,060 --> 00:02:03,930
into how the cybersecurity of eMASS is managed.

39
00:02:03,930 --> 00:02:07,740
We also don't know anything about your specific situation,

40
00:02:07,740 --> 00:02:09,030
but we do want to encourage you

41
00:02:09,030 --> 00:02:11,340
to speak with your approving official

42
00:02:11,340 --> 00:02:14,880
if you have any security concerns about using eMASS

43
00:02:14,880 --> 00:02:17,700
or any other automated system

44
00:02:17,700 --> 00:02:19,533
with the risk management framework.