System Scans in eMASS … Think Before You Upload!

By Kathryn M. Farrish, CISSP

eMASS, short for Enterprise Mission Assurance Support Service, is a comprehensive tool provided by DoD for managing the RMF life cycle. Among its well-known features and capabilities are generating security control baselines, managing RMF workflow, maintaining a repository of documentation artifacts, accepting the system owner's “self assessment” of security control implementation and compliance, accepting validation results from independent assessors, managing Plans of Action and Milestones (POA&M), and providing a variety of reports, including the System Security Plan and Security Assessment Report.

Now available in eMASS is a module called the Asset Manager. Using this capability, system owners can enter information about each asset (e.g., server, workstation, network device) comprising their system. The Asset Manager also offers the ability to “ingest” system scans from vulnerability scanners such as ACAS (Assured Compliance Assessment Solution) and configuration compliance scanners such as SCC (SCAP Compliance Checker).

Before getting too excited about this capability, keep in mind the rather primitive access control in eMASS. At present, anyone with an eMASS account has read-only access to every record in the database. This means that if you upload scans of your system that reveal technical vulnerabilities, you are in essence revealing those vulnerabilities to the entire eMASS user community!

Consider yourself warned.

IT Dojo offers a comprehensive course on the transition from DIACAP to RMF. Please take a look at our RMF training courses here.

Here is a link to a great book on RMF that we highly recommend.

A ton of other information can be found on the NIST web site.