The Templates and Checklists are the various forms needed to create an RMF package and the artifacts that support completion of the eMASS registration. In addition to the Templates and Checklists, refer to the Cyber Commissioning and the Resources and Tools pages to review and download the Unified Facilities Criteria and the Unified Facilities Guide Specifications. While the templates and checklists are labeled DoD, ESTCP or Navy, they are fairly organization-agnostic, and any organization can modify them for its own use.

Product Date Posted

DFARS CUI Cyber Incident Report Form CRMP Template

Feb 2019

NIST SP 800-171 CRMP Checklist

NIST SP 800-171 Cyber Risk Management Plan Checklist (03-26-2018)

Feb 2019

Security Audit Plan (SAP)

Use the modified NIST template.

July 2018

DFARS Incident Response Form

Use the Excel file template for a DoD data incident.

July 2018

US-CERT Incident Response Form

Use the Excel file template for a non-DoD data incident.

July 2018

Event/Incident Response Plan (EIRP)

Use the modified FedRAMP templates.

July 2018

Event/Incident Communications Plan (EICP)

Use the modified FedRAMP template (ESTCP EICP Graphics).

July 2018

System Security Plan (SSP)

Recommend using the CSET tool/template or the DoD Core Authorization Package Excel file.

July 2018

Security Assessment Report (SAR)

ESTCP does not require a SAR; however, many insurance companies or AOs may require one. An organization can use the modified FedRAMP template.

July 2018

Plan of Action & Milestones (POAM)

Use the modified FedRAMP templates (GSA and DoD provided) (POAM Template).

July 2018

NIST SP 800-53 R4 and 800-82 R2 Merged Example

The complete security controls listed with the IT portion and the OT Supplemental Guidance added.

July 2018

NIST SP 800-82 ICS Overlay Security Controls

An Excel file that adds/removes security controls from the IT baseline for OT FRCS.

July 2018

NAVFAC ICS Checklist

July 2018

NAVFAC Control System Inventory

July 2018

FRCS Pentest Checklist

A checklist for FRCS to ensure the OS, vendor software, and physical networks (firewalls, routers, devices, etc.) are properly hardened and configured to the JIE requirements.

July 2018

FRCS FAT and SAT Checklist

A checklist for FRCS to ensure the OS, vendor software, and physical networks (firewalls, routers, devices, etc.) are properly hardened and configured to the JIE requirements.

July 2018

FRCS RMF ATO WBS

This cost template is for investigators to use when preparing their full cost proposal; it breaks down the 6 Steps of the RMF into distinct cost line items. The IE or ESTCP office will provide a Subject Matter Expert (SME) to assist the teams in preparing the documents and submittals.

May 2018

ESTCP Information Technology Policies and Procedures

A generic template of recommended policies and procedures (artifacts) to support the answers to the security control questions.

July 2018

DoD RMF Core Security Authorization Package (replica of eMASS)

The RMF Families of Security Controls (NIST SP 800-53 R4 and NIST SP 800-82 R2) that must be answered to obtain an ATO on the DoDIN.

July 2018