R 101606Z JUL 25 MARADMIN 324/25 MSGID/GENADMIN/CMC DCI WASHINGTON DC//  SUBJ/TRANSITIONING SERVICE TOOL USED FOR SYSTEM CYBERSECURITY ASSESSEMENT AND AUTHORIZATION//  REF/A/DOC/DODI 8510.01/19 JUL 2022//  NARR/REF A IS THE DOD INSTRUCTION ON RISK MANAGEMENT FRAMEWORK FOR DOD SYSTEMS THAT DIRECTS DOD COMPONENTS TO MAINTAIN VISIBILITY OF ASSESSMENT AND AUTHORIZATION STATUS OF COMPONENT SYSTEMS THROUGH AUTOMATED ASSESSMENT AND AUTHORIZATION TOOLS//  POC/WILLIAM J.  BUSH /CIV/AUTHORIZING OFFICIAL DESIGNATED REPRESENTATIVE (AODR)/COMM:703-693/-5773/EMAIL: [email protected]//  POC/RODDY.STATEN/CIV/CYBER STRATEGY/COMM:571-256-8875  EMAIL:[email protected]//  GENTEXT/REMARKS/1.  This message formally announces the Marine Corps’ plan to transition from the use of the Marine Corps Compliance and Authorization Support Tool (MCCAST) to the use of DoD’s Enterprise Mission Assurance Support System (eMASS) service for system cybersecurity assessment and authorization (A&A). eMASS will provide the Marine Corps with required Risk Management Framework (RMF) processing capabilities, not supported by MCCAST, that will improve the ability of Marine Corps users to categorize  assets, implement appropriate security controls, evaluate vulnerabilities and respond to emerging threats.   2.  Situation:  2.a.   Transitioning from MCCAST to eMASS will provide the Marine Corps with access to a fully compliant DoD enterprise RMF service able to support all procedures directed by ref (a).   2.b.   Users will cease use of both NIPR and SIPR MCCAST versions and transition to the use of eMASS NLT 11 Dec 2025.  Detail instructions for MCCAST data migration and new USMC eMASS user start dates will be provided via separate correspondence (SEPCOR) to include use of MCCAST email alerts.  2.c.  eMASS user training will be provided to all Marine Corps RMF implementers, prior to their transition to eMASS.    2.d.   For this message, the term “RMF Implementers” collectively refers to personnel performing the following RMF roles: Authorizing Official (AO), Authorizing Official Designated Representative (AODR), Security Control Assessor (SCA), Program Manager (PM), Information System Security Manager (ISSM), Information System Security Engineer (ISSE), Organization ISSMs, Organization Information System Security Officers (ISSO), Systems Owner, Marine Corps Fully Qualified Validator (MCFQV), G-6/G-6 Staff.  3.  Mission. To inform RMF implementers and their Commanders/ Officer-in-Charge about the need for this transition and its implementation approach.   3.a.  Transition Need:   3.a.1.  eMASS will replace MCCAST as the Marine Corps’ primary A&A tool and provide a DoD interoperable enterprise supported A&A solution that automates a broad range of services for comprehensive, fully integrated cybersecurity management.   3.a.2.  This transition will allow the Marine Corps to shift resources (i.e., funds and personnel) from conduct of MCCAST program management, to the procurement of a fully RMF compliant DoD enterprise Software as a Service (SaaS) that meets all Marine Corps’ cybersecurity A&A requirements.   3.a.3.   For MCCAST users, the transition to eMASS is an upgrade to a proven enterprise service, that is stable, reliable and able to provide faster access to RMF process improvements, such as automated security control inheritance, enterprise level visibility of reciprocity authorization packages, specially modified process overlays, and enterprise maintenance of security controls updated with industry standards (e.g., NIST Special Publication (SP) 800-53 Rev. 5).   3.b.  Transition Approach:   3.b.1. Funding.  3.b.1.a.  DISA eMASS Program Management Office (PMO) transition services and subsequent USMC eMASS instance operation and maintenance will be contracted using funding provided by Deputy Commandant for Information (DC I).    3.b.1.b. Contracted services will include eMASS in-person training planned in support of USMC MCCAST to eMASS user transition.   3.b.1.c.  DISA eMASS PMO has successfully supported USA, USAF, and USN eMASS transitions and currently provides in-person eMASS training for the Services.    3.b.2.  Data and User Migration Strategy.   3.b.2.a. Both automated and manual USMC RMF implementer data entry will be used to complete the transfer of MCCAST authorization package data to eMASS.  A DC I IC4 (CY) transition team will provide detail instructions for data migration and eMASS registration during several planned virtual Town-Hall transition conferences.    3.b.2.b.  The transition of all MCCAST authorization packages (data) to eMASS, and the changing-over of all users to eMASS will be carried out in a phased approach. The total work effort (i.e., migrating all data between A&A tools and changing over MCCAST users to the new tool) will be broken into three groupings across three designated time frames to minimize implementation risk.    3.b.2.c. An initial set of 16 systems will be piloted through the transition process to test and confirm the effectiveness of initial planning. On-going transition will be modified as necessary, based on post-transition pilot observations.  3.b.2.d.  Planned Transition Phases.   3.b.2.d(1) Jun – Jul 2025: Phase 1 (1/3 of systems and user transition); includes pilots.     3.b.2.d(2) Aug 2025: Phase 2 (1/3 of systems and user transition)     3.b.2.d(3) Sep 2025: Phase 3 (1/3 of systems and user transition)     3.b.2.d(4) Both Marine Corps NIPR and SIPR eMASS instances are expected to reach Final Operational Capability (FOC) by Oct 2025.  4. Execution: Commander’s intent. To inform USMC RMF implementers, and their Commanders/Officers-in-Charge, of planned transition activities.   5. Concept of Operations. The Marine Corps Authorizing Official Designated Representative (DC I IC4 ICC-Y) and a team of RMF subject matter experts will host on-going MCCAST to eMASS Town Hall meetings (i.e., virtual conferencing sessions) for the RMF implementer workforce (CONUS and OCONUS), via Microsoft 365 Teams. These  sessions will provide users with guidance for continuation of system A&A operations during the transition, deliver general information about the eMASS A&A tool, communicate transition instructions, and identify projected eMASS training opportunities.  6.  Tasks:  6.a.  Marine Corps Authorizing Official Designated Representative (AODR)/IC4 Deputy Compliance Branch Head (Cybersecurity).   6.a.1.  Marine Corps AODR is the Director Information Command, Control, Communication and Computers, Deputy Commandant for Information (Dir IC4, DC I) lead for the MCCAST to eMASS transition planning and execution.  6.a.2.  An IC4 ICC CY Transition Team will provide USMC RMF implementers with MCCAST data migration and eMASS registration instructions during scheduled MCCAST to eMASS Town Hall Meetings (Town Hall date/time sent via MCCAST email notification to users).   6.b.  DISA’s eMASS Program Management Office (PMO).  6.b.1.  Will establish and maintain the Marine Corps NIPR and SIPR eMASS instances according to contracted service agreements. 6.b.2.  Provide in-person eMASS user training.   6.b.3.  Use MCCAST email notifications as an additional means of communications to provide current MCCAST RMF implementers with transition action alerts and instructions throughout the transition process. 6.c.  RMF Implementers.  6.c.1.  RMF Implementers (i.e., PMs and ISSM/ISSE/ISSOs) will work together to ensure their NIPR and SIPR MCCAST authorization package data is migrated to eMASS as instructed by the IC4/DISA eMASS PMO Transition Team. 6.c.2.  RMF Instructions for authorization package data migration and eMASS user registration will be provided during the scheduled Town Hall meetings.   7.  Administration and logistics: eMASS Projected Training Locations and Dates.  7.a.  All eMASS users must complete both foundational and in-person training.   7.a.1.  eMASS Foundational Training - eMASS Computer-Based Training (CBT) online at: https://cybersecurityks.osd.mil/rmfresources/ eMASS/CBT/index.html.  7.a.2.  eMASS In-Person Training   July 2025: eMASS In-Person Training (East), MCB Quantico, and Camp Lejeune.  Aug 2025: eMASS In-Person Training (West), Camp Pendleton.  Sep 2025: eMASS In-Person Training (MARFORPAC), MCB Hawaii.  Oct 2025: MCCES, MCAGCC.    8.  Command relationships. Marine Corps Authorizing Official Designated Representative (AODR)/Deputy Compliance Branch Head (Cybersecurity) is Director Information Command, Control, Communication and Computers, Deputy Commandant for Information’s (Dir IC4, DC I) lead for the MCCAST to eMASS transition. 9.  Release authorized by Lieutenant General M. G. Carter, Headquarters Marine Corps, Deputy Commandant for Information.//