CHAPTER 8
STEP 6 CREATE THE PMO ASSESSMENT AND PPP
Contents
Purpose
Using this Guide
ASM Step by Step Process (You are here)
Create the PMO Assessment by Copying from Baseline Assessment
Exporting the Countermeasures to Excel (SIPR)
SIPR vs. NIPR
Parent – Child Questions
Navigate Back to Countermeasures Page
Upload Responses
Finish and Lock Assessment
Create the Program Protection Plan in the PMO Assessment
Return to Profile Page 1 and add Program Protection Plan
PPP Naming convention
Important When completing the Program Protection Plan:
Upload PPP Related Images and Files
Navigate to Assessment
Other PPP Button Functions
Create a PPP Outside of an Assessment
Associate an Existing PPP with a PMO Assessment
Update the PPP
Update PPP Using Manage Survey Responses
Update the PPP via Assessment
Update the PMO Assessment
Use Export/Upload Functionality to Update Countermeasures
Basic Analysis, Mitigation and Submission
Reading the Risk Bar Graph
Compliance Tab
Other Risk Tab/Compliance Tab Button Functions
Submission Tab
This chapter covers the steps for creating the Program Management Office assessment, including the creation of the Program Protection Plan. It also covers updating the PMO assessment and updating the Program Protection Plan.
Purpose
The Program Management Office assessment is used to assess security within the Program Management Office. It is also the assessment where the Program Protection Plan is added. The Program Protection Plan is associated with this assessment. As the PPP is updated, it is also updated as part of the assessment.
The assessment for the PMO is created using a copy of the Baseline assessment.
Using this Guide
This guide matches the steps in the job aids located on the ASM Help page (http://eprmhelp.countermeasures.com/asm.html). Whenever you see numbers in the diagrams, they correspond to the steps in the job aids. No numbers indicate optional steps.
ASM Step by Step Process (You are here)
The figure on the following page shows where you are in the Step by Step process.
Create the PMO Assessment by Copying from Baseline Assessment
The work of scoping the program and identifying the assets and threats has been completed. Now you can create the PMO assessment by copying from an existing assessment.
1. Login to ASM
a. Go to: https://eprm.csd.disa.smil.mil/
b. Insert your SIPR token.
c. Select your email.
d. Enter PIN.
e. Put a checkmark in agreement of terms.
f. Click Login.
Figure 1: ASM login screen.
After logging in, click on Manage Assessments.
2. Click on Manage Assessments
Figure 2: ASM Main Page
Once you click on Manage Assessments, click on Create a New Assessment.
3. Click on Create a New Assessment
Figure 3: Manage Assessments Home page.
This brings you to the New Assessment Page. Complete the information. Disregard the assessment name and the date due.
Click Continue to go to the assessment creation options.
4. Disregard the Assessment Name.
5. Select your node (three-digit program). You may need to click on the “+” sign to expand the hierarchy to find your program.
5. Disregard the due date.
6. Select Acquisition Security as the objective.
7. Click Continue.
Figure 4: Assessment information page
Select Create from copy of existing assessment, then confirm you want to continue with the copy and click Continue.
Previously created assessments are listed in the bottom grid of the screen. Locate the Baseline assessment created in Step 1 and double click to open.
Figure 5: Assessment creation options
3. Select Copy from existing assessment.
3. Click on Continue with Copy
Figure 6: Selecting the Baseline assessment
9. Select the Baseline assessment created in STEP 1.
You can also double click on the row to open.
10. Click Continue.
This opens a new assessment based on the data copied from the Baseline assessment. On the first Profile page (Describe the Organization), change the assessment type to PMO.
11. Update the Profile Organization page (Describe the organization).
11a. Change assessment type (question 2) to “PMO”.
11b. Verify Information provided by (question 3) is Program Office.
Figure 7: Profile page 1 – Describe the Organization
This is also a good time to add additional contract numbers, location and CAGE codes. Once completed, click on Next Section/Tab to Continue.
11c. Add additional contract numbers, CAGE codes and locations (if applicable).
12. Click on Next Section/Tab to continue.
Figure 8: Adding contract numbers, CAGE codes and other information.
Since the work has already been done in Step 1 of the process, you can click on Next Section/Tab on the next three pages: Profile page 2 (Describe the Operating Environment), the Assets page and the Threats page. This will bring you to the Countermeasures page.
13. Click on Next Section/Tab to continue to Assets page.
14. Click on Next Section/Tab to continue to Threats page.
15. Click on Next Section/Tab to continue to Countermeasures page.
Figure 9: Click on Next Section/Tab to get to countermeasures page.
Exporting the Countermeasures to Excel (SIPR)
The figure below shows the steps to export the countermeasure file on SIPR.
If you use the unclassified list from the ASM Help page, you can bypass the Export to Excel step since you have already downloaded and completed the countermeasure list in the NIPR environment.
16i. Click on the Export to Excel button on the countermeasures page.
16ii. Save the file.
The Excel file has all the functionality of Excel. Items shown in red are required questions.
16iii. Answer the questions in Excel.
16. Answer all assessment questions on the Countermeasures page.
Complete the countermeasure questions for the Program Office. Select “Yes” for the countermeasures in place and “No” for those not in place.
Often it takes time to go through and ensure the required measurements are in place. It may also involve several people. Using the Export/Upload functionality will make this process more efficient. You can also work from the unclassified full list available on the ASM Help page. See next section for more details.
SIPR vs. NIPR
If you are working in a pure SIPR Environment, you can use the Export function to create an export file. This file has the recommended countermeasures for the specific program. Documents created on SIPR will automatically be marked as Secret.
As an alternative, you can work in the NIPR environment. A complete list of ALL countermeasures is located on the ASM Help Page under Training and Resources. This list is unclassified and can be shared with a working group, offerors, etc. You can download a copy of this file and answer the applicable questions. Go to http://eprmhelp.countermeasures.com/asm.html
When working in your working group, you can use this downloaded file to answer the questions in Excel. You will answer “Yes” to the countermeasures you want included in the Statement of Work and “No” to those which do not need to be included. This completed file can be uploaded into SIPR.
The NIPR file will always have all countermeasures since it is not specific to a program. For example, if you answered “No” to the program having Top Secret information, the countermeasure question “Are personnel properly cleared for Top Secret access?” would not be included in the list of questions for the Baseline assessment, but it will be listed in the downloaded file.
Figure 10: ASM Help page – Training Resources page.
You can adjust the list to match the exact countermeasures on SIPR, but this is not required. When uploading the full list, ASM will only match and answer those identified as applicable to the program by your Baseline assessment.
Parent – Child Questions
Some countermeasure questions, when answered “Yes”, will prompt other questions. These are parent questions. When the parent question is answered “Yes”, the resultant questions are called child questions. Child questions are not available until the parent questions are answered “Yes”.
Question # CLASSIFIED – Foreign Nationals – 01 is the parent question and 01.a is the child question.
Figure 11: Parent child questions
Navigate Back to Countermeasures Page
Once the questions are complete, you can use the Upload Responses button to upload the completed Excel sheet. When uploading responses, you will need to locate the PMO assessment then navigate to the countermeasures page.
Here’s how:
Login to ASM.
iv. Return to ASM
Figure 12: Login
Click on Manage Assessments to find the PMO assessment. Use the filter to quickly find it by name.
v. Click on Manage Assessments
Figure 13: Manage Assessments
vi. Locate the PMO assessment. PMO was added to the filter to find it faster.
vii. Double click to open the assessment.
Figure 14: Locate the assessment.
Click on Data Collection.
viii. Click on Data Collection
Figure 15: Data Collection icon
Click on Conduct Assessment.
This takes you to the countermeasure page where you can upload the completed Excel sheet. Click on Upload Responses.
ix. Click on Conduct Assessment
Figure 16: Conduct Assessment icon
x. Click on Upload Responses.
Figure 17: Upload Responses button
Upload Responses
Once the Excel file is complete, you can upload the file into ASM on the countermeasures page.
Once the file has been uploaded, it shows as loaded successfully. You can see in the blue section of the screen where the countermeasure answers were updated.
Click on Browse to locate the file.
Locate the file. Click Open or double click to open.
The file will show next to the Browse button. Click on Upload to process the file.
Once complete, you will see the file was uploaded successfully. The blue section shows the countermeasures were updated. Click on the Back button to return to the countermeasure page.
NOTE: The name of the file does not matter so long as you select the correct file. ASM matches the actual questions within the assessment. If questions are unanswered in the Excel sheet, they will show as unanswered in ASM.
xi. Click on Browse.
Figure 18: Locating the completed countermeasures file
xii. Locate the file and double click.
Figure 19: Locating the countermeasures file on your computer.
xiii. Click on Upload.
Filename shows here.
Figure 10: Upload completed countermeasures file
Once the Excel file has been uploaded, the countermeasures will show as answered.
At this point, you can return to the profile page and add your Program Protection Plan, or you can Finish and Lock the assessment and add the Program Protection Plan later.
Upload is successful.
Countermeasures uploaded
xiv. Click on Back to get to countermeasures page.
Figure 11: Uploaded countermeasures
NOTE: If you make an error in the upload, you can correct the error in Excel and use the upload responses to re-upload.
Answered questions show here.
Figure 12: Uploaded countermeasures
Finish and Lock Assessment
Once the assessment is complete, click on Next Section/Tab to get to the Assessment main menu, then click on Finish and Lock Assessment to complete the assessment.
Click on the Finish and Lock icon.
Figure 13: Complete assessment
17. Click on Next Section/Tab to get to assessment main menu. If there are unanswered questions, you can use the Answer No to All Unanswered button to answer the remaining questions “No”.
18. Click on Finish and Lock icon.
Figure 14: Finish and Lock
This completes the creation of the PMO assessment.
Create the Program Protection Plan in the PMO Assessment
Return to Profile Page 1 and add Program Protection Plan
If you would like to add your Program Protection Plan from the assessment, click on Profile Organization from the main assessment screen.
Click on the Program Protection Plan button on Profile page 1.
NOTE: The PPP can be added to any assessment, locked or unlocked.
Click on Profile Organization.
Figure 15: Get to the Profile organization page to add the PPP as part of the assessment.
1. Click on Program Protection Plan button.
Figure 16: Program Protection Plan button
When clicked, a pop-up window will ask if you would like to Create and associate a new Program Protection Plan or Associate an existing Program Protection Plan. Since this is a new Program Protection Plan, select the first option and click Continue.
This takes you to the new survey page. In ASM, compliance only questionnaires are referred to as surveys. It is understood the PPP IS NOT a survey.
PPP Naming convention
PPP naming is automated with the syntax:
ASM- DATE (YYYYMMDD) – PROGRAM NAME - PPP
For example, ASM -20201006 – FIREBIRD-PPP is the PPP created on October 6, 2020 for the Firebird program.
You can disregard the PPP name.
2. Select Create and associate a new Program Protection Plan.
3. Click Continue.
When created from within the assessment, the Program Protection Plan is associated with the PMO assessment. Every PPP should be associated with a PMO assessment. This is important for reporting.
The node and the objective are pre-selected since these were identified in the assessment. Disregard the due date. Click Continue to get to the PPP main menu.
4. Disregard PPP name. This is auto populated.
ASM-20201010 – FIREBIRD - PPP
5. Verify the correct node is selected.
6. Verify the correct objective is selected.
7. Disregard the date.
8. Click Continue.
If there is a mistake in a PPP or assessment name, you can always rename it. See Chapter 2, ASM Overview – Program Protection for more information on renaming.
Figure 17: PPP information page
This is the Survey (PPP) main page. Click on Page 1 (where the yellow “Click here” indicates). This takes you to the PPP.
The program must meet DoD and AF regulatory requirements and follow the USAF Weapons System PPP/SSE guidebook. In addition to SCG requirements, there are 21 regulatory requirements for PPP sufficiency. The Program Office must identify PPP completed areas and the status for unmet requirements. Not all of these regulatory requirements are calculated into the overall program risk or protection suitability score.
10. Click on Page 1.
NOTE: If you exited and are coming back in through the assessment, you may need to click on Data collection first to get to this page. (# 9 in Step 6 Job aid).
Figure 18: PPP main menu
11. Complete all PPP questions.
This question requires additional information.
All questions have areas for remarks.
Figure 19: PPP
All PPP questions can be answered “yes”, “no”, or “Scheduled” and allow you to make remarks. Some PPP questions require additional information such as approval dates and document submission.
Once all questions are answered, Click Continue.
Click on Finish and Lock icon to complete the PPP.
Important When completing the Program Protection Plan:
• Answer every question. (You will be unable to finish and lock without completing).
• Always Finish and Lock the plan (this ensures the data will be included in reports).
• Create the plan through the PMO assessment.
• Update the plan through Manage Survey Responses (this is being updated to be able to edit from the assessment).
12. Click Continue.
Figure 20: Remarks field
13. Click Finish and Lock.
Figure 21: Finish and lock the PPP.
Upload PPP Related Images and Files
When applicable files are ready, you can upload them to the PPP from the main page.
Click on File/Image Upload.
NOTE ON FILE UPLOADS
Maximum upload file size: 10MB
Allowed file types:
• GIF - Graphics Interchange Format
• JPEG - Joint Photographic Experts Group graphics file format
• PNG - Portable Network Graphics
• PJPEG - Joint Photographic Experts Group graphics file format
• CSV - Comma Separated Value
• TXT - Plain Text Format
• XLS - Microsoft Excel 1997-2003 format
• XLSX - Microsoft Excel post 2003 format
• PPT - Microsoft PowerPoint Presentation 1997-2003 format
• PPTX - Microsoft PowerPoint post 2003 format
• DOCX - Microsoft Word 2007 Office Open XML Format
• DOC -
14. Click File/Image Upload.
Figure 32: Upload files and images for PPP
Browse for the file you want to upload.
Double click on the file to upload.
15. Click Browse to locate file.
Figure 33: Browse for files to upload.
16. Double click on the located file.
Figure 34: Locate files on your computer.
File shows in the dark blue area. Click on Upload.
File load shows as successful. It is now listed in the Uploaded files section at the lower part of the page.
17. Click on Upload.
File name shows here.
File upload shows as successful.
Uploaded files show in the lower part of screen.
Figure 35: File upload screen
Figure 36: Successful file upload
Click on Back to Survey to get to main page.
17b. Click on Back to Survey to get back to main page.
Figure 37: Use Back to Survey to return to main menu.
Navigate to Assessment
You can navigate back to the assessment by clicking on the Navigate to Assessment button on the main PPP page.
You can navigate back and forth between the assessment and the PPP.
18. Click on Navigate to Assessment to get back to assessment page.
Figure 38: Use Navigate to Assessment button to return to the PMO assessment.
Notice now the PPP is associated with this assessment.
This PPP is now associated with this PMO assessment.
Figure 39: Associated PPP
Other PPP Button Functions
In addition to navigating back and forth between the PPP and the associated assessment, other functions on the Survey Home screen are shown below.

| Button | Function | Used for |
| --- | --- | --- |
| Navigate to Assessment | Navigate back to assessment | To return to assessment so you can update both more efficiently |
| Open for Editing | Unlock this survey for editing | Updating the PPP |
| Rename | Change the name of this survey | Program name change or error in name |
| Share this Survey | Share this survey with other users | Share with a supervisor or other ASM user for review |
| Change Owner | Give responsibility for this survey to another user | When program responsibility changes |
| Delete | Permanently Delete this survey | Uncorrectable errors in a PPP or when a new PPP is requested |
| File/Image Upload | Upload files or images | When documentation is required |
| Export to Excel | Export to Excel for Offline Processing | Complete the questions in Excel and upload to ASM for more efficiency or when multiple people need to provide input. |
| Upload Responses | Upload Responses from Excel | Adding the completed PPP information into ASM more efficiently. |
| Reports | Generate reports and survey aids | Run reports (No reports available at this time). |
| View POCs | View points of contact | Request for POC on a program |

Figure 40: Other PPP buttons and functions
Create a PPP Outside of an Assessment
You can create a PPP directly through Manage Survey Responses then later associate it with an assessment. Once the PPP is created, it can be standalone as a PPP. This is especially helpful when documenting the PPP for legacy programs.
Later, the PPP can be associated with a PMO assessment by clicking on the Program Protection Plan button in an assessment and selecting Associate an Existing PPP.
To create a PPP directly, click on the Manage Survey Responses icon from the ASM home page.
Click on Start a New Survey to get to the survey information page.
Complete the survey information.
PPP Name
PPPs are named automatically using the syntax ASM- DATE(YYYYMMDD)- PROGRAM NAME- PPP. You can disregard the PPP name field.
PPP can also be created directly through Manage Survey Responses
Figure 41: Use Manage Survey Responses to create a new PPP directly.
Click on Start a New Survey icon.
Figure 42: Start a New Survey icon
Select the node, select Program Protection Plan as the objective and disregard the date. Click Continue.
Disregard Survey Name (this is automated).
Select the applicable node.
Select Program Protection Plan (PPP) as the objective.
Disregard Due Date
Click Continue.
Figure 43: Survey (PPP) information page
Click on Data Collection.
Click on Page 1.
Answer ALL Questions and click Continue.
Click Continue.
Figure 44: Data collection of PPP
Click Page 1.
Figure 45: Page 1 of PPP
Click Continue.
Answer all questions.
Figure 46: Complete the PPP
Finish and Lock the PPP. You can now exit or click on the Home link (breadcrumbs menu) to associate the PPP with the PMO assessment.
Figure 47: Finish and Lock
Click Finish and Lock.
Exit ASM or Click Home page link to get to ASM Main menu.
This completes the creation of the Program Protection Plan.
Associate an Existing PPP with a PMO Assessment
If the PPP was done before the PMO assessment, you can associate it with the PMO assessment when the PMO assessment is created. To associate an existing PPP to a PMO assessment, click on the Program Protection Plan button on the Profile page of the PMO Assessment. In the pop-up window, select Associate an existing Program Protection Plan.
Select the PPP you would like to associate. Click Continue.
Figure 48: Associating a PPP
Click Program Protection Plan button on the PMO assessment Describe the Organization page.
Select Associate an existing Program Protection Plan.
Figure 49: Locate the PPP
Locate the Program Protection Plan.
Click Continue.
The PPP now shows as associated in the assessment.
Figure 50: Associated PPP
Update the PPP
The PPP can be updated as often as needed as requirements are met. You can navigate back and forth from the PPP to the assessment or use Manage Survey Responses to update it.
Update PPP Using Manage Survey Responses
To update the PPP directly, log in to ASM and click on Manage Survey Responses. Locate the PPP you wish to update and double click to open.
Click on Start a New Survey
Once PPP is created, it can be associated with an assessment.
1. Click on Manage Survey Responses
2. Locate and select the previously created survey in the list at the bottom of the screen.
Figure 51: Locate the PPP to update.
3. Double click to open.
Once the PPP is opened, Click Open for Editing to update.
4. Click on Open for Editing.
Until the PPP is opened for editing, it will show as read only. Click on Open for Editing to unlock and make updates.
5. Click on Data Collection. (PPP is no longer read only.)
6. Click on Page 1 to open PPP for editing.
Figure 22: Update the PPP
Once the PPP is open, make edits and Click Continue.
7. Make edits to the PPP.
8. Click Continue.
9. Finish and Lock
Figure 53: Make edits to PPP then Finish and Lock.
Update the PPP via Assessment
If the PPP has been associated with the PMO assessment, you can also update it from the Describe the Organization screen within the PMO assessment.
To do this, login to ASM and click on Manage Assessments. Locate the applicable PMO assessment and double click to open.
1. Click Manage Assessments
2. Locate the applicable PMO Assessment
3. Double click to open
Figure 54: Locate the PMO assessment.
Once the PMO assessment is open, click on Data Collection icon. It may read, “Read only” but you can still navigate to the PPP.
Click on Profile Organization to get to the Program Protection Plan options.
Click on Navigate to PPP button.
This will take you to the PPP associated with this assessment. Follow the steps in the previous section to edit. Remember to finish and lock once edits are complete.
Figure 55: Data Collection icon
Figure 56: Profile Organization icon
Figure 57: Navigate to PPP from the Describe the Organization page in a PMO assessment.
4. Click Data Collection
5. Click Profile Organization
5. Click Navigate to PPP
Update the PMO Assessment
After the initial PMO assessment is complete, changes in countermeasure proposal and implementation can be updated in ASM. This is done through the Basic Analysis, Mitigation and Submission icon on a completed assessment.
Updating the assessment shows risk change over time. The original PMO assessment will have a calculated risk based on the number of countermeasures in place at the time of the assessment. Over time, more countermeasures can be proposed and implemented. To capture the changes in risk over time, the PMO is updated using Basic Analysis, Mitigation and Submission.
To get started, first locate the assessment to update. To get there, login to ASM, click on Manage Assessments and locate the PMO assessment. Double click to open it.
Click on Manage Assessments to find the PMO assessments. Use the filter to quickly find it in the name.
1. Login to ASM
Figure 58: Login screen
2. Click on Manage Assessments
3. Locate the PMO assessment
4. Double click to open the assessment.
Figure 59: Locate the PMO assessment
Click on Basic Analysis, Mitigation and Submission icon.
5. Click Basic Analysis, Mitigation and Submission icon.
Figure 60: Basic Analysis, Mitigation and Submission icon
Click on a row to update then click on Manage Countermeasure Status.
Note the Risk Red Wt column shows the amount of risk reduced by implementing the countermeasure.
Click on the column label to sort ascending or descending. You can also use the filter boxes to find only those not implemented. To do this, enter the text “Not” in the filter box above status.
Make the appropriate selection to update the countermeasure.
6. Select a countermeasure to manage.
7. Click Manage Countermeasure Status. Risk Red Wt is the amount of risk reduced when this countermeasure is implemented.
Figure 61: Manage Countermeasure Status
In this case, the countermeasure status is being changed from “Not Implemented” to “Proposed and assigned to an EPRM user”. A date is assigned when this is expected to be complete.
7. Select an option.
8. Save
Figure 62: Manage countermeasure status screen
The following table provides a description of each of the Manage Countermeasure status choices.

| Selection | Function | Use When |
| --- | --- | --- |
| Mark as unproposed | Changes a previously proposed countermeasure to unproposed and increases planned risk in the risk bar graph. | When making changes to proposed countermeasure. |
| Mark as Proposed without assigning | Changes countermeasure status to Proposed and reduces planned risk in the risk bar graph. No due date is required. | When proposing a countermeasure but unsure of who it will be assigned to. You can update the countermeasure and assign it later. |
| Mark as Proposed and assign to an EPRM user | Changes countermeasure status to Proposed and reduces planned risk in the risk bar graph. A drop down of EPRM users allows you to select the assignee. | When proposing a countermeasure and assigning it to an EPRM user. The assignee will receive an email indicating they have been assigned a countermeasure to implement. |
| Mark as Proposed and assign to external personnel | Changes countermeasure status to Proposed and reduces planned risk in the risk bar graph. A text field for adding an email allows you to select the assignee. Assigner must update countermeasure once implemented since assignee does not have access. | When proposing a countermeasure and assigning it to a non-EPRM user. The assignee will receive an email indicating they have been assigned a countermeasure to implement. |
| To be completed on | When assigning a proposed countermeasure to someone, adds a date the countermeasure should be implemented. | When adding a deadline to when the countermeasure should be implemented. |
| Mark as Implemented | Changes countermeasure status to Implemented and is reflected in current risk in the risk bar graph. | When a countermeasure has been fully implemented. |
| Implemented on | Adds the date the countermeasure was implemented. | Adding the date the countermeasure was implemented. |

Figure 63: Manage countermeasure status options
Once a countermeasure is proposed and assigned, it will reflect a new status. In addition, the risk bar now shows a yellow section representing PLANNED risk level.
When the assignee implements the task, the status can be updated to reflect “Implemented”. Proposed tasks show as planned risk. Only implemented countermeasures reflect current risk.
Repeat the process for all changes in countermeasures. Exit ASM once complete.
Figure 64: Proposed and assigned countermeasure
Risk bar now shows planned risk.
Countermeasure shows as assigned.
Use Export/Upload Functionality to Update Countermeasures
If you are making a lot of changes or need an update from the Prime or Subs, you can use the Export to Excel and Upload Responses functionality. Export to Excel creates a file which can be updated then uploaded. This can only be done on SIPR.
Only countermeasures not implemented or proposed can be updated. Those marked “In place” cannot change. In addition, you cannot assign countermeasures. Assignment is done using the Manage Countermeasures button.
Figure 65: Managing Countermeasure Status with Excel
Basic Analysis, Mitigation and Submission
Reading the Risk Bar Graph
As the status of countermeasures is changed, the risk bar graph will reflect changes. The most up to date risk bar graph of an assessment will show in reports.
Figure 66: Risk bar graph

| Label | Description | As a Result of |
| --- | --- | --- |
| Original Risk (green) | Risk at the time the assessment was completed and locked. The lower the number the less the risk. | Answers provided in assessment. |
| Planned Risk (yellow) | What risk would be if the countermeasures proposed are implemented. | Proposing countermeasures. |
| Current Risk (green) | Current risk. | Implementing countermeasures. |

Figure 67: Risk bar graph definitions
Compliance Tab
The compliance tab shows the percent of countermeasures implemented versus the total number of countermeasures. It also shows how countermeasures are directly related to specific sources.
Figure 68: Compliance Tab
Countermeasures can be updated on this tab or the Risk tab. The buttons (Export to Excel, Add/Edit Comment, etc.) function the same on the risk tab and the compliance tab. (See page 47).
An additional feature on the compliance tab is the ability to filter by specific reference to see the status of each countermeasure relative to the source(s) driving it. For example, if you wanted to see your compliance with DoD 5200.22, you could filter for the reference NIST and see the status of the countermeasures relative to 5200.22.
Compliance with a specific reference shows here.
Reference for the countermeasure compliance
Use the drop down to select a specific reference
Figure 69: Compliance Tab – compliance with a specific reference
Other Risk Tab/Compliance Tab Button Functions
The following table shows the functions of each of the buttons on the Risk Tab. The buttons have the same function on the Compliance tab. (next section).

| Button | Function | Used for |
| --- | --- | --- |
| Export to Excel | Exports the list of countermeasures and the current status into a customized Excel file. | Completing the countermeasure questions in Excel (to improve efficiency). This is also the file sent to offerors to complete as part of their RFP response. |
| Upload Responses | Uploads an updated countermeasure file. | Improving efficiency when answering countermeasures. |
| Add/View Comment | Pop up screen to add or view comment on an asset | Add or view a comment on a selected countermeasure. |
| Manage Countermeasure Status | Change the status of a countermeasure. For example, from “Not implemented” to “Proposed”. | Propose, implement and/or assign a countermeasure. Only those implemented will affect risk. |
| Propose all countermeasures | Changes the status of any countermeasure Not implemented to “Proposed” or “Implemented” | Applying the same changes to all unimplemented countermeasures. |
| Apply countermeasure Cost | Allows the user to input cost associated with implementing this countermeasure | Used in trade space analysis to determine cost of security. When costs are entered, the risk reduction per $ will populate. (This functionality not currently being used). |
| Export to Excel | Exports the list of countermeasures and the current status into a customized Excel file. | Completing the countermeasure questions in Excel (to improve efficiency). This is also a file which can be sent to offerors to update their countermeasure status as part of their RFP response. |
| Upload Responses | Uploads an updated countermeasure file. | Improving efficiency when answering and updating countermeasures. |

Figure 70: Table of button functions for the Risk and Compliance Tabs
Submission Tab
The submission tab allows a user to submit their assessment to the next level up in the hierarchy. This is an optional step. Once submitted, supervisors can pass an assessment and/or ask for a re-assessment with a specific date. Assessment and Inspection results show in the Show Assessment/Inspection Results tab.
Figure 71: Submitting an assessment.
Once submitted, approvers can mark as Adequate or Not Adequate and suggest a re-assessment date. (This is an optional step).