Cyber Security — it is a big job. It pays to ask lots of questions. How vulnerable is your information infrastructure? How does your system security measure up? What if the unthinkable happens and there is a breach (and would you even know)? What if there is a fire, flood or other disaster? When there is a computer security failure, how will you handle it? Are your personnel equipped to keep your organization’s information secure?
At STG, our team includes Certified Information System Security Professionals and Certified Information Security Managers. We will bring your operations into compliance and your personnel up to speed.
It is a balancing act: determining an acceptable level of risk weighed against the life-cycle costs of security operations. At STG, we use a defined set of safeguards to find the right balance and ensure that your operation is fully NIST and DIACAP compliant.
Our security engineering experts perform a comprehensive evaluation of your IT systems and site. The C&A process analyzes the physical environment, personnel, administrative processes, information, information systems and data communications. Deliverables include the following:
- Certification Timeline (including Weekly Status Reports)
- Threat/Vulnerability Assessment Report
- C&A Plan
- System Security Categorization Recommendation
- System Security Plan
- Security Assessment Report
- Memorandum of Agreement/Service Level Agreements
- Plans of Action with Milestones (POA&M)
- Certification Letters
- Accreditation Letters
Knowing what you have determines how you protect it. As part of the C&A process, STG experts help you put together complete asset identification and inventories that follow the Office of Management and Budget (OMB) Project Matrix format. The agencies that received the highest commendations during the 2003 FISMA review were those that correctly and consistently identified their assets and systems. STG will ensure that your system inventory is complete, consistent and coordinated with agency business process reporting requirements, OMB 300 submissions and federal enterprise architectural efforts.
There are always risks, but sorting credible threats from the unlikely ones takes knowledge and experience. When your information system is at stake, you do not want the second-best security plan.
As part of the C&A process, STG creates system security plans. A system security plan is a roadmap for implementing the security controls needed to protect your information system. Our security engineering experts will document the security requirements and controls for your information systems. We will provide essential information for the security C&A process. Security plans typically include other important security-related documents, such as:
- Contingency Plans
- Configuration Management Plans
- Risk Assessments
- Incident Response Plans
- System Interconnection Agreements to Facilitate the Security Accreditation Process
- Privacy Impact Assessments
- System Rules of Behavior
- Configuration Checklists
- System Interconnection Agreements
- System Security Training Plans
STG ensures that system security plans produced for federal customers are fully compliant with NIST SP 800-18 and fully integrated with the system C&A process.
We provide the independent services necessary to aid in obtaining a Federal Authority to Operate (ATO), demonstrating compliance with NIST, FISMA, DIACAP and other industry standards. The overall process is commonly called Certification and Accreditation (C&A), while the independent audit is called a Security Control Assessment (SCA). In addition to aiding in achieving an ATO, we perform these services for organizations that want to validate or improve their information security posture.
Our experienced team has performed these tasks successfully for many major customers, including the Department of Veterans Affairs, NOAA, DoD and others.
Our experts can help you properly identify your assets, assess their vulnerabilities and report industry-recommended solutions to mitigate them. We can arrange these reports by technology (e.g., separate reports for routers, servers, policies, etc.) so you may provide them directly to your IT staff, saving you hours of time sorting through the results. During testing, your users will be minimally impacted — we work around your staff's schedule as we examine your organization's policies and test critical systems using noninvasive tools. The key result is a comprehensive report that serves as your mitigation road map, showing what needs to be done to obtain the desired level of information assurance.
The modular design of our services assures accurate assessment outcomes no matter where you are in the security program life cycle. Modules include the following:
- Security Policy Review
- System Security Architecture Review
- Automated Vulnerability Assessments
- Security Control Assessment, including recommended mitigations
- Management In-Briefs and Out-Briefs
STG is capable of providing these services to organizations that are just beginning their security programs or already have a mature and developed program.
Can you be sure your agency’s assets are safe? Have all the security controls been properly implemented? Can you monitor and get verification of your security status on any given day? Continuous monitoring is an important part of C&A.
STG can provide agency assessment reports from a database of continuously accumulated audit results. Agencies can demonstrate assessment execution and compliance as often as desired. These easily generated, time-saving reports range from executive-level summaries of compliance and remediation progress to detailed reports showing network- and host-level compliance.
STG also provides complete remediation management. We can provide a complete POA&M and processes to review historical data, track the closure of policy violations and vulnerabilities, and monitor improvements in security policy compliance and remediation economies.
Does your security performance measure up to the security controls you have planned? Are your server rooms fortified against break-ins? Are visitors to sensitive areas being logged? Are your firewalls robust?
As part of the C&A process, STG addresses security program performance. We help customers improve their FISMA rating and security posture through continuous security program performance monitoring. This includes real-time traffic performance monitoring for early detection of anomalous network behavior, backed by known-threat detection and filtering across all OSI layers by layered Intrusion Protection Devices and firewalls. STG provides the technical expertise to install and manage omni-directional cyber defense and certifies that configurations conform to national defense and commercial industry standards.
The Federal Information Security Management Act: What You Need to Know
The Federal Information Security Management Act of 2002 (FISMA) requires federal agencies to assess, manage and report the security status of their nonclassified information systems. To help your organization achieve successful FISMA compliance, STG offers the following pre-packaged services:
- Asset Identification and Inventory Matrix
- System Security Plans
- Security Assessment and Reporting
- Certification and Accreditation (C&A)
- Security Reporting and Compliance
- Security Program Performance