Security Assessment Services
To assess the security controls employed by a system, an independent assessor must conduct the security control assessment. The assessor must have a level of independence from the business unit that will not bias or interfere with the assessment of the targeted system's security controls.
KSG draws on both its private-sector and federal experience with Security Assessment and Authorization (SA&A) to work with the system owner to get the contract and funding in place for the independent assessment. We have experience in both writing and reviewing responses to the requests for quotes that are vital during this process.
Once the contract is in place, we conduct the kickoff meeting with the assessor to clearly convey your office's expectations for the process. Keep in mind that if the system must operate under an active Authority to Operate (ATO), this assessment process is essential to obtaining it. This is why we follow a defined approach, based on NIST's Special Publications, that produces a complete and concise Security Assessment Plan (SAP) and ensures the system's security controls are properly assessed.
Our guidance doesn't end with the kickoff of the assessment; in fact, it's just getting started. We oversee the process and ensure the predetermined SAP is fully executed, work with the business office to mitigate, where possible, any vulnerabilities before the assessor concludes their obligations, and ultimately develop and QA a complete SA&A package for sign-off by the Authorizing Official.
Our Documentation Philosophy
Proper system documentation should be technically detailed yet simple to read and understand. Organizations should always remember the following about documentation:
- Developers shouldn't write NIST compliance-related documentation.
Developers are generally interested in how system technology operates and how the internals specifically affect that operation. However, when it comes to completing system documentation, there are very specific questions that must have technically sound descriptions in order to be in compliance.
- Documentation is difficult to maintain and must be continually updated.
Few system-related documents would be considered “write it and forget it”. In fact, many of these documents are either the crux of, or an appendix to, the System Security Plan (SSP), which is a living document. Additionally, control-related policies need to be updated at least annually. Organizations that don't employ this approach risk exposing their systems to documentation findings and, eventually, system POA&Ms.
- There are no shortcuts to good documentation.
While many aspects of an IT system can be automated, proper documentation cannot. Our templates are currently the industry standard for the federal government and are invaluable for maintaining documentation compliance. There are specific templates for NIST-related publications such as the contingency plan, but other pertinent items, such as risk assessments and baseline-specific control sets, require a more customized documentation approach.
For a listing of the documentation we prepare and maintain, click HERE.
Continuous Monitoring Program
KSG knows that an Information System Continuous Monitoring (ISCM) program is a critical part of an organization's Risk Management Framework (RMF), in both the federal and private sectors, because it gives organizational officials access to security-related information on demand, enabling timely risk management decisions, including authorization decisions. The concept of monitoring information system security has long been recognized as sound management practice. In 1997, Office of Management and Budget (OMB) Circular A-130, Appendix III, required agencies to review their information systems' security controls and to ensure that system changes do not have a significant impact on security, that security plans remain effective, and that security controls continue to perform as intended.
The Federal Information Security Modernization Act (FISMA) of 2014 further emphasizes the importance of continuously monitoring information system security by requiring agencies to conduct assessments of security controls at a frequency appropriate to risk, but no less than annually.
The ISCM plan KSG develops for your organization will have us update security plans, security assessment reports, plans of action and milestones (POA&Ms), hardware and software inventories, and other system information of your choosing.
An ISCM program is most effective when automated mechanisms are employed, where possible, for data collection and reporting. Its effectiveness is further enhanced when the output is formatted to provide information that is specific, measurable, actionable, relevant, and timely. You may already have automated mechanisms in place and not even realize it. We encourage automation but understand that it is not feasible for every organization, which is why having us review your complete IT system infrastructure is a good idea. A lack of automation is not a problem, since we have routinely implemented a “blue collar” (manual) approach to meeting the ISCM requirement as well.