Cybersecurity Framework Support

Why Our Services are Important to You
atsec has extensive experience in information systems auditing and testing, and in security consulting, including risk assessment and analysis. atsec is a good choice to provide FISMA consulting and assessment services for organizations in the critical infrastructure industries that use SP 800-53 Revision 4 as their chosen basis for meeting the Cybersecurity Framework. Additionally, atsec can assist any Federal agency requiring FISMA certification and accreditation.

The NIST CyberSecurity Framework for Improving Critical Infrastructure Cybersecurity was first released in early 2014. The core of the framework includes references to NIST's SP 800-53 Revision 4. atsec can assist those intending to use the framework in meeting guidelines and requirements from the US government.

The FISMA process defined by NIST in SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, defines a security life cycle that requires a wide range of multi-disciplinary IT security skills, including:

  • Periodic assessments of risk, including the magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the organization;
  • Policies and procedures that are based on risk assessments, cost-effectively reduce information security risks to an acceptable level, and ensure that information security is addressed throughout the life cycle of each organizational information system;
  • Subordinate plans for providing adequate information security for networks, facilities, information systems, or groups of information systems, as appropriate;
  • Security awareness training to inform personnel (including contractors and other users of information systems that support the operations and assets of the organization) of the information security risks associated with their activities and their responsibilities in complying with organizational policies and procedures designed to reduce these risks;
  • Periodic testing and evaluation of the effectiveness of information security policies, procedures, practices, and security controls to be performed with a frequency depending on risk, but no less than annually;
  • A process for planning, implementing, evaluating, and documenting remedial actions to address any deficiencies in the information security policies, procedures, and practices of the organization;
  • Procedures for detecting, reporting, and responding to security incidents; and
  • Plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the organization.

What atsec Offers
atsec's consultants have a wide range of skills in the information security domain, including the completion of many risk management projects and a deep knowledge of security controls. We have performed many audits and assessments of security controls and have developed monitoring systems for security controls. We have assisted organizations with a variety of tasks, including:

  • Providing training on the requirements of FISMA and NIST's risk management framework (RMF);
  • Providing expertise on specialized requirements such as FedRAMP (Federal Risk and Authorization Management Program) for assessing and authorizing (A&A) cloud computing services and products;
  • Developing risk management policies, procedures and methodologies including performing or assisting with risk assessments;
  • Developing policies and procedures that are based on the results of risk assessments;
  • Planning information security controls for networks, facilities, information systems, or groups of information systems;
  • Providing security awareness training (either through preparing training materials for organizations to use or by performing that training on behalf of the organization);
  • Performing periodic testing and evaluation of the effectiveness of information security policies, procedures, practices, and security controls under a variety of standards and schemes;
  • Supporting the resolution of remediation activities including planning, implementing, evaluating, and documenting remedial actions to address any identified deficiencies in the information security policies, procedures, and practices of the organization;
  • Developing procedures for detecting, reporting, and responding to security incidents;
  • Developing and reviewing existing plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the organization; and
  • Much more!

The overall approach to ensuring information security defined in FISMA is a framework that atsec knows well. We can help you understand the FISMA-required certifications for components, software, and processes, including:

  • FIPS 140-2 and cryptographic algorithm validation (e.g. AES),
  • Personal identity verification (FIPS 201),
  • (GSA) FIPS 201 Evaluation Program (EP),
  • The Common Criteria (CC) (ISO/IEC 15408),
  • Open Trusted Technology Provider Standard (O-TTPS),
  • Security Content Automation Protocol (SCAP),
  • The use and specification of Security Technical Implementation Guides (STIGs), and
  • The National Checklist Program (NCP).