
Protecting data is no longer an option. Government regulations such as FISMA, OMB A-130, and the Computer Security Act require federal agencies to develop, test, and monitor internal controls to protect their data and ensure its confidentiality, availability, and integrity.
As part of its Regulatory Assessment Program, C5i has developed a detailed security assessment methodology based on NIST and FIPS standards that can help federal agencies and organizations comply with the myriad of federal computer security regulations. This methodology provides a logical, comprehensive approach for ensuring that organizations comply with all applicable laws and guidelines and maintain adequate protection of their electronic data.
Examples of C5i's Regulatory Assessment Program evaluations that apply to government agencies and organizations include:
Under C5i's Regulatory Assessment Program, not only will you receive an evaluation and easy-to-read scorecard of your current security posture relative to the applicable federal regulations and industry best practices, but you will also receive recommendations for closing any security gaps that are identified. C5i can help you select and even implement cost-effective security controls to mitigate any identified risk.
FISMA Evaluations and Self-Assessments
Because of increased concerns about attacks on information systems in the commercial sector and apparent weaknesses in Government IT systems, Congress passed the Federal Information Security Management Act (FISMA) in 2002. FISMA requires greater management responsibility and reporting requirements for information security.
But as with many information security tasks, federal agencies are finding that they just don't have the manpower, expertise, or resources to ensure every inch of their IT systems conforms to government standards, laws, and directives. Many of these agencies have turned to C5i for help. As IT security experts, C5i can help Government agencies with all phases of the FISMA process. From planning and budgeting a new FISMA project to performing FISMA evaluations to managing and tracking POA&Ms, C5i will ensure that your FISMA projects are completed on time and in accordance with federal regulations.
C5i's Information Assurance experts ensure that your critical systems comply with every applicable Government standard, including:
- NIST standards, such as NIST SP 800-26 and SP 800-53
- FIPS Pubs, such as 140-2, 199, 200, and 201
- OMB A-130
- Computer Security Act
- FISCAM
Using a team of experts, industry best practices, and standardized processes and tools, C5i can deliver FISMA results that ensure that the confidentiality, integrity, and availability of your IT assets and information are appropriately protected. C5i can perform the annual FISMA evaluation for your selected systems, including:
- Review all required security documentation
- Perform interviews, inspections, and tests (including penetration tests and vulnerability scans if necessary)
- Create the final FISMA report with findings and recommendations
By using a comprehensive FISMA process developed and executed by top IT security experts, you can be assured that your IT data and assets are effectively protected and your systems show significant improvement on the next federal security report card.
Certification and Accreditation (C&A)
As FISMA-mandated IT security evaluations become a way of life in the Government, agencies are finding that they just don't have the manpower, expertise, or resources to perform every required task. Many of these agencies have turned to C5i for help. As IT security experts, C5i can help Government agencies with all phases of the C&A process. From planning and budgeting a new C&A initiative to performing certification reviews to packaging and presenting the results, C5i will be with you every step of the way.
C5i's Information Assurance experts ensure that your C&A effort complies with every applicable Government standard, including:
- OMB A-130
- Computer Security Act
- NIST standards, such as SP 800-37 and 800-53
- FIPS Pubs 199, 200, and 201
- FISCAM
Acting as the certification agent for your C&A project, C5i security experts will follow the NIST SP 800-37 process and:
- Review and evaluate all required documentation, especially the system's security plan and risk assessment
- Develop the ST&E plan based on the system's security plan and NIST SP 800-53
- Perform tests, interviews, and inspections (including penetration tests and vulnerability scans)
- Create the final assessment report and certification letter recommending full or interim approval to operate (ATO/IATO)
Using a team of experts, industry best practices, and standardized processes and tools, C5i can deliver C&A results that ensure your IT systems, networks, and data are appropriately protected.
OMB A-123 and A-127 Assessments
C5i can also assist agencies with their OMB A-123 or A-127 assessments to help ensure that internal control activities such as segregation of duties, safeguarding of records, and physical and logical access controls are adequate to provide reasonable assurance of the reliability of the agency's financial reporting.
ISO 17799 Audits
C5i security experts have extensive experience assisting inspector general (IG) offices by performing IT audits of their agency's major applications and critical systems. All IG audits are performed according to GAO's Yellow Book in addition to all applicable federal IT standards and guidelines.