
Services

01. Technology Adoption, Governance & Compliance

Assisting with Digital Transformation, Digitalization, Systems Engineering, Security, and Life Cycle Integration for both private and public entities in Energy, Education, and Health Care.

NIST 800-53 Revision 5

NIST Special Publication 800-53 is the security and privacy controls catalog developed by NIST together with the Department of Defense, the Intelligence Community, and the Committee on National Security Systems as part of the Joint Task Force, an interagency partnership formed in 2009. Revision 4 (2013) was the most comprehensive update to the catalog since its inception in 2005. That update was motivated principally by the expanding threat space, characterized by the increasing sophistication of cyber attacks and the operations tempo of adversaries (the frequency of attacks, the professionalism of the attackers, and the persistence of their targeting). State-of-the-practice controls and control enhancements were added to the catalog in areas such as mobile and cloud computing; application security; trustworthiness, assurance, and resiliency of information systems; insider threat; supply chain security; and the advanced persistent threat. Revision 4 also added eight families of privacy controls, based on the internationally accepted Fair Information Practice Principles, as a separate appendix. Revision 5 (September 2020) goes further: it integrates the privacy controls into the main catalog alongside the security controls, adds a Supply Chain Risk Management (SR) control family, rewrites the controls as outcome-based statements that no longer name the implementing entity, and moves the control baselines into the companion publication SP 800-53B.

The security and privacy controls in Special Publication 800-53, Revision 5, have been designed to be largely policy/technology-neutral to facilitate flexibility in implementation. The controls are well positioned to support the integration of information security and privacy into organizational processes including enterprise architecture, systems engineering, system development life cycle, and acquisition/procurement. Successful integration of security and privacy controls into ongoing organizational processes will demonstrate a greater maturity of security and privacy programs and provide a tighter coupling of security and privacy investments to core organizational missions and business functions.

Revision 4 also introduced a number of changes to the structure of the publication, including:

  • Assumptions relating to security control baseline development

  • Expanded, updated, and streamlined tailoring guidance

  • Additional assignment and selection statement options for security and privacy controls

  • Descriptive names for security and privacy control enhancements

  • Consolidated tables for security controls and control enhancements by family with baseline allocations

  • Tables for security controls that support development, evaluation, and operational assurance

  • Mapping tables for international security standard ISO/IEC 15408 (Common Criteria)

FISMA Compliance

The National Institute of Standards and Technology (NIST) leads the FISMA Implementation Project, launched in January 2003, which produced the security standards and guidelines that FISMA requires: FIPS 199, FIPS 200, and the NIST Special Publication 800 series.

The top FISMA requirements include:

  • Information System Inventory: Every federal agency or contractor working with the government must keep an inventory of all the information systems utilized within the organization. In addition, the organization must identify the integrations between these information systems and other systems within their network.

  • Risk Categorization: Organizations must categorize their information and information systems by the impact that a loss of confidentiality, integrity, or availability would have, so that sensitive information and the systems that process it receive protection commensurate with that impact. FIPS 199, “Standards for Security Categorization of Federal Information and Information Systems,” defines three impact levels (low, moderate, and high) into which organizations place their information types and systems; a system's category is the high water mark across the information types it handles.

  • System Security Plan: FISMA requires agencies to create a security plan which is regularly maintained and kept up to date. The plan should cover things like the security controls implemented within the organization, security policies, and a timetable for the introduction of further controls.

  • Security Controls: NIST SP 800-53 provides the catalog of security and privacy controls used for FISMA compliance, and SP 800-53B defines the low, moderate, and high control baselines. FISMA does not require an agency to implement every control in the catalog; FIPS 200 requires it to start from the baseline that matches the system's impact level and tailor that baseline to the organization and the system. Once the controls are selected and the security requirements are satisfied, the organization documents the selected controls in its system security plan.

  • Risk Assessments: Risk assessments are a key element of FISMA’s information security requirements. NIST SP 800-30 offers some guidance on how agencies should conduct risk assessments. According to the NIST guidelines, risk assessments should be three-tiered to identify security risks at the organizational level, the business process level, and the information system level.

  • Certification and Accreditation (now Authorization): FISMA requires program officials and agency heads to review their security programs and systems at least annually to keep risk at an acceptable level. The four-phase Certification and Accreditation (C&A) process (initiation and planning, certification, accreditation, and continuous monitoring) from the original SP 800-37 has been superseded by the Risk Management Framework in SP 800-37 Revision 2, under which an authorizing official grants a system an Authorization to Operate (ATO) based on the assessed controls and the residual risk, and the authorization is sustained through continuous monitoring.
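The categorization step above is the one place in this list where FISMA prescribes an actual computation. The following Python is an added example, not code from the original page or from NIST: it applies the FIPS 199 rule that a system's impact level for each security objective is the high water mark across the information types it handles, the FIPS 199 restriction that a value of "not applicable" may be assigned only to the confidentiality of an individual information type and never to a system, and the FIPS 200 rule that the system's overall impact level (and hence its SP 800-53B baseline) is the highest of the three objectives. The information types, their names and their impact values are constructed sample data and are not drawn from SP 800-60 or any real system.

```python
"""FIPS 199 security categorization by the high-water-mark rule.

Added illustration, not code from the original page or from NIST. The
information types and impact values below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# FIPS 199 potential impact values, ordered so max() yields the high water mark.
IMPACT_ORDER = {"NOT_APPLICABLE": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    """One information type with its provisional impact level per objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def impact(self, objective: str) -> str:
        value = getattr(self, objective)
        if value not in IMPACT_ORDER:
            raise ValueError(f"{self.name}: invalid impact {value!r} for {objective}")
        # FIPS 199: NOT_APPLICABLE is only permitted for confidentiality
        # (e.g. public information); integrity and availability always apply.
        if value == "NOT_APPLICABLE" and objective != "confidentiality":
            raise ValueError(f"{self.name}: NOT_APPLICABLE is not allowed for {objective}")
        return value


def high_water_mark(levels: Iterable[str]) -> str:
    """Return the highest FIPS 199 impact level among the given levels."""
    levels = list(levels)
    if not levels:
        raise ValueError("no impact levels to compare")
    return max(levels, key=IMPACT_ORDER.__getitem__)


def categorize_system(info_types: List[InformationType]) -> Dict[str, str]:
    """FIPS 199 system category: per-objective high water mark over all types.

    A system can never be NOT_APPLICABLE for an objective; if every information
    type is NOT_APPLICABLE for confidentiality, the system is still at least LOW.
    """
    category = {}
    for obj in OBJECTIVES:
        level = high_water_mark(t.impact(obj) for t in info_types)
        category[obj] = "LOW" if level == "NOT_APPLICABLE" else level
    return category


def overall_impact(category: Dict[str, str]) -> str:
    """FIPS 200: a system's impact level is the highest of its three objectives."""
    return high_water_mark(category[obj] for obj in OBJECTIVES)


def baseline_for(level: str) -> str:
    """Name of the SP 800-53B baseline selected by the overall impact level."""
    return f"{level.capitalize()}-impact baseline"


def format_category(category: Dict[str, str]) -> str:
    """Render in FIPS 199 notation: SC = {(confidentiality, X), (integrity, Y), ...}."""
    parts = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return "SC = {" + parts + "}"


# Constructed sample (hypothetical clinic scheduling system, three information
# types). Names and values are illustrative, not taken from SP 800-60.
SAMPLE_SYSTEM = [
    InformationType("appointment_schedule", "LOW", "MODERATE", "MODERATE"),
    InformationType("patient_health_record", "HIGH", "MODERATE", "LOW"),
    InformationType("public_clinic_hours", "NOT_APPLICABLE", "LOW", "LOW"),
]

if __name__ == "__main__":
    category = categorize_system(SAMPLE_SYSTEM)
    level = overall_impact(category)
    print(format_category(category))
    print(f"overall impact: {level} -> {baseline_for(level)}")
```

Note that a single HIGH for one objective on one information type is enough to pull the whole system into the high-impact baseline, which is why practitioners often split such information onto a separately categorized system rather than inherit the high baseline for everything.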

OMB A-11 Assistance

Assistance with OMB Circular A-11 budgeting for executive branch agencies, covering the preparation, submission, and execution of the budget. This includes consultation and assistance with the following:

i. Preparation and Submission of Budget Estimates

  • General Policies and Requirements

  • Budget Submission

  • MAX Data and Other Materials Required (budget data systems, baseline estimates)

ii. Selected Actions Following Transmittal of Budget

iii. Instructions on Budget Execution

  • Apportionment and Reapportionments

  • Budget Execution Reports

  • Other Reports

iv. Federal Credit

v. Strategic Plans, Annual Performance Plans, Performance Reviews and Annual Program Performance Reports

Go where you want to grow.


Request a Consultation

Let us help your organization accomplish crucial milestones and maintain consistent growth. Request a consultation and one of our professionals will reach out and schedule a time to discuss your unique needs and develop a customized service plan to move forward. 
