Our Approach and Methodology
Phase 1 – Proposed Methodology (RFP B.1.3.1):
The Federal Government requires any system that impacts the Federal
Network to be certified against a government standard, i.e. FISMA,
DIACAP, NIACAP, etc. These processes require a great deal of expertise and
knowledge of the process itself as well as of general security. The following
phases are those included in FISMA, with the embedded steps of the NIST SP 800-37
process.
Phase 2 – Initiation/Definition:
The Initiation Phase consists of preparation, notification and resource
identification, as well as system security plan development, analysis,
update, and acceptance. Some of the tasks that will be performed during this
phase include, but are not limited to:
- A risk assessment in accordance with NIST 800-30
- Development of the System Security Plan
- Review FIPS 199 security categorization (Moderate) and Select
Controls leveraging NIST 800-53
- Review configurations in accordance with FIPS 200 and NIST 800-53
- Conduct a Privacy Impact Assessment
- Review ISA and MOA/MOU
- Review Incident Response Plan in accordance with NIST 800-61
The following steps will be completed during this phase:
Step 1: Categorize the information system and the information
processed, stored, and transmitted by that system based on an impact
analysis. SecureState will review the FIPS 199 security categorization to confirm the
rating.
Step 2: Select an initial set of baseline security controls for
the information system based on the security categorization; tailoring and
supplementing the security control baseline as needed based on organization
assessment of risk and local conditions. SecureState leverages the use of
NIST 800-53 Recommended Security Controls for Federal Information Systems
and Organizations.
Step 3: Implement the security controls and document how the
controls are deployed within the information system and environment of
operation.
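The categorization in Step 1 and the baseline selection in Step 2 follow a fixed rule: FIPS 199 assigns each information type a Low/Moderate/High impact for confidentiality, integrity and availability, the system inherits the highest value per objective across all of its information types (the "high-water mark"), and FIPS 200 takes the highest of the three objectives as the overall impact that picks the NIST SP 800-53 baseline. The following Python script is an added illustration of that rule, not SecureState's tooling or anything from the RFP; the information types and impact values in it are constructed sample data, and `confirm_rating` models the review in Step 1 that checks a claimed rating (the page's "Moderate") against what the inventory actually yields.

```python
"""FIPS 199 / FIPS 200 security categorization worked example (added illustration).

Implements the high-water-mark rule used in RMF Step 1 and the baseline choice
used in RMF Step 2. All data below is constructed for the example.
"""
from enum import IntEnum
from typing import Dict, Iterable, Optional, Tuple

class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() yields the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3

OBJECTIVES = ("confidentiality", "integrity", "availability")

# Each row: (information type, confidentiality, integrity, availability).
# None means "not applicable", which FIPS 199 permits only for the confidentiality
# of public information at the information-type level.
InfoType = Tuple[str, Optional[Impact], Impact, Impact]

SAMPLE_INFO_TYPES: list = [  # constructed sample inventory, not from the page
    ("public web content",  None,            Impact.MODERATE, Impact.LOW),
    ("employee PII",        Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    ("internal audit logs", Impact.LOW,      Impact.MODERATE, Impact.LOW),
]

def system_security_category(info_types: Iterable[InfoType]) -> Dict[str, Impact]:
    """Per objective, take the highest impact assigned to any information type.
    A system's objectives never go below LOW, so a 'not applicable' (None)
    confidentiality value on one information type is floored to LOW here."""
    category = {obj: Impact.LOW for obj in OBJECTIVES}
    for _name, conf, integ, avail in info_types:
        for obj, level in zip(OBJECTIVES, (conf, integ, avail)):
            if level is None:
                continue  # N/A contributes nothing above the LOW floor
            category[obj] = max(category[obj], Impact(level))
    return category

def overall_impact(category: Dict[str, Impact]) -> Impact:
    """FIPS 200 high-water mark across the three objectives; this single level
    selects the SP 800-53 low, moderate or high control baseline."""
    return max(category.values())

def format_category(category: Dict[str, Impact]) -> str:
    """Render in the FIPS 199 notation, e.g. SC = {(confidentiality, MODERATE), ...}."""
    body = ", ".join(f"({obj}, {lvl.name})" for obj, lvl in category.items())
    return "SC = {" + body + "}"

def select_baseline(category: Dict[str, Impact]) -> str:
    """Name of the SP 800-53 baseline implied by the overall impact level."""
    return f"SP 800-53 {overall_impact(category).name.lower()} baseline"

def confirm_rating(info_types: Iterable[InfoType], claimed: str) -> Tuple[bool, Impact]:
    """Step 1 review: does the claimed overall rating match the inventory?
    Returns (matches, computed_overall) so a mismatch can be reported."""
    computed = overall_impact(system_security_category(info_types))
    return computed.name == claimed.strip().upper(), computed

if __name__ == "__main__":
    cat = system_security_category(SAMPLE_INFO_TYPES)
    print(format_category(cat))
    print("Overall:", overall_impact(cat).name, "->", select_baseline(cat))
    ok, computed = confirm_rating(SAMPLE_INFO_TYPES, "Moderate")
    print("Claimed 'Moderate' confirmed:", ok, "(computed", computed.name + ")")
```

Tailoring and supplementing the baseline (the second half of Step 2) happens after this point and is an organizational risk decision rather than a calculation, which is why the script stops at naming the baseline.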
Phase 3 – Certification/Verification:
The Security Certification Phase consists of two tasks: security control
assessment and security certification documentation. Some of the tasks that
will be performed during this phase include, but are not limited to:
- Development of Security Test & Evaluation (ST&E)
- Update of Risk Assessments Report
- Update of System Security Plan
Step 4: Assess the security controls using appropriate procedures
to determine the extent to which the controls are implemented correctly,
operating as intended, and producing the desired outcome with respect to
meeting the security requirements.
Phase 4 – Accreditation/Validation:
The Security Accreditation Phase consists of a security accreditation
decision and security accreditation documentation. Some of the tasks that
will be performed during this phase include, but are not limited to:
- Final preparation of the C&A package
The following step will be completed during this phase:
Step 5: Authorize information system operation based upon a
determination of the risk to organizational operations and assets,
individuals, other organizations and the Nation resulting from the
operation of the information system, and the decision that this risk is
acceptable.
Phase 5 – Continuous Monitoring:
The Continuous Monitoring Phase consists of configuration management and
control, security control monitoring, and status reporting and
documentation. The following step will be completed during this phase:
Step 6: Monitor and assess selected security controls in the
information system on an ongoing basis, including assessing security control
effectiveness, documenting changes to the system or environment of
operation, conducting security impact analyses of the associated changes,
and reporting the security state of the system to appropriate organizational
officials.