Home > Federal > Certification & Accreditation > Security Test and Evaluation

Certification & Accreditation

Security Test and Evaluation


Security Test and Evaluation (ST&E) is the Independent Verification and Validation (IV&V) of a security control on a system to determine if it was properly implemented, and if it is working correctly. While providing this service, organizations must leverage a variety of standards such as NIST 800-115, to properly perform the testing. Depending on the type of control being tested, there are several assessments that can be performed including:

  • Penetration Testing
  • Vulnerability Assessment
  • Documentation Reviews
  • Observations
  • Interviews


Security Test and Evaluation (often times referred to as Certification Test & Evaluation) is a requirement within all C&A processes including DIACAP, FISMA, DCID and DODIIS. Additionally, having a ST&E performed periodically throughout the year, allows for an organization to maintain a strong security posture and proactively identify and remediate threats and vulnerabilities.


SecureState has years of experience in conducting Penetration Tests. Many of our Team Members come from a military background and have extensive experience in conducting and building physical security assessment programs for very complex organizations. Additionally, our staff members have professional experience with bypassing locks, alarms and other physical security control; and use some of the most covert, high tech tools for this security assessment. Furthermore, SecureState uses social engineering techniques to gain access to your company. We realize humans play the most important role in securing your company’s data; however they are usually the weakest link.

Did You Know?

  • Security Test & Evaluation is required on at least an annual basis
  • NIST 800-115 provides a uniform methodology for security assessments
  • ST&E is performed during the Certification phase of FISMA and DIACAP
  • The Security Assessment Report (SAR) contains ST&E findings
  • Mitigation activities are tracked in the POA&M

Our Approach and Methodology

SecureState provides a comprehensive assessment of organizations’ Certification and Accreditation (C&A) packages with specific emphasis on requirements. During this phase, the team will complete the following tasks:

  • Assessment of C&A packages for application systems
  • Preparation of C&A supporting documents including program assessment report that meets FISMA compliance
  • Provide recommendations for improvements to the IT security program, including specific actions that will result in successful implementation of those recommendations, and as needed, implementation of those recommendations/actions from the previous task
  • Identify existing and/or potential IT security weaknesses

SecureState specializes in providing comprehensive assessments of C&A packages. Depending on the control, the team will perform a variety of the following types of assessments:

  • Internal and External Penetration Test
  • Vulnerability Scans
  • Documentation Review
  • Observations
  • Interviews

Penetration Testing:

Our Penetration Testing Methodology has four phases. It is based on NIST Special Publication 800-115 “Technical Guide to Information Security Testing and Assessment. (September 2008).” The four phases are as follows:

  1. Planning phase:
    Rules are identified, management approval is finalized, and the testing goals are set. No actual testing occurs in the planning phase. The planning phase is one week long. A kickoff meeting will be conducted with the PSC management and system/network administration personnel and the Penetration Test Team. In the planning phase, rules of engagement, test plans, and written permission are developed and signed. If desired, The client may prioritize highest valued assets or trophies which SecureState can focus its efforts.
  2. Discovery phase:
    Vulnerability analysis of services, applications, and operating systems of scanned hosts are compared against vulnerability databases (for vulnerability scanners this process is automatic).
  3. Attack phase:
    Previously identified potential vulnerabilities are verified by attempting to exploit them. If an attack is successful, the vulnerability assessment is verified and safeguards are identified to mitigate the associated security exposure. Additional analysis or testing is required to determine the true level of risk for the network.
  4. Reporting Phase:
    The reporting phase occurs simultaneously with the other three phases of the Penetration Test. In the discovery and attack phase, written logs are usually kept and periodic reports are made to system administrators and/or management, as appropriate. At the end of the test an overall testing report is developed to describe the identified vulnerabilities, provide a risk rating, and to give guidance on the mitigation of the discovered weaknesses.


SecureState leverages hundreds of tools throughout the course of our Penetration Test. From custom developed exploitation tools, to open source tools such as the Back-Track distribution, and market leading scanning tools, such as Qualys, SecureState looks to leverage the right blend of automated tools and manual expertise to identify and exploit known and unknown vulnerabilities within your client’s systems. A sample of tools that could be leveraged through the testing may include:

  • Metasploit
  • Burp-Pro
  • NMAP
  • FastTrack (The Fast-Track tool set within Back-Track was by SecureState security consultants).
  • FOCA
  • Maltego
  • A variety of tools from the Back-Track Suite

Vulnerability Assessment:

SecureState’s Vulnerability Assessment combines the latest industry leading scanning engines for networks, operating systems, web servers, and web applications and combines them into one overall cost effective solution for our customers.

The vulnerability is a focused and controlled vulnerability analysis of the client’s internal and external presence. The analysis consists of deploying multiple vulnerability scanning engines to identify potential security exposures within internet facing systems. Vulnerability Assessments are typically “health checks” for most organizations to ensure that a mature security program is being maintained and continuously updated.

Most organizations that have current Vulnerability Assessment solutions completely miss multiple layers of security, mostly from the web application security aspect. SecureState focuses heavily on all aspects of your external perimeter to ensure all layers are covered. It is estimated that over eighty percent of all breaches are occurring from the web application layer, yet it is often overlooked and not assessed.

Vulnerability scanners are notorious for outputting numerous false positives that are not applicable to a given environment. SecureState engineers manually review most scanner outputs and customize a detailed report that is applicable only to your environment.

Lastly, SecureState does not perform Denial of Service activities unless specifically requested. All SecureState External Vulnerability Assessments ensure that Denial of Service activities are not performed. However, Vulnerability Assessments can increase internet based traffic and bandwidth usage. SecureState generally recommends that these Assessments be performed off hours although the impact on performance is generally low.

Documentation Review:

SecureState will review of the documented policies, procedures and plans that are currently in place. These documents will be reviewed in accordance with NIST 800-53 Rev. 2 and Rev. 3.


SecureState will perform a visual test/exam of policies, procedures and plans that are in operation to determine its compliance. This test will ensure that the policies, plans, and procedures can be completed in compliance with NIST 800-53 Rev. 2 and Rev. 3.


SecureState will have discussions with key system owners and administrators to determine their day-to-day activities and ensure they are in compliance with both the requirements and policies in place.

What Makes Us Different


  • Uses a team based approach for all Penetration Tests
  • Highly involved in the local and National Physical Security community through Physical Security organizations such as ASIS International
  • SecureState’s Profiling Team Members founded the first local chapter of TOOOL (The Open Organization Of Lockpickers) in the Cleveland Ohio area
  • Profiling Team members are frequent speakers at National and world-wide security and hacking conferences such as DEFCON, Black Hat, OWASP AppSec, SANS, ShmooCon, THOTCON, DerbyCon, ToorCon and more
  • Provides a secure two-factor authentication web portal for access to Penetration Test results
  • Follows industry standard testing methodologies, vulnerability rating systems and uses real attack data collected by SecureState through years of assessments to compare your company to your industry peers from a security perspective


We Can Help You