DHS Science & Technology Information Assurance and Compliance Support
Challenge: DHS Science and Technology Directorate (S&T) is the research and development (R&D) section of DHS and therefore is tasked with organizing scientific, engineering, and technological resources of the United States and leveraging these existing resources into technological tools to help protect the homeland. To assist in that effort, Cybersmart provided information assurance and compliance services through a team that was responsible for securing S&T’s assets (Classified and unclassified) and ensuring that the agency remained compliant with FISMA and DHS policy.
- Refined the agency’s Software exception request (SER) process. This ensured that all newly submitted applications were thoroughly tested, analyzed, and researched before an approval decision was made.
- Developed, updated DHS S&T policies, Standards and Procedures (SOPs)
- Determined security requirements by evaluating business strategies and requirements. Researched information security standards and conducted system security and vulnerability analysis and risk assessments.
- Performed internal system audits on S&T systems by checking for completeness of authorization documents, security controls implementation details, and supporting artifacts.
- Produced audit findings report with the identification of system gaps, level of risks, and recommended solutions.
- Organized quarterly social engineering exercise via phishing that targeted both the privilege and non-privilege users. Provided security awareness training for agency users by helping them identify phishing emails.
- Provided strategic focus, leadership and presided over client engagements to elicit, document, analyze and validate IT security compliance by applying the latest Security Frameworks such as the Federal Risk and Authorization Management Program (FedRAMP), Federal Information Security Management Act (FISMA), STIGs and Risk Management Framework (RMF).
- Developed Vulnerability Management Policy that provides the structure, process, and procedures for a Vulnerability Management Team.
DHS Federal Emergency Management Agency (FEMA) ISSO Support
Challenges: The Federal Emergency Management Agency (FEMA) as an agency of DHS is tasked with coordinating the response to any disaster that occurs in the United States, which overwhelms the resources of local and state governments. Cybersmart was there to provide ISSO support to FEMA, during some of its most challenging period (Hurricane season) by implementing defense in-depth strategies on its grants systems, which had a history of multiple breaches.
- Expanded and improved agency’s information assurance and compliance programs; reduced non-compliance from nearly 50% to less than 10% across the agency within 3 months.
- Organized a tiger team of 10 Information System Security Officers (ISSO’s) during resiliency effort to put together complete ATO packages for five new systems within 6 weeks.
- Provided guidance on and implementation of technical controls to support end user information and system infrastructure in cloud-based environments.
- Created, updated and maintained documentation (System Security Plan (SSP); Security Test and Evaluation (ST&E); Security Assessment Report (SAR); Signed Accreditation Letter ATO; Contingency Plan (CP); Contingency Plan Test (CPT) Results; FIPS 199; E-Authentication; Privacy Threat Assessment (PTA)) associated with C&A and for continuous monitoring of applications/systems classified as Sensitive But Unclassified.
- Helped streamlined the Change Management process to increase efficiency and better process flow.
- Prepared and presented briefings to senior management officials on Information Assurance/Information Security principles to manage risks. These streamlined briefings aided in swift decision-making for IT security assessments, monitoring and detection of intrusion.
United States Department of Veterans Affairs (VA) Vulnerability Management Support
Challenges: The Veterans Affairs (VA) is charged with integrating life-long healthcare services to eligible military veterans. It also provides non-healthcare benefits such as disability compensation, vocational rehabilitation, education assistance, home loans, etc. Cybersmart was entrusted to provide remediation recommendations and vulnerability management support for Information Systems at the VA.
- Identified, evaluated, treated, and reported security vulnerabilities in systems and the software that runs on them. Proper implementation alongside other security tactics was vital for the VA to prioritize possible threats and minimize their “attack surface.”
- Developed standardized scanning profiles and methodology for all VA’s assets and automated scan execution.
- Evaluated risks that were identified during scanning and ensured that vulnerabilities were dealt with appropriately and in accordance with an organization’s risk management strategy.
- Prioritized system risk by utilizing the impact level of high, medium, and low.
- Developed remediation action to help minimize agency-wide systems risk.
- Developed POA&M (Plan of Action & Milestones) document to take corrective actions resulting from ST&E (System Test & Evaluation).
National Institutes of Health (NIH) Information Assurance Support
The National Institute of Health (NIH) is the nation’s medical research agency, supporting scientific studies that turn discovery into health. It is responsible for clinical trials, biomedical and public health research. The CIO’s goal is to enable the creation and sharing of scientific and business knowledge; enhance business adaptability by ensuring that NIH information and information technology (I&IT) projects are well managed to respond rapidly to business and research needs, as well as build a robust and secure NIH infrastructure at or above industry standards.
- Worked with the OCIO management to provide feedback/input on US Senate Bills establishing law for NIH protection of domestic and global research with grants/contracts worth over 2 billion in government funding.
- Worked closely with the CISO to drive the current IA standardization project, which includes creating system images for NIH.
- Developed and published OCIO/ISAO guidance on NIH’s Assessment and Authorization processes.
- Provided quarterly Training for System Owners, ISSOs, and other Stakeholders in the completion of their security documentation and reviewed templates to ensure completeness and accuracy.
- Created a Vulnerability Management Policy that provides the structure, process, and procedures for a Vulnerability Management Team.
- Provided oversight for Plans of Action and Milestone (POA&M) identified as part of the system assessment /authorization, audits, and facilitate their closure/remediation with the system/program area personnel