The Information Technology Management Reform Act of 1996 and the Federal Information Security Management Act of 2002 mandate that agencies take specific steps to ensure the security of Federal information systems. Federal agencies must create an information security program made up of eight security areas. In addition, each agency must annually report its progress to the Office of Management and Budget. This information is used to make an annual report to Congress on FISMA implementation across the executive branch.
Per FISMA regulations, each organization will develop an agency-wide information security program which includes the following areas of concern:
- Create a security program for managing information risk
- Create an incident response and reporting program
- Document policies and procedures
- Select security controls for systems
- Create a continuity-of-operations plan
- Create a security training program
- Create a remediation program
- Conduct continuous monitoring
FISMA Program Support
- CKSS Compliance Services are geared to provide FISMA Program Support to your Computer Information Security Officer (CISO), Senior Agency Information Security Officer (SAISO), Information System Security Officer (ISSO), and Information System Security Manager (ISSM).
- Program and Policy Support: CKSS works closely with you to develop, update, and/or maintain your information security program and its policies, standards, and procedures.
- CKSS ensures that the federal organization has a plan in place to address known regulatory requirements and understands what new requirements are being developed by entities such as NIST and OMB.
Security Assessment and Authorization (SA&A)
- CKSS assists clients in conducting C&A of applications and general support systems. CKSS follows NIST SP 800-37, NIST SP 800-53, FISMA, and agency-specific SA&A process guidelines. As part of conducting an SA&A for federal clients, we conduct on-site data collection activities, offer scan services, run applications looking for known vulnerabilities, conduct security assessment activities, and develop the following deliverables:
  - SA&A Plan
  - System Security Plan (SSP)
  - Risk Assessment
  - Security Assessment Test Plan
  - Security Assessment Test Report
  - IT Contingency Plan
  - Privacy Impact Assessment (PIA)
  - Transmittal Letter
  - Accreditation Decision Letter
- CKSS also provides assistance in developing and delivering security awareness & training support to our clients.
The CKSS Continuous Monitoring solution enables you to sustain your security posture through continuous monitoring as specified by NIST SP 800-37, NIST SP 800-137, and other pertinent standards and guidance.
Once a year, we develop and conduct:
- Incident Response Plans
- ST&E tests of key controls
- Contingency Plan and Test Report assessments
- Separation of Duties Matrix
- Penetration Testing
Quarterly, or on another regularly scheduled basis, we offer:
- Security event and log management, enabling more efficient handling of events and logs
- Compliance Monitoring and Reporting for established Configuration Baselines
- Ongoing POA&M Remediation and Updates
- Vulnerability and Application Scans of All Systems within the System Boundary
The Office of Management and Budget (OMB) Circular A-123, Management’s Responsibility for Internal Control, defines management’s responsibility for internal control in federal agencies. Circular A-123 and the statute it implements, the Federal Managers’ Financial Integrity Act of 1982 (FMFIA), are the center of the existing federal requirements to improve internal control. The Circular also establishes requirements for conducting management’s annual assessment of the effectiveness of internal control over financial reporting (required by Appendix A of the Circular). The requirements specifically state that agencies are to include information system controls in their assessment.
An OMB A-123 assessment consists of evaluating the key controls for each system and application significant to financial reporting to determine whether they are operating effectively. Specifically, this includes evaluating:
- General controls at the General Support level
- General controls as they are applied to the system being examined
- Application controls
- Documented policies, procedures, and evidence of controls implementation
- The assessment itself, including documenting assessment results and uploading evidence in a tool of your choice
CKSS helps government agencies ensure compliance with OMB A-123 requirements by:
- Developing and finalizing the scope for the assessment, for example, ensuring that appropriate individuals are available to perform and review required control tests, and defining the roles and responsibilities structure to support OMB Circular A-123 compliance.
- Testing the effectiveness of controls by reviewing documented policies, procedures, and evidence of controls implementation.
- Documenting the assessment, to include documenting assessment results and uploading evidence in a designated tool to ensure results are verifiable.