Assurit’s Security Assessment and Authorization services help you evaluate your management, operational, technical and privacy controls to ensure they are implemented properly and operating effectively.
Whenever possible, our team approaches an SA&A engagement by advising and supporting our clients in integrating security requirements into the system development life cycle (SDLC). This ensures that security is addressed from the outset rather than bolted on later as an afterthought.
Identify True Risk
For every security assessment and authorization (SA&A) activity, our team will support your organization in identifying the true risk of operating the system and provide our recommendation on whether an authorization to operate (ATO) should be granted. The security assessment should be used to answer the following questions:
- What sensitive or critical information does the system process, store or transmit?
- What controls are in place?
- What is the current security posture?
- Are the countermeasures sufficient for the risk?
- Are there any high-priority issues that must be resolved first?
Federal agencies are mandated by the Federal Information Security Modernization Act (FISMA) to understand the security risks posed to their systems, applications and environment, and are required to take appropriate actions to mitigate those risks. Assurit provides SA&A services that help you achieve and maintain compliance through a proven methodology that ensures customer readiness and efficient delivery with minimal impact on your support teams.
Assurit Security Assessment and Authorization Services
Our Security Assessment and Authorization engagements include:
Security Architecture, Policy and Procedures Review
By evaluating the overall security design and architecture of your environment and thoroughly reviewing all organizational policies and procedures, Assurit provides proactive support to ensure that the requirements for authorization are addressed. We use industry best practices and the guidance applicable to your information types as the baseline for a gap analysis.
System Documentation Development
Using the guidance provided in the NIST Special Publications (e.g., SP 800-18, SP 800-37, SP 800-61, SP 800-137), we will develop all documentation required for your organization to obtain an ATO from the authorizing official. This includes the system boundary definition, system categorization, system security plan, risk assessment and supporting policies and procedures.
Security Control Assessments
Our assessments, for both commercial and government clients, are based on the Risk Management Framework (RMF) and the security controls defined in NIST SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations. Our standard assessment approach follows SP 800-53A and determines whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to the system's security requirements.
Development and Tracking of POA&Ms
A Plan of Action and Milestones (POA&M) records each weakness identified through an assessment or continuous monitoring activity, along with the planned corrective action, the resources required, the milestones and scheduled completion dates, and the current status of remediation. By tracking these items and supporting their timely remediation, Assurit helps keep the risk of operating the system within the limits your organization has accepted.