FISMA Certification Support
What atsec offers
atsec information security is an independent, standards-based IT (information technology) security consulting and evaluation services company that combines a business-oriented approach to information security with in-depth technical knowledge and global experience. atsec's success in the field of IT security consulting and evaluation can be measured by our customer roster, which includes large, world-renowned commercial and defense-related companies.
atsec's consultants have a wide range of skills in the information security domain, including the completion of many projects involving risk management and a deep knowledge of security controls. We have performed many audits and assessments of security controls and have developed monitoring systems for security controls for a large telecom network operator. We have assisted many organizations with:
- Providing training on the requirements of FISMA and NIST's risk management framework (RMF)
- Providing expertise on specialized requirements such as FedRAMP (Federal Risk and Authorization Management Program) for assessing and authorizing (A&A) cloud computing services and products
- Developing risk management policies, procedures and methodologies including performing or assisting with risk assessments
- The development of policies and procedures that are based on the results of risk assessments
- Planning for providing information security controls for networks, facilities, information systems, or groups of information systems
- Providing security awareness training, either by preparing training materials for organizations to use or by delivering that training on behalf of the organization
- Periodic testing and evaluation of the effectiveness of information security policies, procedures, practices, and security controls under a variety of standards and schemes
- Supporting the resolution of remediation activities including planning, implementing, evaluating, and documenting remedial actions to address any identified deficiencies in the information security policies, procedures, and practices of the organization
- Developing procedures for detecting, reporting, and responding to security incidents
- Developing and reviewing existing plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the organization
Many functional and assurance requirements specified by CC, CMVP, etc. map directly to the FISMA controls defined in SP 800-53. The overall approach to ensuring information security defined in FISMA is therefore a familiar framework to atsec, which is able to help with gaining the FISMA-required certifications for components and software through our NIST/NVLAP-accredited laboratories (lab code 200658) for:
- FIPS 140-2 and cryptographic algorithm validation (e.g., AES)
- Biometrics testing
- Personal identity verification (FIPS 201)
- (GSA) FIPS 201 Evaluation Program (EP)
- The Common Criteria (CC)
atsec consultants are trained and experienced in a variety of compliance standards, including the NIST standards and special publications, ISO/IEC 27001, the Payment Card Industry standards, and many others. We also have experience with standards such as:
- Security Content Automation Protocol (SCAP)
- The National Checklist Program (NCP)
Because of atsec's extensive experience in information systems auditing and testing and in security consulting, including risk assessment and analysis, atsec is a good choice to provide FISMA consulting and assessment services for any Federal agency requiring FISMA certification and accreditation.
Why our services are important to you
The Federal Information Security Management Act of 2002 (FISMA) specifies:
“Each [federal] agency shall develop, document, and implement an agency-wide information security program… to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source…”
and further:
“Periodic testing of the effectiveness of the management, operational, and technical controls…to be performed with a frequency depending on the risk, but no less than annually.”
The FISMA process defined by NIST in SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, defines a security lifecycle that requires a wide range of multi-disciplinary IT security skills, including:
- Periodic assessments of risk, including the magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the organization
- Policies and procedures that are based on risk assessments, cost-effectively reduce information security risks to an acceptable level, and ensure that information security is addressed throughout the life cycle of each organizational information system
- Subordinate plans for providing adequate information security for networks, facilities, information systems, or groups of information systems, as appropriate
- Security awareness training to inform personnel (including contractors and other users of information systems that support the operations and assets of the organization) of the information security risks associated with their activities and their responsibilities in complying with organizational policies and procedures designed to reduce these risks
- Periodic testing and evaluation of the effectiveness of information security policies, procedures, practices, and security controls to be performed with a frequency depending on risk, but no less than annually
- A process for planning, implementing, evaluating, and documenting remedial actions to address any deficiencies in the information security policies, procedures, and practices of the organization
- Procedures for detecting, reporting, and responding to security incidents
- Plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the organization
For more information
Please refer to our resource pages.
