The Federal Information Security Management Act (FISMA) and the Office of Management and Budget (OMB) Circular A-130 state that bureaus and agencies must implement and maintain a program to ensure that adequate security is provided for all government information collected, processed, transmitted, stored, disseminated and destroyed. Adequate security is defined as security commensurate with the risk and magnitude of harm resulting from the loss, misuse, unauthorized access to, or modification of information. The Security Assessment and Authorization (SA&A), formally known as A&A, C&A and ST&E, is the most effective method for federal agencies to scrutinize and continuously monitor their IT systems. Dakota’s team of cybersecurity professionals can provide an independent security assessment of federal agencies’ IT systems. Our assessment features a thorough report on the compliance and effectiveness of the security control implementation. Our assessment focuses on NIST requirements and reviews security policy, procedures, standards and guidelines. Elements of the assessment include:
- Security Assessment Planning
- Security Assessment and Authorization Package
- Security Control Assessment
- System Categorization and Security Control Baseline
- Control Tailoring and Inheritance
- Penetration Testing/Vulnerability Scanning
- Independent Verification and Validation (IV&V)