Information Assurance
Protecting One of Your Most Important Assets
Information Assurance (IA) — it is a big job. It pays to ask lots of questions. How vulnerable is your information infrastructure? How does your system security measure up? What if the unthinkable happens and there is a breach (and would you even know)? What if there is a fire, flood or other disaster? When there is a computer security failure, how will you handle it? Are your personnel equipped to keep your organization’s information secure?
At STG, our team includes Certified Information System Security Professionals and Certified Information Security Managers. We will bring your operations into compliance and your personnel up to speed.
Ensuring Complete NIST and DIACAP Compliance
It is a balancing act: determining an acceptable level of risk weighed against the life-cycle costs of security operations. At STG, we use a defined set of safeguards to find the right balance and ensure that your operation is fully NIST and DIACAP compliant.
Our security engineering experts perform a comprehensive evaluation of your IT systems and site. The Certification and Accreditation (C&A) process analyzes the physical environment, personnel, administrative processes, information, information systems and data communications. Deliverables include the following:
- Certification Timeline (including Weekly Status Reports)
- Threat/Vulnerability Assessment Report
- C&A Plan
- System Security Categorization Recommendation
- System Security Plan
- Security Assessment Report
- Memorandum of Agreement/Service Level Agreements
- Plans of Action with Milestones (POA&M)
- Certification Letters
- Accreditation Letters
If You Do Not Know What You Have, How Do You Know What to Protect?
Knowing what you have determines how you protect it. As part of the C&A process, STG experts help you put together complete asset identification and inventories that follow the Office of Management and Budget (OMB) Project Matrix format. The agencies that received the highest commendations during the 2003 FISMA review were those that correctly and consistently identified their assets and systems. STG will ensure that your system inventory is complete, consistent and coordinated with agency business process reporting requirements, OMB 300 submissions and federal enterprise architectural efforts.
When Your Information System Is at Stake, You Do Not Want the Second-Best Security Plan
There are always risks, but sorting credible threats from the unlikely ones takes knowledge and experience. When your information system is at stake, you do not want the second-best security plan.
As part of the C&A process, STG creates system security plans. A system security plan is a roadmap for implementing the security controls needed to protect your information system. Our security engineering experts will document the security requirements and controls for your information systems. We will provide essential information for the security C&A process. Security plans typically include other important security-related documents, such as:
- Contingency Plans
- Configuration Management Plans
- Risk Assessments
- Incident Response Plans
- System Interconnection Agreements to Facilitate the Security Accreditation Process
- Privacy Impact Assessments
- System Rules of Behavior
- Configuration Checklists
- System Interconnection Agreements
- System Security Training Plans
STG ensures that system security plans produced for federal customers are fully compliant with NIST SP 800-18 and fully integrated with the system C&A process.
Identify, Assess and Protect
What are your most important assets? Databases? Applications? Are they dependent on other programs across your network? Any one of them can be vulnerable to intrusion or attack unless you know how to protect them.
As part of the C&A process, STG provides security assessment and reporting services. Our security engineering experts can identify your assets, assess their vulnerabilities and protect them. We will examine your organization’s policies and test critical systems using the very latest in intrusion detection and threat analysis tools. In most cases, vulnerabilities can be mitigated or avoided when they are identified early.
STG’s security assessment services are nondisruptive to your agency’s workflow. Their modular design ensures accurate assessment outcomes no matter where you are in the security program life cycle. Modules include the following:
- Security Policy Review
- System Security Architecture Review
- Assets Inventory
- Penetration Test (Internal, External, Dial-Up Devices)
- Automated Vulnerability Assessments
- Mitigation Road Map
- Management Out-Brief
How Will You Know if the Proper Security Controls Are in Place?
Can you be sure your agency’s assets are safe? Have all the security controls been properly implemented? Can you monitor and get verification of your security status on any given day? Continuous monitoring is an important part of C&A.
STG can provide agency assessment reports from a database of continuously accumulated audit results. Agencies can demonstrate assessment execution and compliance as often as desired. These easily generated, time-saving reports range from executive-level summaries of compliance and remediation progress to detailed reports showing network- and host-level compliance.
STG also provides complete remediation management. We can provide a complete POA&M and the processes to review historical data, track the closure of policy violations and vulnerabilities, and monitor improvements in security policy compliance and remediation efficiency.
Helping You Improve Your FISMA Rating by Measuring Performance
Does your security performance measure up to the security controls you have planned? Are your server rooms fortified against break-ins? Are visitors to sensitive areas being logged? Are your firewalls robust?
As part of the C&A process, STG addresses security program performance. We help customers improve their FISMA rating and security posture through continuous security program performance monitoring. This includes real-time traffic monitoring for early detection of anomalous network behavior, backed by known-threat detection and filtering at every OSI layer by layered intrusion protection devices and firewalls. STG provides the technical expertise to install and manage omni-directional cyber defense and certifies that configurations conform to national defense and commercial industry standards.
Key Programs
The Federal Information Security Management Act: What You Need to Know
The Federal Information Security Management Act of 2002 (FISMA) requires federal agencies to assess, manage and report the security status of their nonclassified information systems. To help your organization achieve successful FISMA compliance, STG offers the following pre-packaged services:
- Asset Identification and Inventory Matrix
- System Security Plans
- Security Assessment and Reporting
- Certification and Accreditation (C&A)
- Security Reporting and Compliance
- Security Program Performance