The Information Technology Management Reform Act of 1996 and the Federal Information Security Management Act of 2002 (FISMA) require agencies to take specific steps to ensure the security of Federal information systems. Each Federal agency must establish an information security program made up of eight security areas and must report its progress annually to the Office of Management and Budget (OMB). OMB uses this information to prepare an annual report to Congress on FISMA implementation across the executive branch.
Under FISMA, each agency develops an agency-wide information security program that includes security testing performed by an independent third-party assessor.
Security Assessment and Authorization (A&A)
- CKSS assists clients in conducting A&A of applications and general support systems, following NIST SP 800-37, NIST SP 800-53, FISMA, and agency-specific A&A (formerly C&A) process guidance. As part of an A&A for federal clients, we conduct on-site data collection, offer scanning services, scan applications for known vulnerabilities, perform security assessment activities, and develop the following deliverables: A&A Plan; System Security Plan (SSP); Risk Assessment; Security Assessment Test Plan; Security Assessment Test Report; IT Contingency Plan; Privacy Impact Assessment (PIA); Transmittal Letter; and Accreditation Decision Letter.
The CKSS Continuous Monitoring solution helps you sustain your security posture through ongoing monitoring as specified in NIST SP 800-37, NIST SP 800-137, and other pertinent standards and guidance.
Once a year, we develop and conduct:
- ST&E tests of key controls
- Separation of Duties Matrix analysis
- Penetration testing
Quarterly, or on another regularly scheduled basis, we offer:
- Compliance scans against established configuration checklists
- Vulnerability and application scans of all systems within the system boundary
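In practice, the Separation of Duties Matrix analysis listed above comes down to computing each user's effective duties (the union of the duties granted by every role they hold) and checking those duties against a matrix of duty pairs that no single person may hold. The Python below is an added example written for this page, not CKSS tooling or any agency's actual matrix; the duties, roles, user assignments and conflict pairs are constructed for illustration. It checks the effective duty set rather than individual roles, so a conflict that arises only from combining two otherwise clean roles is still reported, and it separately flags roles whose own duty set is already toxic.

```python
"""Separation of Duties (SoD) conflict analysis over role assignments.

Added example for this page, not CKSS or agency code. All data below is
constructed for illustration.
"""
from itertools import combinations

# Constructed SoD matrix: pairs of duties that must not be held by one person.
# Stored as frozensets so the check is order-independent (a symmetric matrix).
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"approve_payment", "release_payment"}),
    frozenset({"develop_code", "deploy_production"}),
    frozenset({"manage_user_accounts", "review_access_logs"}),
}

# Constructed role-to-duty mapping (hypothetical role names).
ROLE_DUTIES = {
    "AP_Clerk": {"create_vendor", "enter_invoice"},
    "AP_Supervisor": {"approve_payment"},
    "Treasury": {"release_payment"},
    "Finance_Admin": {"approve_payment", "release_payment"},  # toxic by design
    "Developer": {"develop_code"},
    "Release_Manager": {"deploy_production"},
    "Sysadmin": {"manage_user_accounts", "deploy_production"},
    "Security_Analyst": {"review_access_logs"},
}

# Constructed user-to-role assignments, as an IAM or ERP export would provide.
USER_ROLES = {
    "alice": {"AP_Clerk", "AP_Supervisor"},    # creates vendors AND approves payments
    "bob": {"Treasury"},
    "carol": {"Developer", "Sysadmin"},        # develops AND can deploy (via Sysadmin)
    "dave": {"Sysadmin", "Security_Analyst"},  # manages accounts AND reviews the logs
    "erin": {"Developer"},
}


def effective_duties(user, user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Union of duties a user holds through all assigned roles."""
    duties = set()
    for role in user_roles.get(user, ()):
        duties |= role_duties.get(role, set())
    return duties


def _conflicting_pairs(duties, conflicts):
    """All (a, b) pairs from a duty set that appear in the SoD matrix."""
    return [(a, b) for a, b in combinations(sorted(duties), 2)
            if frozenset({a, b}) in conflicts]


def find_sod_violations(user_roles=USER_ROLES, role_duties=ROLE_DUTIES,
                        conflicts=SOD_CONFLICTS):
    """Return {user: [(duty_a, duty_b), ...]} for every toxic combination held.

    Evaluated on the effective duty set, so a violation produced by two
    different roles is caught, not only one contained in a single role.
    """
    violations = {}
    for user in sorted(user_roles):
        found = _conflicting_pairs(effective_duties(user, user_roles, role_duties),
                                   conflicts)
        if found:
            violations[user] = found
    return violations


def find_conflicting_roles(role_duties=ROLE_DUTIES, conflicts=SOD_CONFLICTS):
    """Roles whose own duty set violates SoD: a role-design flaw, not an
    assignment error, so it is a finding even if nobody holds the role yet."""
    return {role: hits for role, duties in role_duties.items()
            if (hits := _conflicting_pairs(duties, conflicts))}


if __name__ == "__main__":
    for user, pairs in find_sod_violations().items():
        for a, b in pairs:
            print(f"VIOLATION user={user}: holds both '{a}' and '{b}'")
    for role, pairs in find_conflicting_roles().items():
        print(f"TOXIC ROLE {role}: {pairs}")
```

Each reported pair maps back to a row and column of the matrix, which is the evidence an assessor needs: the user, the two roles that combine to produce the conflict, and the control the combination defeats. Removing one of the roles (or splitting a toxic role) and re-running the check documents the remediation.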
The Office of Management and Budget (OMB) Circular A-123, Management's Responsibility for Internal Control, defines management's responsibility for internal control in federal agencies. Circular A-123 and the statute it implements, the Federal Managers' Financial Integrity Act of 1982 (FMFIA), are at the center of existing federal requirements to improve internal control. The Circular also establishes requirements for management's annual assessment of the effectiveness of internal control over financial reporting (required by Appendix A of the Circular), and it specifically requires agencies to include information system controls in that assessment.
An OMB A-123 assessment evaluates the key controls of each system and application significant to financial reporting to determine whether they are operating effectively. Specifically, this includes evaluating:
- General controls at the general support system level
- General controls as they are applied to the system being examined
- Application controls
- Documented policies, procedures, and evidence of controls implementation
CKSS helps government agencies ensure compliance with OMB Circular A-123 requirements through:
- OMB A-123 Readiness Reviews: CKSS aims to help organizations save money by resolving issues before they become audit findings. As part of a readiness review, we perform a mock audit that identifies control deficiencies ahead of your actual audit and remediates them to an acceptable level so that your internal controls operate effectively, letting you enter your OMB A-123 audit prepared and with the goal that no significant deficiencies remain.
OMB A-123 Audits:
- Developing and finalizing the scope of the assessment, for example by ensuring that appropriate individuals are available to perform and review the required control tests, and by defining the roles and responsibilities structure that supports OMB Circular A-123 compliance
- Testing the effectiveness of controls by reviewing documented policies, procedures, and evidence of control implementation
- Documenting the assessment, including recording the assessment results and uploading evidence to a designated tool so that the results are verifiable