Since 2014, the Federal Information Security Modernization Act (FISMA) has required federal agencies to implement a program that provides security for all of the information and systems that support their operations, including those provided for and managed by third parties. As such, DoD contractors are required to follow the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) Special Publication (SP) 800-37.
The Risk Management Framework defines a process for integrating security, privacy, and cyber supply chain risk management activities into the system development life cycle. The risk-based approach to control selection and specification considers effectiveness, efficiency, and constraints imposed by applicable laws, directives, Executive Orders, policies, standards, or regulations. The RMF approach can be applied to new and legacy systems, any system or technology (e.g., IoT, control systems), and within any size or sector of the organization.
The Assessment and Authorization (A&A) process, sometimes referred to as the Certification & Accreditation (C&A) process, is a comprehensive evaluation of your organization’s policies, security controls, and vulnerabilities. The A&A process evaluates how well you have implemented the steps of the RMF, and a successful outcome is confirmed via an Authorization to Operate (ATO).
Building a compliant cybersecurity program, getting all the right documentation together, and going through the A&A process to receive your ATO can be challenging and requires both compliance expertise and quite a bit of cyber engineering. Ardalyst’s team of cyber and compliance experts brings over 100 years of combined experience to serving DoD contractors looking to implement NIST’s Risk Management Framework (RMF). Whether helping you develop or revamp a compliant cybersecurity program to meet the RMF controls of NIST SP 800-53, preparing your business for the Defense Counterintelligence Agency’s (DCSA) accreditation process, or building approaches for special access programs, our experts:
- develop the right policies and procedures for your program;
- implement security controls, architectures, and validation; and
- author, review, or contribute to your System Security Plan, Security Control Traceability Matrix, Security Assessment Review, Risk Assessment Review, and Plan of Actions & Milestones.
Our experts will be with you at every step of your ATO process, from package authoring to submission. Beyond that, our consulting and managed services teams can help implement your program and supplement your teams with RMF continuous monitoring activities.