What do NIST & FISMA Standards Entail?

◽The Federal Information Security Modernization Act (FISMA)
◽The National Institute of Standards and Technology (NIST)
◽NIST Cybersecurity Framework (CSF)
◽NIST Privacy Framework

The Federal Information Security Modernization Act (FISMA) requires government agencies to implement an information security program that effectively manages risk. The National Institute of Standards and Technology (NIST) is a non-regulatory agency that has issued specific guidance for complying with FISMA.

Some specific goals include:

  • Implementing a risk management program

  • Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction

  • Ensuring the integrity, confidentiality, and availability of sensitive information

Some FISMA requirements include:

  • Maintain an inventory of information systems

  • Categorize information and information systems according to risk level

  • Maintain a system security plan

  • Implement security controls (NIST 800-53)

  • Conduct risk assessments

  • Obtain certification and accreditation

  • Conduct continuous monitoring

Potential Risks

An organization's failure to meet the necessary FISMA requirements or NIST standards may lead to a data breach, loss of the ability to process or handle third-party data, loss of business customers or partners, or regulatory fines. It's also important to keep in mind the possibility of PR damage to your organization and loss of brand equity.

How THarWi Can Help

Building a compliant cybersecurity program, getting all the right documentation together, and going through the A&A process to receive your ATO can be challenging and requires both compliance expertise and quite a bit of cyber engineering. THarWi’s team of cyber and compliance experts bring decades of combined experience to serving DoD contractors and organizations looking to implement NIST’s Risk Management Framework (RMF). Whether helping you to develop or revamp a compliant cybersecurity program to meet the RMF controls of NIST 800-53, or building approaches to your cybersecurity programs, our experts:

  • Develop the right policies and procedures for your program;

  • Implement security controls, architectures, and validation; and

  • Author, review, or contribute to your System Security Plan, Security Control Traceability Matrix, Security Assessment Review, Risk Assessment Review, and Plan of Actions & Milestones.

Our expert consultants will be with you every step of the way to guide your artifact creation and management process. Our consulting and managed solutions team can help implement your program and supplement your team's RMF continuous monitoring activities.

Consulting & Security Documentation

Your dedicated THarWi advisor will review existing documentation and work with your key stakeholders to update your cybersecurity policies and procedures and the other security documentation required for your business. This includes:

  • System Security Plan (SSP)

  • Security Assessment Plan

  • Security Assessment Report

  • Risk Assessment Report

  • Privacy Impact Assessment

  • RMF Validation Plan and Procedures

  • System Security Categorization per Federal Information Processing Standards (FIPS) 199

  • Validation Security Test & Evaluation (ST&E) Report / ST&E Plan and Results

  • Plan of Action & Milestones (POAM)

  • Contingency Plan

Assessment & Authorization (A&A) Support

THarWi A&A support services work hand-in-hand with your cybersecurity system administrator(s) to collaborate on final documentation review and submit your RMF package to obtain your ATO. These services include:

  • RMF package generation & review

  • Authorizing Official (AO) Briefing

  • Collaborating with AO to mitigate and remediate outstanding vulnerabilities

NIST Assessment Options

NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management

  1. Inventory and Mapping

  2. Business Environment

  3. Risk Assessment

  4. Data Processing Risk Management

  5. Governance Policies, Processes, and Procedures

  6. Risk Management Strategy

  7. Awareness and Training

  8. Monitoring and Review

  9. Data Processing Policies, Processes, and Procedures

  10. Data Processing Management

  11. Disassociated Processing

  12. Communication Policies, Processes, and Procedures

  13. Data Processing Awareness

  14. Data Protection Policies, Processes, and Procedures

  15. Identity Management, Authentication, and Access Control

  16. Data Security

  17. Maintenance

  18. Protective Technology

NIST 800-171 Security Assessment with SPRS Score

  1. Access Control

  2. Awareness and Training

  3. Audit and Accountability

  4. Configuration Management

  5. Identification and Authentication

  6. Incident Response

  7. Maintenance

  8. Media Protection

  9. Personnel Security

  10. Physical Protection

  11. Risk Assessment

  12. Security Assessment

  13. System and Communications Protection

  14. System and Information Integrity

NIST Cybersecurity Framework v.1.1

  1. Asset Management

  2. Business Environment

  3. Governance

  4. Risk Assessment

  5. Risk Management Strategy

  6. Supply Chain Risk Management

  7. Access Control

  8. Awareness and Training

  9. Data Security

  10. Information Protection Processes and Procedures

  11. Maintenance

  12. Protective Technology

  13. Anomalies and Events

  14. Security Continuous Monitoring

  15. Detection Processes

  16. Analysis

  17. Communications

  18. Improvements

  19. Mitigation

  20. Response Planning

  21. Communications

  22. Improvement

  23. Recovery Planning