Consulting Services

RMF Background

It is federal government policy that all information systems receive formal Security Authorization (authority to operate) from a designated senior official, based on a technical analysis of the system's compliance with an assigned set of Security Controls (i.e., requirements) that provides an assessment of the system's risk level. This process of compliance analysis and formal authorization is also known as certification and accreditation (C&A). Formal Security Authorization of information systems is part of a broader Risk Management Framework (RMF) established by federal agencies in accordance with FISMA, the Federal Information Security Management Act. RMF roles and responsibilities, process steps, and documentation deliverables are detailed in National Institute of Standards and Technology (NIST) Special Publication 800-37. Security Controls are detailed in NIST SP 800-53. RMF is now in use within federal "civilian" agencies (Departments of State, Homeland Security, Justice, Commerce, Transportation, etc.). RMF is also being adopted by Department of Defense (DoD) and Intelligence Community (IC) agencies. The end result is that RMF will become the government's standard, unified process for information security management.

RMF Consulting Services

We offer a variety of FISMA, Risk Management Framework (RMF) and C&A Consulting Services to federal agencies and the commercial organizations (support contractors, product developers and service providers) that supply and support them. For more information, please see the following links:

RMF Consulting Services for Federal Information Systems -- for federal agencies and their supporting contractors.
RMF Consulting Services for Product Developers -- for developers, manufacturers, and vendors of hardware and software products.
RMF Consulting Services for Service Providers -- for providers of outsourced data services to federal agencies.
Contractual Arrangements and Fees

FISMA/NIST Compliance Survey engagements are typically done on a "firm fixed price" basis. FISMA/NIST Readiness Assessment engagements may be done on a "firm fixed price" or "time and materials" basis. If a firm fixed price arrangement is desired, the quoted cost will depend upon the number and complexity of the environments to be analyzed and the breadth of desired services. For "time and materials" engagements, an initial estimated number of hours will be given, and adjusted thereafter based on progress and issues encountered. FISMA/NIST Liaison consulting engagements are typically done on a "time and materials" basis. We initially recommend a "block" of hours to be allocated in the form of a purchase order. We will then track utilization of these hours and provide a monthly statement along with our invoice.