Risk Management Framework (RMF) Consulting Services for Federal Information Systems

The Program Manager's Dilemma


The Program Manager/System Manager’s primary responsibility is to oversee the development and maintenance of a system that fulfills its stated mission. However, in order for the system to be put into operation, it must receive authorization to operate (accreditation). The Program Manager must therefore ensure the appropriate risk management activities are integrated into the system life cycle. Usually there is a support contractor in place to provide system development and integration services, but additional Information Security support is often needed to oversee risk management activities.

In response to this need, RMF Resource Center is pleased to offer information security consulting services to federal program and system managers.

Consulting Services


Our RMF consulting services include, but are not limited to, the following:

  • Supporting the Program Manager in identifying key personnel, forming a risk management team, and conducting a successful “project kickoff”
  • Supporting the team in determining the FIPS 199 categorization, then selecting and augmenting the baseline security controls
  • Supporting the team in initiating and executing a security authorization (C&A) project plan
  • Supporting the system development team in design/implementation of assigned security controls
  • Developing documentation, such as policies, procedures and other “artifacts”, in support of the authorization process
  • Supporting the team in evaluating compliance with assigned security controls, both technical and non-technical
  • Supporting the Program Manager during the security controls assessment process
  • Developing the authorization (C&A) package, including the System Security Plan (SSP), Risk Assessment (RA), Security Assessment Report (SAR), and Plan of Action & Milestones (POA&M)
  • Supporting the Program Manager in maintaining “continuous monitoring” of security posture, conducting annual reviews as required by FISMA, and conducting re-authorization as required
  • Providing classroom training to government and industry (at our location or yours)