Interpreting and applying federal cybersecurity mandates and requirements based on an agency’s unique mission can be challenging. With over 20 years’ experience supporting cybersecurity initiatives within the federal government, Electrosoft understands this dilemma and is positioned to help.

We stay abreast of all current and upcoming federal cybersecurity standards, guidance, mandates and statutes in order to help customers create and shape appropriate cybersecurity architecture, product solutions, policies and procedures. Electrosoft uses our Cybersecurity Center of Excellence (CCoE) to maintain currency, evaluate, test and perform demonstrations using today’s leading cybersecurity products. We then help customers implement solutions and technical or procedural controls that comply with these requirements and agency objectives. By analyzing security controls in light of the latest revision of NIST Special Publication (SP) 800-53, we ensure that each policy’s intent is satisfied through standard operating procedures and ongoing compliance assessments.

The Federal Information Security Modernization Act (FISMA) requires federal agencies to develop, document and implement an information security program. The NIST Risk Management Framework (RMF) delineates a seven-step process for managing information security and privacy risk.

Electrosoft helps federal customers categorize information systems, select appropriate security controls, prepare System Security Plans (SSLs) and related documentation, conduct security analyses and assessments and maintain authorization to operate (ATO). We not only help customers prepare for independent assessments of security controls but also perform security control assessments using the latest NIST SP 800-53A guidance. In addition, we document our findings in a Security Assessment Report (SAR) and develop Plans of Actions and Milestones (POA&Ms) to manage and mitigate any identified risks. By getting to know each customer’s unique environment and risk tolerances, we can focus on their priorities and make optimized risk management and system authorization recommendations

For agencies that are ready to embrace Ongoing Authorization (OA), we leverage Electrosoft’s Agile-ATO methodology to implement

• effective management and oversight of security risk management activities, recognizing the evolving federal information security landscape;
• integrated security and development teams working in unison to ensure ATO of new/updated information systems;
• efficient continuous monitoring, documentation updates and POA&M management of operational information systems; and
• Agile change management of existing information systems in response to evolving requirements.

Our Agile-ATO methodology leverages Governance Risk and Compliance (GRC) tools and automation techniques such as the Open Security Controls Assessment Language (OSCAL) to enable rapid development and update of security documents, efficient security assessments and centralized management and view of information system security status.

In today’s world, developing a holistic vulnerability management and assessment program is critical to maintaining visibility, reducing overall cyberthreat and supporting asset management activities. It involves effective testing of hosts, networks, web applications and databases for known vulnerabilities and compliant configurations (such as to NIST Security Checklists, Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) and Center for Internet Security (CIS) Benchmarks) as well as appropriate use of credentials based on threat landscape. We also perform external and internal penetration testing using various levels and approaches based on the customer’s penetration testing history and objectives. We perform these services in two ways: embedded within federal agencies and as a Managed Security Services offering within our CCoE.

Electrosoft uses cutting-edge tools from vendors such as Rapid 7, Tenable, Qualys, Offensive Security (Kali Linux), Arch Linux, Portswigger, Trustwave, HP, IBM and others. Our tool selection depends on the technologies employed within the target system (e.g., OS, databases, web applications, network devices) and the tools used for ongoing vulnerability scanning. In this way, we can discover assets; identify and mitigate common vulnerabilities and exposures; identify the real-world extent of exposure; and make and prioritize recommendations to remediate, mitigate or accept them before they can be exploited. Our process includes pre scheduled, periodic vulnerability testing as well as ad hoc testing.