Security Assessment and Authorization (SA&A)

The 1982 Federal Information Security Management Act (FISMA) requires federal agencies “to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency.” Supporting FISMA compliance, the National Institute of Standards and Technology (NIST) has defined Federal Information Processing Standards (FIPS) that must be implemented in order to achieve compliance.

Comprehensive SA&A Assessments

A complete Security Assessment and Authorization (SA&A) effort in support of FISMA compliance includes several core deliverables, any of which can prove very challenging for a large organization:

  • System Categorization. The system is categorized, which includes defining: 1) hosts and devices, 2) ports, protocols, and services, 3) system interfaces, 4) roles and responsibilities, including development and support personnel, and 5) other system attributes, all of which must be documented. Guidance is provided in FIPS 199 and NIST SP 800-60.
  • System Security Plan. Using the guidance provided in NIST SP 800-18, a system security plan must be developed. This is a living document, which includes plans of action and milestones (POA&Ms) for any assessed risks.
  • Compliance Evidence. Evidence of control implementation must be documented and aggregated. Evidence is used throughout an assessment.
  • Risk Assessment. Based on the output of the required security control assessment, system risks are assessed by calculating the likelihood and impact that any given vulnerability could be exploited, taking into account existing controls. All risks must ultimately be accepted or mitigated. Reference: NIST SP 800-30.
  • Penetration Testing. Penetration tests are conducted based on defined rules of engagement against identified threat models documented in the penetration test plan. Test types include: web applications & APIs, mobile applications, networks, social engineering, and simulated attack vectors. Security control CA-8 guides penetration testing.
  • Certification and Accreditation. Once all required artifacts have been created and the system is compliant with the guidance provided in NIST SP 800-37, a security authorization package and accreditation memorandum (Authorization to Operate) is presented to the authorizing official.
  • Continuous Monitoring. Accredited systems are continuously monitored in alignment with NIST SP 800-137 to ensure ongoing compliance with identified security controls and baselines.

© Paragone Solutions, Inc 2019