QSMO Services - Risk Assessment


Services and tools that support the agency's assessment of cybersecurity risks. Risk assessments help the agency to understand the cybersecurity risks to the agency's operations (i.e., mission, functions, image, or reputation), organizational assets, and individuals. Select the services and agency provider logos below to contact service providers directly and learn more about how to obtain these services. 

Cyber Security Assessment and Management (CSAM)

DOJ's CSAM application enables agencies to automate Federal Information Security Modernization Act of 2002 (FISMA) inventory tracking and ongoing authorization processes while following the Risk Management Framework (RMF). CSAM is an end-to-end Assessment and Authorization (A&A) application providing automated inventory, configuration, and vulnerability management. CSAM also provides standardized data for use in reports and dashboards. The application includes:

  • Common controls, enhanced inheritance, and automated baselines
  • Ongoing authorization and A&A management
  • Plan of Action and Milestone (POA&M) management
  • Robust reporting and dashboards
  • Oversight and support
  • Customer support and training

Cyber Security Assessment and Management (CSAM) Advisory Services

DOJ's CSAM advisory services provide agencies with dedicated on-site support to ensure the CSAM application is used effectively and stays aligned with the organization's policy, posture, maturity, and culture.

Cyber Threat Intelligence Validated Service

DOJ's Cyber Threat Intelligence (CTI) service provides agencies with tailored threat intelligence and remediation guidance. DOJ reviews and analyzes classified and open-source threat intelligence to identify attack indicators, mitigate identified threats, establish threat data feeds, and share advisories with customers and other federal specialists. With DOJ's CTI service, agencies can expand their security program capabilities with access to DOJ's specialized investigative resources and intelligence sources.

Database Vulnerability Scanning

DOT: This service scans databases using credentials (authenticated scanning) to provide a full and comprehensive view of the database(s). The database scanning tool is updated to the latest knowledge base version prior to any scan assessment.

  • Each discovered vulnerability is analyzed, compared, and cross-referenced against the Common Vulnerabilities and Exposures (CVE) entries in the National Vulnerability Database (NVD)
  • A comprehensive report is generated that identifies all potential database security-related issues

Federal Risk and Authorization Management Program (FedRAMP) Third Party Assessment Organization (3PAO) Assessment of Cloud Environments

DOT: This service performs a security control assessment of a cloud environment in accordance with the General Services Administration (GSA) FedRAMP requirements. Cloud providers sponsored by a federal agency should already have been approved by the FedRAMP Program Management Office (PMO) to engage a 3PAO for their system's assessment.

High Value Asset (HVA) Assessment

DOJ helps agencies prioritize and secure HVA information systems through tiered assessments:

  • Tier 1: Conducts pre-assessments with the same methodology as the U.S. Department of Homeland Security (DHS) to identify and mitigate weaknesses in preparation for the formal Tier 1 assessments performed by DHS.
  • Tier 2 | Tier 3: Implements independent security control assessments as well as policy evaluation, Security Architecture Reviews (SARs), and penetration testing.

Independent Assessments in Support of Systems Continuous Monitoring

DOT: This service includes an annual, independent security control assessment of a system under Continuous Monitoring/Ongoing Authorization. The assessment is conducted in accordance with National Institute of Standards and Technology (NIST) SP 800-37 and SP 800-53A and agency tailoring. Standard (electronic) deliverables include:

  • Executive Summary
  • Certificate
  • Control inheritance as appropriate
  • Travel to designated customer location as required
  • Security Assessment Report (SAR)
  • Findings & Recommendations
  • Optional: Data population in the agency's Federal Information Security Modernization Act (FISMA) reporting system

Independent Security Control Assessments

DOJ's Independent Security Control Assessment service helps agencies uncover risks as part of the Assessment and Authorization (A&A) steps of the Risk Management Framework (RMF). DOJ provides agencies with an independent assessment of the security controls selected for the system, resulting in a recommendation on whether the system should receive an Authority to Operate (ATO). DOJ's assessment methodology is consistent with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53. Capabilities include:

  • Security Assessment Plan
  • Assessment activities
  • Security Assessment Report and POA&Ms
  • ATO briefing and documentation package

Independent Verification & Validation (IV&V) of Mitigation Activities

DOT: This service provides independent verification, by federal assessors, of the remediation and mitigation activities performed by system personnel following an independent assessment of their system. If remediation remains incomplete, assessors provide feedback on the remaining gap.

Information System Security Officer (ISSO) Assessment & Authorization (A&A) Support

HHS: The A&A Support service ensures that the National Institute of Standards and Technology (NIST) SP 800-53 security controls assigned to a system are appropriate for it. This service prepares system security documentation based on the Risk Management Framework (RMF) and NIST SP 800-37 to submit the A&A Authorization to Operate (ATO) and Interim Authority to Test (IATT) package for Chief Information Security Officer (CISO) approval.

Information System Security Officer (ISSO) Services - Assessment and Authorization (A&A) Support

DOJ's ISSO Services help agencies comprehensively integrate cybersecurity into system development lifecycles and comply with the Federal Government's RMF standards as maintained by the National Institute of Standards and Technology (NIST). DOJ's A&A service develops and maintains system security documents and facilitates the process to ensure the system receives an ATO. DOJ security experts generate the documents required for the ATO package, coordinate with the assessment team to perform the system's security assessment, and support implementation of any mitigation steps needed to acquire the ATO.


Information System Security Officer (ISSO) Services - Continuous Monitoring

DOJ's ISSO Services help agencies comprehensively integrate cybersecurity into system development lifecycles and comply with the Federal Government's Risk Management Framework (RMF) standards as maintained by the National Institute of Standards and Technology (NIST). DOJ's Continuous Monitoring service manages system security after the initial Assessment and Authorization (A&A) is complete. This service gives stakeholders visibility into the information system's security status over time and supports configuration management, security impact analysis of system changes, assessment of selected security controls, incident reporting, and security status reporting.


Initial Independent Assessment in Support of Assessment & Authorization (A&A) Validated Service

DOT: This service includes an independent security control assessment of a new system or a system undergoing significant changes. The assessment is conducted in accordance with National Institute of Standards and Technology (NIST) SP 800-37 and SP 800-53A and agency tailoring. Standard (electronic) deliverables include:

  • Executive Summary
  • Certificate
  • Control inheritance as appropriate
  • Travel to designated customer location as required
  • Security Assessment Report (SAR)
  • Findings & Recommendations
  • Out-Brief Teleconference
  • Optional: Data population in the agency's Federal Information Security Modernization Act (FISMA) reporting system

Penetration Testing Validated Service

DOJ's Penetration Testing service helps agencies use a variety of tactics, techniques, and procedures to identify exploitable vulnerabilities in networks and systems. This testing also measures compliance with organizational security policies by determining whether staff are aware of security issues and, ultimately, the organization's risk from cybersecurity threats.

Penetration Testing

DOT: Penetration testing can be conducted from an external and/or internal perspective. A Rules of Engagement document describing the scope of the engagement is drafted and signed by both parties. Standard practices include:

  • Potential vulnerabilities are tested based on the potential level of damage and in coordination with the customer
  • The pen tester remains in constant communication with the technical point of contact throughout the engagement
  • Penetration tests occur only during agreed-upon scheduled times on pre-determined systems
  • If a system is successfully penetrated, the pen tester provides verification either by placing a file or by screenshots

Phishing Vulnerability Scanning

DOT: This service sends a mock phishing email to a defined group of targeted users to assess an agency's vulnerability to phishing scams. The service also includes a report identifying how many users opened the email and clicked the link, to determine the potential level of impact.

Security Assessment Reporting

HHS: The Security Assessment Reporting service provides an overall report presenting the results of an independent assessment, including control validation and technical vulnerability analysis based on applicable scans of the system.

Security Consultation Services (SCS) Assessment & Authorization (A&A) Support

HHS: The A&A Support service ensures that the National Institute of Standards and Technology (NIST) SP 800-53 security controls assigned to a system are appropriate for it. The service prepares system security documentation based on the Risk Management Framework (RMF) and NIST SP 800-37 to submit the A&A Authorization to Operate (ATO) and Interim Authority to Test (IATT) package for Chief Information Security Officer (CISO) approval.


Security Controls Assessment

HHS: The Security Controls Assessment service independently verifies and validates security controls (National Institute of Standards and Technology [NIST] SP 800-53 Rev. 4 and NIST SP 800-53A) through interviews, examination, and testing.

System Security Management

HHS: The System Security Management service ensures and/or monitors that all systems maintain a secure posture (e.g., installing security patches; reviewing audit logs and vulnerability scan reports; participating in change control/configuration management; and preparing a Decommission Memo).

Technical Vulnerabilities Assessment

HHS: A Technical Vulnerabilities Assessment is a technical scan that measures the current security impacts and risks to the system using applicable security tools (e.g., WebInspect, Nessus).

Vulnerability & Specialized Vulnerability Scanning

HHS: The Vulnerability and Remediation Scanning service is part of an accreditation package (i.e., Interim Authority to Test [IATT] or Authorization to Operate [ATO]).

Wireless Network Vulnerability Scanning

DOT: The Wireless Network Vulnerability Scanning service includes:

  • Wireless scan(s) at the customer's designated location
  • An analysis, classification, and record of detected wireless devices
  • A review of each access point to determine detectable weaknesses (e.g., a default/weak password check)
  • A comprehensive report that identifies all discovered wireless devices. For each device detected, the report contains the type of signal detected, the Media Access Control (MAC) address of the device, the wireless channel the device is operating on, the type of security/encryption the device is using, and the Global Positioning System (GPS) location of the device
