Risk Assessment


Services and tools that support the agency's assessment of cybersecurity risks. Risk assessments help the agency to understand the cybersecurity risks to the agency's operations (i.e., mission, functions, image, or reputation), organizational assets, and individuals. Select the services and agency provider logos below to contact service providers directly and learn more about how to obtain these services. 

Database Vulnerability Scanning

Agency provider: DOT

This service includes credentialed scanning of databases, which provides a full and comprehensive view of the database(s). The database scanning tool is updated to the latest knowledge base version prior to any scan assessment.

  • Each discovered vulnerability will be analyzed, compared, and cross-referenced against the National Vulnerability Database (NVD) Common Vulnerabilities and Exposures (CVE) database
  • A comprehensive report will be generated that identifies all potential database security-related issues

Federal Risk and Authorization Management Program (FedRAMP) Third Party Assessment Organization (3PAO) Assessment of Cloud Environments

Agency provider: DOT

This service performs a security control assessment of a cloud environment in accordance with the General Services Administration (GSA) FedRAMP requirements. Cloud providers, sponsored by a federal agency, should already have been approved by the FedRAMP Program Management Office (PMO) to engage a 3PAO for their system's assessment.

Independent Assessments in Support of Systems Continuous Monitoring

Agency provider: DOT

This service includes an annual, independent security control assessment of a system under Continuous Monitoring/Ongoing Authorization. The assessment is conducted in accordance with National Institute of Standards and Technology (NIST) 800-37 & 800-53A and agency tailoring. Standard (electronic) deliverables include:

  • Executive Summary
  • Certificate
  • Control inheritance as appropriate
  • Travel to designated customer location as required
  • Security Assessment Report (SAR)
  • Findings & Recommendations
  • Optional: Data population in the agency's Federal Information Security Modernization Act (FISMA) reporting system

Independent Verification & Validation (IV&V) of Mitigation Activities

Agency provider: DOT

This service includes independent verification by federal assessors of the remediation (mitigation activities) performed by system personnel following an independent assessment of their system. If additional remediation remains, the assessors will provide feedback on the remaining gap.

Information System Security Officer (ISSO) Assessment & Authorization (A&A) Support

Agency provider: HHS

The A&A Support service ensures that the National Institute of Standards and Technology (NIST) SP 800-53 security controls assigned to a system are appropriate for it. This service prepares system security documentation based on the Risk Management Framework (RMF) and NIST 800-37 and submits the A&A Authorization to Operate (ATO) and Interim Authority to Test (IATT) package for Chief Information Security Officer (CISO) approval.


Initial Independent Assessment in Support of Assessment & Authorization (A&A)

Agency provider: DOT

This service includes an independent security control assessment of a new system or of a system undergoing significant changes. The assessment is conducted in accordance with National Institute of Standards and Technology (NIST) 800-37 & 800-53A and agency tailoring. Standard (electronic) deliverables include:

  • Executive Summary
  • Certificate
  • Control inheritance as appropriate
  • Travel to designated customer location as required
  • Security Assessment Report (SAR)
  • Findings & Recommendations
  • Out-Brief Teleconference
  • Optional: Data population in the agency's Federal Information Security Modernization Act (FISMA) reporting system

Penetration Testing

Agency provider: DOT

Penetration testing can be conducted from an external and/or internal view. A Rules of Engagement document is drafted and signed by both parties and describes the scope of the engagement. Standard practices include:

  • Potential vulnerabilities are tested based on the potential level of damage and in coordination with the customer
  • The pen tester shall remain in constant communication with the technical point of contact throughout the engagement
  • Penetration tests will occur only during agreed-upon scheduled times on pre-determined systems
  • If a system is successfully penetrated, the pen tester will provide verification, either by placing a file or by taking screenshots

Phishing Vulnerability Scanning

Agency provider: DOT

This service sends a mock phishing email to a defined group of targeted users to assess an agency's vulnerability to phishing scams. The service also includes a report that identifies how many users opened the email and clicked the link in it, to determine the potential level of impact.

Security Assessment Reporting

Agency provider: HHS

The Security Assessment Reporting service provides an overall report that presents the results of an independent assessment, including control validation and technical vulnerability analysis based on applicable scans of the system.

Security Consultation Services (SCS) Assessment & Authorization (A&A) Support

Agency provider: HHS

The A&A Support service ensures that the National Institute of Standards and Technology (NIST) SP 800-53 security controls assigned to a system are appropriate for it. The service prepares system security documentation based on the Risk Management Framework (RMF) and NIST 800-37 and submits the A&A Authorization to Operate (ATO) and Interim Authority to Test (IATT) package for Chief Information Security Officer (CISO) approval.


Security Controls Assessment

Agency provider: HHS

The Security Controls Assessment service verifies and validates security controls (National Institute of Standards and Technology [NIST] 800-53 Rev 4 and NIST 800-53A) independently, through interviews, examination, and testing.

System Security Management

Agency provider: HHS

The System Security Management service ensures and/or monitors that all systems maintain a secure posture (e.g., installing security patches; reviewing audit logs and vulnerability scan reports; participating in change control/configuration management; and preparing a Decommission Memo).

Technical Vulnerabilities Assessment

Agency provider: HHS

A Technical Vulnerabilities Assessment is a technical scan that measures the current security impacts and risks to the system using applicable security tools (e.g., WebInspect, Nessus).

Vulnerability & Specialized Vulnerability Scanning

Agency provider: HHS

The Vulnerability and Remediation Scanning service is part of an accreditation package (i.e., Interim Authority to Test [IATT] or Authorization to Operate [ATO]).

Wireless Network Vulnerability Scanning

Agency provider: DOT

The Wireless Network Vulnerability Scanning service includes:

  • Wireless scan(s) at the customer's designated location
  • An analysis, classification, and record of detected wireless devices
  • A review of each access point to determine detectable weaknesses (e.g., a default/weak password check)
  • A comprehensive report that identifies all discovered wireless devices. For each device detected, the report will contain the type of signal detected, the device's Media Access Control (MAC) address, the wireless channel the device is operating on, the type of security/encryption the device is using, and the Global Positioning System (GPS) location of the device
