Risk Management Strategy


Services that support the agency's development of a cybersecurity risk management strategy. Risk management strategy services help establish and use the organization's priorities, constraints, risk tolerances, and assumptions to prioritize and implement risk-based decisions. Select the services and agency provider logos below to contact service providers directly and learn more about how to obtain these services. 

Federal Information Processing Standards (FIPS) 199 Categorization

HHS: This service will conduct FIPS 199 actions to determine system security categorization.

Information System Security Manager and Information System Security Officer (ISSO) Oversight and Coordination

HHS: This service assigns an agency official responsible for ensuring that the appropriate operational security posture is maintained for the information system or program. The official's system security responsibilities are defined by the Department of Health and Human Services (HHS) Information Security Program Policy (Section 2.2.3.4), Federal Information Processing Standards (FIPS), National Institute of Standards and Technology (NIST) guidance, Office of Management and Budget (OMB) guidance, and other federal guidance.

Information System Security Officer (ISSO) Plan of Action and Milestones (POA&M) Management

HHS: The POA&M Management service assists with reviewing, monitoring, and facilitating closure of weaknesses identified during the Security Controls Assessment (SCA) or other risk identification process.

Information System Security Officer (ISSO) Risk Management Framework (RMF) Practices Support

HHS: The RMF Practices Support service conducts monitoring to ensure an appropriate system security posture by executing the RMF tasks listed in National Institute of Standards and Technology (NIST) SP 800-37.

Information System Security Officer (ISSO) Services

DOT: This service is available to systems hosted in the Enterprise Services Center's (ESC) federal Tier 3+ data center and includes the assignment of dedicated ISSO support personnel with a skill level matched to the needs and complexity of the customer system(s). The service includes year-round tracking, reporting, and recommendations on Plan of Action & Milestones (POA&M); monthly continuous monitoring security meetings with system representatives to discuss outstanding security items or changes to risk posture; authoring of Security Impact Analyses (SIA) for planned changes and/or deployments; and maintenance of Federal Information Security Modernization Act (FISMA) inventory records as applicable.

Information System Security Officer (ISSO) Systems Re-Authorization

HHS: The Systems Re-Authorization service ensures that the National Institute of Standards and Technology (NIST) SP 800-53 security controls assigned to a system are appropriate for it. This service prepares system security documentation based on the Risk Management Framework (RMF) and NIST SP 800-37 and submits the Assessment and Authorization (A&A) Authorization to Operate (ATO) package for Chief Information Security Officer (CISO) approval.

Risk Management Framework (RMF) Lifecycle Consultation

DOT: This service helps agencies navigate the National Institute of Standards and Technology (NIST) RMF steps required for systems to meet all federal policies, gain a federal security authorization, and be continuously monitored by the agency until the system is decommissioned.

Risk Management Framework (RMF) Lifecycle Services

HHS: RMF Lifecycle Services provide an advisor/security Subject Matter Expert (SME) on matters involving the assessment and mitigation of risk.

Security Consultation Services (SCS) Plan of Action and Milestones (POA&M) Management

HHS: The POA&M Management service assists the Information System Security Officer (ISSO) with reviewing, monitoring, and facilitating the closure of weaknesses identified during the Security Assessment and Authorization (SA&A) process.

Security Consultation Services (SCS) Risk Management Framework (RMF) Practices Support

HHS: The RMF Practices Support service provides assistance to ensure an appropriate system security posture by executing the RMF tasks listed in National Institute of Standards and Technology (NIST) SP 800-37.

Security Consultation Services (SCS) Systems Re-Authorization

HHS: The Systems Re-Authorization service ensures that the National Institute of Standards and Technology (NIST) SP 800-53 security controls assigned to a system are appropriate for it. This service prepares system security documentation based on the Risk Management Framework (RMF) and NIST SP 800-37 as part of the Security Assessment and Authorization (SA&A) package.
