HHS relied upon TDI’s help to perform numerous security assessments across their entire enterprise including all 8 of their GSS.
TDI has performed a number of Assessment & Authorization (A&A) tasks at HHS, including the very high-profile security assessment of the HHSIdentity system. HHSIdentity was projected to become the single provider of identity and access management services for the Program Support Center (PSC) and HHS at large. TDI conducted A&A and security assessment services on eight high-profile general support systems (GSS) at HHS. Our services included penetration testing as well as an independent review of, and recommendations on, the overall security practices at HHS and their application to each of the eight GSS. TDI diligently conducted security assessment activities for each of the 8 GSS and produced a detailed Security Assessment Report (SAR) for each system. Previous ST&E efforts conducted at Prior to the concept proliferating and becoming normal practice, TDI developed a formalized list of "common controls" which made evidence collection more efficient; HHS currently uses this list to streamline future assessment efforts by eliminating duplicate evidence collection for any system that possesses those "common controls".
TDI naturally delivered the requisite work products for a normal A&A and security assessment effort for the eight GSS, yet, as with all our efforts, we went above and beyond our contractual requirements. TDI also provided an Independent Review and Recommendations report which complemented the A&A deliverables required by the contract. It gave a high-level overview of findings not covered by the security assessment yet related to deficiencies in HHS security policy distribution, naming conventions, compliance with government template standards, etc. According to the customer, the added effort provided HHS with insight otherwise unavailable from any of the previously conducted security assessment efforts. Finally, the evidence artifact list we provided for each of the 8 GSS demonstrated that TDI's findings were not only legitimate but also readily traceable and actionable to specific systems, system artifacts and, at times, system personnel.
HHS’ PSC CISO was delighted with the level of involvement TDI demonstrated and the extensive project delivery expertise exhibited by TDI on this effort.