With a strong foundation in Certification & Accreditation and Risk Management, TDI offers Assessment & Authorization methodologies to strengthen your security posture while ensuring you’re compliant.

Given the very real and present nature cybersecurity threats, organizations must consistently maintain heightened security awareness to protect their critical information and assets. Concerning federal agencies and organizations that deal with their data, this translates to implementing effective security controls and various IT processes to protect resources and secure infrastructure. TDI is intimately familiar with the associated Assessment & Authentication (A&A) process – sometimes still referred to as Certification and Accreditation (C&A) – and the relevant standards, frameworks, and regulations that organizations should employ, such as:

  • FISMA
  • Risk Management Framework (RMF)
  • FedRAMP
  • DIACAP
  • NIST SP 800-37
  • NIST SP 800-53
  • NIST SP 800-115
  • DCID 6/3

Ever since the A&A process was initially defined (GISRA, DITSCAP, NIACAP, etc.), TDI has been providing support and services to many of our Government and commercial clients. TDI has the experience (DoD, Civil, Intelligence, Commercial) and expertise to support your organization, department, or agency in gaining formal system approval/authority to operate at the appropriate security level. Stemming from a comprehensive risk management framework, TDI’s tactical approach allows us to:

  • Articulate security controls in a System Security Plan (SSP) and/or System Security Authorization Agreement (SSAA) for a given Major Application (MA) or General Support System (GSS)
  • Define system boundaries; draft Interconnection Agreements; establish security categorizations (FIPS 199)
  • Assess the effectiveness of in-place security controls with a thorough Security Test and Evaluation (ST&E) or Security Assessment and produce a respective Security Assessment Report (SAR) to make certain the necessary controls are implemented and fully operational
  • Manage and remediate uncovered vulnerabilities through continuous monitoring and a Plan of Action and Milestones (POA&M)
  • Interface and produce documentation for the Certification Agent (CA) and Designated Approval Authority (DAA)

As a client of TDI, a security assessment for your organization, department, or agency will be conducted by a team of experienced security engineers with strong backgrounds in cybersecurity, compliance, and specific systems experience. Employing the RMF A&A process as a baseline, we will collaborate with your associated security team, system owners, and department leads to thoroughly assess your IT environment while maintaining a strong line of communication. While providing associated ongoing walkthrough briefings for key stakeholders, TDI will initialize the process through:

  • Identifying security categorization resources
  • Defining/evaluating the overall security categorization
  • Identifying/evaluating key roles, responsibilities, and information types
  • Defining impact values and their application
  • Describing confidentiality security categorization factors
  • Defining/evaluating system boundaries
  • Drafting a security plan or evaluating an existing security plan

Once we’ve determined the information being processed, stored, and transmitted by the system or program, TDI will determine an appropriate initial set of security controls based on the security categorization or conduct an analysis of existing security controls through:

  • Defining/evaluating security control policies and guidelines
  • Identifying/evaluating hybrid, system-specific, and common controls
  • Describing the purpose of security overlays and tailoring them to the IT environment
  • Analyzing current efforts of continuous monitoring

Through the selection or evaluation of relevant security controls and safeguards based on mission/business impact, risk to operations and assets, and personnel, TDI will then determine the control documentation requirements, develop or review control-related artifacts, and reference the processes for applying industry best practices to reduce the overall level of risk. Following the implementation process, we will assess the security controls to ensure they were implemented correctly, operate as intended, and successfully meet the system or program security requirements. Our base testing process includes:

  • Development, review, or approval of a security assessment plan
  • Assessing controls based on the finalized security assessment plan
  • Identifying security assessment results
  • Explanation of how to conduct remediation activities

Concerning roles and responsibilities of key stakeholders, as they relate to the completion, submission, and approval of authorization packages, TDI will collaborate with you to:

  • Prepare a Plans of Action and Milestones (POA&M)
  • Assemble and submit a security authorization package
  • Recognize and describe the overall risk based on artifacts submitted
  • Define key resources to make a risk acceptance decision

As maintaining an effective security posture and accreditation status is of critical importance, TDI will conclude the security assessment with a deliverable package and a final briefing that overviews:

  • The importance of documenting system changes
  • The recognition of a need for ongoing assessment, risk determination, and remediation
  • How assessor results can be used
  • A required frequency for reassessment
  • The necessity of status reporting
  • The information system removal and disposal process

 

TDI is a Fully Qualified Navy Validator company