Optic has extensive experience assisting organizations in implementing the Risk Management Framework (RMF) to meet both FISMA and FedRAMP requirements. Our team has worked with Authorizing Officials (AO) across the Federal Government including DoD, VA, and NIH.
We have supported organizations by defining the boundaries of the systems undergoing evaluation, identifying approaches for implementing SP 800-53 security controls, conducting Security Control Assessments (SCA), as well as defining & implementing continuous monitoring programs to ensure systems are securely maintained.
Optic's engineers have also helped organizations implement cybersecurity capabilities and define FISMA & FedRAMP compliant Authorization Packages. We have developed capabilities and policies to support Access Control (AC), Incident Response (IR), and Configuration Management (CM), as well as developed System Security Plans (SSPs) to help align organizational activities with FISMA requirements.
We can assist you at any step in the process!
- Prepare - Scope and define system boundaries and resources. Begin development of the SSP.
- Categorize - Use FIPS 199 to define the system's confidentiality, integrity, and availability requirements. Coordinate with the AO to gain approval and document the system's categorization in the SSP.
- Select - Identify and tailor the appropriate SP 800-53 security controls for the system based on cyber risks and required baselines.
- Implement - Develop new or enhance existing cybersecurity policies, procedures, and capabilities to ensure all selected security controls are implemented. Capture security objectives for the system within the SSP.
- Assess - Perform an SCA to verify that the system meets the identified security controls. For systems we did not help develop, our Security Control Assessors can act as independent assessors, performing the SCA and producing the Security Assessment Plan (SAP) and Security Assessment Report (SAR).
- Authorize - Develop Risk Assessment Reports based on the findings from the SCA and the Plan of Action and Milestones (POA&M). Coordinate with AOs to obtain an Authority to Operate (ATO) for the system.
- Monitor - Develop and implement Continuous Monitoring (CM) Programs to help track and maintain secure operation of the system in accordance with the ATO.