Electrosoft supports Federal agencies in designing and implementing information systems that comply with applicable security and privacy regulations. We assist agencies in complying with OMB policy, DHS directives, NIST standards and guidelines, Government Accountability Office (GAO) audit guidance, agency policies and procedures, and applicable industry best practices. We perform independent evaluations of the effectiveness of the agency's overall information security program and practices. These independent evaluations also help to (i) identify weaknesses and vulnerabilities in the current Information Security (IS) program so that the risks they pose can be mitigated; and (ii) identify opportunities to improve the IS program by streamlining activities and making them more effective.
NIST SP 800-53, Rev 4, Security and Privacy Controls for Federal Information Systems and Organizations, defines security control effectiveness as the extent to which security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the information system in its operational environment or enforcing/mediating established security policies. NIST SP 800-53, Rev 4 includes 18 families of security controls. Seventeen families pertain to security mechanisms that need to be implemented or inherited by information systems. The eighteenth family, the Program Management family, helps to facilitate compliance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards at the organizational level.
Our security experts and analysts identify and mitigate the risks faced by an organization from IT security threats using the latest methodologies and technologies. We help our customers to thoroughly understand and interpret federal mandates and the related guidance material to support the implementation of compliant and secure systems.
Security Architecture and Policy
Electrosoft creates and shapes cyber security policies and procedures for our customers by keeping up to date with the latest Federal mandates and requirements affecting cyber security. We help our customers interpret existing policies and achieve compliance with them through the implementation of technical or procedural controls. By analyzing policies and procedures in the areas of Identity and Access Control, Audit, System and Communications Security, Physical Security, Configuration Management, Incident Response, Contingency Planning and others, we ensure that the intent of the policy is implemented through standard operating procedures and periodic compliance assessments.
Security Assessment and Authorization; FISMA; RMF
Electrosoft is very proficient in performing all of the activities defined within the NIST Risk Management Framework (RMF) for federal information systems. We help customers conduct the needed analyses (such as security categorization) and develop the necessary documentation, such as the System Security Plan, in accordance with the NIST FISMA documentation suite. We help our customers prepare for an independent assessment of their security controls. We also perform the security control assessment activity for various federal customers using the NIST SP 800-53A guideline, and document our findings in a Security Assessment Report. We develop Plans of Action and Milestones (POA&M) for managing and mitigating the identified risks.
Vulnerability Analysis and Penetration Testing
Electrosoft is highly skilled and has extensive experience in conducting enterprise-wide vulnerability scanning using cutting-edge tools such as Rapid7 Nexpose, Nessus, Retina, Wikto, Nikto, AppScan, WebInspect and many others. We select the tools for an engagement based on the types of technologies employed within the target system (e.g., OS, databases, web applications, network devices) and in coordination with the tools that are used for the regular, ongoing vulnerability scans. Our approach ensures that all common vulnerabilities and exposures are identified for mitigation before intruders can exploit them. Our process includes pre-scheduled periodic scanning for vulnerabilities as well as ad hoc scanning. Electrosoft also performs penetration testing: controlled attempts to breach security controls using the capabilities of a hypothetical attacker. Organizations can use the results to enhance their understanding of their systems, their potential weaknesses and vulnerabilities, and the level of effort an adversary would need to bypass system security controls.
Cloud Security Services; FedRAMP Compliance
Electrosoft experts have worked with NIST to co-author and support the development of some of the security standards and guidelines that form the backbone of FISMA and FedRAMP. We can help a Cloud Service Provider (CSP) to interpret and apply the FISMA/FedRAMP controls in an effective and streamlined manner within their cloud implementation.
Electrosoft experts can guide a CSP through the most streamlined and cost-effective path to obtaining an Authority to Operate (ATO) under FedRAMP. With Electrosoft, the CSP avoids false starts and misguided paths. That means less time to ATO at a very competitive cost. Electrosoft employs structured, well-defined processes (honed through our numerous past engagements) to systematically identify gaps in the CSP's current security posture, provide specific, practical and actionable recommendations to close the identified gaps, and assist the CSP in preparing the documentation needed for an independent 3PAO assessment.
Security Operations Center
Electrosoft helps our customers with the hardest part of security monitoring: assigning the right rules and filters to reduce the large volume of log information collected at their sites. Our analysts apply sophisticated techniques that include the elimination of false positives and the use of asset, user and zone models. We correlate common identifiers such as email addresses to reduce the data. Many existing compliance and security tools can only identify a user by an IP address, not by an actual account name. This is clearly inadequate, as current and future compliance auditing and security forensic investigations demand an end-to-end review of who did what, and when. To get a complete picture, Electrosoft helps our customers align identity management data with log management and security event management data. The level of integration we provide can greatly reduce the time and effort necessary for security event detection, root cause analysis, and emergency response.
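The attribution problem described above, illustrated with an added example (not Electrosoft's code): IP-only events are joined against an identity source (a VPN or DHCP lease log, assumed and constructed here) by time window, so that the same address used by two different accounts on one day is attributed correctly, and events with no covering lease are flagged as unattributed rather than guessed.

```python
"""Enrich IP-only security events with account identity (constructed sample data)."""
from datetime import datetime

# Constructed identity source: (lease_start, lease_end, ip, account).
# In practice this would come from VPN, DHCP or authentication logs.
IDENTITY_LOG = [
    ("2024-03-01T08:00:00", "2024-03-01T12:00:00", "10.0.1.25", "alice@agency.example"),
    ("2024-03-01T12:30:00", "2024-03-01T17:00:00", "10.0.1.25", "bob@agency.example"),
]

# Constructed security events that carry only a source IP: (time, ip, action, asset).
EVENTS = [
    ("2024-03-01T09:15:00", "10.0.1.25", "FAILED_LOGIN", "hr-db"),
    ("2024-03-01T13:05:00", "10.0.1.25", "FILE_EXPORT", "hr-db"),
    ("2024-03-01T18:00:00", "10.0.1.25", "FILE_EXPORT", "hr-db"),
]


def _t(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def resolve_user(ip: str, ts: str, identity_log=IDENTITY_LOG):
    """Return the account that held `ip` at time `ts`, or None if no lease covers it."""
    when = _t(ts)
    for start, end, lease_ip, account in identity_log:
        if lease_ip == ip and _t(start) <= when <= _t(end):
            return account
    return None  # outside every lease window: do not guess, report as unattributed


def enrich(events=EVENTS, identity_log=IDENTITY_LOG):
    """Attach the resolved account to each event; `user` is None when unknown."""
    return [
        {"time": ts, "ip": ip, "user": resolve_user(ip, ts, identity_log),
         "action": action, "asset": asset}
        for ts, ip, action, asset in events
    ]


def activity_by_user(events=EVENTS, identity_log=IDENTITY_LOG):
    """Group enriched events per account so 'who did what, and when' can be reviewed."""
    summary = {}
    for e in enrich(events, identity_log):
        key = e["user"] or "UNATTRIBUTED"
        summary.setdefault(key, []).append((e["time"], e["action"], e["asset"]))
    return summary


if __name__ == "__main__":
    for account, items in activity_by_user().items():
        print(account, items)
```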
Electrosoft personnel conduct continuous monitoring of the security controls implemented in or inherited by an accredited system by providing near real-time security monitoring on both Unclassified and Secret network infrastructures. For example, monitoring is conducted using a wide range of security tools that provide host IDS capabilities, rogue system sensors, system baseline auditing and compliance checking, and infrastructure policy enforcement.
HIPAA Security & Privacy; HIPAA Compliance
Electrosoft performs investigative work for our customers by maintaining their technology portfolios and the Electronic Health Technology (EHT) roadmap; performing targeted research to identify and validate technology solutions that have the potential to improve the customer's healthcare line of business; conducting technology assessments and documenting the results in formal reports or white papers; and analyzing existing or best-practice processes and discovery methodologies in order to suggest repeatable processes and identify potential business requirements based on emerging health technologies and policies.
Our customers benefit from using a universal exchange language for healthcare information and tagged data structures to ensure security and privacy; both techniques are outlined in Federal legislation (HIPAA, HITECH) and in OMB guidance such as the December 2010 President's Council of Advisors on Science and Technology (PCAST) report.