Electrosoft supports Federal agencies in the design and implementation of information systems that are fully compliant with applicable security and privacy regulations. In particular, we assist compliance with Office of Management and Budget (OMB) policy, Department of Homeland Security (DHS) directives, National Institute of Standards and Technology (NIST) standards and guidelines, Government Accountability Office (GAO) audit guidance, agency policies and procedures, and industry best practices. We perform independent evaluations of the effectiveness of the agency's overall information security (IS) programs and practices to help identify (a) current weaknesses and vulnerabilities and (b) opportunities to improve these programs by streamlining activities and making them more effective.
NIST Special Publication (SP) 800-53, rev 4, Security and Privacy Controls for Federal Information Systems and Organizations, defines security control effectiveness as the extent to which security controls are implemented correctly, operating as intended, producing the desired outcomes with respect to the security requirements for the system in its operational environment, and enforcing/mediating established security policies. The publication specifies 18 families of security controls. Seventeen pertain to security mechanisms that must be implemented or inherited by information systems. The eighteenth family, Program Management, helps facilitate compliance with applicable Federal laws, executive orders, directives, policies, regulations and standards at the organizational level.
Our security experts and analysts identify and mitigate the risks an organization faces from IT security threats. Using the latest methodologies and technologies, we help customers understand and interpret Federal mandates – and the related guidance material – to support the implementation of compliant and secure systems.
Security Architecture and Policy
Electrosoft stays current with all pertinent Federal mandates and requirements in order to create and shape appropriate cybersecurity policies and procedures for our customers. We then help customers interpret and comply with these policies by implementing technical or procedural controls. By analyzing policies and procedures in the areas of identity and access control, audit, system and communications security, physical security, configuration management, incident response, contingency planning and others, we ensure that the policy’s intent is satisfied through standard operating procedures and periodic compliance assessments.
Security Assessment and Authorization; FISMA; RMF
Electrosoft’s proficiency in performing the activities defined within the NIST Risk Management Framework (RMF) for Federal information systems sets our company apart. We help customers conduct the needed analyses (such as security categorization) and develop the necessary documentation (such as the System Security Plan in accordance with the NIST FISMA documentation suite). We also help customers prepare for an independent assessment of the security controls. In addition, we can perform the security control assessment activity using NIST SP 800-53A and document our findings in a Security Assessment Report. Then, we can develop Plans of Actions and Milestones to manage and mitigate the identified risks.
Vulnerability Analysis and Penetration Testing
Electrosoft possesses expertise in enterprise-wide vulnerability scanning using cutting-edge tools such as Rapid7 Nexpose, Nessus, Retina, Wikto, Nikto, AppScan and WebInspect, among others. Tool selection depends on the types of technologies employed within the target system (e.g., OS, databases, web applications, network devices) and is coordinated with the tools already in use for ongoing vulnerability scanning. Our approach ensures identification and mitigation of all common vulnerabilities and exposures before they are exploited. Our process includes pre-scheduled periodic scanning for vulnerabilities as well as ad hoc scanning. Electrosoft also performs penetration testing in simulated attempts to breach security controls using the capabilities a hypothetical attacker might possess. Organizations can use our results to enhance their understanding of their systems, potential weaknesses and vulnerabilities, and the level of effort adversaries require to bypass system security controls.
Cloud Security Services; FedRAMP Compliance
Electrosoft experts worked with NIST to co-author and help develop many of the security standards and guidelines that form the backbone of FISMA and the Federal Risk and Authorization Management Program (FedRAMP). We help Cloud Service Providers (CSPs) interpret and apply FISMA/FedRAMP controls during cloud implementation.
Electrosoft experts guide CSPs along the most streamlined, cost-effective path to achieve Authority to Operate (ATO) under FedRAMP. With Electrosoft, CSPs avoid false starts and misguided attempts, which translate to less time to ATO and more competitive costs. Electrosoft employs structured, well-defined processes (honed through numerous past engagements) to systematically identify gaps in the CSP’s current security posture; provide specific, practical and actionable recommendations to close the identified gaps; and assist the CSP in preparing the documentation needed for an independent Third-Party Assessment Organization (3PAO) review.
Security Operations Center
Electrosoft helps customers overcome the hardest part of security monitoring: reducing the massive volume of log information collected. Our analysts apply sophisticated techniques that eliminate false positives and employ asset, user and zone models. We also correlate common identifiers such as email addresses to reduce data. Notably, existing compliance and security tools can only identify a user based on an IP address, not by an actual account name. This approach is inadequate as compliance auditing and security forensic investigations demand an end-to-end review of who did what and when. To obtain a complete picture, Electrosoft helps customers align identity management data with log management and security event management data. Electrosoft’s level of integration can reduce the time and effort necessary for security event detection, root cause analysis and emergency response.
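As an added illustration of the IP-to-account alignment described above (example code written for this page, not Electrosoft's tooling), the following joins IP-only security events to identity session records by address and time window; all session and event records are constructed, and an event that no session covers is left unattributed rather than guessed.

```python
from datetime import datetime

# Constructed sample data (not from the original page).
# Identity/authentication records: which account held which address, and when.
AUTH_SESSIONS = [
    # (user, ip, logon, logoff)
    ("jdoe",   "10.0.0.5", "2024-03-01T08:00:00", "2024-03-01T12:00:00"),
    ("asmith", "10.0.0.5", "2024-03-01T12:30:00", "2024-03-01T17:00:00"),  # same IP, later lease
    ("bchen",  "10.0.0.9", "2024-03-01T07:45:00", "2024-03-01T18:00:00"),
]

# Security events as a typical tool emits them: a source IP, no account name.
SECURITY_EVENTS = [
    ("2024-03-01T09:15:00", "10.0.0.5", "file_download", "hr_salaries.xlsx"),
    ("2024-03-01T13:05:00", "10.0.0.5", "file_download", "hr_salaries.xlsx"),
    ("2024-03-01T12:10:00", "10.0.0.5", "port_scan", "10.0.1.0/24"),  # falls between leases
    ("2024-03-01T10:00:00", "10.0.0.9", "privilege_change", "local_admin"),
]


def parse(ts):
    return datetime.fromisoformat(ts)


def attribute_events(sessions, events):
    """Join IP-only events to identity sessions by address and time window.
    Returns a list of (timestamp, user_or_None, ip, action, detail)."""
    idx = [(ip, parse(on), parse(off), user) for user, ip, on, off in sessions]
    out = []
    for ts, ip, action, detail in events:
        t = parse(ts)
        matches = [u for sip, on, off, u in idx if sip == ip and on <= t <= off]
        # Exactly one session should cover the event; zero or several is flagged as None.
        user = matches[0] if len(matches) == 1 else None
        out.append((ts, user, ip, action, detail))
    return out


def actions_by_user(attributed):
    """Who did what and when, keyed by account; unattributed events are kept under None."""
    summary = {}
    for ts, user, ip, action, detail in attributed:
        summary.setdefault(user, []).append((ts, action, detail))
    return summary


if __name__ == "__main__":
    for row in attribute_events(AUTH_SESSIONS, SECURITY_EVENTS):
        print(row)
```

The same address carries two different accounts on one day, so a report keyed on IP alone would merge their activity; the unattributed scan in the lease gap is exactly the kind of record an auditor needs to see flagged rather than silently assigned.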
Electrosoft personnel expertly conduct continuous monitoring of security controls by providing near real-time security monitoring on both Unclassified and Secret network infrastructures. For example, we conduct monitoring using myriad security tools that provide host Intrusion Detection System (IDS) capabilities, rogue system sensors, system baseline auditing and compliance, and infrastructure policy enforcement capabilities.
HIPAA Security & Privacy; HIPAA Compliance
Electrosoft performs investigative work for our customers. We maintain the technology portfolios and the Electronic Health Technology (EHT) roadmap; perform targeted research to identify and validate that technology solutions have the potential to improve the customer’s healthcare line of business; conduct technology assessments and document the results in formal reports or white papers; conduct analyses of existing or best-practice processes or discovery methodologies and suggest repeatable processes; and identify potential business requirements based on emerging health technologies and policies.
To ensure security and privacy, we use a universal exchange language for healthcare information and tagged data structures. Both techniques are outlined in Federal legislation (Health Insurance Portability and Accountability Act of 1996 [HIPAA] and Health Information Technology for Economic and Clinical Health [HITECH] Act) and OMB Guidance such as the December 2010 President’s Council of Advisors on Science and Technology (PCAST) report.