CYBER SECURITY

Obsidian provides ongoing Certification & Accreditation as well as Information Assurance support. Obsidian SMEs use:

  • Host Based Security Systems (HBSS), Antivirus, BlueCoat, Q1 Snare (log server), multiple IDS and scanning tools to ensure that the RTD&E network is compliant and efficient while ensuring end user performance satisfaction is maintained.
  • Retina, SCAP, ACAS and NMAP tools for automated scanning. Locally created scripts and security templates are used to ensure all systems are IA compliant and to formally document the systems security posture.
  • Obsidian SMEs also analyze current government regulations, and proposed regulatory changes to other automated or manual systems, that could impact the information systems.

Obsidian Security Capabilities include:

  • Network Security Engineering
    • Network Enclaving
    • Firewall Engineering
    • Computer Network Defense (CND)
  • Information Security Policy
    • Information Assurance (IA)
    • Assessment & Authorization (A&A)
    • Certification & Accreditation (C&A)
    • Risk Management Framework (RMF)
  • Cyber Security Training
    • Obsidian supports the Defense Cyber Investigations Training Academy (DCITA) by developing and delivering training courses in the areas of Cyber Counter-Intelligence, Cyber Forensics, Network Intrusions, Incident Response and General IT for approximately 2,000 students per year.

Cyber Security Tools Used:

  • PKE/PKI, ICAM, Network Intrusion and Cyber Forensics
  • Compile A&A packages for IA Assessments
  • Collaborate with System Owners to mitigate IA findings

Cyber Programs:

  • DOJ, FBI
  • DHS, I&A
  • DoD, USAF
  • DOS, IRM
  • DoD, Navy
  • DHS, CBP
  • DHS, OBIM
  • DC3

FEDRAMP

Federal Risk and Authorization Management Program (FedRAMP) provides a standard approach for conducting security assessments across the U.S. Government. In 2011, OMB published a memo requiring that all cloud services leveraged by the government comply with the FedRAMP requirements by 2014.

Self-Assessment

Certain controls can be challenging to meet, so you must confirm they can be met before applying.

  • We go through the FedRAMP preparation checklist to determine whether you have the right controls in place and the ability to manage them.
  • We contract with accredited 3PAOs to perform security testing to identify deficiencies
  • We develop solutions to implement baseline security controls that are not currently in the cloud system

Initiate the Process

You must advise the FedRAMP PMO of your intent to obtain a provisional authorization.

  • We determine the categorization of your systems and information types based on NIST SP 800-60
  • We consult on the selection of which control baseline to implement – Low or Moderate.

Document Security Controls

FedRAMP requires that a comprehensive set of templates be completed.

  • We complete the documentation and provide consulting to develop solutions to mitigate deficiencies

Perform Security Testing

You must choose a 3PAO to perform security testing.

  • We recommend accredited 3PAOs to perform the security testing.
  • We review the findings from the testing and provide consulting on implementing solutions to remediate the findings.

POA&M/Self-Attestation

You must put together POA&Ms for mitigating security weaknesses.

  • We consult with your staff to group findings and develop POA&Ms, and provide consulting to help mitigate the vulnerabilities.

Annual Security Testing

After obtaining Provisional Authorization, you must engage a 3PAO to perform ongoing security testing on an annual basis.

  • We contract with accredited 3PAOs to perform the annual security testing.
  • We review the findings and assess the impact on maintaining authorization.