Obsidian provides ongoing Certification & Accreditation as well as Information Assurance support. Obsidian SMEs use:
- Host Based Security Systems (HBSS), Antivirus, BlueCoat, Q1 Snare (log server), multiple IDS and scanning tools to ensure that the RTD&E network is compliant and efficient while ensuring end user performance satisfaction is maintained.
- Retina, SCAP, ACAS and NMAP tools for automated scanning. Locally created scripts and security templates are used to ensure all systems are IA compliant and to formally document the systems security posture.
- Obsidian SMEs analyze current government regulations and proposed regulatory changes of other automated or manual systems that could impact the information systems.
Obsidian Security Capabilities include:
- Network Security Engineering
- Network Enclaving
- Firewall Engineering
- Computer Network Defense (CND)
- Information Security Policy
- Information Assurance (IA)
- Assessment & Authorization (A&A)
- Certification & Accreditation (C&A)
- Risk Management Framework (RMF)
- Cyber Security Training
- Obsidian supports the Defense Cyber Investigations Training Academy (DCITA) by developing and delivering training courses in the areas of Cyber Counter-Intelligence, Cyber Forensics, Network Intrusions, Incident Response and General IT for approximately 2,000 students per year.
Cyber Security Tools Used:
- PKE/PKI, ICAM, Network Intrusion and Cyber Forensics
- Compile A&A packages for IA Assessments
- Collaborate with System Owners to mitigate IA findings
- DOJ, FBI
- DHS, I&A
- DoD, USAF
- DOS, IRM
- DoD, Navy
- DHS, CBP
- DHS, OBIM
The Federal Risk and Authorization Management Program (FedRAMP) provides a standard approach for conducting security assessments across the U.S. Government. In 2011, OMB published a memo requiring that all cloud services used by the government comply with FedRAMP requirements by 2014.
Certain controls can be challenging to meet, so you must confirm they can be met before applying.
- We go through the FedRAMP preparation checklist to determine whether you have the right controls in place and the ability to manage them.
- We contract with accredited 3PAOs to perform security testing to identify deficiencies
- We develop solutions to implement baseline security controls that are not currently in the cloud system
Initiate the Process
You must advise the FedRAMP PMO of your intent to obtain a provisional authorization.
- We determine the categorization of your systems and information types based on NIST SP 800-60
- We consult on the selection of which control baseline to implement – Low or Moderate.
Document Security Controls
FedRAMP requires that a comprehensive set of templates be completed.
- We complete the documentation and provide consulting to develop solutions to mitigate deficiencies
Perform Security Testing
You must choose a 3PAO to perform security testing.
- We recommend accredited 3PAOs to perform the security testing.
- We review the findings from the testing and provide consulting on implementing solutions to remediate the findings.
You must put together POA&Ms (Plans of Action and Milestones) for mitigating security weaknesses.
- We consult with your staff to group the findings and develop POA&Ms, and provide consulting to help mitigate the vulnerabilities.
Annual Security Testing
After obtaining Provisional Authorization, you must engage a 3PAO to perform ongoing security testing on an annual basis.
- We contract with accredited 3PAOs to perform the annual security testing.
- We review the findings and assess the impact on maintaining authorization.