Cybersecurity Service Provider (CSSP)
Obsidian is leading the way in next generation CSSP solutions and IA architecture, development of next generation network operations security centers (NOSC) and aiding our customer’s in operational and service provider alignment with DoDI 8530.01, cybersecurity activities support to DoD information network operations. This includes the reshaping of provision of CSSP services for DISA/DoDIN connected networks, combatant commands (CCMDs), DoD agencies, and other organizations that subscribe or align to DISA circuits.
Risk and Vulnerability Assessment (RVA)
Our personnel have years of direct experience leading cybersecurity programs in advising Information Systems Security Managers (ISSMs), performing Information Systems Security Officer (ISSO) roles, implementing the full suite of NIST security doctrine including NIST SP 800-53 Rev 4 and NIST SP 800-37 Rev1, and meeting personnel qualification of 8570.01-M. Additionally, Obsidian personnel have experience as principal cyber advisors to DoD components before, during, and after DoD’s transition to DoD Instruction (DoDI) 8510.01: RMF for DoD Information Technology (IT), CNSSI 1253, Security Categorization and Control Selection, DISA’s Cloud Security Implementation Guide, and related publications. Obsidian uses the DoD 8510.01 Risk Management Framework (RMF) six-step process for DoD Information Technology and National Security systems
Incident Response (CDM, SOC)
Dynamic support to an ever-changing cyberattack surface is necessary for high-operational-tempo (OPTEMPO) and a mission-focused environment. Obsidian uses the NIST Cybersecurity Framework and MITRE Corrective Action Requests (CARs) as a key part of our process for hunting, identifying, assessing, and managing cybersecurity risk and incident response. This Cybersecurity Framework is the foundation for our incident response and provides a common language to communicate security requirements across stakeholders and external partners responsible for the delivery of critical mission services. Our cybersecurity incident response process is based on the NIST SP 800-61, Computer Incident Handling Guide, and ensures that security operations and incident response is coordinated with all interconnected systems across various partners.
Obsidian has a proven penetration testing approach that uses industry best-practice and standard toolsets for each phase, which provides structure and consistency both in the implementation and the outcome. We use automated toolsets to reduce the risk of penetration testing, and our expertise in manual testing allows us to complement the automated results with targeted and precise tests that enhance the results. Our penetration test scenarios focus on locating and targeting exploitable defects in the design and implementation of applications, systems, or networks. Our tests reproduce the most likely and most damaging attack patterns, including worst-case scenarios such as malicious actions by insider threats.
High Value Assets (HVA), Security Architecture, and Systems Security Engineering
With the continued intensity of cyber-attacks, the need to enhance security monitoring and incident response capabilities has never been more critical. Obsidian tackles security issues by addressing protection requirements throughout the life cycle of the systems. Obsidian uses the Systems Security Engineering Framework defined in NIST SP 800-160, which defines three contexts in which systems security engineering activities are conducted: the problem context, the solution context, and the trustworthiness context. The three contexts share a base of system security analyses that produce data to support security engineering decision-making.
Obsidian provides offensive security operations support for responding to a crises or urgent situations to mitigate immediate and potential threats. Cyber Hunts start with the premise that threat actors known to target some organizations in a specific industry or with specific systems are likely to also target other organizations in the same industry or with the same systems.