SCENARIO: Wilson Consulting Group (WCG) was contracted to help create a Certification and Accreditation (C&A) program for a federal agency that is responsible for administering medical-related services to ensure that good information security practices are in place and maintained.
The agency is responsible for the payment of more than$400 billion annually for medical services provided to nearly 90 million program beneficiaries and recipients. They have about 4,900 employees at their central site, with ten regional offices throughout the country. In the administration of these national programs, they utilize many assets, including buildings, facilities, communications equipment, computer systems, employees, and contractors. A breach of any one of these assets could affect the quality of support provided by the agency to its customers.
The agency required a system of cost-effective information security controls to protect the information it collects, including privacy and proprietary data, procurement data, inter‑agency data, and privileged system information. Access to such information is controlled by various federal acts and guidelines, such as FISMA and NIST. The agency has a legal responsibility to maintain the confidentiality and integrity of this information.
WCG's Strategy: To ensure that good information security practices were in place and maintained, WCG helped the agency create an effective C&A program, with information security policies and standards that met Office of Management and Budget (OMB) and NIST requirements.
RESULTS: To create these policies and programs, WCG:
Reviewed, updated, and developed information security guidelines. These guidelines arerequired as part of the agency’s Integrated IT Investment & System Life Cycle Framework and the agency’s C&A program. Examples of guidelines are included, but were not limited to the following: System Security Plan (SSP); Information Security Risk Assessment (IS RA); Contingency Plan (CP).
Provided technical and administrative support forthe creation and management of Corrective Action Plans (CAPs) and participated in their execution. This included technical testing to validate that the implemented solution effectively addressed the identified weakness.
Identified mechanisms to increaseefficiencies in the daily management and maintenance of all aspects of the agency’s C&A program,provided technical and administrative support in the implementation of the plans, and trained staff in their use.
With a solid C&A program in place, the agency’s management team can now effectively make risk-based decisions concerning the security of the applications, systems, and infrastructures within its purview.