Federal Agency Case History

WCG performed a variety of services, including system documentation assessment, security certification and accreditation, and other tests to assess the effectiveness of the DSTM security controls.


SCENARIO: A federal agency was in need of compliance and certification assistance. They were responsible for coordinating technical support for the safety and health of personnel responding to the clean-up and recovery operations following the destruction of Hurricane Katrina along the Gulf Coast of the United States.

This agency’s technical data center contracted Wilson Consulting Group (WCG) to provide a variety of turn-key certification and accreditation compliance services. WCG reviewed, verified, and tested the security controls (management, operational, and technical) of the electronic docket management system and related systems serving the agency’s Directorate of Science, Technology and Medicine (DSTM).

WCG's Strategy: WCG performed a variety of services, including system documentation assessment, security certification and accreditation, and other tests to assess the effectiveness of the DSTM security controls. The tests included vulnerability assessments and penetration testing, where appropriate. WCG made recommendations for cost-effective solutions to correct identified vulnerabilities. As a direct result of the quality of these efforts, WCG was retained to provide remediation services.

WCG provided guidance and documentation to assist the agency in obtaining Authority to Operate (ATO) certification for several of the agency’s systems.

ATO certification requires that systems be tested to verify compliance with applicable federal management, operational, and technical security guidelines, regulations, and controls. These guidelines included, but were not limited to:

  • OMB Circular A-130, Management of Federal Information Resources
  • Department of Labor (DOL) Computer Security Handbook
  • DOL System Development Lifecycle Manual (SDLCM)
  • DOL Technical Security Standards Manual
  • NIST SP 800-30, Risk Management Guide for IT Systems
  • NIST FIPS 31, Guidelines for ADP Physical Security and Risk Management
  • NIST SP 800-37 (draft), Guidelines for Security Accreditation of IT Systems
  • NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems
  • Administration Procedures Act
  • Title 29, Code of Federal Regulations, Part 70
  • Information Technology Management Reform Act of 1996
  • Privacy Act of 1974
  • Computer Fraud & Abuse Act of 1986, as amended
  • Freedom of Information Act, as amended
  • E-Government Act of 2002
  • Department of Labor Technical Security Standards Manual (TSSM)
  • Department of Labor FIPS 199/Security Self-Assessment (MS Access)
  • Federal Information Processing Standards (FIPS 199)
  • NIST Special Publication 800-53, “Recommended Security Controls for Federal Information Systems”
  • NIST Special Publication 800-60, “Guide for Mapping Types of Information & Information Systems to Security Controls”

The goal of the system vulnerability assessment was to examine the information system’s security infrastructure to determine its ability to prevent breaches.

The assessment’s findings and recommendations were outlined in the recent Office of the Inspector General (OIG) reports. These included:

  • DOL and Occupational Safety and Health Administration (OSHA) security policies and procedures, and their enforcement
  • Emergency response and recovery plans
  • Physical security of facilities and equipment housing the information systems
  • Use of the applications security features, including user administration and access control
  • Level of user awareness and technical personnel training in security issues and technology
  • Use and protection of all outside connections, including access via LANs, dial-up, and individual workstations/servers
  • Susceptibility to non-technical attacks
  • Unintended use of the information systems by OSHA personnel

WCG RESULTS: WCG successfully examined, evaluated, documented, and prepared certification and accreditation tests, procedures, and approvals for the complex multi-tiered records management applications within the agency’s environment.

We provided guidance and documentation to assist them in obtaining ATO certification for the following systems:

  • OHMS (the agency’s health monitoring system)
  • Salt Lake Technical System (SLTS)
  • TESS (Technical Equipment Support System)
  • MAO (Medical Access Order)

The project was delivered on time, on budget, and to the government’s specifications. Due to the quality and timeliness of our work, WCG was asked to expand the scope of services provided to the agency.
