GAMA-1’s NWS ISSO Support Services contract performs 25 compliance reviews of all FISMA high, and moderate systems, and validates 6 low self assessed systems, as well as, develop high quality ATO packages, and assist the ITSOs with all activities of the system security authorization process.
We facilitate planning for business continuity / disaster recovery, certifying and accrediting systems, security technical assessments, monitoring security, reporting and responding to incidents, and taking corrective actions. Our Security engineers work with the CISOs, ITSOs, and ISSOs to successfully manage and architect IT security services across the agency. We ensure secure operations for IT infrastructure, networks, applications, databases, equipment, and assets. We perform required system security scans to assess vulnerabilities and to ensure the proper “hardening” to protect against potential threats.
Findings resulting from routine scans are reported to the CISOs, ITSOs, ISSOs and other stakeholders and any resolutions from issues that arise are documented and stored in compliance with configuration management (CM) processes and policy.
We support the CISOs, ITSOs, and ISSOs in preparing, performing, and executing follow-up activities associated with the annual A&A process and security posture improvement programs, including Continuous Monitoring, Contingency Testing, and Penetration Testing. In preparation for these annual activities, we review and audit that the system inventory for both hardware and software are in compliance with CM processes and DOC, NOAA, NWS policy. We ensure changes to system components are accurately reviewed, tested and authorized prior to deployment in the production environment.
For FY2019 we’ve analyzed information security systems and applications, recommended and developed security measures to protect information against unauthorized modification or loss, and evaluate authorization package documentation prepared by the system owner (e.g., SSP, RAR, CMP, CP, IRP, PTA/PIA). We have also supported the development and maintenance of the system’ security goals, policies, and procedures. Our Security team members are strong advocates of quality documentation including policies for security tools, SOPs, IR management, and Nessus scan management; policies and procedures for patch management, privileged account management; and numerous improvements to A&A packages, SSPs, and Contingency Plans.