Cybersecurity Shared Services Contact Info

Email: cyberservices@esc.gov Phone: (405) 954-4444

About Us

The Enterprise Services Center’s (ESC) Cybersecurity Shared Services Center is a Department of Homeland Security (DHS) Cybersecurity & Infrastructure Security Agency (CISA) vetted Federal Shared Services Provider (FSSP) under the Cyber Quality Services Management Organization (QSMO) program. Prior to the Cyber QSMO program taking flight, ESC operated as an Office of Management and Budget (OMB) designated Shared Services Center for Risk Management Framework (RMF) services under the Information Systems Security Line of Business (ISSLoB) program. ESC was one of the first federal organizations to receive this designation in 2009. Additionally, ESC’s Cybersecurity Shared Services organization is an accredited Third Party Assessment Organization (3PAO) under the General Services Administration’s (GSA) Federal Risk and Authorization Management Program (FedRAMP^®). ESC earned the distinction of being the first federal organization to receive the 3PAO accreditation in 2012. ESC’s Cybersecurity Shared Services Center provides a variety of Independent Cybersecurity Assessment, Cybersecurity Vulnerability Scanning/Penetration Testing and Cybersecurity Compliance Support services in the federal space.

---

Independent Cybersecurity Assessment Services

Credentialed federal employee led independent security control assessments to include:

Assessments are conducted in accordance with NIST 800-37 & 800-53A along with agency tailoring. Standard deliverables include:

For security control assessments of cloud-based systems, ESC performs assessments in accordance with GSA’s FedRAMP^® requirements. Cloud providers, sponsored by a Federal agency, should have already been approved by the FedRAMP^® Program Management Office (PMO) to engage with a 3PAO for their system's assessment.

As an add-on to ESC’s assessment work, an Independent Verification & Validation (IV&V) service is available. This service provides an independent perspective on the effectiveness of an organization’s remediation activities. If remediation is incomplete, Assessors will articulate the remaining gap.

---

Cybersecurity Vulnerability Assessment Services

Credentialed federal employee led specialized and customizable vulnerability scanning services that include the following:

• Database Vulnerability Scanning
  • Scanning of databases is conducted with credentials to provide a full and comprehensive view of the database(s). The database scanning tool is updated to the latest known version prior to any scan assessment.
    • Each discovered vulnerability will be analyzed, compared and cross-referenced against the National Vulnerability Database (NVD) Common Vulnerabilities and Exposures (CVE) database.
    • A comprehensive report will be generated that identifies all potential database security-related issues.

• Phishing Testing
  • Customer defines scope of targeted users for a phishing e-mail to be sent. Report includes how many users open the e-mail and how many clicked the link in the e-mail. Analysis of users that clicked the link will be conducted to determine potential level of impact.

• Penetration Testing
  • Penetration testing can be conducted from an external and/or internal view. A Rules of Engagement document (RoE) is drafted and signed by both parties that describes the scope of the engagement. Standard practices include:
    • At the customers discretion, and in accordance with the RoE, vulnerabilities may be tested based on the potential level of risk they pose to the system.
    • The pen tester shall remain in constant communication with the technical point of contact throughout the engagement.
    • Penetration tests will only occur during agreed upon scheduled times on pre-determined systems.
    • If a system’s vulnerabilities are successfully exploited, the pen tester will provide verification either by the placement of a file on the compromised system or screen shots.

• Wireless Network Vulnerability Scanning
  • Wireless scanning will include:
    • Wireless scan(s) at the customer's designated location.
    • Detected wireless devices shall be recorded, analyzed, classified and sorted.
    • Each access point reviewed for determination of detectable weaknesses (i.e. default/weak password check).
    • A comprehensive report that identifies all discovered wireless devices. For each device detected, the report will contain the type of signal detected, the MAC address of the device, the wireless channel the device is operating on, what type of security/encryption the device is using, and the GPS location of said device.

---

Cybersecurity Compliance Support Services

Credentialed federal employee led support services focused on compliance with National Institute of Standards and Technology (NIST) 800-series requirements. These customizable services include:

• Information System Security Officer (ISSO) Services
  • Service available to systems hosted in ESC’s federal Tier 3+ data center; assignment of dedicated ISSO support personnel of appropriate skill level to match the needs/complexity of customer system(s). Includes year-round tracking, reporting, and providing recommendations on Plan of Action & Milestones (POA&M)s; monthly continuous monitoring security meetings with system representatives to discuss any outstanding security items or changes to risk posture; authoring of Security Impact Analyses (SIAs) for planned changes and/or deployments; and maintenance of FISMA inventory records as applicable.

• Creation/Maintenance of Security Documentation and/or Procedures
  • Initial creation, updates to existing, and/or consultation on information protection processes and procedures (based on NIST 800-53 and any other applicable Federal guidance). This service yields the required documentation for a new or continuously monitored system to prepare for a security control assessment. Key deliverables include:
    • System Security Plans (SSP)
    • Audit log monitoring procedures
    • Information System Contingency Plans (ISCP)
    • Account Management Plans (AMP)
    • Incident Response Plans (IRP)

• Disaster Recovery Consultation, Documentation & Testing
  • System contingency planning and testing services in accordance with NIST 800-37 and 800-53. Services include the delivery of a customized contingency plan tailored for the unique needs and structure of a system. Deliverables include:
    • Information System Contingency Plan (ISCP)
    • ISCP Exercise Plan and After Action Report

• Incident Response Planning & Testing Strategies Consultation & Documentation
  • System security incident response planning and testing services in accordance with NIST 800-37 and 800-53. Services include the delivery of a customized security incident response plan tailored for the unique needs, structure of a specific system, and the higher-level incident response plans of the federal organization. Deliverables include:
    • Incident Response Plan (IRP)
    • Incident Response Exercise Plan and After Action Report

• Interface Memorandum of Understanding / Interconnection Security Agreement Negotiations & Documentation
  • Collaborative authorship of system-to-system interconnection agreements in accordance with NIST 800-47. Through guided discussions, we help federal organizations document the terms of an agreement that protect the interests of each party while concurrently meeting all applicable federal policies.

• Risk Management Framework (RMF) Lifecycle Consultation
  • Helping agencies navigate the NIST Risk Management Framework (RMF) steps required for systems to meet all Federal policies, gain a Federal security authorization, and be continuously monitored by the agency until the system is decommissioned.

• Privacy Data Handling Policies/Procedures Consultation & Documentation
  • Security documentation service focused on helping agencies design and document system privacy handling processes and procedures that comply with Federal guidelines.