
Independent Assessments in Support of Continuous Monitoring

Maintain ongoing authorization - get annual assessments from ESC

This service includes an annual, independent security control assessment of a system under Continuous Monitoring/Ongoing Authorization. These point-in-time Continuous Monitoring Assessments (CMAs) augment the ongoing activities the customer performs to maintain the security posture of their system. The assessment is conducted in accordance with the latest versions of National Institute of Standards and Technology (NIST) SP 800-37 and SP 800-53A, agency tailoring, and any applicable control overlays (e.g., industrial control systems, high value assets, etc.). Standard (electronic) deliverables include:

  • Executive Summary
  • Certificate
  • Travel to customer location as required
  • Security Assessment Plan (SAP)
  • Security Assessment Report (SAR)
  • Findings & Recommendations
  • Optional: Data population in the agency's Federal Information Security Modernization Act (FISMA) reporting system

As an add-on to ESC's assessment work, follow-on Independent Verification & Validation (IV&V) is available.

Independent control assessment engagements are scoped using customer-provided information, specifically with regard to the number of Control Objectives that would be in scope for testing. Control inheritance from separately accredited systems lowers the level of effort (LOE) for control testing. Conversely, embedded subsystems may multiply the testing LOE.

DOT/ESC recommends that organizations not pursue CMAs until a comprehensive, full assessment has been completed to establish a baseline for the system's security posture. Significant changes to the system environment or to the applicable standards (e.g., the release of a new version of NIST SP 800-53A) may warrant a new full assessment.

Eligibility

Federal civilian agencies are eligible to use these cybersecurity services from the DOT Enterprise Services Center (ESC). Department of Defense (DOD) organizations may be eligible for ESC cybersecurity services if their systems are unclassified.

Interested in this Fed-to-Fed service? Get a quote!

To get started, reach out to the ESC team. We will send you a simple questionnaire to fill out. Return the completed questionnaire to us and we will promptly develop a firm fixed-price quote, including proposed schedules. If you just need a rough order of magnitude (ROM) estimate for budget planning purposes, just let us know.

Contact ESC at CyberServices@esc.gov to get more information and assistance.