Your Trusted Partner For Improved Security & Privacy

Wednesday, July 23, 2008
Services Description

JD Biggs & Associates, Inc. has demonstrated experience and success completing security & privacy engagements for public and private organizations.  These engagements on major applications and general support systems involve performing: FISMA compliance, risk assessments, certification and accreditation, conducting vulnerability and penetration tests, threat assessment, and developing business continuity & disaster recovery programs.

Our consulting staff is fluent in defining management, operational, and technical security requirements, and mapping these requirements to in-place & planned controls.  Additionally, verification & validation on existing controls is paramount in determining their effectiveness and recommending improvements that will eliminate or mitigate vulnerabilities and threats.

FISMA Compliance Support

JD Biggs & Associates FISMA compliance support services can improve your agency's FISMA grade by establishing policies, standards, training, and assessments for systems and enterprise security programs. Our security and privacy consultants are subject matter experts with experience developing the required policy, procedures, and documentation for the eight points of the agency's security program. These services help fill the gaps in your security program, especially in risk assessments, the certification and accreditation process, privacy impact analysis, security categorization, development of security plans, setting security configuration, and evaluating the effectiveness of management, operational, and technical security controls.

The objectives of JDBiggs & Associates FISMA compliance support services are to improve the enterprise security program, major applications and general support systems with regard to the eight areas cited by FISMA:

  1. Security Policies and Procedures
  2. Subordinate Systems Plans
  3. Continuity of Operations Plan (COOP)
  4. Security Incident Reporting
  5. Training Plans
  6. Testing and Evaluation Results
  7. Agency Risk Assessments
  8. Remedial Action Process

Risk Assessment

Performing a risk assessment on a major application or general support system is complex, time consuming, and resource intensive. It involves the collection, review, and analysis of security program documentation, physical walkthroughs of production facilities, one-on-one interviews with staff and subject-matter experts, and verification & validation of In-Place and Planned security controls.

Our consultants use the nine phases outlined in the “Security Program Assessment & Validation Methodology” as a framework and structured approach to identifying, assessing and initiating steps that will eliminate and mitigate risk to an acceptable level.  This methodology is designed to examine and analyze In-Place & Planned common and system specific security controls for management, operational, and technical security requirements.

Once the analysis is complete, recommendations are produced to improve existing security requirements and the in-place and planned management, operational, and technical security controls, for the purpose of eliminating and mitigating threats and vulnerabilities.

Certification & Accreditation (C&A)

Performing a certification and accreditation (C&A) on major applications or general support systems involves shared responsibilities across an agency. Top-level agency officials with oversight and signature authority, along with key personnel possessing subject-matter expertise in the system, must have advance notification of the scheduling of C&A activities. These activities, as defined by the National Institute of Standards and Technology (NIST) Special Publication 800-37, are complex, time consuming, and moderately expensive. They involve completing four distinct phases: (1) Initiation Phase, (2) Security Certification Phase, (3) Security Accreditation Phase, and (4) Continuous Monitoring Phase.

The objective of JDBiggs & Associates C&A support services is to assist the agency in completing certification and accreditation on major applications and general support systems. We primarily operate in the capacity of a certification agent, completing phases 1 & 2 of the C&A process. Our team will certify the system in accordance with NIST SP 800-37, organizational policies, standards, and manuals. This team will also provide recommended corrective actions on in-place and planned common and system-specific security controls to eliminate or mitigate vulnerabilities in the system.

The C&A team's results provided to the designated accrediting authority (DAA) are the most complete, accurate, and trustworthy information possible on the security status of the system. The DAA will use this information to make timely, credible, risk-based decisions on whether the system should receive:

  1. Authorization to operate;
  2. Interim authorization to operate; or
  3. Denial of authorization to operate.

JDBiggs & Associates will also assist in developing or refining existing security program documentation in accordance with NIST and FIPS publications and agency operational standards and policies. Our consultants will provide recommendations on the specific security controls that should be monitored after the accreditation is formalized.

Copyright 2000-2007 by JDBiggs & Associates, Inc.