Specifications include, but are not limited to:

• Technical Vulnerability Assessment: An in-depth analysis of external and internal network infrastructure, applications, and systems to identify vulnerabilities that adversaries could exploit.

• FISMA Compliance Assessment, identifying the level of compliance in all areas including:

  o Information System Inventory: Evaluate the information system inventory against the requirements of Federal Information Processing Standards (FIPS) Publication 200 to ensure comprehensive and accurate accounting of the agency's assets, examining the processes for maintaining this inventory in line with NIST Special Publication (SP) 800-53, Control CM-8 (Information System Component Inventory).

  o Risk Categorization: Assess the agency's risk categorization against FIPS 199 standards to confirm that systems are categorized based on the potential impact of security breaches, and validate that the process follows guidance from NIST SP 800-60.

  o Security Controls: A rigorous evaluation of the existing security controls against the NIST SP 800-53 standards to ensure they are appropriately implemented and effectively mitigate identified risks.

  o Risk Assessment: Analyze the risk assessment process to ensure compliance with NIST SP 800-30, verifying that the agency systematically identifies, evaluates, and plans to mitigate risks.

  o System Security Plan: Review all SSPs to confirm that they comprehensively outline the security controls, consistent with NIST SP 800-18 (Guide for Developing Security Plans for Federal Information Systems).

  o Certification and Accreditation: Verify the certification and accreditation process to ensure it meets the NIST SP 800-37 standards, which provide guidelines for applying the Risk Management Framework to federal information systems.

  o Continuous Monitoring: Evaluate the effectiveness of the continuous monitoring program, ensuring it is aligned with the guidelines of NIST SP 800-137 (Information Security Continuous Monitoring).