© 2018 MHM Innovations, Inc.

Cyber Security | Risk Management Framework (RMF)

All information systems carry operational risks, but what are they and how can they be mitigated? Cyber Security/Information Assurance (IA) seeks to minimize these risks as much as possible and describe the residual risks to an authorizing official for a risk-based authorization decision. MHM specializes in the Risk Management Framework (RMF), which provides a process that integrates security and risk management activities into the system development life cycle. The risk-based approach, which has been adopted by DoD and the IC, considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations. A successful cyber effort includes implementing over 1,000 individual security requirements, developing a technical “body of evidence” set of documents that describe the security features of the system, executing security scans and resolving findings, developing granular security test plans to demonstrate compliance, and navigating the political landscape of the formal assessment and authorization that conclude the process.

Our staff includes experienced DoD and Intelligence Community Cyber/IA professionals skilled in executing the responsibilities of each of the major stakeholders, including assessment, authorization, and security engineering through multiple standards such as DCID 6/3, DIACAP, NIST 800-37, and ICD 503, as well as holding 8570-compliant certifications for all levels. By providing expert-level understanding of all the steps and roles of an accreditation or authorization effort, MHM ensures that all security controls and/or requirements are satisfied with sound, well-engineered, documented, and industry best-practice solutions. This ensures an effort that is both successful and cost-effective.

Specifically, MHM can:

  • Build and execute a plan to get an information system to an ATO status.

  • Provide security engineering during the entire software development lifecycle process to ensure applications comply with applicable Assessment and Authorization (A&A) requirements. MHM is skilled at integrating Cyber into multiple software development processes and methodologies, including Agile, DevOps, and waterfall development.

  • Enhance the security posture of an organization by performing Information Systems Security Engineering activities, such as implementing security controls, developing the body of evidence, and conducting tests to prepare for security assessments.

  • Employ industry best practices that span product evaluation, testing, analysis, and resulting decisions and recommendations, while keeping pace with client development requirements.

  • Conduct assessments and provide guidance for information assurance implementations, and for the validation and verification of security features to determine if they are adequate to protect against the threats to your environment.

Cyber/Information Assurance:

  • MHM staff includes expertise from all IA roles and many IA methodologies.

  • MHM maintains expertise in both full system accreditation/authorization and certifying/assessing in a prototyping/software integration laboratory environment.

  • MHM understands that certifying a constantly moving target is very difficult. Certification requirements, documentation, and testing methods are normally based on a stable system targeted for operation. In response to this challenging environment, MHM developed the concept of a process certification in which, rather than certifying the end state of the equipment and software, we certify the base system and the processes and methods used to add, remove, or alter any part of the system.

  • Our process-oriented certification methodology supports the dynamic nature of the System Integration Lab (SIL) environment while simultaneously laying a basic foundation for systems moving from the prototyping environment into a formal individual system accreditation.

Cross Domain Solutions:

  • MHM’s expertise is in the design and deployment of a Multi-Level Security (MLS) solution that provides PL4 storage and retrieval of documents on a single database with security classifications from different networks and sources. The data is stored with the proper CAPCO security labels, and analysts can retrieve it under PL4 protection according to their personal security clearance and the classification of the network they are using.

  • MHM provides expertise in architecting one-way and bidirectional PL5 cross domain solutions for specialized systems. These efforts include both the integration of the guards and the development of multiple APIs to ensure the proper implementation of a security model that protects the confidentiality of the high security domains and protected data while providing an effective user experience.

  • Our development objective is the deployment of solutions that minimize the requirement for multiple systems and integrate the analytical function and data availability on only one physical database machine.

  • MHM maintains a strong team of both system and software engineers coupled with highly experienced Information Assurance professionals to achieve realistic and operationally relevant cross domain solutions.