FGE's Risk Management Framework (RMF)
FGE has a proven process of implementing RMF policies and procedures for both .mil and .gov clients. We provide end-to-end RMF support services -
How can FGE ensure that you are compliant?
NIST regulation and the RMF (in fact, many of the data security standards and compliance regulations) have three areas in common:
Identify your sensitive and at-risk data and systems (including users, permissions, folders, etc.);
Protect that data, manage access, and minimize the risk surface;
Monitor and detect what’s happening on that data, who’s accessing it, and identify when there is suspicious behavior or unusual file activity.
Step 1: Categorize Information System
Our team will assist the Information System Owner in assigning a security role to the new IT system based on mission and business objectives. The security role must be consistent with the organization's risk management strategy.
Step 2: Select Security Controls
The security controls for the project are selected and approved by leadership from the common controls, and supplemented by hybrid or system-specific controls. Security controls are the hardware, software, and technical processes required to fulfill the minimum assurance requirements as stated in the risk assessment. Additionally, the agency must develop plans for continuous monitoring of the new system during this step.
Step 3: Implement Security Controls
During this step, our SMEs will enable the agency to document, with the appropriate processes, that it has achieved the minimum assurance requirements and demonstrated the correct use of information system and security engineering methodologies.
Step 4: Assess Security Controls
FGE will assign an independent assessor who will conduct reviews and provide recommendations to the client for approval of the security controls as implemented in Step 3. During this assessment, FGE will ensure compliance, outline any gaps, address and/or remediate any weaknesses or deficiencies found, and ensure that proper notation and documentation of these findings and corrective actions are provided to the client.
Step 5: Authorize Information System
FGE will prepare an authorization package for risk assessment and risk determination. This package is then given to the authorizing agent who will then submit the authorization decision to all relevant stakeholders.
Step 6: Monitor Security Controls
FGE, in conjunction with the agency, will continue to monitor the current security controls and update them based on changes to the system or the environment. FGE will ensure continuous monitoring and provide substantiating reports as required by the client's security policy.