Agiliance Federal Market Solutions

Agiliance delivers a purpose-built IT GRC application as a COTS solution. It implements a full range of commercial as well as federal and defense agency standards and regulations, with more than 10,000 controls mapped across multiple standards, regulations and frameworks including ISO 17799 / ISO 27002, ISO 27001, SOX, HIPAA, GLBA, FFIEC, and CobiT.

Additionally, Agiliance addresses the needs of federal, defense and intelligence agencies by implementing the policies and controls contained in standards such as FISMA, FIPS 199, NIST SP 800-37, NIST SP 800-53A, NIST SP 800-66, DCID 6.3, DOD 8500.1 & 8500.2, DIACAP, and DISA STIGs.

Agiliance IT-GRC 3.0, as a software application platform, supports the delivery of multiple solutions that provide a top-down view into the information security, risk and compliance needs of departments and agencies. These include:

Certification & Accreditation

Certification - System certification requires controls to be assessed and certified to be functioning properly. Based on the categories defined in FIPS 199, the certification will vary from self-assessment to third-party validation. NIST SP 800-53A provides guidance on the assessment methods applicable for individual controls. Agiliance maintains a common control framework with more than 10,000 controls spanning multiple frameworks and regulations including NIST SP 800-53A. The Agiliance application delivers guidance on individual controls right in the application to project managers and analysts.

Accreditation - Once a system has been certified, the security documentation package is reviewed by an accrediting official, who accredits the system by issuing an Authorization to Operate (ATO). NIST SP 800-37 provides guidance on the certification and accreditation of systems. The generally accepted methodologies used for C&A initiatives are based on DIACAP and NIST; Agiliance supports these methods.

Agiliance IT-GRC allows agency operational managers to:

  • Assess facilities and programs before engaging the agency C&A authority
  • Gain C&A interim approval quickly by pre-testing, for a favorable outcome
  • Automate the questionnaire and control test process and attach evidence
  • Generate audit reports, compliance reports and documentation packages
  • Accept, Transfer, Mitigate, or Remediate risk
  • Include information from security automation tools
  • Reduce time-to-approval; obtain full operational approval in weeks versus months to a year

Standards, regulations and frameworks supported: FISMA, FIPS 199, NIST SP 800-37, NIST SP 800-53A, NIST SP 800-66, DCID 6.3, DOD 8500.1 & 8500.2, DIACAP, DISA STIGs

Continuous Compliance

Agiliance provides the ability to monitor security controls for all accredited systems. Any change to the security profile of a system triggers an updated risk assessment, and modified controls can be flagged and scheduled for re-test and re-certification.

  • Maintain approved status
  • Eliminate costs from full re-certification
  • Roles-based dashboards and reports provide actionable information at all times

Standards, regulations and frameworks supported: FISMA (NIST SP 800-53A), NIST SP 800-37, NIST SP 800-66, DCID 6.3, DOD 8500.1 & 8500.2, DISA STIGs and the upcoming ICD 503

Agiliance also supports compliance with out-of-band mandates including OMB 06-16, OMB 07-16, and HSPD-12.

Enterprise Vulnerability Management Dashboard

Determining vulnerabilities in systems, applications and processes is key to managing risk, and the degree of vulnerability also contributes to the risk score. Creating a risk-based response allows managers to focus on the areas of risk that are most critical to the organization.

Federal agencies and departments have implemented various security automation solutions over time. These legacy solutions, while operational, produce individual logs and reports and tend to deal with vulnerabilities on an asset-by-asset basis. IT security experts must interpret these logs and reports and render an opinion on criticality. Ad hoc reporting like this does not meet the continuous compliance capabilities prescribed by FISMA.

Vulnerabilities versus controls

Agiliance IT-GRC provides a vulnerability dashboard that delivers visibility into vulnerability trends mapped to the technical control checks performed by security automation tools.

Agiliance delivers a Vulnerability Management Dashboard solution that:

  • Provides connectors to the widest range of security automation tools via the Agiliance Open Connector™ architecture, connecting to vulnerability scanners, Security Incident Management (SIM) systems, security configuration management systems and CMDBs (change management databases).
  • Provides knowledge of and visibility into IT assets such as servers, applications, network devices, databases, storage appliances, etc.
  • Connects to the security automation tools to link to results, log data and exceptions, allowing the organization to leverage its existing investment in those tools.
  • Aggregates that information into roles-based dashboards that deliver continuous visibility across the agency or department.
  • Delivers a web-based eSurvey capability to test those controls that cannot be automated and combines the answers with the results derived from the security automation tools.
  • Tracks vulnerability identification and resolution trends.
  • Orchestrates vulnerability remediation at an enterprise level across multiple security operation tools.

Standards, regulations and frameworks supported: FISMA, FIPS 199, NIST SP 800-37, NIST SP 800-53A, NIST SP 800-66, DCID 6.3, DOD 8500.2 and DIACAP

Enterprise IT Risk Dashboard

Federal agencies, as with their private sector counterparts, can achieve superior operational performance when managing proactively. By anticipating potential security risks and taking steps to alleviate negative outcomes, management can be reasonably assured that the organization will meet its mission objectives.

Unfortunately, many agency directors and their oversight committees have limited visibility into IT risk. This places a large burden on CIOs and CISOs to articulate the challenges they face as different parts of the organization must comply with mandates, regulations, and policies. IT risk, compliance and audit; IT security; and IT operations typically function as silos.

Enterprise Risk Dashboard

The Agiliance Enterprise IT Dashboard provides a consolidated view into IT risk and compliance, including metrics such as Top 5 High Risk Entities, Top 5 Vulnerabilities, Monthly Security Risk Trend, Compliance by Division or Department, and Top 5 Threats.

With Agiliance IT-GRC, organizations can:

  • Identify and quantify risk actions with their cost impacts: acceptance, avoidance, compensation, mitigation, or remediation.
  • Establish a resilient IT-GRC business process providing a holistic, real-time view into risk and compliance across the agency, including contractors and vendors.
  • Deliver custom dashboards that give branch/division executives the knowledge to act on the risk that matters.
  • Deliver sharable security and risk dashboards highlighting mission priorities and objectives.
  • Implement a robust operational IT risk program, including automating survey workflow throughout the organization, developing key risk indicators for IT, and assessing threats using the COSO and AS/NZS 4360 standard methodologies.
  • Manage all enterprise risk, both IT and non-IT, incorporating methodologies that address current, potential and historical risk trending.
  • Integrate and automate technical controls by leveraging existing IT investments in security and change management systems, including data from systems that are SCAP and OVAL compliant.
  • Migrate over time to standard control frameworks such as ISO 17799/27001, CobiT, NIST and FFIEC.
  • Create enforceable policies and monitor controls across functional and geographical boundaries.

Standards, regulations and frameworks supported: FISMA, FIPS 199, NIST SP 800-30, NIST SP 800-37, NIST SP 800-53A, NIST SP 800-66, DCID 6.3, DOD 8500.2 and DIACAP

Security Operations Center

FISMA and NIST SP 800-30, the Risk Management Guide for Information Technology Systems, discuss risk assessment, risk mitigation, and evaluation and assessment. In the federal government the system authorizing official is responsible for determining whether the remaining risk is at an acceptable level or whether additional security controls should be implemented to further reduce or eliminate the residual risk before authorizing (or accrediting) the IT system for operation. The Security Operations Center gives senior managers and situation managers visibility into FISMA-based risk management gaps across multiple compliance silos, and identifies and presents the cost impacts of avoidance, stop-gap remediation (per control) and complete mitigation (set of controls) for daily risk management prioritization as well as executive staff briefings.

Risk management is the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organizations’ missions.

Main Dashboard

Agiliance Security Operations Center showing entity distribution by stage, entity distribution by asset type and distribution by criticality.

Agiliance IT-GRC delivers:

  • Operational and Key Risk Indicator Dashboards
  • Visibility into automated controls from security automation tools
  • Incident management workflow capability including native ticketing and interface to external ticketing
  • Drill down reports showing controls, vulnerabilities and mitigation efforts
  • Real-time risk-response functions to deliver mitigation options: Accept, Transfer, Mitigate, Remediate

Standards, regulations and frameworks supported

FISMA, FIPS 199, NIST SP 800-30, NIST SP 800-37, NIST SP 800-53A, NIST SP 800-66, DCID 6.3, DOD 8500.2 and DIACAP

Other control libraries supported: OMB 06-16, OMB 07-16, HSPD-12