CNSSI 1253 and FISMA Focused Audit and Assessments; we are ready when you are!

Just the facts ...

Lazarus Alliance provides a solid road-map to your CNSSI 1253 assessment requirements with our leading technology powered by Continuum GRC's ITAM SaaS platform coupled with our Proactive Cyber Security™ service methodology.

A System is holistically comprised of the Technology, People, Processes, and Data used to complete the services provided. The CNSSI 1253 authorization is designed to provide comfort over the following principles described in brief:

• Access Control: This control environment measures the security features of the system boundary that control access rights and resources. Areas to be examined include, but are not limited to: account management, access enforcement, unsuccessful login attempts, system use notification, permitted actions, permitted actions without identification/authorization, remote access, wireless access, access control for mobile devices, use of external information systems, and publicly accessible content.
• Awareness and Training: This control environment measures the security awareness training that the organization has in place, with respect to the system boundary. Areas to be examined include, but are not limited to: security awareness, security training, and security training records.
• Audit and Accountability: This control environment measures the resources in place to measure and hold accountable audit practices over the system boundary. Areas to be examined include, but are not limited to: audit events, content of audit records, audit storage and capacity, response to audit processing failures, audit review process, time stamps, and protection of audit information, audit record retention, and audit generation.
• Assessment Authorization and Monitoring: This control environment examines how organizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations, continuous monitoring, FISMA annual assessments, system design and development, systems security engineering, privacy engineering, and the system development life cycle.
• Configuration Management: This control environment examines the configurations around the system boundary. Areas to be examined include, but are not limited to: baseline configurations, security impact analysis, configuration settings, least functionality, information system component inventory, software usage restrictions, and user-installed software.
• Contingency Planning: This control environment examines the organization's processes around contingencies. Areas to be examined include, but are not limited to: the contingency plan, contingency training, plan testing, information system backup, and information system recovery and reconstitution.
• Identification and Authentication: This control area examines the procedures and tools in place to identify and authenticate users who are granted access to the system boundary. Areas to be examined include, but are not limited to: identification and authentication, identifier management, authenticator management, authenticator feedback, and cryptographic module authentication.
• Incident Response: This control area examines the process and practices in place for handling and responding to incidents within the system boundary. Areas to be examined include, but are not limited to: incident response training, handling, monitoring, reporting, response assistance, and the incident response plan.
• Maintenance: This control area examines the processes and procedures in place, which support controlled maintenance within the system boundary. Areas to be examined include, but are not limited to: controlled maintenance, nonlocal maintenance, and maintenance personnel.
• Media Protection: This control area examines the processes and procedures in place, which support proper protections around system media assets. Areas to be examined include, but are not limited to: media access, sanitization, and disposal.
• Physical and Environmental: This control area examines the process and procedures in place, which support proper physical and environmental protections to the system boundary. Areas to be examined include but are not limited to physical access control and authorizations, monitoring physical access, visitor access records, emergency lighting, fire protection, temperature and humidity controls, water damage protection, and delivery and removal.
• Planning: This control area examines the processes in place around proper planning for the system boundary. Areas to be examined include but are not limited to: The System Security Plan and rules of behavior.
• Program Management: This control environment measures the organization’s status in the development and implementation of an organization-wide information security program to address information security for the information and information systems that support the operations and assets of the organization, including those provided or managed by another organization, contractor, or other source.
• Personnel Security: This control environment measures the practices and processes in place that examine, screen, and review personnel assigned to the system boundary. Areas to be examined include but are not limited to: position risk designation; personnel screening, termination, and transfer; access agreements, third-party personnel, and personnel sanctions.
• Personally Identifiable Information Processing and Transparency: This control environment measures the Personally Identifiable Information; Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.
• Risk Assessment: This control area examines the process and procedures in place, which measure risk and vulnerabilities to the system boundary. Areas to be examined include, but are not limited to: security categorization, risk assessment, and vulnerability scanning.
• System Services and Acquisition: This control environment measures the practices and processes in place for the development of the system boundary. Areas to be examined include, but are not limited to: the allocation of resources, the system development life cycle, the acquisition process, information system documentation, and external information system services.
• System and Communication Protection: This control area examines the process and procedures in place, which measure the protection in place for the system boundary. Areas to be examined include but are not limited to denial of service protection, boundary protection, cryptographic key establishment, protection and management, collaborative computing devices, secure name/address resolution devices, provisioning architecture, and process isolation.
• System and Information Integrity: This control environment measures the practices and processes in place for the assurance of system boundary integrity. Areas to be examined include, but are not limited to: flaw remediation, malicious code protection, information system monitoring, and information handling and retention.
• Supply Chain Risk Management: This control environment measures the practices and processes in place for identifying, assessing, and mitigating ICT supply chain risks at all levels of their organizations.

Lazarus Alliance CNSSI 1253 client services will schedule our team to prioritize this engagement based on the needs of our clients and ensure timely delivery of the required compliance package, subject to client resources being available.