Department of Commerce

Department of Commerce OCIO

Date Range:

September 2015 to August 2019

Project Brief:

Provided Risk Management Framework (RMF) Security Control Assessment (SCA) Support Services.

Full Contract Details:

SONA provided Security Assessment and Authorization (A&A) support for the DOC OCIO. Our services included subject matter expertise in risk management and compliance, applied to assessing the DOC operational systems scheduled for A&A activities each fiscal year, including annual RMF security control testing.

SONA staff interviewed agency staff, facilities security and management staff, application system support service providers, infrastructure support staff, application system owners and users, business process managers, and security support personnel. We reviewed documents such as security plans, application system input and output documents, Certification & Accreditation (C&A) packages, user guides, operational procedures, historical logs and mission statements. SONA staff took into consideration existing FISMA-related authorities and direction from OMB, existing and draft federal guidelines and standards from NIST, and commercial best practices. SONA developed a thorough familiarity with the customer agency's mission and the role each asset plays in supporting that mission.

SONA staff were responsible for conducting security assessments and testing for 15 systems under the Office of the Secretary, five of which were cloud-based systems. SONA staff provided direction and program support in developing the appropriate methodology for vulnerability management and for assessing these systems under a leveraged authorization framework.

SONA completed A&A efforts for Amazon Web Services (AWS), including the review and assessment of two (2) FedRAMP AWS packages. We also reviewed vulnerability scan results produced by tools such as HP WebInspect, Nessus and AppDetective. SONA support included:

  • NIST 800-53 Control Assessments
  • System Security Authorization Consulting Advice
  • Risk Assessments Development
  • FedRAMP/Cloud Computing Package Review
  • Security Assessment Report Development
  • POA&M Development/Management
  • Vulnerability Scan Review
  • SSP/SSP Addendum Reviews/Updates
  • Security Assessment Package (SAP) Development
  • Authorization Official Briefing Development
  • Authorization Official Meeting Support