Challenges & Needs

• No Consensus on Where to Start: Since eMASS was new to the client, they were unclear as to where to even begin such a project.
• Inadequate Security Policies and Procedures: The client had very little documentation in place when it came to information security policies and procedures. Additionally, what policies and procedures they did have, were not specific to the system in scope.
• Missing Security & Compliance Tools and Solutions: eMASS compliance required implementation of various tools, such as two-factor authentication, File Integrity Monitoring (FIM), data marking/tagging solutions, and more – all of which the client did not have in place.
• No Project Management Experience for Regulatory Compliance: None of the internal I.T. and operational staff had any experience in managing a federal compliance engagement like eMASS.

Our Solution

• Successfully defined project scope, including roles and responsibilities for all internal personnel at the client.
• Identified gaps and deficiencies within the client’s control environment, offering expert recommendations on remediation and next-steps.
• Initiated contact with external vendors for determining third-party compliance requirements.
• Began authoring an all-new set of NIST SP 800 specific information security policies and procedures documents

Challenges Solved

• Implementation of a true compliance framework in accordance with eMASS.
• Developed all required information security policies and procedures.
• Developed all required plans and programs for eMASS, specifically, an incident response plan, contingency planning program, tabletop exercises, and more.
• Successfully remediated all technical and security controls that previously had notable gaps.
• Client granted Authorization to Operate (ATO) designation.

Value Created

• Put in place a corporate culture that now understands, respects, and truly values the concept of information security.
• Successfully met the rigorous DoD compliance requirements of eMASS.