Governance, Risk and Compliance (GRC)

Organizations must understand and manage their Information Technology risks, while ensuring compliance with federal and industry regulations, laws, standards and guidelines.  Compass can design and implement a customized GRC Program that utilizes automation, which will allow for scalability and easily provide clear metrics on risk posture.

GRC should be implemented consistently within every level of an Organization to be effective.  Communication is critical to understand an Organization’s business priorities, security requirements, and risk tolerance, enabling Compass to introduce GRC solutions that fit the corporate culture, are routinely utilized on a daily, weekly, and monthly basis, and do not quickly become obsolete shelf-ware.

FISMA Compliance – Assessment and Authorization (A&A): Security Documentation Creation and Security Control Assessments (SCA)

All Federal agencies, and organizations who routinely do business with the federal government via grants or other funding mechanisms, are required to produce an Authority to Operate (ATO) Package for their Information Technology network and/or Systems.  

There are very specific Federal Information Processing Standards (FIPS) and Guidelines produced by the National Institute of Standards and Technology (NIST) that must be utilized to create a compliant ATO Package.  

Compass has a thorough understanding of the required NIST documents and a passion for security that allows us to stay ahead of FISMA compliance requirements as they evolve over time.

  • FIPS 199 and 200

  • NIST SP 800-53 and 800-53A (currently Revision 4 and moving to Revision 5 in 2021-2022)

  • NIST SP 800-171

  • System Security Plan (SSP) Development

  • Independent Security Control Assessments

  • Plan of Action and Milestones (POAM) creation and management

  • Interconnection Service Agreement (ISA) / Memorandum of Understanding (MOU)

  • Privacy Impact Assessment (PIA) / System of Record Notice (SORN) / Privacy Threshold Analysis (PTA)

  • Risk Assessments

GRC Tool Architecture, Implementation and Management

In order to effectively manage the security documentation, it’s critical to utilize a GRC tool that allows for scalability and automated reporting at multiple levels throughout the organization.  Compass has deep experience working with the top GRC Tools in the market and has successfully deployed and manages GRC Tools across large, federated organizations.

FedRAMP Gap Assessments and Readiness Reviews

Organizations that develop a platform, service, or System that is (or may be) utilized by multiple federal organizations should consider obtaining a FedRAMP Authorization. The requirements to become FedRAMP authorized are detailed, and organizations that are new to the process typically need support getting documentation in order prior to the FedRAMP Assessment.

Compass helps organizations become “FedRAMP-ready” by clearly communicating the requirements, reviewing existing documentation, developing a Gap Analysis, and helping organizations fill those gaps by creating documentation, implementing technologies, and/or establishing processes and procedures.

CMMC Readiness

Compass has experience helping organizations become ready to obtain their Cybersecurity Maturity Model Certification (CMMC), which is a new set of cybersecurity standards set by the Department of Defense (DoD). These standards are in place to help prevent, or minimize, cyber attacks that could occur on organizations supporting the DoD.

There are 5 “levels” of certification, each with more stringent security requirements, that are based on the level and type of contracting support provided to the DoD.  It is anticipated that any organization contracting directly with the DoD will be required to have some level of CMMC Certification.  

Compass is intimately familiar with NIST SP 800-171 and the additional security requirements needed to obtain the CMMC.


Benefits and Outcomes of Compass GRC Service Engagements

Security Documentation Creation

Compass has created compliant security documentation for over a hundred different Major Applications (MA) and General Support Systems (GSS), helping our customers receive an ATO by creating documentation such as System Security Plans (SSP) and Plans of Action and Milestones (POAM). We utilize required NIST guidance along with Agency templates (or Compass-provided templates) and GRC tools for compliance.

Independent Security Control Assessments (SCA)

Compass has conducted hundreds of SCAs of organizations’ security documentation to ensure that the security controls listed are in place and operating as intended. This is a required service in support of a System obtaining an ATO and can be done directly in an Agency’s GRC tool or by using Compass-provided templates that are compliant with NIST.

GRC Tool Implementation / Management

Compass has architected and implemented GRC tools for very large, federated federal agencies. Our experience working with these tools at the Enterprise level, combined with lower levels of the organization, allows us to offer customized solutions that meet our customers’ needs.

Gap Assessments and Readiness Reviews

Many organizations are not aware of the complex requirements needed to obtain an ATO, or to become FedRAMP authorized or CMMC certified. Compass has seasoned experts and fully understands these requirements, helping our customers clearly understand the process and level of effort required.


Real World Examples

  • NIH A&A Program Management


    Compass manages the NIH Enterprise GRC Tool and supports all 27 NIH Institutes and Centers (ICs) with building compliant security documentation and managing POAMs. We conduct Security Control Assessments and manage the Enterprise guidance for A&A activities, including the Continuous Monitoring Plan, for dozens of NIH Major Applications and General Support Systems.

  • Consumer Product Safety Commission (CPSC) Security Control Assessments


    Compass provides Annual Security Control Assessments for all of CPSC’s Major Applications and General Support Systems, utilizing NIST 800-53A, Revision 4. SCA results are compiled directly into their GRC Tool, including a Security Assessment Report (SAR), Executive Summaries and POAMs.

Please contact us to discuss any of your organization’s FISMA Compliance, GRC and/or A&A needs.