Volpe Information Technology Group (VITG), Inc., a Baltimore-based information technology (IT) consulting services firm with a core focus on cyber security, has been awarded a two-and-a-half-year prime contract to provide automation services to the General Services Administration (GSA) Federal Risk Authorization Management Program (FedRAMP) program. Under this contract, VITG will assist the FedRAMP program with the implementation of cutting-edge solutions to automate the security authorization process, develop threat-based risk profiles for information systems to support security authorization decisions, and implement automation for the monthly continuous monitoring deliverables.
For this project, VITG will leverage the National Institute of Standards and Technology (NIST) Open Security Controls Assessment Language (OSCAL). NIST, in collaboration with industry, has developed OSCAL as a set of formats expressed in XML, JSON, and YAML. These formats provide machine-readable representations of control catalogs, control baselines, system security plans, assessment plans, and results. These machine-readable representations will provide the foundation upon which future automations will be developed.
In addition, VITG, through the FedRAMP program, will work with the Department of Homeland Security (DHS) .gov Cybersecurity Analysis and Review team (.govCAR) to conduct threat-based scoring of NIST Special Publication 800-53 security controls. This effort will rank each security control for its ability to protect, detect, and respond to a series of threat actions based upon real-world cyber threat intelligence. Ranking security controls based upon threat will enable threat-based risk profiling and will increase the return on cybersecurity investments made by government agencies and cloud service providers (CSPs).
“We are excited to enter the next chapter in the evolution of our company by providing services to the GSA as a prime contractor. We are honored that the FedRAMP program has entrusted us to assist with these important innovations. This work will drive a culture shift from compliance to informed risk management and will reduce cost while improving the security posture of government information systems.”