COMPLIANCE AND GOVERNANCE

By implementing appropriate security controls and adhering to compliance requirements, organizations can reduce the risk of cyber attacks and ensure that sensitive data is protected. CDT helps organizations build a framework of policies, procedures, and processes that ensures cybersecurity risks are managed effectively.

CDT embraces the NIST Risk Management Framework (RMF) across our business services. We advise organizations on how to migrate an existing system to comply with RMF by performing a configuration gap analysis and reviewing or generating applicable guidance and policy documentation. We also advise on how to implement system and component security controls that harden the system. As part of our controls service, we offer cost-effective mitigations for those requiring corrective action, based on each control’s unique requirements. These services are often contracted in preparation for an Assessment and Authorization (A&A) effort as a prelude to a government Authorization to Operate (ATO) determination.

Assessment and Authorization (A&A), previously termed Certification and Accreditation (C&A), is an adjudication body’s inspection and review of system documentation to confirm compliance with an applicable standard. Successful A&A processes in the government arena generally lead to the adjudication body granting an Authorization to Operate (ATO). CDT security experts help prepare an organization for this comprehensive evaluation, including reviewing documentation, advising on hardening controls for the system, and archiving the artifacts necessary for the assessment. Following the assessment, CDT assists with the remediation of any findings or Plan of Action and Milestones (POA&M) items, enabling the granting of a full ATO.

After A&A/ATO activities conclude, the adjudication body reserves the right to periodically inspect a system for ongoing compliance. These inspections have a scope similar to the A&A effort for ATO and may be scheduled or come with limited to no advance notice. CDT successfully supports many types of government security inspections, the most common being Defense Security Service (DSS) inspections of contractors and Cyber Command Readiness Inspections (CCRI) / Cyber Command Operational Readiness Inspections (CCORI) for Department of Defense Information Network (DoDIN) systems. Because the results of these inspections are highly visible across all of the DoD, getting it right the first time is imperative. CDT has expertise in fully Virtual Local Area Network (VLAN) and Authentication, Authorization and Accounting (AAA) compliant network infrastructures, which are key requirements for the CCRI.

Uniquely, applications and systems operating in a cloud environment require FedRAMP certification. FedRAMP relies upon Third Party Assessment Organizations (3PAO) to conduct an independent review for compliance prior to government certification. CDT applies similar audit and inspection principles to help organizations prepare for a successful 3PAO assessment.

In today’s global supply chain, components sourced outside of the United States for embedding within a mission system pose significant security risks. The federal government considers information related to the sourcing, transport, storage, and usage of such components to be Critical Program Information (CPI). DoDI 5200.39 specifically defines the responsibilities of the procurement, assembly, and integration entities to preserve the viability of individual components. CDT has expertise in applying cyber security and logistical knowledge to develop a CPI protection plan, execute the strategy implementation, and audit ongoing performance to maintain the integrity of our customers’ supply chains.