Risk Management Framework Step 4-6 Formerly C&A Phase II
For the United States Department of Agriculture (USDA), Animal and Plant Health Inspection Services (APHIS) TDG provides Information Technology Security Assessment and Authorization (SA&A) for Risk Management Framework (RMF) Step 4 and Step 6, which includes the security assessment and continuous monitoring of APHIS information systems. APHIS also required additional support for independent testing of key controls and other contractor support to include contingency plan testing and the documentation of the results, after action reports, and POA&Ms in CSAM.
TDG was competitively awarded a five-year Blanket Purchase Agreement (BPA) to provide Step 4 and 6 A&A services for all APHIS systems. USDA has moved to a continuous monitoring strategy that involves assessing all applicable system controls on a triennial basis with a subset of controls (a set of common controls and a set one-third of additional controls) on an annual basis. This work involves multiple site visits with various agencies and includes both general support systems (GSS) and major applications located on APHIS’ internal data center, the USDA Digital Infrastructure Services Center (DISC), and cloud vendors. TDG conducted the first continuous monitoring annual assessment in the entire department using the annual set of common controls and one-third of the remaining controls. We work directly with the compliance division within the OCIO’s office to resolve CSAM issues and successfully use CSAM for that purpose.
USDA has developed its own Risk Management Process Guide that provides a comprehensive and uniform approach to the Risk Management Framework (RMF) process and APHIS has adopted and implemented the USDA Risk Management Process Guide. The USDA RMF guide provides the accepted methodology for conducting a FISMA/NIST/USDA compliant A&A of APHIS IT systems and performing the corresponding CSAM data entry of all results and required documentation. TDG provides RMF Step 4 (Formerly Phase 2) and the assessment part of Step 6 as described in the USDA RMF guide, which includes developing specific documentation that meets USDA requirements for verifying security controls and security assessment of the APHIS systems. This includes all of the RMF Step 4 and Step 6 activities outlined in the USDA RMF guide.
Contracting Officer: Ms. Linda Washington
Program manager: Mr. Rajiv Sharma
