Risk Management Framework Step 4-4B Formerly C&A Phase II
The United States Department of Agriculture (USDA), Office of the Chief Information Officer (OCIO), Animal and Plant Health Inspection Services (APHIS) required an Information Technology Security Assessment (formerly Certification & Accreditation) for Risk Management Framework (RMF) Step 4 (formerly Phase 2). The work includes developing specific documentation that meets USDA requirements for verifying security controls and performing the security assessment of approximately 25 APHIS information systems. APHIS also required additional support for independent testing of key controls, as well as contractor support for contingency plan testing and documentation of the results, including development of the after action reports and POA&Ms in CSAM.
TDG was competitively awarded a two-year single-awardee Blanket Purchase Agreement (BPA) to provide Step 4 A&A services for all APHIS systems. USDA is moving to a continuous monitoring strategy that involves assessing all applicable system controls on a triennial basis, with a subset of controls (a set of common controls and one-third of the additional controls) assessed on an annual basis. In the first year of the contract, we have performed A&A of over twenty systems. This involved multiple site visits with various agencies and included both general support systems (GSS) and major applications located on APHIS’ internal data center at the Department’s National Information Technology Center (NITC).
TDG conducted the first continuous monitoring annual assessment in the entire department using the annual set of common controls and one-third of the remaining controls. We worked directly with the compliance division within the OCIO’s office to resolve CSAM issues and successfully used CSAM for that purpose.
Contracting Officer: Mr. Herbert Suber
Program manager: Mr. Rajiv Sharma

