Jan 6, 2021 - Jan 5, 2026

USDA MRP RMF

Contract Activity: USDA-APHIS-ASD-SCB

Contract Number: 12639521A0013

Total Value: $3.75M ($750K per year)

Risk Management Framework Step 1-3, 4-6 and 6a

For the United States Department of Agriculture (USDA), Marketing and Regulatory Programs (MRP), TDG provides Information Technology Security Assessment and Authorization (SA&A) for Risk Management Framework (RMF) Steps 1-3, Step 4 and Step 6, which includes developing and/or updating specific documentation as part of continuous monitoring. 

The United States Department of Agriculture (USDA) has developed its own Risk Management Process Guide that is intended to provide a comprehensive and uniform approach to the Risk Management Framework (RMF) process. This guide and the Department’s mandate to store all system information in the Cyber Security Assessment and Management (CSAM) tool incorporate information and standards directly from the most recent version of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 and NIST SP 800-53A.

TDG has been providing SA&A support to MRP since 2012 for three consecutive iterations of this Blanket Purchase Agreement. The scope of this work includes the requirements for Step 1-3a (Documenting Controls and Creating Documentation) and 3b (Review and Approve), Step 4 (Assess Security Controls) and Step 6-6b (Documenting Controls and Updating or Creating existing documentation) as described in FISMA, NIST SP 800-37, and the USDA RMF guide.

 The purpose of this requirement is to obtain technical support and to perform all tasks necessary for RMF Steps 1-3b, Step 4 and Step 6 to help MRP meet the following objectives:

  • Protecting information assets and maintaining the availability, integrity, and confidentiality of MRP information technology systems and telecommunications resources vital in meeting USDA’s program delivery requirements;

  • Improvements to MRP cybersecurity posture to solve problems and improve the security infrastructure at USDA and MRP nationally and globally according to laws, policies, and procedures;

  • Security services that protect the confidentiality, integrity, and availability of information and resources, which provide accountability for activities involving MRP’s Information Technology assets;

  • Provide an all-encompassing foundation for the prevention of, or response to, significant loss and damage associated with the loss of critical infrastructures and information as it relates to activities that link planning, implementing, and maintaining information security to the Capital Investment Control Process (CPIC), Systems Development Life Cycle (SDLC), Telecommunications, and the MRP Enterprise Architecture (EA);

  • Perform information resource management activities in an efficient, effective, and economical manner, to include developing and implementing uniform and consistent information resources management policies; overseeing the development and promoting the use of information management principles, standards, and guidelines; evaluating MRP information resources management practices in order to determine their adequacy and efficiency; and determining compliance of such practices with the policies, principles, standards, and guidelines;

  • Establish and maintain a capital planning and investment control process that links mission needs, information, and information technology in an effective and efficient manner;

  • Systematically evaluate and ensure the continuing security, interoperability, and availability of systems and their data to include security accreditation to ensure that a management official authorizes in writing the use of each general support system based on implementation of its security plan before beginning or significantly changing processing in the system; that the use of the system shall be re-authorized at least every 3 years; security accreditation is the official management decision to authorize operation of an information system; security accreditation, which is required under OMB Circular A-130, provides a form of quality control and challenges managers and technical staff at all levels to implement the most effective security controls and techniques, given technical constraints, operational constraints, cost and schedule constraints, and mission requirements;

  • Maintain the most complete, accurate, and trustworthy information possible on the security status of information systems to make credible, risk-based decisions on whether to accredit operation of those systems; this information and supporting evidence for system accreditation is often developed during a detailed security review of the information system, typically referred to as security certification. Security certification is the comprehensive evaluation of the management, operational, and technical security controls in an information system; this evaluation, made in support of the security accreditation process, determines the effectiveness of these security controls in a particular environment of operation and the vulnerabilities in the information system after the implementation of such controls; the results of the security certification are used to reassess the risks and update the security plan for the information system—thus, providing the factual basis for the authorizing official to render the security accreditation decision.


How can we help?

Interested in The Dalton Gang's services? Fill out the form to get in touch with us.
