Firms undergo NSA infosec rating

The National Security Agency last week announced the first companies to undergo an appraisal of their information security practices in a program aimed at helping government and commercial organizations improve their systems security.

Under the Infosec Assessment Training and Rating Program, organizations that need to assess their vulnerabilities can call on companies that are qualified to perform such assessments within NSA-defined guidelines and standards, according to NSA.

This marks the first time civilian agencies have been able to turn to security assessment companies that have undergone this type of government evaluation, and it enables customers to judge whether a provider is capable of meeting their requirements.

Many agencies are using the General Services Administration's Safeguard contract, which offers more than 25 vendors who perform such cybersecurity assessments, but GSA does not provide any standard evaluation of the vendors' capabilities.

NSA established the program because it does not have the resources to perform all the Infosec assessments requested of it. The training part of the program teaches NSA's standardized Infosec Assessment Methodology, a systematic way of examining cyber vulnerabilities. Providers then undergo an Infosec Assessment Capability Maturity Model appraisal and receive a rating.

Seven companies agreed to have their Infosec vulnerability assessment capability appraised: Backbone Security.com Inc., Booz Allen Hamilton, Computer Sciences Corp., EDS, Lucent Technologies, SRA International Inc. and TrustWave Corp. (formerly NetSafe).

All the companies use either the NSA-developed Infosec Assessment Methodology or a similar assessment methodology, and their ratings can be found at www.iatrp.com.

Paul Holmes, director of assessment operations at EDS, said the company had participated in the program since it was piloted in 1998. In September 2001, NSA completed its review of EDS' security assessment processes and the company already has performed those services for government and commercial clients, he said.

Holmes said the cost and time needed to perform an assessment varied by client, and he would not go into further detail. He did say that inclusion in the NSA program has been a "valuable credential to have," and he considers the effort "an ongoing, continuously improving process."

The program's long-term goal is to assist in the protection of sensitive data by increasing the information assurance levels of national and defense information systems, according to NSA. The program also enables compliance with the Presidential Decision Directive 63 requirements for vulnerability assessments.

PDD-63 requires agencies to protect the information systems that support the nation's critical infrastructure, including transportation and banking. It also directed industry to form information sharing and analysis centers to collaborate on security incidents and to work with government.
