department-of-labor

Client: United States Department of Labor

 

Strong Crypto Innovations (SCI) was the key teaming partner selected to conduct an Independent Security Assessment of the U.S. Department of Labor (DOL) Web Production Environment System (WPES) on a Firm Fixed Price Contract. The WPES Security Controls Assessment addressed those National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Rev 3 controls identified in the on-line Cyber Security Assessment and Management (CSAM) system by DOL OPA for the WPES General Support System (GSS) and twenty-five (25) of its minor applications.

CLIENT'S CHALLENGES

Fundamental challenges included:

  • The CSAM application (in which assessment findings were required to be input / validated) is resident on a Department of Justice system, outside the control of DOL.
  • Security testing (i.e., vulnerability scanning / penetration testing) of the minor applications was required to be conducted in the WPES development environment rather than in the WPES production environment.

SCI SERVICES AND DELIVERABLES

  • Security Controls Assessment Plan and Rules of Engagement
  • Security Testing (i.e., vulnerability scanning / penetration testing) of twenty-five (25) minor applications
  • Security Testing Results Report and security testing tools report format output for high severity issues as applicable
  • CSAM entry to satisfy Validator Role and CSAM Validation Test Report
  • Risk Assessment Report (RAR)
  • Security Controls Assessment Report (SCAR)
  • Recommendation for ATO Approval Memo
  • Presentation of Security Controls Assessment Findings and Recommendations to Key DOL WPES stakeholders

RESULTS

The SCI team worked on non-business days and after hours in order to meet the project timeframes agreed upon with the key DOL stakeholders. This resulted in completion of the project on-time and according to schedule. In addition, the team provided findings of critical importance to DOL.

  • Vulnerability findings and remediation advice
  • Backup and contingency planning recommendations
  • Component inventory and configuration management recommendations
  • Operational process improvement recommendations