H2L Solutions offers subject matter expertise in all areas of Risk Management Framework (RMF) compliance. RMF is a seven-step process that incorporates standards used by federal agencies and the DoD community to make informed, risk-based decisions regarding security policies and controls. Step 6 of RMF requires an independent third-party assessor to formally inspect the information system. H2L Solutions can help your organization prepare for this event, ensuring a smooth inspection and compliance with the latest DoD standards.
Scanning & Data Collection
Our on-site pre-inspections include testing security controls based on the system’s Confidentiality, Availability, and Integrity (CIA) and applicable overlays. Scans are conducted in accordance with NIST and DISA guidelines. We complete STIG checklists (automated and manual) for all technologies within the system boundary, adding comments within the checklists detailing any findings and our recommendations to mitigate or remediate them. Our scans are thorough, providing the most holistic view of system compliance possible.
- Security Content Automation Protocol (SCAP)
- Assured Compliance Assessment Solution (ACAS)/Nessus
- Security Technical Implementation Guides (STIGs)
- Manual Checklists
- Personnel Interviews
- Physical Security Walk-Throughs
H2L Solutions has subject matter experts (SMEs) in Enterprise Mission Assurance Support Service (eMASS), the collaborative solution used to automate and manage process control mechanisms and report generation. Our SMEs will evaluate all RMF controls in eMASS and determine if the implementation or inheritance of a control meets the intent of the control and provides adequate supporting information. We ensure that document formatting is consistent and controls are answered in a standardized matter. We also verify that the customer’s answers speak to the actual Control Correlation Identifiers (CCIs) and provide evidence, rather than simply regurgitate the control language.
- Deep-dive Documentation Review
- Review Self-Assessment of Controls in eMASS
- Quality Control/Quality Assurance
H2L Solutions provides a range of reporting services and deliverables. Our SMEs will generate reports in eMASS, as well as develop summaries and presentations in response to customer requests and specifications. We report compliance versus non-compliance for each CCI. Presentations can be given in person or remotely. All presentations and reports are tailored to the audience, whether they are senior executives with limited understanding of cybersecurity or IT specialists responsible for controls implementation. Recommendations are given regarding how to become compliant in the eyes of the third-party assessor.
- Risk Assessment Workbook (RAW)
- Findings Summary