The CIO and CISO of the Federal Election Commission (FEC) needed to perform a System Inventory, Maturity Assessment, GAP Analysis for the FEC. The key objectives are to create a baseline, Impact Assessment, System Categorization (High, Moderate, and Low) and provide Recommendations for NIST/FISMA implementations to strengthen Cybersecurity Posture and Compliance and ensure Roadmap for Disaster Recovery, Continuity of Operations.
SD Solutions, LLC has won the contract competitively and delivered FEC with the following:
- Set up a way or process to document information about FEC network (must be easy to use).
- Create and document an accurate map of the network. This map should also include wireless devices and connections to any clouds, external networks, and other networks.
- Create an accurate list of all devices (computers, printers, routers, gateways, etc.) on the network. For each device, record hostname, role (its purpose on the network), MAC Address (and IP address if static), service tag, physical location, operating systems or firmware, Ports use, Firewall rules (if any), type of data the devices process and who can access the data.
- Create a list of all protocols running on the network.
- Record physical routes that FEC Virtual Local Area Network (VLAN) traffic traverse.
- Identify and document the current network enclaves: which groups of users on the network have access to what types of information. (HR enclave has access to the personnel files; OGC has access to the legal files, etc.).
- Map and document the FEC’s information systems according to the definitions provided for in NIST 800-60.
- Develop and document a high-level, comprehensive understanding of the FEC’s strategic dependency on each information system and the data it contains.
- Develop and document an analysis of the impact that a loss of the Confidentiality, Integrity or Availability of the information contained in each system would have on the agency according to FIPS 199.
- Formally document the organizational Impact Statement for each information system that describes the business function supported by the system (or group of systems) and the mission impact (High, Moderate and Low) in the event of a loss of Confidentiality, Integrity or Availability of that information.
- Apply the FIPS 199 mandatory security categorization standard to each information system using the Organizational Impact Statement as a guide. This task will establish the initial baseline of security controls for each system.
- Map and document existing security controls as they apply to the identified information systems. NIST 800-60
- Identify and document gaps between NIST 800-53 minimum security controls and existing security measures.
- Provide recommendations on implementing NIST Guidelines to the FEC
- Provide cost analysis of implementing the recommended security controls