Integrated Compliance Management
Formark is currently extending an innovative collaborative certification and accreditation solution delivered to the US Department of
Energy to incorporate the Harmonized Threat and Risk Assessment (HTRA) methodology used within the Government of Canada.
The enhanced solution, including web-based application registration, risk assessment and C&A process guidance,
will provide automated and integrated compliance management support to facilitate and enforce the discipline
and rigour of the Certification & Accreditation process.
Government departments have developed detailed process documentation that outlines the deliverables and steps of the C&A process. This
process is designed to coordinate with the development life cycle (SDLC) for the IT system being developed or upgraded.
In many cases these processes are manual and document-based which are difficult to follow with the discipline and rigour required due to the complexity of the development projects, the
large number of possible mandatory security requirements, the volume of required evidence and the large number of process participants. As a
result the following issues can arise:
Audit Difficulties - significant difficulty responding to IT security audits in a timely manner; no central repository for certification evidence and process compliance
Projects Can Take Too Long to Manually Comply with Security Policy - the manual certification process sometimes
takes too long, delaying the completion and deployment of IT projects
Duplication of Effort - duplication of effort through the re-creation of certification evidence by each IT project, and
No Central Source for Certification Status - difficult to respond to questions on process status, schedule for re-certification or the meeting of accreditation conditions
No Security Registry of IT Applications - difficult to prioritize department security compliance work including certification, based on relative risk.
Integrated Compliance Management Framework
Formark has developed and delivered an innovative collaborative certification and accreditation solution to the National Nuclear Security Administration (NNSA) of the US Department of Energy. The solution, the Integrated Certification and Accreditation System (iCAS), has dramatically reduced the cost, time and effort for the NNSA to certify and re-certify that their IT systems are compliant to government security requirements. It has also ensured that this compliance can be successfully audited.
This solution is described in the US Government Case Study
For more information download the White paper An Architecture for Collaborative Certification & Accreditation [PDF 433k]
Formark is currently extending the collaborative certification and accreditation solution to incorporate the Harmonized Threat
and Risk Assessment (HTRA) methodology used within the Government of Canada. Integrated Compliance Management, the extended C&A solution,
will provide integrated risk management support and develop a deep and broad security knowledge base.
In addition, greater emphasis is being put on audit capabilities and the re-use and repurposing of certification evidence
and other content to increase consistency and dramatically reduce effort. The latest Microsoft technology,
including SharePoint 2010 and SQL Server 2008, is being used to provide web 2.0 collaboration support
and to provide management with a department-wide view of C&A requirements, activity and risk.
The Integrated Compliance Management Framework includes the:
Application Systems Registry (ASR)
Provides the ability to profile the relative security risk for IT systems deployed within
government departments. The ASR solution captures the risk elements relating to the criticality,
sensitivity and exposure of the IT assets, which are integral to risk assessment. The ASR also
provides for the monitoring, supervision and tracking activities of events for the risk assessment
process. With the ASR solution, departments can focus on the risk exposure of critical assets,
and proactively identify risk exposure shared across assets within Departments. The initial
release of the Formark Application Systems Registry solution is scheduled for the 3rd quarter
Risk Assessment Platform (RAP)
Provides departments the capability to assess their risk and tracking their
compliance to regulatory requirements. RAP is based on the Government of Canada
Harmonized Threat and Risk Assessment Methodology (HTRA). It is architected to
provide the identification and the linkages of the complex relationships between
assets, threats and risks, and to develop risk mitigation strategies. These
relationships provide the basis of the Government of Canada's Threat and Risk
Assessment (TRA) program, a core component of the larger government cyber security
program. RAP Version 1.0 allows the user to visually link their assets to related
risk assessments, to generate a risk exposure profile. With this information, a Statement
of Sensitivity document can be automatically generated.
Certification & Accreditation Module (CAM)
Provides collaborative, roles-based process support to facilitate and enforce the
discipline and rigour of the C&A process to reduce the burden of compliance. The
process support guides analysts, developers and management through the department's
security management process which supports the development life cycle (SDLC) for the
IT system being developed or upgraded. This includes identifying the security
requirements; performing necessary analysis (eg. PIA, BIA, TRA, etc.); collecting,
cataloguing and assessing compliance evidence; and compiling necessary certification
documentation and reports. The extent of analysis identified by CAM is geared to the
level of risk. The ASR is updated with results from this detailed compliance assessment.
The Integrated Compliance Management solution will provide automated and integrated compliance
management support to facilitate and enforce the discipline and rigour of the C&A process to:
Ensure that IT systems are compliant, and can be demonstrated to be compliant, to government security policy, and
Reduce the cost, time and effort to certify and re-certify systems.