Aspiryon Earns Spot on DISA ENCORE III

Aspiryon was awarded a position on the DISA ENCORE III Contract.

Encore III supports DoD’s Joint Information Environment initiative which seeks to achieve a globally-interconnected, end-to-end set of information capabilities, associated processes and personnel to manage and provide information on-demand to warfighters, policy makers and supporting personnel. The overall aim is to move towards an integrated and interoperable DoD Information Network provided by services and systems to establish a technological edge on land, sea, air and cyberspace through the use of information superiority.

For more information view our Contract Vehicles

Tips: Meeting DSRIP Requirements (System Security Plans – Documenting Controls)

As part of DOH’s Data Exchange Application and Agreement (DEAA) data sharing agreements, business partners who desire access to DOH-provided Medicaid data are required to complete System Security Plans (SSPs) that document which controls have been implemented, and how, for all systems that are used to house and process the DOH-provided Medicaid data.

The NYS DOH SSP requirement is based on the set of NIST 800-53 recommended security controls for government information systems at the moderate level with enhancements that are necessary to comply with NYS Policies and Standards (aka Moderate Plus).

One of the most important, and most difficult to grasp, aspects of completing an SSP is how to properly write up a security control.

There are four basic questions to address for each element of each security control requirement:

  1. What is the solution? The solution can be a device, document, process, or plan. It must be clearly stated as the object that governs the implementation of the security control at hand.
  2. Who is responsible? Although the Security Officer may be responsible for the oversight of system security measures, a system-specific role will need to be identified as the manager, operator, or implementer of control-relevant security measures.
  3. When is the solution implemented/reassessed? Control solutions may be initiated once and continually monitored or they may require continual implementation (as is the case with revisions or updates) or a combination of the two. The timing of the solution implementation should be addressed for each requirement.
  4. How does the solution satisfy the control or requirement? The solution being discussed must be directly correlated to the presented requirements. It must be clear how the system uses the discussed solution to satisfy the security requirements. Although the same solution may satisfy multiple requirements, it will be required to state how the solution provides the capabilities to satisfy each requirement.

A few other tips when determining control requirements:

“The organization”: indicates a policy, process, or procedure.
“The information system”: indicates a technical implementation.
“The organization ensures/enforces/etc.”: indicates both a policy/process/procedure and a technical implementation.
Access (remote, local, network):
  Remote: off-site.
  Local: physically present, keyboard/terminal attached.
  Network: on-site and over a network (e.g. SSH).
External vs. internal systems/connections/etc.: external systems are not under the jurisdiction of the organization. Other systems may be external but are governed by an MOU/MOA/ISA.

Aspiryon provides DSRIP assessments and consulting for PPS entities and partner service provider organizations.

Tips: Meeting DSRIP requirements (Boundary Definition)

The DSRIP requirements are based upon the NIST Risk Management Framework (RMF). There are many NIST special publications (SP) that are referenced within RMF.

The first NIST SP to address is NIST 800-18. This SP illustrates how to break down an enterprise into logical boundaries.

Why is this the first SP to be addressed?

When you break down your enterprise into logical boundaries, each boundary provides a scope for what security controls are applied and how. The key point is that different boundaries require different control implementations.

Here’s an example: One system boundary is called the WAN infrastructure General Support System (GSS) and encompasses routers, switches, firewalls and network intrusion devices. Another system boundary is called the XYZ Major Application (MA). In the WAN GSS, the devices in the boundary use Cisco ISE for Authentication, Authorization and Accounting. The Cisco ISE maintains a database of user IDs, passwords and role-based access controls for the device administrators who can make changes to devices within the boundary.

The XYZ Major Application (MA) is a web-based application. The XYZ MA encompasses three web servers, three application servers, two database servers and a load balancer. These systems use a multi-factor authentication product and Active Directory for authentication and role-based access controls.

As you can see, the implementation of access control is very different in the two boundaries. Segmenting the enterprise into logical boundaries narrows the scope for how controls are applied. The narrowed scope (boundary definition) helps PPSs save time by focusing on the boundary where DSRIP data is processed, transmitted and stored. The boundary definition also saves PPSs money by applying controls only where they are needed.

Aspiryon provides DSRIP assessments and consulting for PPSs.

Delivery System Reform Incentive Payment (DSRIP) Program

DSRIP is the main mechanism by which New York State will implement the Medicaid Redesign Team (MRT) Waiver Amendment. DSRIP’s purpose is to fundamentally restructure the health care delivery system by reinvesting in the Medicaid program, with the primary goal of reducing avoidable hospital use by 25% over 5 years. Up to $6.42 billion is allocated to this program, with payouts based upon achieving predefined results in system transformation, clinical management and population health.

NYS DOH has in-depth Information Security and Data Privacy requirements for participation in DSRIP. Aspiryon has conducted security assessments for organizations that are seeking to participate in the DSRIP Program.

For more information about the DSRIP Program and its information security requirements, contact us today and view the link below.

https://www.health.ny.gov/health_care/medicaid/redesign/dsrip/archives/data_security.htm

DFARS, FAR, Controlled Unclassified Information CUI and NIST 800-171 Demystified

DOD DFARS and NIST 800-171 Public Meeting – Jun 23 2017 Final

The attached slide presentation (link above) was provided at a DoD Industry Day that discussed in detail the DFARS, FAR and contract requirements for protecting Controlled Unclassified Information (CUI).

This presentation can assist you in determining whether the requirements apply to your systems and whether you need to implement the NIST 800-171 information security controls.

The DFARS requirements become effective as of December 2017 for all prime and subcontractors.

If you or your subcontractors are required to implement the NIST 800-171 information security controls, Aspiryon can help make it happen with:

Advisory Services

Compliance reviews, audits, assessments, gap analysis, validation and verification for your systems or your subcontractors’ systems

Consulting Services

Information Security Management System Development, Policy and Procedure Reviews and Updates, Control Implementation and Continuous Monitoring

Operations Services

Vulnerability Management, Security Monitoring, Change Management and Incident Response

Aspiryon Earns Spot on the ARMY CECOM RS3 Contract

RS3 is a Multiple Award Indefinite Delivery, Indefinite Quantity (IDIQ) Performance Based Services Contract that may provide customized best value solutions to a diverse group of organizations that span the spectrum of Command, Control, Communications, Computers, Intelligence, Surveillance, and Reconnaissance (C4ISR) mission requirements throughout the world. RS3 has a $37.4B ceiling with a five-year base ordering period and a five-year optional ordering period, for a total ordering period of up to ten years. RS3 primary service areas include Engineering; Research, Development, Test and Evaluation (RDT&E); Logistics; Acquisition and Strategic Planning; and Education and Training Services.

For more information view our Contract Vehicles

Aspiryon Earns Spot on DLA JETS J-6

The DLA JETS J-6 Contract provides support for technology service requirements across the DLA Information Operations Enterprise, the DLA Program Executive Offices (PEO), and all other technology service requirements supported through DLA Contracting Services Office (DCSO) acquisitions.

Sponsoring Agency: DCSO J6 Enterprise Technology Services

Period of Performance: December 22, 2016 – December 21, 2024

NIST SP 800-171 Protecting Controlled Unclassified Information (CUI) in Non-Federal Information Systems and Organizations

NIST has drafted Special Publication 800-171, titled Protecting Controlled Unclassified Information (CUI) in Non-Federal Information Systems and Organizations.

The intent of this special publication is to provide a minimal set of security controls for non-federal information systems and organizations, AKA “Federal Contractors and the back-end information systems they use to deliver services to the Federal Government”.

SP 800-171 has the familiar look and feel of SP 800-53; the main difference is that it has fewer control families and fewer controls overall.

It is expected that Federal Agencies will begin integrating 800-171 compliance at the individual contract level until a FAR (Federal Acquisition Regulation) clause is completed.

Aspiryon provides NIST 800-171 Compliance and Audit Services for Federal Contractor Systems and Organizations.

Aspiryon Earns Spot on DOD DTIC CSTATS Contract

Aspiryon has been awarded a position on the DOD DTIC CSTATS Contract.

The DOD DTIC CSTATS Contract includes:

Cyber Security (CS) – Full spectrum cyber operations including 1) developing CS planning frameworks and development of requirements and mission needs documents and conducting trade-off analyses; 2) cyber threat avoidance; 3) defensive cyber operations (DCO) including red teaming and performing threat assessments; and 4) cyber offensive and exploitative operations. All of the above may include: cyber technology research, analysis and prototyping, cyber situational and mission awareness, cyber modeling, simulation and war gaming, integrating innovative cyber technologies to enable cyber superiority and the facilitation of technology transition.

Software Data & Analysis – 1) Installation, demonstration, test, validation and evaluation of new and existing software, tools, methods and software measurement technologies; 2) evaluations of the quality of existing software systems and recommending improvements; 3) needs and risk analyses of software packages (developmental, non-developmental and commercial off the shelf (COTS)) relative to mission requirements; 4) development, updating, and evaluation of software engineering standards, specifications, handbooks, or manuals; 5) supporting the revision and development of military standards and specifications; 6) verification and validation of solution sets and protocols; 7) assisting user organizations with all aspects of software development or software acquisition; 8) development of life cycle cost models; and 9) customization of software analytical tools, models, decision aids, screening methods and techniques used to evaluate and support the authenticity and continuity of DoD, national, commercial, and international information systems.

Knowledge Management and Information Sharing – 1) Expertise in working with comprehensive collections of empirical data on the development, operation, and maintenance of software systems; 2) analysis of this data (data may be from new or existing sources) – this includes data analytics (data to decisions); 3) supporting the development, delivery and/or evaluation of training (including classroom, computer-based-instruction, videotape, distance learning, and other forms of instruction); 4) expertise in advanced collaborative analysis tools that allow for the integration of existing and in-process social networking and intelligence data exploitation tools; and 5) supporting the evaluation, development and implementation of a wide variety of intelligence and collaboration systems including Global Net Centric Systems — this subject area could involve computer system engineering and integration, software engineering and software technology, R&D transition, and computer network and communication engineering, development and deployment (including engineering, development and deployment involving both network devices/hardware and applications).

Modeling and Simulation (M&S) – 1) M&S subject matter expertise for supporting program reviews, strategic planning, exercise management, knowledge acquisition, and operations coordination and monitoring; 2) providing support for DoD certification of compliance with High Level Architecture (HLA) for federates; 3) evaluating and improving models and databases that support IA; 4) the development and implementation of modeling and analysis tools for collaborative databases and data stores; 5) applying M&S for evaluating the effectiveness of forces, systems, doctrines, tactics and plans in support of training, analysis and acquisition activities; 6) evaluating M&S interoperability, reuse, capabilities and cost-effectiveness, particularly as fostered by the common technical framework; and 7) supporting cross-domain coordination, configuration management, and military exercises and demonstrations.

Full and Open Contract and Small Business Contract

Aspiryon Team Awarded Spot on Navy SeaPort-E Contract

Aspiryon has teamed with Romanyk Consulting Corporation and been awarded a contract on the Navy SeaPort-e Contract.

More info: The SeaPort Enhanced (SeaPort-e) Multiple Award Contract aids the Navy in acquiring support services in 22 functional areas including Engineering, Financial Management, and Program Management. The Navy Systems Commands (NAVSEA, NAVAIR, SPAWAR, NAVFAC, and NAVSUP), the Office of Naval Research, Military Sealift Command, and the United States Marine Corps compete their service requirements amongst 2400+ SeaPort-e IDIQ multiple award contract holders. All task orders are competitively solicited, awarded and managed using the SeaPort-e platform. Since nearly 85% of its contract holders are small businesses, the SeaPort-e approach to acquiring services provides opportunity that fuels the Nation’s engine of job growth.

Contract Number: N00178-12-D-7031