Aspiryon is proud to be a part of the ARMY ITES-3S (CHESS) Contract

The ITES-3S contracts are the Army’s preferred source for purchasing a full range of IT services and solutions within CONUS and OCONUS. The IT services solutions include, but are not limited to, the following task areas:

Task Areas: Business Process Re-engineering (BPR), Information Systems Security, Information Assurance, Information Technology Services, Computer-Aided Design/Engineering/Manufacturing (CAD/CAE/CAM), Software/Middleware Development, Enterprise Design, Integration and Consolidation, Education/Training, Program/Project Management, Systems Operation and Maintenance, and Network Support.

Contact our Business Development Team for more information on how to use the ARMY ITES-3S (CHESS) contract.

Another opportunity to serve DHS S&T SETA

Aspiryon is a part of a team that was awarded a position on the DHS S&T SETA Contract.

The Department of Homeland Security has awarded a potential $236 million contract covering research and development and related professional services. DHS’ Science and Technology (S&T) Directorate awarded the potential five-year indefinite-delivery/indefinite-quantity contract. Contractors will perform test and evaluation, systems engineering, and technical assistance to support the Department’s planning, acquisition, programming, and implementation activities.

For more information view our Contract Vehicles

Aspiryon Earns Spot on DISA ENCORE III

Aspiryon was awarded a position on the DISA ENCORE III contract.

ENCORE III supports DoD’s Joint Information Environment initiative, which seeks to achieve a globally interconnected, end-to-end set of information capabilities, associated processes, and personnel to manage and provide information on demand to warfighters, policy makers, and supporting personnel. The overall aim is to move toward an integrated and interoperable DoD Information Network, provided by services and systems, that establishes a technological edge on land, sea, air, and cyberspace through information superiority.

For more information view our Contract Vehicles

Tips: Meeting DSRIP Requirements (System Security Plans – Documenting Controls)

As part of DOH’s Data Exchange Application and Agreement (DEAA) data sharing agreements, business partners who want access to DOH-provided Medicaid data are required to complete System Security Plans (SSPs). An SSP documents which controls have been implemented, and how, for every system used to house or process the DOH-provided Medicaid data.

The NYS DOH SSP requirement is based on the NIST SP 800-53 recommended security controls for government information systems at the moderate baseline, with the enhancements necessary to comply with NYS policies and standards (aka “Moderate Plus”).

One of the most important and hardest-to-grasp aspects of completing an SSP is how to properly write up a security control implementation.

There are four basic questions to answer for each element of each security control requirement:

  1. What is the solution? The solution can be a device, document, process, or plan. It must be clearly named as the object that governs the implementation of the security control at hand.
  2. Who is responsible? Although the Security Officer may be responsible for oversight of system security measures, a system-specific role must be identified as the manager, operator, or implementer of the control-relevant security measures.
  3. When is the solution implemented and reassessed? Control solutions may be implemented once and then continually monitored, they may require continual implementation (as with revisions or updates), or a combination of the two. The timing of implementation and reassessment should be addressed for each requirement.
  4. How does the solution satisfy the control or requirement? The solution must be tied directly to the stated requirement. It must be clear how the system uses the solution to satisfy the security requirement. The same solution may satisfy multiple requirements, but the SSP must state, for each requirement, how the solution provides the capability that satisfies it.

A few other tips for reading the control language and determining what a requirement calls for:

  - “The organization …” indicates a policy, process, or procedure.
  - “The information system …” indicates a technical implementation.
  - “The organization ensures/enforces/etc. …” indicates both a policy/process/procedure and a technical implementation that enforces it.
  - Access types. Remote: off-site access. Local: physically present, using an attached keyboard or terminal (console). Network: on-site access over a network (e.g., SSH).
  - External vs. internal systems/connections. External systems are not under the jurisdiction of the organization. Some external systems may be connected to yours, but those connections must be governed by an MOU/MOA/ISA.


Aspiryon provides DSRIP assessments and consulting for PPS entities and partner service provider organizations.

Tips: Meeting DSRIP requirements (Boundary Definition)

The DSRIP requirements are based on the NIST Risk Management Framework (RMF). Many NIST Special Publications (SPs) are referenced within the RMF.

The first NIST SP to address is NIST SP 800-18. This SP explains how to break down an enterprise into logical system boundaries.

Why is this the first SP to be addressed?

When you break your enterprise down into logical boundaries, each boundary defines the scope for which security controls apply and how they are implemented. The key point is that different boundaries require different control implementations.

Here’s an example. One system boundary, the WAN Infrastructure General Support System (GSS), encompasses routers, switches, firewalls, and network intrusion detection devices. Another system boundary is the XYZ Major Application (MA). In the WAN GSS, the devices within the boundary use Cisco ISE for Authentication, Authorization, and Accounting (AAA). Cisco ISE maintains a database of user IDs, passwords, and role-based access controls for the device administrators who can make changes to devices within the boundary.

The XYZ Major Application (MA) is a web-based application. The XYZ MA encompasses three web servers, three application servers, two database servers, and a load balancer. These systems use a multi-factor authentication product and Active Directory for authentication and role-based access control.

As you can see, the access control implementation for the two boundaries is very different. Segmenting the enterprise into logical boundaries narrows the scope for how controls are applied. The narrowed scope (the boundary definition) saves PPSs time by focusing the effort on the boundary where DSRIP data is processed, transmitted, and stored. It also saves PPSs money by applying controls only where they are needed.

Aspiryon provides DSRIP assessments and consulting for PPSs.

Delivery System Reform Incentive Payment (DSRIP) Program

DSRIP is the main mechanism by which New York State will implement the Medicaid Redesign Team (MRT) Waiver Amendment. DSRIP’s purpose is to fundamentally restructure the health care delivery system by reinvesting in the Medicaid program, with the primary goal of reducing avoidable hospital use by 25% over 5 years. Up to $6.42 billion is allocated to this program, with payouts based on achieving predefined results in system transformation, clinical management, and population health.

NYS DOH has in-depth information security and data privacy requirements for participation in DSRIP. Aspiryon has conducted security assessments for organizations seeking to participate in the DSRIP Program.

For more information about the DSRIP Program and its information security requirements, contact us today or see the link below.

https://www.health.ny.gov/health_care/medicaid/redesign/dsrip/archives/data_security.htm


DFARS, FAR, Controlled Unclassified Information CUI and NIST 800-171 Demystified

DOD DFARS and NIST 800-171 Public Meeting – Jun 23 2017 Final

The slide presentation linked above was provided at a DoD Industry Day that discussed in detail the DFARS, FAR, and contract requirements for protecting Controlled Unclassified Information (CUI).

This presentation can help you determine whether the requirements apply to your systems and whether you need to implement the NIST SP 800-171 information security requirements.

The DFARS requirements (DFARS clause 252.204-7012) required all prime contractors and their subcontractors that handle covered defense information to implement NIST SP 800-171 by December 31, 2017.

If you or your subcontractors are required to implement the NIST SP 800-171 information security requirements, Aspiryon can help make it happen with:

Advisory Services

Compliance reviews, audits, assessments, gap analysis, and validation and verification for your systems or your subcontractors’ systems

Consulting Services

Information Security Management System Development, Policy and Procedure Reviews and Updates, Control Implementation and Continuous Monitoring

Operations Services

Vulnerability Management, Security Monitoring, Change Management and Incident Response


Aspiryon Earns Spot on the ARMY CECOM RS3 Contract

RS3 is a Multiple Award Indefinite Delivery, Indefinite Quantity (IDIQ) performance-based services contract that provides customized best-value solutions to a diverse group of organizations spanning the spectrum of Command, Control, Communications, Computers, Intelligence, Surveillance, and Reconnaissance (C4ISR) mission requirements throughout the world. RS3 has a $37.4B ceiling with a five-year base ordering period and a five-year optional ordering period, for a total ordering period of up to ten years. RS3 primary service areas include Engineering; Research, Development, Test and Evaluation (RDT&E); Logistics; Acquisition and Strategic Planning; and Education and Training Services.

For more information view our Contract Vehicles

Aspiryon Earns Spot on DLA JETS J-6

The DLA JETS J-6 contract provides support for technology service requirements across the DLA Information Operations Enterprise, the DLA Program Executive Offices (PEOs), and all other technology service requirements supported through DLA Contracting Services Office (DCSO) acquisitions.

Sponsoring Agency: DCSO J6 Enterprise Technology Services

Period of Performance: December 22, 2016 – December 21, 2024

NIST SP 800-171 Protecting Controlled Unclassified Information (CUI) in Non-Federal Information Systems and Organizations

NIST has published Special Publication 800-171, titled Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations.

The intent of this special publication is to provide a minimal set of security requirements for nonfederal information systems and organizations, i.e., federal contractors and the back-end information systems they use to deliver services to the Federal Government.

SP 800-171 has a familiar look and feel for anyone used to SP 800-53: its requirements are derived from the SP 800-53 moderate baseline, but there are fewer families (14) and fewer requirements overall.

Federal agencies are expected to require SP 800-171 compliance at the individual contract level until a government-wide FAR (Federal Acquisition Regulation) clause is completed.

Aspiryon provides NIST 800-171 Compliance and Audit Services for Federal Contractor Systems and Organizations.