Inactive
Notice ID:36C10B22Q0304
The Contractor shall assist VA with its compliance with 44 U.S. Code § 3554 (Federal agency responsibilities), specifically paragraph (b) Agency Program (1): periodic assessments of the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency, which may include using automated tools consistent with standards and guidelines promulgated under section 11331 of title 40. This requirement will help VA fulfill its obligations under NIST SP 800-37, the Risk Management Framework (RMF), which provides guidelines for applying the RMF to information systems and organizations. The RMF provides a disciplined, structured, and flexible process for managing security and privacy risk that includes information security categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring. Additionally, all of these activities are mandated by Federal law (the Federal Information Security Modernization Act (FISMA)).

The Contractor shall enable VA to comply with 44 U.S. Code § 3554, the NIST SP 800-37 RMF, and FISMA by assessing, reviewing, and validating that security and privacy controls are implemented properly, operating as intended, and producing the desired results, thus minimizing the exposure of VA systems and information to security incidents that could seriously impact VA networks and information. These assessment, review, and implementation support activities will provide Information System Security Officers (ISSOs), System Owners (SOs), Authorizing Official Designated Representatives (AODRs), Authorizing Officials (AOs), senior leadership, and other relevant personnel with detailed assessments, reviews, and validations prior to issuing Authorizations to Operate (ATOs).
This requirement will also support the organization's mission to conduct effective continuous monitoring through control assessment reports listing every control that did not comply with NIST and VA requirements, including a comprehensive listing of the full spectrum of federally mandated controls the Department of Veterans Affairs must satisfy in accordance with FISCAM and FISMA audits. These reports are vital to helping System Owners create corresponding Plans of Action and Milestones (POA&Ms) to remediate control risks or formally accept them, as required by FISMA. In addition, the Contractor will provide VA with support for Risk Management Framework pre-assessment, assessment, and post-assessment activities through site visits to VA and non-VA sites hosting VA information systems, as well as direct support during FISCAM/FISMA audits.