Identify Security Technical Implementation Guide (STIG) requirements that do not have associated Common Control Identifiers (CCIs) or associated Risk Management Framework (RMF) Security Controls in the System Impact Level Baseline.

Correlate STIG CCIs to RMF Security Controls.

TERMS

• STIG – Security Technical Implementation Guide. Interchangeable with DISA STIG, DISA Checklist
• CCI – Common Control Identifiers. Unique identifier associated with an individual STIG requirement or RMF AP. The CCI provides traceability from the STIG requirement to the AP.
• AP – Assessment Procedure. Unique requirement associated with a Security Control
• Security Control – RMF requirement that provides high-level guidance. APs fall under Security Control to provide distinct requirements.

HOW IT WORKS

The tool parses the STIG/SCAP content to find the associated CCI, matches the CCI to the Security Control, determines if the Security Control is found within the System Impact Level Baseline, identifies unmapped CCIs and Security Controls, provides report of non-matches.

1. Parse STIG/SCAP content and find associated CCI. If the STIG requirement contains an associated CCI, goto Step 2. If no CCI is found then processing is complete as further matches cannot be made. NOTE: Not all STIG requirements have an associated CCI.
2. Perform lookup of the STIG CCI in the AP.XLSX file (STIG-CCI-ControlMapper\References). NOTE: This file is an export of all APs from the RMF Knowledge Service Security Control Browser.
   3. Determine if a CCI match is found. If Yes, correlate the Security Control associated with the CCI in the APS.XLSX file and goto Step 3. If No CCI match is found, populate the Requirements grid with a status of “Unmapped CCI”. NOTE: There are STIG CCIs that do not associate to any RMF Security Controls.
3. Perform lookup of the matched CCI > Control from the APS.XLSX file to the CONTROLS.XLSX file (STIG-CCI-ControlMapper\References). NOTE: This file is an export of all Security Controls from the RMF Knowledge Service Security Control Browser. This step is required because the APS.XLSX file does not contain Impact Level mapping to Security Control.
   1. Determine if a Security Control match is found. If Yes, determine if the Security Control is present in the System Impact Level Baseline. If Yes, a match is complete and the Requirements grid is populated with the CCI to Security Control match. If No, the tool determines if the Security Control exists within the full Security Control Baseline and the mismatch occurs due to System Impact Level, or if the Security Control has not been allocated into any Impact Level. Possible results are:
      1. Yes. The Security Control associated with the STIG CCI is found in the selected System Impact Levels.
      2. No. The Security Control associated with the STIG CCI is NOT found in the selected System Impact Levels. NOTE: Usually due to the STIG CCI being associated with an Impact Level that is higher than the selected System Impact Level.
      3. Unmapped CCI. The STIG CCI does not have a correlating RMF Assessment Procedure, therefore it does not have an associated RMF Security Control.
      4. Unmapped Control. The STIG CCI does have a correlating RMF Assessment Procedure, however the Assessment Procedure does not have a correlating RMF Security Control.

https://github.com/i-assure/STIG-CCI-CONTROLMAPPER

The post STIG-CCI-CONTROL MAPPER appeared first on I-Assure.

Effective 7/16/2018, I-Assure has been certified as an SDVOSB.

The SDVOSB Sole Source program, governed under FAR 19.1406 “Sole source awards to service-disabled veteran-owned small business concerns”, is an excellent contracting strategy to streamline the acquisition of our services.

19.1406 Sole source awards to service-disabled veteran-owned small business concerns.
(a) A contracting officer shall consider a contract award to a SDVOSB concern on a sole source basis (see 6.302-5(b)(6)), before considering small business set-asides (see 19.203 and subpart 19.5) provided none of the exclusions of 19.1404 apply and-
(1) The contracting officer does not have a reasonable expectation that offers would be received from two or more service-disabled veteran-owned small business concerns;
(2) The anticipated award price of the contract, including options, will not exceed-
(i) $6.5 million for a requirement within the NAICS codes for manufacturing; or
(ii) $4 million for a requirement within any other NAICS code;
(3) The requirement is not currently being performed by an 8(a) participant under the provisions of Subpart 19.8 or has been accepted as a requirement by SBA under Subpart 19.8;
(4) The service-disabled veteran-owned small business concern has been determined to be a responsible contractor with respect to performance; and
(5) Award can be made at a fair and reasonable price.
(b) The SBA has the right to appeal the contracting officer’s decision not to make a service-disabled veteran-owned small business sole source award.

SDVOSB Program

The federal government’s goal is to award at least three percent of all federal contracting dollars to service-disabled veteran-owned small businesses each year.

The post I-Assure Certified as a Service-Disabled Veteran-Owned Small Business (SDVOSB) appeared first on I-Assure.