The Federal Network Resilience (FNR) Cybersecurity Assurance (CA) branch employs a collaborative approach with the Federal Civilian Executive Branch to measure, monitor, and validate cross-government initiatives and to assess cyber risks.
CA assesses the state of operational readiness and cybersecurity risk of unclassified federal networks and systems. CA proactively engages with departments and agencies to improve their cybersecurity posture by assessing capabilities, identifying vulnerabilities, evaluating risks, and providing prioritized guidance that optimizes the remediation activities needed to close capability gaps, limit exposure, reduce exploitation, and increase the speed and effectiveness of cyber attack responses.
CA seeks to provide services that promote a healthy, secure, and resilient IT infrastructure across the federal enterprise’s computer networks and systems; measure the implementation of mandatory cybersecurity capabilities; and provide an enterprise view of the federal government’s cybersecurity posture.
Benefits to the Federal Government
CA benefits the federal government by providing cost savings and cross-government consistency through centralization of information system security services. CA services and activities include:
- promotion of awareness of agency compliance with cybersecurity responsibilities;
- collection of objective data that validates previous, and supports ongoing, improvements by the agency;
- establishment of an enterprise view of the federal government’s cybersecurity posture, thus enabling policy-makers to develop sound cybersecurity policy and risk mitigation strategies;
- increased confidence that agencies are complying with published cybersecurity requirements; and
- reduced government spending on cybersecurity by leveraging our resources in engagements across Federal Civilian Executive Branch agencies, thus maximizing the return on investment in those resources by DHS and eliminating the need for similar investments by agencies.
Benefits to Individual Agencies
CA benefits individual agencies by:
- satisfying agency requirements stemming from FISMA, Office of Management and Budget memos, and the Comprehensive National Cybersecurity Initiative;
- identifying capability gaps, which helps agencies recognize opportunities for improvement, prioritize remediation activities, and justify budget requests;
- evaluating the overall effectiveness of an agency’s security program;
- clearly articulating and quantifying agency risk;
- providing access to expertise and resources that are not readily available, at no cost to the agency; and
- providing third-party risk assessments at no cost to the agency to assist with FISMA compliance.
Operational Assurance Section
The Operational Assurance Section (OAS) works in coordination with agencies to conduct proactive blue-team assessments that validate their technical capabilities (tools and technologies) and operational readiness (people, processes, and security program maturity).
Cybersecurity Capability Validations (CCV) assessments are conducted collaboratively with an agency to assess and validate its implementation of cybersecurity capabilities required by federal laws, policies, and initiatives.
Analysis and Reporting
The data collected through OAS activities is used to produce reports for the departments and agencies that have been assessed. It is also anonymized, aggregated, and normalized to create summary dashboards and reports for trending and visualization.