Official website of the Department of Homeland Security

Cybersecurity Assurance Sections

Cybersecurity Assurance functional areas test, measure, and analyze the cybersecurity posture of individual agencies to produce a baseline of the federal government's cybersecurity posture.

Operational Assurance 

Operational Assurance (OA) assesses Federal Civilian Executive Branch (FCEB) agencies' compliance with cybersecurity laws, regulations, policies, standards, initiatives, and directives across the federal government, including the Comprehensive National Cybersecurity Initiative, Domain Name System Security Extensions (DNSSEC), Internet Protocol version 6 (IPv6), and FISMA.

  • Cybersecurity Capability Validation (CCV): comprehensive, consistently executed onsite validations of an agency's implementation of required cybersecurity capabilities.
  • Cyber Hygiene (CH): promotes a healthy IT infrastructure across the nation’s computer networks and systems through the use of diagnostic monitoring and agency self-reporting.

Risk Evaluation

Risk Evaluation conducts risk and vulnerability assessments in conjunction with penetration testing to identify agency-specific risks, giving agency leaders improved prioritization and implementation guidance for identifying appropriate mitigation techniques.

  • Vulnerability Assessment: utilizes methods such as vulnerability scanning, system evaluation, penetration testing, social engineering, and policy/procedural reviews to identify and report on vulnerabilities and gaps within the people, process, and technology of the selected FCEB agency.
  • Threat Assessment: leverages proven assessment methodologies and commercial best practices that integrate data collected from various government information sharing sources to identify internal and external threats to an organization based on their specific operational mission.

Analysis & Reporting

Analysis and Reporting analyzes the data collected through Compliance & Assurance activities, identifies trends, produces reports, and provides information that assessed agencies can use to identify gaps and develop risk mitigation strategies.

  • Reports: detail specific data compiled from assessments that measure progress implementing cybersecurity standards, policies, and guidance, and detail identified vulnerabilities and risks specific to the assessed agency.
  • Dashboards: provide easy-to-access, up-to-date views of the cybersecurity posture of the federal government or an individual agency.

 
