The missions of our clients are enabled by new and advanced technologies which must be securely integrated into existing networks and legacy systems. This requires timely, accurate, and seamless security assessments of future and current information systems (IS). This case study shows how Invictus’ cybersecurity experts established a standardized and repeatable workflow utilizing the Risk Management Framework (RMF) to enhance the security posture of the Agency.
Before Invictus began supporting our client (the Agency), the Agency struggled to ensure that the security of its current and future IS was assessed properly and on time. This led to significant delays in deploying needed functionality to its 20k+ global mission users and raised the risk to the Agency, its mission, and its data.
Invictus employed its signature stakeholder engagement approach to identify, document, and update the Agency’s System Development Lifecycle (SDLC) processes and align them with the Agency’s risk tolerance. Invictus also created an RMF Transformation Team to establish common, repeatable processes, documentation, and workflow standardization, with security embedded into every step, to provide a combined RMF-SDLC solution.
Paired with newly documented automated processes, Invictus developed training for all contract and Government personnel to implement the new processes and establish a mechanism to suggest changes for continuous process improvement. A standardized Assessment & Authorization (A&A) process was instituted to establish a set standard – one that was reinforced by quality assurance checks and further automated the RMF process. This was codified in assessment workflows and modernized the RMF System of Record (SoR). These efficiencies reduced SoR data by half, enabled the SoR to respond 65% faster to queries, produced accurate metrics on the Agency’s IS portfolio, and optimized the SoR database to automatically generate, publish, and update changes made.
The Agency saw payoffs immediately after Invictus implemented its RMF solution. Utilizing RMF best practices, processes, and documentation, the Agency became more productive, spent less time reassessing and redocumenting systems, and ultimately saved money. As higher-quality and more consistent documentation was entered into the Agency’s SoR, the Authorizing Officials could make quicker authorization decisions, cutting the time from IS registration to an Authority to Operate (ATO) by more than 50%. The RMF SoR is now capable of producing quality metrics on the Agency’s IS portfolio and of providing transparency into the level of IS risk the Agency faces.