The Continuous Readiness in Information Security Protection (CRISP) program is VA’s program to continuously address the thousands of information security vulnerabilities that exist in its vast infrastructure.
Overview
Client:
Department of Veterans AffairsIndustry:
Federal GovernmentServices:
Information Assurance, Network Engineering, CybersecurityChallenge
VA’s goal is to reduce the number of existing vulnerabilities to a level that removes a long-standing Material Weakness (MW) in its annual Federal Information Security Management Act (FISMA) audit due to these security vulnerabilities. Vigilant provides operational infrastructure and security protection support services necessary to support VA in addressing system security vulnerabilities components, ensuring information security risk controls are implemented and monitored, and in response to FISMA and FISCAM audit reporting.
Solution
Our team remediates existing vulnerabilities within system scans, access controls and operating systems/languages; performs Microsoft patching within 30 days after patch release; and performs third-party patching. Our onsite support team has access to Remedy and the Help Desk system for issues and is assigned action items prioritized by the Regional Directors (RD) in coordination with the COR. Our team is assigned work covering vulnerability remediation through established national and regional change control documentation systems. Our team provides onsite Tier 2 and Tier 3 and Tier 4 support at VA facilities to remediate security threats and vulnerabilities in the field. We strive to achieve a 98% or greater remediation rate. Our support includes both fixes and creation of Plans of Action and Milestones (POAMs). The RD’s assign the severity levels (severity code) to security threats and the threats backlog. Vulnerability remediation is generally tracked through the issuance of national action items and in response to the vulnerabilities (as established by the VA NSCO). Response to ad-hoc security incident response (emergency patching, updating, and/or sanctioned configuration changes), addressing monthly Microsoft patching requirements, and addressing critical and high vulnerabilities discovered from monthly Nessus scanning. Baselines developed are applied enterprise wide.
Results
The Vigilant team responds to and resolves tickets and delivers a Ticket Resolution Report. We implement patches and corrective actions needed to mitigate security risks and vulnerabilities and deliver a Patch Implementation Report that includes the list of implemented patches and corrective actions taken to mitigate security risks and vulnerabilities. We support the implementation of IT policies, procedures, and system controls. We deliver a Business Line Issue Report that identifies and IT-related deficiencies; and we perform a gap analysis and identify any unresolved tickets or deficiencies.