Services

We provide full-lifecycle NIST Risk Management Framework (RMF) process support for Federal systems, applications, and common control programs, in accordance with Federal Information Security Modernization Act (FISMA) requirements. Our teams have extensive experience guiding new system acquisitions and development efforts from initiation to Authorization to Operate (ATO), including supporting stakeholders in the design and implementation of appropriate cybersecurity and privacy controls, and serving as independent assessors. We also perform more targeted security impact analyses and assessments for changes to existing systems. Additionally, we have deep experience helping Federal Agencies ensure that solutions moved to FedRAMP-authorized Cloud Service Providers (CSPs) are appropriately secured and monitored. Our services are tailored to the specific needs of each organization and engagement, and are continuously updated to reflect lessons learned from our projects with other organizations, as well as emerging technologies, requirements, and threats.

Our team members bring extensive experience working with the U.S. Government Accountability Office (GAO), Offices of Inspectors General (OIG), and internal audit groups, and we have successfully supported a number of Agencies in preparing for, supporting, and responding to Federal cybersecurity audits and evaluations. We have the depth and breadth of experience across GSA HACS SINs, including:


Security Governance

B&M provides security consulting services that address risk from a holistic, organizational perspective and assist in designing and establishing security governance structures in accordance with Federal guidelines. This support includes implementing an organization's risk management strategy; assessing risk tolerance; delivering security awareness training; and ongoing security policy development. B&M also aids in developing a continuous monitoring plan that tests common controls across the entire organization.


Risk Management Framework (RMF) Support and Security Assessment and Authorization

We provide full-lifecycle NIST Risk Management Framework (RMF) support for Federal systems, applications, and common control programs, in accordance with Federal Information Security Modernization Act (FISMA) requirements. Our teams have extensive experience guiding new system acquisitions and development efforts from initiation to Authorization to Operate (ATO), including supporting stakeholders in the design and implementation of appropriate cybersecurity and privacy controls, and serving as independent assessors. We also perform more targeted security impact analyses and assessments for changes to existing systems, and have successfully supported a number of Agencies in preparing for, supporting, and responding to Federal IT security audits and evaluations.


Information Security Continuous Monitoring/Ongoing Authorization (ISCM/OA) Transition

We provide support to Federal Agencies in planning for and implementing strategies and transition plans for Information Security Continuous Monitoring (ISCM) and Ongoing Authorization (OA), in alignment with Office of Management and Budget (OMB) requirements and NIST guidelines. Our teams have worked with Federal Agencies to assess readiness for ISCM/OA transition through the three lenses of people, process, and technology, and to define ISCM strategies and implementation plans. We also help guide Federal Agency stakeholders and systems through the ISCM/OA transition, including providing oversight of the implementation of Continuous Diagnostics and Mitigation (CDM) capabilities.


IT Security Managed Services

We provide cybersecurity and privacy consulting and operational support on-premises and offsite in a number of programmatic areas and at various organizational levels, including:

  • Security Asset Management & IT Component Inventory

  • Plan of Action and Milestones (POA&M) Management

  • Data Call Assistance (FISMA Reports, Internal Reports)

  • Development, Modernization, & Enhancement Tasks

  • Security Documentation, Event, & Incident Management

  • Assessment & Authorization Support for Various Systems

  • Cybersecurity Awareness Training

  • Sensitive Information Management & Data Loss Prevention

  • Continuous Diagnostics and Mitigation Tools


Risk and Vulnerability Assessment

B&M provides a suite of Risk and Vulnerability Assessment (RVA) support services that can be delivered on a one-time, ad hoc, or continuous basis. In fact, B&M was one of the first 12 vendors to obtain GSA approval to offer RVA support services under the GSA IT Schedule 70 Highly Adaptive Cybersecurity Services (HACS) initiative. Service areas include operating system security assessments; vulnerability scanning; threat analysis and penetration testing support; and the development of risk metrics and risk mitigation strategies.