Services

We provide full-lifecycle NIST Risk Management Framework (RMF) process support for Federal systems, applications, and common control programs, in accordance with Federal Information Security Modernization Act (FISMA) requirements. Our teams have extensive experience in guiding new system acquisitions and development efforts from initiation to Authorization To Operate (ATO), including supporting stakeholders in the design and implementation of appropriate IT security and controls, and serving as independent assessors. We also perform more targeted security impact analyses and assessments for changes to existing systems. Additionally, we have deep experience helping Federal Agencies ensure that solutions moved to FedRAMP Cloud Service Providers (CSP) are appropriately secured and monitored. Our services are tailored to the specific needs of each organization and engagement, and are continuously updated to reflect lessons learned from our projects with other organizations, as well as emerging technologies, requirements, and threats.

Our team members bring extensive experience working with the U.S. Government Accountability Office (GAO), Offices of Inspectors General (OIG), and internal audit groups, and we have successfully supported a number of Agencies in preparing for, supporting, and responding to Federal IT security audits and evaluations. We have the depth and breadth of experience across GSA HACS SINs, including:

Penetration Testing (SIN 132-45A):

B&M performs independent internal and external penetration testing to identify vulnerabilities and risks in Agency systems. Testing can be performed under a variety of scenarios, based on Agency requirements. Additionally, B&M provides technical consulting support to Agency internal penetration testing teams before, during, and after engagements, including reviews of team structure and composition and of the methodologies and tools used.

Incident Response (SIN 132-45B):

We provide technical and surge support to clients throughout the incident response lifecycle. This includes performing reviews of Agency Incident Response Programs, and developing recommendations to address identified gaps and opportunities for improvement related to incident response planning and procedures, team staffing and training, awareness, and incident detection, analysis, containment, eradication, recovery, reporting, and post-incident procedures and capabilities. We also perform assessments of the tools used in support of the Incident Response Program, to include the architecture, configuration, management, and use of Intrusion Detection System/Intrusion Prevention Systems (IDS/IPS), Anti-Virus (AV)/malware detection and containment/eradication software, Advanced Persistent Threat (APT) detection solutions, and Security Information and Event Management (SIEM) solutions.

Cyber Hunt Support (SIN 132-45C):

We support Federal Agencies in performing cyber hunt initiatives, and in developing and maturing cyber hunt programs and capabilities. This includes performing reviews of Agency cyber hunt programs, and developing recommendations to address identified gaps and opportunities for improvement related to team composition/structure and to procedures/capabilities for hypothesis generation; hypothesis testing; pattern and Tactics, Techniques, & Procedures (TTP) detection; and analytics automation.

Risk and Vulnerability Assessment (SIN 132-45D):

B&M provides a full range of Risk and Vulnerability Assessment (RVA) support services, delivered on a one-time, ad-hoc, or ongoing basis, including Network Mapping, Vulnerability Scanning, Phishing and Social Engineering Assessments, Wireless Assessments, Web Application Assessments, Operating System and Domain Security Assessments, Database and Data Security Assessments, and Perimeter and Network Security Assessments.

  • Network Mapping
  • Vulnerability Scanning
  • Phishing Assessment
  • Wireless Assessment
  • Penetration Testing
  • Web Application Assessment
  • Operating System Security Assessment
  • Database Assessment

IT Professional Services (SIN 132-51):

We provide a variety of IT security services, including:

  • Information Security Continuous Monitoring/Ongoing Authorization (ISCM/OA) Transition: We provide support to Federal Agencies in planning for and implementing strategies and transition plans for Information Security Continuous Monitoring (ISCM) and Ongoing Authorization (OA), in alignment with Office of Management and Budget (OMB) requirements and NIST guidelines. Our teams have worked with Federal Agencies to assess readiness for ISCM/OA transition through the three lenses of people, process, and technology, and to define ISCM strategies and implementation plans. We are also helping guide Federal Agency stakeholders and systems through the ISCM/OA transition, including providing oversight of the implementation of Continuous Diagnostics and Mitigation (CDM) capabilities.
  • Risk Management Framework and Security Assessment and Authorization (SA&A): Full-lifecycle NIST Risk Management Framework (RMF) process support for Federal systems, applications, and common control programs, in accordance with FISMA requirements, from initiation through Authorization To Operate (ATO), including independent assessment, security impact analyses for changes to existing systems, oversight of solutions moved to FedRAMP Cloud Service Providers (CSP), and support for Federal IT security audits and evaluations (GAO, OIG, and internal audit), as described at the top of this page.
  • IT Security Managed Services: We provide IT security and privacy consulting and operational support on-premises and offsite in a number of programmatic areas, including:
    • Access Management and Enforcement
    • Configuration Management
    • Continuity of Operations
    • IT Component Inventory and Asset Management
    • Malware Management
    • Security Documentation Management
    • Security Event and Incident Management
    • Security Training
    • Sensitive Information Management and Data Loss Prevention
    • Vulnerability and Patch Management
  • Continuous Diagnostics and Mitigation Tools: Through our IT security and privacy support to Federal Agencies, we have directly leveraged, or provided oversight support for the implementation of a variety of Continuous Diagnostics and Mitigation (CDM) capabilities. Example tools include: Archer GRC, Qualys, Tenable, CoreImpact, AppScan, DbProtect, Symantec Endpoint Protection, Symantec DLP, FireEye ATP, McAfee SIEM, McAfee IDS/IPS, and ForeScout.