KCG assists clients in navigating the often confusing and conflicting world of Certification and Accreditation (C&A) by drawing on years of experience working with, and tailoring, enterprise-wide C&A standards and guidelines. KCG focuses on translating these standards into the processes, steps, and deliverables required to achieve a true understanding of the risk of operating a system. KCG has significant operational experience providing C&A services to public sector clients in accordance with the NIST 800 series standards, DITSCAP, DIACAP, and DCID 6/3. KCG works closely with stakeholders and infrastructure team members to ensure an organization's networks, systems, facilities, and programs reach an acceptable level of information security to obtain and maintain their Authority to Operate (ATO) or accreditation.
KCG’s C&A services are built around the NIST Computer Security Division’s nine-step process for increasing the security of federal agency IT systems.
They are:
- Categorize your information and information systems
- Select the appropriate minimum or baseline security controls
- Refine the security controls using a risk assessment
- Document the security controls in the system security plan
- Implement the security controls in the information system
- Assess the effectiveness of the security controls
- Determine agency-level risk to the mission or business case
- Authorize the information system for processing
- Monitor the security controls on a continuous basis
KCG's service offerings in this area include:
- Certification and Accreditation support complying with NIST 800-37, DITSCAP, DIACAP, and DCID 6/3
- Risk and Privacy Impact Assessments
- Proper security categorization of systems based on data types
- System Security Plan (SSP) and System Security Authorization Agreement (SSAA) development and maintenance
- Security Test and Evaluation (ST&E) Plan Development
- Executing ST&E procedures and developing Security Assessment Reports
- Vulnerability assessments compliant with overarching regulations to ensure continued accreditation
- Development of Plans of Action and Milestones (POA&M) and continuous monitoring for compliance
- Annual self-assessments