Security Assessment & Authorization

The NIST Risk Management Framework (NIST Special Publication 800-37) introduced a new model of risk management for federal agencies by replacing the traditional Certification & Accreditation (C&A) approach with Security Assessment & Authorization (SA&A): a more continuous, dynamic view of risk rather than a point-in-time snapshot taken at accreditation. Federal agencies must adapt their current cybersecurity programs to align with the SA&A model and identify security risks throughout the System Development Life Cycle (SDLC), not only at the end of it.

KCG supports all aspects of the SA&A model. On each engagement we apply our methodologies for assessing risk at every phase of a system's SDLC, helping agencies evaluate their systems' security posture and make appropriate authorization decisions. We differentiate ourselves from our competitors by bringing real-world attack and exploitation experience to our security assessments, so that our customers gain a true understanding of the risk a system poses to its environment and can make an informed authorization decision. KCG supports federal agencies' implementation of the SA&A model by providing these key services:

  • Threat Modeling
  • Security Requirements Analysis
  • Security Architecture and Design Review
  • Application Security Code Reviews
  • Vulnerability Assessments
  • Penetration Testing
    • Web Applications
    • Network and Host
    • Wireless
    • Social Engineering
  • Enterprise Security Program Assessments