Internal Revenue Service (IRS)
Challenge
The IRS maintains an extensive inventory of approximately 170 major/minor applications and approximately 20 general support systems. The organization was faced with the following challenge: With a 3-year C&A cycle, how would the agency complete the recertification efforts of approximately 60 major/minor applications and seven general support systems in a given year? Due to its sheer size, the IRS required a large team of risk management subject matter experts who could ensure that the IRS was meeting its FISMA requirements.
Solution
Veris Group responded to this challenge by assembling a highly skilled team of experts to serve various roles, including documentation leads, team leads, quality control leads, and team managers for approximately 80 applications and seven general support systems undergoing C&A. Our team, supporting the IRS Certification Program Office (CPO), serves as the primary point of contact to each business unit that has an information system undergoing C&A. In our roles, we update all security documentation for a respective information system, including the System Security Plan, Information Technology Contingency Plan, Privacy Impact Assessment, e-Authentication Risk Assessment, Security Test and Evaluation Plan, and the Security Assessment Report.
Veris Group also provides subject matter expertise regarding organizational common controls. The IRS tests organizational common controls on an annual basis, and over the past few years our team has worked with the IRS to first identify which controls were applicable at the organizational level, then to identify the appropriate owner of each of those controls, and to document the implementation status of each control within an organizational common control system security plan. In addition, we have developed the organizational common controls security assessment report.
Results
Through the work of our team, Veris Group was able to elevate the IRS C&A program’s FISMA score from “Satisfactory” to “Good” and maintain this level over the course of two years. We have also been able to ensure that 100% of IRS information systems were properly certified and accredited in accordance with federal regulations and NIST guidance. Additionally, we have provided various process improvements to steer the IRS C&A program in the direction of the NIST Risk Management Framework.