U.S. Patent and Trademark Office (USPTO)
For two years, the Department of Commerce Office of Inspector General had reported material weakness findings regarding FISMA compliance for USPTO vendors and contractors. As a result, the Director of Security and Privacy needed a solution to quickly and effectively ensure that contractors were compliant with federal security requirements. The solution had to address several related questions: how should USPTO guide and support its contractors in conducting certification and accreditation (C&A) of their systems; how should USPTO assist these contractors in completing C&A of their systems and in setting up a robust FISMA reporting process; and how should USPTO ensure standardization and confirm that baseline security requirements were adequately implemented?
Veris Group developed a contractor FISMA/C&A project plan with realistic objectives and milestones to allow contractors to identify the necessary resources required, conduct C&A activities utilizing standard processes and procedures, and ensure consistency across multiple teams. The plan established clear communication and reporting channels, as well as schedules for each contractor. A key success factor was our ability to involve USPTO’s contractors throughout the plan’s development and address their input and concerns at each stage. Because of this emphasis, the plan won the full support and buy-in of executive management, ensuring that the necessary resources were allocated to the effort.
Next, Veris Group conducted C&A training sessions with each contractor in order to help them comply with USPTO, DOC, NIST, OMB, and other federal requirements. Finally, we conducted independent verification and validation of contractor security documentation and security control assessment results to ensure that all controls had been adequately identified and were operating as intended.
After only six months, USPTO achieved full FISMA compliance for all contractor general support systems and major applications. The plan provides a modular and repeatable approach for USPTO to utilize, and has enabled additional contractors to complete C&A and meet FISMA requirements in a cost-effective and efficient process. Overall, the FISMA/C&A project plan developed by Veris Group has shortened the time required to complete C&A activities by more than 200%.