Current federal regulations require all general support systems (GSSs) and major applications (MAs) to be certified as being compliant with information technology (IT) security requirements so that information resources and data are adequately protected.  Based on this certification, agency heads issue authorizations to operate (ATOs – accreditations) to systems that are compliant.  This highly structured and regulated process serves two purposes: it documents various aspects of the system’s security posture, and it allows the system owner to understand and accept the residual risk associated with the system’s operation.  This provides the basis for the Government-mandated, risk-based management of IT resources.  An indirect result of the certification and accreditation (C&A) process is the ability to better justify budget requests and to plan more efficient capital expenditures.  Both the Department of Defense (DOD) and Office of Management and Budget (OMB) require every system to be recertified once every three years after initial accreditation, or whenever major changes are implemented.

SeNet will perform initial system assessments for all of your systems undergoing a C&A and deliver results in concise packages that provide a snapshot of your current security posture.  Packages will address all relevant issues and will include a list of recommendations.

SeNet will begin by completing a thorough review of all available system documents.  We will gather additional information through face-to-face or telephone interviews with appropriate personnel, including system owners, managers, Information System Security Officers (ISSOs), and administrators.  In order to maximize efficiency and minimize the amount of time required from your staff, SeNet will provide an appropriate list of topics and questions in advance.  Questions will be tailored to individual systems and will vary based upon system and Government requirements.

SeNet will review and provide a technical edit for each C&A package to determine the:

  • Presence or absence of each required document
  • Adequacy of each document’s contents
  • Completeness and accuracy of presented information
  • Appropriateness of references to documents not included in the package.

Final deliverables will be in a format suitable for use in obtaining Authorizations to Operate (ATOs).

In addition to the document reviews and interviews, SeNet will utilize Government-approved vulnerability assessment tools (such as IBM Internet Security Systems [ISS] and Nessus) and our own vulnerability assessment tools to gather additional information and to complete a comprehensive technical vulnerability assessment.

SeNet will complete Security Test and Evaluations (ST&Es) for each assigned system in accordance with Department of Defense (DoD) or National Institute of Standards and Technology (NIST) guidelines.  When automated tools are used, they will be adjusted for the specific system and Government-issued requirements, and the final product will undergo a manual review process.  We will not simply assume that the tools interpreted all the results correctly.

The DIACAP and Certificate of Networthiness plans establish standard processes to certify and accredit an information system so that when it is connected to the NIPRNET, it will maintain the information assurance and security posture of the Defense Information Infrastructure (DII).  In addition, military installations require a Certificate of Networthiness to install an application on base.  These processes support a risk-based approach to security, with a focus on a system’s mission, environment, and cost factors.   Let SeNet’s experienced professionals guide you through these processes and ensure that your system is secure and has the proper ATOs.


Securing credit card data is one of the most pressing information security challenges facing organizations today.  Identity theft is the fastest growing form of crime in the United States.  In response, card associations (led by Visa and MasterCard) have created a data security standard called the Payment Card Industry (PCI) Data Security Standard (DSS).  PCI DSS compliance is mandatory for all organizations that “process, store, or transmit” cardholder data.  Furthermore, federal and state governments (like Minnesota, Nevada, etc.) have added their own compliance requirements, including the Federal Trade Commission (FTC) Act and state notification laws.  As a result of these compliance obligations, damages from a compromise of cardholder data often total millions of dollars.
Securing credit card data and achieving compliance requires more than periodic vulnerability scanning and annual audits.  True compliance is achieved when companies are able to make the right security decisions throughout the year and are required to:
•    Understand rapidly evolving security compliance obligations.
•    Develop an enterprise-wide strategy and plan for achieving compliance.
•    Implement required operational changes.
•    Train employees on threats and compliance obligations.
•    Maintain compliance throughout the year.

Small and midsize merchants are prime targets for data thieves. It’s merchant’s job to protect cardholder data at the point-of-sale.  If cardholder data is stolen, and fault is determined to lie with the merchant, the following could be incurred; fines, penalties, even termination of the right to accept payment cards.  PCI Data Security Standard compliance can protect cardholder data and prevent theft.  

Team SeNet follows the approach outlined below when performing PCI assessments.
1.    Test Planning and Scope
2.    Testing Approach and Methodology
3.    Reporting and Deliverables



Our security analysts that are working on compliance side of SeNet’s security practice are well trained in various industry security compliance standard including standards from International Standards Organization (ISO). We understand that risk assessment methodologies as laid out in ISO standards provide a solid framework for an organization to follow and they also are flexible in implementation of security controls based on specific security requirements.  Specifically we will be following the “Plan, Do, Check, and Act (PDCA)” risk management strategy as laid out in ISO 27005 standard.

Central to our process is the Interview and Examination application.  This serves as a central repository throughout the testing process and provides traceability.  It contains a listing of all required ISO controls along with the requested information/evidence that is required to determine if the control is in-place. 


It seems as if health care compliance and regulatory requirements are constantly changing.  First, there was the Health Insurance Portability and Accountability Act (HIPAA).  Now, the HITECH act is getting more attention due to the financial incentives for automating Electronic Health Records (EHRs).  Consequently, the security of EHR systems and the data they contain has become even more important for organizations that store health care data.

The HITECH Act also expands the scope of HIPAA in terms of penalties, compliance, and enforcement. Until recently, HIPAA has been laxly enforced. The HITECH Act significantly increases the exposure risk of non-compliance.  The privacy and security requirements under HIPAA have also significantly expanded, as well as penalties for violations.  Ensuring that your organization complies with HIPAA requires an understanding and implementation of the various rules.  The area of HIPAA most closely related to information security is the security rule.  Security rule compliance revolves around documentation and policies.

Here are examples of areas with which SeNet can assist your organization to comply with the security rule:

  • Risk Analysis – Security rule Section 1.1 calls for a risk analysis. This is also required as item 25 in the list of HITECH meaningful use requirements. A risk analysis should be the starting point for any security implementation process. SeNet has a software solution that will allow you to conduct a standards-based risk analysis quickly and efficiently.
  • Risk Management – Security rule Section 1.1 also mandates a risk management program. SeNet can help clients develop a risk management program based on the results of the risk analysis and their available resources. The plan should address the most critical risks first, followed by other items as resources allow.
  • Education and Training Programs – Security rule Section 1.5 requires formal education and training programs for staff members. SeNet can help clients develop a program that is appropriate to their organization, level of complexity, and resources. The best technological controls will be useless if the staff is ignorant of security issues and responsibilities.
  • Contingency Plan – Security rule Section 1.7 states that practices must have a contingency plan that includes data backups, disaster recovery, emergency mode procedures, etc. It is important for practices, or any business, to have robust plans and procedures to deal with emergencies such as data loss, equipment theft, and other important issues.
  • Technical Safeguards – Security rule Section 3 outlines the necessary technical security controls. SeNet can work with practices to meet the minimum necessary technical controls that are appropriate for their organization. As you know, technical safeguards are where the “rubber meets the road.” SeNet can advise clients on what technologies are appropriate for their organization and how they should be implemented in a timely, cost-effective manner.

Depending on the development stage in your HIPAA and overall information security roadmap, SeNet can assist in several ways.  From performing a simple computer security “checkup” to performing complete, comprehensive HIPAA assessments and EHR integration and security testing.  SeNet is a leading company in the field of information security and provides these services to many organizations, including the Department of Health and Human Services (HHS).


The FBI Criminal Justice Information Services (CJIS) Division maintains a vast repository of Criminal Justice Information (CJI) such as fingerprint records, criminal histories, and sex offender registrations.  Access to this database (known as CJIS) is provided to state, local, and federal law enforcement and criminal justice agencies for use in on going activities subject to Title 28, Part 20, Code of Federal Regulations (CFR).

In order to ensure the integrity of CJIS and to prevent unauthorized access to this extremely sensitive information, The FBI CJIS Division has published a security policy (currently at Version 5.2)  governing the access to the CJIS database.  The CJIS security policy, which is based on established Presidential directives, FBI directives, Federal laws (e.g., FISMA) and NIST guidelines. Implementation of the CJIS Security Policy as applicable to individual CJIS Systems Agencies (CSAs) is a requirement for granting continued access to the CJIS database.

While the most visible and pressingrequirement is for “Advanced Authentication,” or multi-factor authentication, (with an implementation deadline of Sept. 2013), the CJIS Security Policy is much broader in scope and covers areas such asSecurity Awareness Training, Auditing, Security Incident Handling, Media Protection and Configuration Management, as detailed in the document’s twelve “Policy Areas”. Each CSA is required to execute a signed, written user agreement with the FBI CJIS Division stating willingness to abide by and demonstrate compliance with this Policy (in its entirety) before accessing and participating in CJIS records information programs.  As part of this agreement, CSAs consent to be audited by the FBI CJIS Division once every three (3) years as a minimum to assess compliance with the policy.

SeNet International Corporation is offering State & Local law enforcement organizations a CJIS Readiness Review – aquick and complete package of analyzing and reviewing your organization’s readiness for compliance with CJIS Security Policy requirements.. Our team of technical and management experts will visit your facility, and together with your MIS team, will review, analyze and assess your security and privacy measures, both from the technical as well as management and operational aspects.

This technical and analytical assessment process will include:

•    Review of IT infrastructure security (incl. Systems, Applications, Network and Telecommunications
•    Vulnerability scanning using automated tools and manual techniques, from and external and internal perspectives (“pen-testing”)
•    Review of information security policies and procedures
•    Interviews with key technical and management personnel
•    Step by step evaluation of current posture against CJIS requirements
•    Conclusions and recommendations development.

At the end of this effort, the SeNet team will deliver a short presentation along with a draft report summarizing the team’s findings and recommendations. A final report will be delivered within 10 business days from the completion of the on-site portion.

This is a short, focused effort which will allow you to learn about the requirements evaluate your situation and plan your compliance strategy.  Should you require to implement additional means (be it hardware, software or even revisions to your internal operational processes), SeNet can provide you with an economical, effective and approved set of options to choose from.


The Federal Information Security Modernization Act (FISMA)  requires federal agencies to identify and provide information security protections commensurate with the risk resulting from the
unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by or on behalf of an agency or a designated third party such as a contractor or research organization. Under Executive Order 13556, Controlled Unclassified Information dated, November 4, 2010 federal agencies and their designated third parties to adhere to regulations, policies and guidelines established by NIST and OMB in order to protect Controlled Unclassified Information (CUI) at the moderate confidentiality impact level.

The US  National Archives and Records Administration (NARA) together with the US National Institute of Standards and Technology (NIST) have established a guideline, Special Publication SP 800-171, titled "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations". NIST SP 800-171 provides federal agencies and designated third parties with recommended requirements for protecting the confidentiality of CUI when such information resides on non-federal information systems and organizations.

Beginning in the end of 2017, non-federal organizations which receive, process or store CUI (AKA "Authorized Holders") must comply with the requirements of NIST SP 800-171 per Code of Federal Regulations (CFR) at 32 CFR Part 2002. Such requirements pertain to Safeguarding, Accessing and disseminating, Decontrolling and Marking of CUI. Compliance involves establishing security controls (NIST 800-171 has 109 controls  grouped into 14 control families) that impose requirements at the environmental, system, access, user, and logging/auditing levels among other areas. Examples of these requirements are:

Hosting Requirements

The hosting environment (physical space) in which the system is housed must:

  •     Be secured (locks, cameras, card readers, guards) to ensure access only by authorized personnel.
  •     House project components (hardware, software) in separate racks from other systems. Racks must be secured with locking mechanisms

System Requirements

The system (hardware, software, data) must be logically or physically separated from other information systems and:

  •     Include only required applications and keep unnecessary processes and ports disabled.
  •     Be isolated from other information flows by firewalls and network segmentation.
  •     Encrypt all data in transit and at rest using FIPS 140-1 and FIPS 140-2 encryption standards.
  •     Include a test environment for analyzing impacts of changes; maintain regular patching timeframes.
  •     Incorporate processes for documentation, inventory, change management, personnel authorization.
  •     Collect log information documenting all user actions and user installed applications.
  •     Integrate with log analysis and security information and event management tools to provide alerts and reports, report security incidents. It must store log data outside of the specific CUI system.  A designated individual must review and audit logs.
  •     Include processes for incident reporting and remediation of vulnerabilities
  •     Provide processes for maintenance, including authorization, escort and tool validation of third party personnel, and prioritize local maintenance processes over remote.

Access Requirements

Access to the network or system storing or processing CUI requires:

  •     Connection via virtualized sessions OR other authorized devices configured to block after a certain number of  unsuccessful login attempts and time out after a certain time of inactivity.
  •     Encryption of devices/storage media in accordance with FIPS140-2 and FIPS140-2 encryption standards.
  •     Remote and wireless connections to be provided through a VPN.

User Requirements

Users of a CUI carrying system:

  •     Must be authorized by the system owner or his designee and must have a need to access the system
  •     Account for users who no longer need access to the system must be promptly disabled
  •     Must be provided accounts with the least privileges necessary to conduct their work
  •     Must use authorized computers/devices to access the system.
  •     Should not download CUI to portable storage devices or their own computers
  •     Must complete annual security training regarding the specific restrictions applicable to the CUI system(s)

SeNet International Corporation has been assisting Federal and non-federal organizations for close to 20 years achieve and maintain their IT Security objectives. Our staff of IT security analysts and engineers possess a wealth of information regarding NIST, FISMA and other regulatory compliance requirements. We can assist your organization figure out your exposure to the mandates imposed by the CUI regulations, assist in developing an appropriate compliance plan, test your CUI systems security controls' implementation against the requirements, recommend and help you implement any remediation measures necessary to achieve full compliance.