It's almost that time of year again: Time for agencies to file their annual Federal Information Security Management Act (FISMA) reports, detailing each department's cybersecurity successes and failures over the past year.

As the time nears, the Court Services and Offender Supervision Agency (CSOSA) is looking for a vendor to audit its systems and file the report with Homeland Security. If all goes well, that vendor could keep CSOSA's business for the next four years.

FedBizOps: FISMA Annual Independent Audit Services

CSOSA — which monitors accused and convicted offenders during pretrial and probation/supervised release, respectively — maintains a number of sensitive computer systems storing personal information on offenders, both accused and convicted. A major breach of those systems could have a serious effect on those persons and their families.

The contractor will be responsible for assessing CSOSA's cybersecurity posture along the guidelines set forth by the National Institute of Standards and Technology and codified in the 2014 update to FISMA. The vendor will also be required to upload the results to DHS's CyberScope reporting portal.

Specifically, the auditors will be expected to:

  • Deliver an overall project plan with project schedule at the kick-off meeting and submit updates of the project plan to the contracting officer representative (COR), as revised.
  • Deliver weekly written status reports to the COR which are due by close of business each Friday during the course of the active project.
  • Deliver a draft FISMA Independent Assessment Report for CSOSA and Pretrial Services Agency (PSA).
  • Populate in draft (not submitted to DHS/OMB) the Annual IG FISMA Reporting Metrics in the DHS CyberScope FISMA Reporting system.
  • Deliver a final FISMA Independent Assessment Report for CSOSA and PSA.
  • Deliver a final FISMA Independent Assessment Out-Brief presentation for CSOSA and PSA directors and management.

The solicitation notes that unlike other agencies, CSOSA does not have an inspector general, the office generally charged with conducting FISMA audits. Instead, the audit will be managed through the Information Security Office, part of the Office of the Director.

The solicitation includes a base period through Nov. 30, with four optional one-year add-ons to prepare reports through November 2020.

According to CSOSA financial documents, the agency spent $50,000 on its FISMA audit in fiscal 2014.

Responses to the RFP are due by 1 p.m. on Aug. 5. Questions must be submitted by 3 p.m. July 29.

Aaron Boyd is an award-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.
