Assessment & Accreditation (A&A) Offerings

NIST SP800-37 states that “…security authorization challenges managers at all levels to implement the most effective security controls Information Assurance Capability possible in an information system, given mission and business requirements, technical constraints, operational constraints, cost/schedule constraints, and risk-related considerations.” CryptoForensics is thoroughly grounded in all aspects of the Assessment and Accreditation (A&A) requirements and can expertly implement the crucial processes that will enable any government agency to successfully support and sustain an efficient process in accordance with budget and regulatory requirements. Proper planning and procedures are essential to ensure that the A&A aspect of your IT system operates cost-effectively and efficiently.

We understand that documenting the security controls and processes of IT systems is only the first step in the A&A process, and that systematic risk assessment and vulnerability analysis are necessary to identify potential areas to improve the A&A process. CryptoForensics can help any agency successfully navigate the challenges set forth in several regulations and standards, including:

  • Federal agencies: FISMA, NIST SP800-37, HIPAA, and OMB A-130
  • DoD specific: 8510.01 (DIACAP) and transition from 5200.40 (DITSCAP)
  • National security systems specific: DCID 6/3 and NSTISSI No. 1000 (NIACAP)

Our A&A offerings include repeatable and efficient processes that streamline the C&A process to ensure the following objectives:

  • Enhanced overall enterprise security management plan and processes through integration of lessons learned from the A&A process
  • Improved system and program security beyond compliance requirements
  • Quicker and more effective transition to new guidance and regulations
  • Qualified professionals with the appropriate level of training and skill sets to address mission critical and business challenges

Our Comprehensive Suite of Solutions and Services...


Today, most enterprises try to deal with cybersecurity threats by focusing inwardly through conducting vulnerability assessments, making detailed network maps, and in some cases, deploying robust patch management processes to continuously monitor their networks and systems. While this approach provides some benefits, against many cyber threats it's ineffective. Most corporate networks are so large and complex that it's simply too difficult to identify all of their assets, or all of their vulnerabilities, and patch them fast enough. Today's cyber wrongdoers are sophisticated, well-funded, and patient—they use a wide range of techniques to penetrate even well-protected enterprises...