Regulatory Compliance Assessment

Our certified IT Auditors help federal and state government, financial and banking institutions perform compliant assessment, and help address issues of the following:

U.S. Department of Defense (DoD) Cybersecurity Consulting

1. RMF (Risk Management Framework) 

If you are a DoD contractor/subcontractor (or want to become one), you’re required to obtain Authorization to Operate (ATO) for the information system you’re contracting to sell.  We help clients plan, develop and finalize cybersecurity and privacy policies, programs, and compliance artifacts to support government security compliance, systems accreditation and management:

  • Assessment and Authorization (A&A)
  • Prepare and complete the RMF package to obtain Authorization to Operate (ATO)
  • FIPS 199, FIPS 200, NIST 800-30, NIST 800-37, NIST 800-53, NIST 800-53A
  • DoD Security Technical Implementation Guide (STIG) Assessment and Implementation
  • Security Requirements Compliance for Federal Contractors
  • NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
  • NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information
  • Penetration Testing & Vulnerability Assessment
  • DoD/DHS Critical Infrastructure Protection (CIP) Assessment

2. FISMA

FISMA is the acronym for the Federal Information Security Management Act, including revisions since inception in 2002. Vendors and sub-contractors who provide information and/or information systems to federal agencies must prove through an annual assessment that they meet FISMA requirements. This process involves working directly with agencies to conduct ongoing assessments and authorization based NIST Special Publications 800-37, 800-39, 800-53, 800-53A, and 800-137.

How KLC Consulting Can Help

KLC’s assessment and advisory services are designed to help you meet your FISMA authorization needs. We provide guidance in the selection of controls based on the level of impact your system creates to federal agencies with whom you contract business, in adherence to the NIST Risk Management Framework (RMF). Our process includes control mapping, documentation development for a system security plan (SSP), security testing and POA&M generation.  We also liaise with and provide guidance in communications with your designated Authorizing Official (AO).


NIST 800 Series (800-53, 800-37, 800-34 and more)

The National Institute of Standards and Technology (NIST) is the federal agency that works with industry to develop and apply technologies, measurements, and standards. KLC’s SMEs have worked directly with Federal and Private Institutions to assist with compliance to NIST standards. Our core competencies include experience in:

  • NIST 800-53: Recommended Security Controls for Federal Information Systems and Organization
  • NIST 800-37: Guide for Applying the Risk Management Framework to Federal Information Systems
  • NIST 800-34: Contingency Planning Guide for Federal Information Systems

Privacy Impact Analysis (PIA)

The objective of the Privacy Impact Analysis (PIA) is to determine the scope, justification, and Privacy Act applicability for systems collecting, storing or processing sensitive, personal data that may be considered private. Starting with an analysis of current business operation, KLC can assess your privacy impact and help determine the potential damage to your brand and revenue. State and Federal laws set forth steep fines for non-conformance or non-compliance to regulatory privacy laws.

Sarbanes-Oxley (SOX)

KLC has performed Sarbanes-Oxley audits and General Controls testing since the inception of the Sarbanes-Oxley law. We have Big 4 experience with experience in dozens of industries. Our risk based approach to testing IT Audits and controls has been proven effective with some of the largest companies in the world.

Gramm-Leach-Bliley Act (GLBA)

Section 501 of the Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) of 1999, addresses “Protection of Nonpublic Personal Information,” and financial institutions to implement safeguards for the protection of customer information. KLC has assisted some of the largest financial institutions in the world with the implementation, testing, and maintenance of administrative, technical, and physical safeguards to ensure compliance with the Gramm-Leach-Bliley Act.

Financial Regulations FDIC, OCC, OTS, NCUA, FFIEC

KLC has over 10 years experience working with Regulators from the FDIC, OCC, OTS, NCUA, the Federal Reserve, and State examiners. We can represent your company in regulatory audits and examinations and be your central point of contact for all regulatory matters acting as interim CIO or CISO.

Payment Card Industry (PCI) Security Standard

Does your organization store or process credit cards? We have been assisting companies of all sizes achieve PCI compliance for over 8 years. We have developed proprietary templates and utilize industry best practices to achieve compliance at minimal cost to our clients.

Health Insurance Privacy and Accountability Act (HIPAA)

KLC has assisted Government institutions and the private healthcare industry achieve HIPAA compliance by performing detailed analysis of administrative, technical, and physical safeguards of ePHI (electronic protected health information).

California Consumer Privacy Act of 2018 (CCPA)

The California Consumer Privacy Act of 2018 (CCPA), is a bill that enhanced privacy rights and consumer protections for residents of the US state of California.

The intention of the act is to provide California residents with the right to:

  1. Know what personal information is being collected about them.
  2. Know whether their personal information is sold or disclosed and to whom.
  3. Say no to the sale of personal information.
  4. Access their personal information.
  5. Equal service and price, even if they exercise their privacy rights.

Compliance

The CCPA applies to any business, including any for-profit entity that collects consumers’ personal information, which does business in California, and satisfies one or more of the following thresholds:

  • Has annual gross revenues in excess of US$25 million;
  • Possesses the personal information of 50,000 or more consumers, households, or devices; or
  • Earns more than half of its annual revenue from selling consumers’ personal information.

Massachusetts State Data Security Privacy Regulations (201 CMR 17)

Massachusetts and other states require companies to abide by state privacy regulations if you maintain access to someone’s data that resides in that state.

ISO/IEC 27001 Consulting

The ISO 27001 standard (International Organization for Standardization) provides a methodology for the implementation, management and maintenance of information security within a business organization.  An ISO 27001 certification demonstrates your Information Security Management System (ISMS) is mature and provides an advantage over other competitors lacking certification.  KLC consulting provides help with the Pre-Assessment audit, Stage 1 Audit, Stage 2 Audit, and Surveillance Audit.  We also serve as consultants to help client companies prepare for and/or remediate findings.