Assess & reassess

Officials at SRA International Inc. were well aware of the benefits of receiving an Information Security Assessment Capability Maturity Model (IA-CMM) rating, having first gone through the process of receiving an assessment back in 2001.

The rating, sponsored by the National Security Agency, identifies and measures the maturity of nine process areas related to performing information security assurance services and helps agencies select qualified providers to assess the security of their information systems.

"The Web site for the IA-CMM actually identifies the companies that have been assessed and puts your rating right out there for everybody to look at," said William Bell, SRA vice president and director information assurance and privacy solutions. "We got a lot of calls after that, since it gives agencies a strong comfort level about your ability to do the assessment according to some pretty stringent guidelines."

When the rating was nearing expiration, SRA officials didn't hesitate to renew. Plus, going through the steps of updating processes and having an independent, objective source come in and take a look at how the company was doing is a good way to improve the overall information assurance and privacy practice, Bell said.

"We were putting in new methodologies and new processes all along, so it was kind of like having an external audit come in and say, 'These are the good things you're doing and here are some areas where you can improve,'" he said. "We wanted to really improve our processes?not just get a stamp."

Knowing how rigorous the rating effort could be, SRA took plenty of time to develop a plan. The effort was set up as a specific project, "just as we would do for a customer?identifying a project manager and a project team, laying out milestones and deliverables, all the typical things you would do with project management," he said.

The process took about a year, and SRA made it a point to do the rating work in conjunction with other process improvements and revisions, including recent guidelines put out by the National Institute of Standards and Technology. "It took longer because we were doing that kind of pick-and-shovel work on our overall processes, but we wanted to do it the right way."

The biggest challenges with the certification process was getting up to speed on all the processes laid out under the rating's new version 3.1 and determining what the company was going to be evaluated against, he said.

"It's understanding the rules of engagement and communicating effectively with your staff so that you generate the appropriate artifacts that would match up with those processes," he said. "That required a little bit of extra effort to do that."

The IA-CMM rating, which has been included as a requirement in a couple of intelligence procurements, sets SRA apart from competitors, Bell said. "We definitely use it that way, whether it's responding to proposals or in presentations and marketing materials, it can definitely help put you a notch up over the competition."