Substance Abuse and Mental Health Services Administration (SAMHSA)

Substance Abuse and Mental Health Services Administration Logo

The Substance Abuse and Mental Health Services Administration (SAMHSA) leads public health efforts to advance the behavioral health of the nation. SAMHSA’s mission is to reduce the impact of substance abuse and mental illness on America’s communities. SAMHSA’s has annual budget of approximately $6 billion.

Since 2017, Gunnison has been charged with supporting the agency’s enterprise security program from strategic and tactical stand points. To effectively meet the agency’s security requirements and support its mission, we provide a team of Security Compliance, Security Analysts, Engineers, Penetration Testers, Policy Analysts, and FITARA SMEs to deliver comprehensive information security and privacy support services under the auspices of the SAMHSA Chief Information Officer (CIO), the Chief Information Security Officer (CISO) and Senior Agency Official for Privacy (SAOP). During our work with SAMHSA, Gunnison has helped the agency develop, implement, and mature a comprehensive security program that is responsive to Federal and Departmental mandates and the continuance of a risk-based posture flexible enough to respond to the changing nature of information security and privacy threats.

The Gunnison program team is structured in multiple sub-teams to provide effective support to the Agency across the spectrum of security and compliance.

Gunnison is tasked with ensuring the SAMHSA CIO, CISO & SAOP meet SAMHSA’s programmatic needs by providing management of contract budget, communications, personnel, and tasks. Gunnison’s program management support activities also provide for change management, risk management, and performance management support. Gunnison is responsible for maintaining an effective agency-level information security and privacy program through the effective communication of the program’s goals and requirements throughout the organization and with stakeholders.

Gunnison provides FISMA Compliance support to SAMHSA through the compilation, analysis, and development of FISMA reports on behalf of SAMHSA for submission to the Department.

Gunnison provides SAMHSA RMF support for system authorization (SA) to ensure security and privacy controls are integrated and functioning properly within the system.

Gunnison works closely with the SAMHSA CISO to define SAMHSA’s Cybersecurity Governance Framework, which is tightly coupled to the NIST Cybersecurity Framework (CSF) and other industry leading best practices.

Gunnison is also responsible for supporting SAMHSA’s comprehensive privacy program. As such, Gunnison provides subject matter expertise to the SAMHSA SAOP to develop and support organization-wide approaches to meeting privacy challenges. These efforts include maintaining the Agency’s privacy program that allows privacy to align with and protect sensitive information and client privacy.

Gunnison provides security assessment and authorization (SA&A) support to SAMHSA by tracking, planning, and managing workloads for new and existing systems that required SA&A activities. We conduct SA&A package reviews to ensure compliance with all FISMA, NIST, HHS and SAMHSA standards.

Gunnison is responsible for cybersecurity governance to include policy and procedures development, process improvement, and policy and procedures maintenance. Toward that end, Gunnison creates new policies; performs annual updates of the SAMHSA Information Security and Privacy Policy to ensure it remains compliant with FIPS and NIST requirements; and develops new or supplemental policies, procedures, or guidance to ensure continued Federal and Departmental compliance that address emerging security issues and threats.

Gunnison conducts penetration testing of SAMHSA IT assets to test the agency’s security posture against internal and external threats. As part of our penetration tests for SAMHSA, our expert of pen testers conduct discovery of internal and external assets, search and test for vulnerabilities and exposure, identify security issues, conduct exploitation (when approved), develop and present test results and findings, make recommendations for mitigation strategies, and conduct outgoing briefings for the leadership and stakeholders.



With a winning combination of thought-leading innovation, industry certifications, and strong partnerships, Gunnison brings a holistic, multi-disciplinary approach to solving its customers’ biggest problems yielding long term collaborative partnerships with our clients averaging 10 or more years. What problem can Gunnison solve for you?