Veteran’s Administration (VA), Tennessee Valley Health System
Gunnison assisted Huron Consulting Services’ Healthcare Software Group in preparing for a cloud migration of three disparate health IT applications to a single FedRAMP HIGH Amazon Web Services (AWS) GovCloud environment.
Gunnison acted as an advising Information Systems Security Officer (ISSO), conducting a thorough analysis of the systems’ architecture, implementation and documentation to assess their overall security posture, with a focus on FISMA controls and documentation gaps, in order to achieve an authority to operate (ATO) from the VA. Gunnison identified several gaps, worked with system owners to recommend tools, technologies, and techniques to close them, and created additional detailed plans: a Configuration Management Plan, Contingency Plan, Incident Response Plan and Account Management Plan.
To ensure FISMA HIGH compliance, Gunnison created and maintained a detailed FISMA Control compliance matrix. This matrix was configurable (Low, Moderate, High) based on the VA’s classification of the system. This allowed the team to pivot quickly when the classification was changed from Moderate (the original plan) to High. The control compliance matrix was a key tool to identify gaps, directly reference control compliance in large documents and allow for self-assessment prior to any third-party assessments. These plans, procedures and compliance matrix were all compiled into a single supporting System Security Plan (SSP) package delivered to a Third-Party Assessment Organization (3PAO), leading to a successful achievement of the VA ATO.