The U.S. Patent and Trademark Office (USPTO) had been cited by the U.S. Department of Commerce Inspector General (IG) for three material weaknesses and was on the Office of Management and Budget (OMB) Watch List because of shortfalls in its IT system security. The USPTO Senior Agency Information Security Officer (SAISO) needed independent and objective advice and assistance to improve USPTO’s security program.
Engility conducted a comprehensive assessment of all aspects of the USPTO security program and produced a program-level Plan of Action and Milestones (POA&M) in accordance with OMB guidance and directives. Our support included:
- Project Management. Engility provided program management support to help USPTO implement the policies, controls, and procedures needed to improve IT security.
- Certification and Accreditation (C&A). Engility examined technical documentation and interviewed management and subject matter experts (SMEs). We used a traceability matrix for compliance tracking and generated all C&A artifacts.
- Security Test and Evaluation (ST&E). We performed ST&E activities, which require complete independence from the system owners and highly skilled personnel to conduct the necessary testing.
- Policy Development Assistance. Engility helped revise security policies that required updates to accommodate new regulations (e.g., National Institute of Standards and Technology [NIST], U.S. Government Accountability Office [GAO], IG, and OMB guidance for Capital Planning and Investment Control [CPIC] activities).
- Product Evaluation. Engility evaluated various products to determine whether they met the business requirements and conducted a risk assessment of each product to ensure that no new threats or other risks would be introduced into the enterprise.
- Security Architecture Services. Engility conducted architecture updates associated with introducing a new product or service. We reassessed the architecture, implemented the change, and continuously monitored the security architecture in response to USPTO’s dynamic environment, tying all architecture planning to the CPIC process and balancing user access needs with security requirements.
Results included:
- Helped USPTO get off OMB’s Watch List within 6 months.
- Helped get one of the three material weaknesses lifted within 1 year; remediation of the other two weaknesses is progressing according to plan.