Risk Management Framework


Brown Secure Technologies staff includes Subject Matter Experts (SMEs) in RMF Assessment and Authorization (A&A) activities for guiding systems to obtain a successful Authority to Operate (ATO) or Authority to Connect (ATC).  We lead teams of Information System Security Officers (ISSOs) and Security Engineers to perform cybersecurity engineering and RMF A&A efforts for advanced cyber defense and analytic programs used in protecting national public and private-sector critical infrastructure from emerging cyber threats.

Our experienced ISSOs able to provide the full realm of security support activities for a system including the integration of secure engineering enhancements into systems.

We thoroughly document all security requirements and capabilities of systems through writing the Security Controls Traceability Matrix (SCTM), the System Security Plan (SSP), the Concept of Operations (CONOPS), the Configuration Management Plan, Contingency Plan, and Incident Response Plan.

Use RMF tools including XACTA, Continuum and TAF.


Perform Risk Assessments

Brown Secure Technologies has experience in performing independent risk assessments for the following types of organizations:

  - Federal

  - State

  - Commercial

Address all security aspects of the organization including access control, configuration and change management, training, contingency planning, incident response and physical and environmental security controls.

Interview relevant stakeholders to identify and assess organizational security vulnerabilities and threats

Assist organizations with implementing security enhancements to remove or mitigate potential security vulnerabilities

We then provide full Risk Assessment results that:

  - Document the results of the assessment in a Risk Analysis Report that provides a determination of risk based on the expected harm and likelihood of harm occurring due to identified vulnerabilities and associated potential for exploitation

  - Provide recommendations for improving the security posture for the organization or system

Security Engineering

Brown Secure Technologies supports the full spectrum of Security Engineering activities associated with the System Engineering Life-Cycle (SELC) 

  - Architecture and Design

        - Defining requirements

        - Identifying security solutions

  - System Development

         - Integration of Security Controls into the system

          - Identification and implementation of Security Best Practices

Cross Domain Solutions


Brown Secure Solutions has extensive experience in implementing Cross Domain Solutions.  We have provided Subject Matter Expertise in performing A&A activities for guiding CDS systems to obtain a successful Authority to Operate (ATO).  We have documented Security Policy/Programs as needed, as well as identified and integrated Security Controls into the Architecture.  As part of the CDS, we have implemented Identity and Access Privilege Management policy, rules, and attribute identification.


We have taken systems through the A&A process to receive an ATO.  Brown Secure Technologies Security Engineers led the security engineering effort that certified and accredited the Defense Cross Domain Analytic Capability (DCAC) System for the U.S. Army INSCOM.  DCAC was a CDS designed to allow analysts from two adjacent security enclaves access to the data they are authorized to see stored in a single Oracle Database.  Access to the data was strictly enforced through the use of Attribute Based Access Control (ABAC) of the data, security enclave, users, and the workstations used to query the data.

We have coordinated with the Cross Domain Solutions Management Office (CDSMO) as part of the approval process.

Identity and Access Management


Brown Secure Technologies has provided engineering support in the development of Integrated Identity and Access Management Solutions.  This has included systems requiring 

multiple authentications and multiple authorizations including ABAC and Role Based Access Control (RBAC), multiple Public Key Infrastructures (PKIs) and Directories  as well as Cross Domain Solutions.

We have also provided integration of Identity services with authentication services.

Customers have questions, you have answers. Display the most frequently asked questions, so everybody benefits.