Office of the Chief Information Officer

United States Department of Agriculture

System Test & Evaluation/Penetration Testing

Service Description

Determine the security posture of agency network and IT systems. Provide System Test and Evaluation (ST&E) of agency network and IT systems. Provide risk management and mitigation guidance. Identify assets and validate identified threats of interest and vulnerability targets. Conduct Penetration Testing to exploit these vulnerabilities and determine if unauthorized access or malicious activity is possible. Recommend security controls to mitigate threats. Verify vulnerability remediation and patch deployment.

What's Included

Functions of a managed security service include:

  • Plan, execute and report on IT system vulnerability root causes and mitigation recommendations.
  • Conduct IT system testing based on the appropriate analysis and review techniques.
  • Provide a security review of system documentation, audit logs, rule set and configuration to validate policy compliance.
  • Capture active IT system, operating system, communications protocol, service and application information to review operational security. 
  • Verify file integrity and encryption of communications.
  • Identify active network devices, ports and communications paths.
  • Identify and mitigate discovered vulnerabilities and weak passwords.
  • Test user awareness measurements.
  • Verify vulnerability remediation through IT system and network vulnerability scanning. 

How We Charge

The cost of this service is recovered based on the number of full-time employees (FTE) supported in your agency as a percentage of total departmental FTEs supported.

Service Level Metrics

Measure               Target SLA
System Monitoring     24 x 7
Incident Response     24 x 7
System Availability   99.99% excluding planned downtime*

Cost Saving Tips

  • Provide lower total cost of information security ownership. 
  • Allow agencies to focus resources on mission critical business objectives.
  • Compliance with government regulations is provided through ongoing security monitoring.
  • A vendor neutral approach supports the appropriate composition of security services by deploying market-based solutions from a wide variety of industry sources.

Additional Information

Services are in compliance with applicable standards from NIST (including SP 800-37), OMB, FIPS and GAO.