Coalfire is an independent IT Governance, Risk and Compliance (IT-GRC) organization with offices across the U.S., providing IT security advisory and assessment services to organizations that are required to conduct compliance assessments/audits to meet the requirements of an industry standard or regulation. As a benefit, clients are finding that maintaining compliance accelerates sales discussions with existing customers and new prospects, where compliance is considered a prerequisite for doing business.
Coalfire is an accredited FedRAMP 3PAO, providing advisory services and security assessments of cloud environments and systems being made available for hosting government data. Services include pre-assessment, advisory services for documenting policies and procedures as well as developing a Systems Security Plan (SSP), security assessment services, vulnerability scanning, penetration tests and development of Security Assessment Reports (SARs). In addition, Coalfire is available to conduct 3PAO-required portions of the Continuous Monitoring requirement to maintain the FedRAMP Provisional ATO.
Government agencies, and their vendors and subcontractors, are required to go through a FISMA assessment to achieve an agency ATO. Coalfire conducts assessments in accordance with NIST SP 800-53 r3 and FIPS 199 and 200, which prescribe the minimum framework controls for government information systems. Coalfire's team of FISMA experts assists organizations in preparing for FISMA audits, system accreditation, asset classification, and risk assessments.
Coalfire provides advisory and assessment services supporting a CSP’s pursuit of DISA ECSB provisional authority to operate (P-ATO) and listing in the DISA enterprise cloud service catalog, as well as the cloud service consumer request form by which requirements are submitted to the ECSB. Our services are intended for CSPs seeking authorization for ECSB Impact Levels 1 – 6.
Electrical utility companies and organizations involved with the smart grid need to meet the new NERC Critical Infrastructure Program (CIP) requirements. Coalfire offers a complete range of services that cover the nine key areas addressed by NERC CIP: Sabotage, Critical Asset Identification, Security Management Controls, Personnel and Training, Electronic Security Perimeter, Physical Security Protection, Systems Security Management, Incident Reporting and Response Planning, and Recovery Plans.
Coalfire is a HITRUST certified assessor for healthcare organizations seeking a Common Security Framework (CSF) assessment. The HITRUST CSF consolidates and normalizes the security requirements that apply to healthcare organizations. For those that choose not to pursue a HITRUST assessment, Coalfire can assess a healthcare organization, covered entity or business associate against their specific HIPAA or HITECH compliance requirements.
Coalfire assists financial services institutions in reducing security risk, meeting FFIEC and GLBA compliance requirements, mitigating e-authentication risk and increasing operational efficiency throughout the organization. Our experience in training NCUA, FDIC and OCC/OTS regulators allows us to provide thorough, cost-effective solutions to complex IT risk management requirements.
Coalfire has been a leader in conducting PCI assessments for the full range of organizations that make up the payment processing ecosystem. Coalfire carries all the certifications and credentials required to assess compliance with the Payment Card Industry Data Security Standard for ecommerce merchants, retail organizations, payment processors, service providers and payment application developers.
Coalfire provides gap analysis and pre-assessment services for organizations that need to meet ISO standards, such as 27001.
Coalfire, through its suite of Navis solutions, provides vulnerability scanning services for both external and internal networks. Scan services are generally a complementary requirement alongside the security audit and assessment services for industry-specific regulatory requirements (e.g. PCI DSS).
The Coalfire Labs team of professionals conducts penetration testing and ethical hacking scenarios to demonstrate how well an organization's network assets are protected. Penetration testing services are available for corporate networks, data environments, and software applications. In addition, our forensic team assists with incident response, data breach analysis and threat mitigation.