Cybersecurity Services
B&M Cyber provides cybersecurity risk management, cyber defense, incident response, security engineering, independent assessment, and cyber program strengthening to Federal and State agencies, and others working with the public sector. We provide full-lifecycle NIST Risk Management Framework (RMF) process support for Federal systems, applications, and common control programs, in accordance with Federal and Agency requirements. Our technical specialists and cybersecurity engineers also provide technical security engineering, cyber defense, and incident response (IR) support that includes installing, configuring, maintaining, and enhancing IT security tools; providing security engineering and architecture support for system design, implementation, and integration efforts; providing 24/7 IR preparation, detection, analysis, remediation, and reporting support; performing web application security and penetration testing; designing and implementing Information Security Continuous Monitoring (ISCM) capabilities and dashboards; and providing overall vulnerability management support.
Additionally, we have deep experience helping Federal Agencies ensure that solutions moved to FedRAMP Cloud Service Providers (CSP) are appropriately secured and monitored. Our services are tailored to the specific needs of each organization and engagement, and are continuously updated to reflect lessons learned from our projects with other organizations, as well as emerging technologies, requirements, and threats.
Our team members bring extensive experience working with the U.S. Government Accountability Office (GAO), Offices of Inspectors General (OIG), and internal audit groups, and we have successfully supported a number of Agencies in preparing for, supporting, and responding to Federal cybersecurity audits and evaluations. We have exceptional depth and breadth of experience across the HACS SIN, including the service areas described below.
B&M has extensive experience in helping to strengthen cybersecurity and privacy programs. A key focus of our support is the use of innovative approaches to automation, data analytics, integrated cyber capabilities, and process streamlining/optimization to help drive significant and measurable improvements to cybersecurity and privacy program operations, and lower the operational burden on IT leadership, external stakeholders, and application teams. This can include the development and implementation of (1) cybersecurity and privacy strategies, plans, and roadmaps; (2) enterprise security architectures and associated artifacts; (3) cybersecurity and privacy continuous monitoring capabilities and processes; and (4) awareness and role-based training for users, executive leadership, and IT personnel. We have assisted several organizations in preparing for, supporting, and responding to Federal cybersecurity and privacy audits and evaluations, and achieving Green / Managed and Measurable in external scorecards and audit reports.
We provide full-lifecycle NIST Risk Management Framework (RMF) support for Federal systems, applications, and common control programs, in accordance with Federal Information Security Modernization Act (FISMA), Office of Management and Budget (OMB), and National Institute of Standards and Technology (NIST) requirements and standards. Our teams have extensive experience in guiding new system acquisitions and development efforts from initiation to Authorization to Operate (ATO), including supporting stakeholders in the design and implementation of appropriate cybersecurity and privacy controls, and serving as independent assessors.
We provide full-lifecycle cybersecurity engineering support for Federal systems and applications, including cloud deployments and cyber tools. This includes:
- Cyber Capability Alternatives Analysis and Selection: We provide alternatives analysis support for security capabilities that protect Federal systems and data. This includes: (1) performing gap analyses and alternatives analyses of the cyber capabilities required versus those available across existing environments (including cloud); (2) providing recommendations for enterprise-level cyber capabilities, and for the optimal capabilities to use in each hosting environment, in alignment with Zero Trust Architecture (ZTA) requirements and principles; and (3) supporting the acquisition process (soliciting price quotes, etc.) for these capabilities.
- Cyber Capability Implementation, ZTA Alignment, and SDLC Support: We provide ongoing cyber engineering SME support to Federal application teams throughout each stage of the system development life cycle (SDLC), including (1) working with Federal project teams to define and validate cyber capability requirements for specific applications and platforms; and (2) supporting the implementation of the required or optimal cyber capabilities for Federal systems and applications.
B&M has supported various Federal Agencies in the migration of on-premises applications to FedRAMP CSPs. B&M provides SME support on strategies and specific technical approaches for (1) the secure migration of Federal systems and applications to cloud environments, leveraging traditional and cloud-native technologies; and (2) effectively embedding vulnerability identification and remediation into DevSecOps processes and the CI/CD pipeline. For example, at one of our clients, B&M designed, implemented, and oversees a DevSecOps pipeline using Dynamic Application Security Testing (DAST) tools (Invicti, Burp Suite Pro), Static Application Security Testing (SAST) tools (SonarQube), and other application security scanning tools (MS Defender), for both on-premises and cloud-hosted applications. This included defining a DevSecOps approach, conducting an alternatives analysis of tools, documenting and communicating procedures and guidelines, supporting tool acquisition, implementing and administering tools, and providing ongoing security SME support to application teams on tool usage, false-positive analysis, and remediation validation.
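The false-positive analysis and remediation validation described above only work in a pipeline if the build gate itself understands which findings have been triaged. The following is an added illustration, not B&M's pipeline code and not tied to any of the tools named above: it reads scanner output in the vendor-neutral SARIF 2.1.0 format (which most SAST and DAST tools can export), suppresses findings whose fingerprint appears in a reviewed allow-list, fails the stage only on unsuppressed findings at or above a severity threshold, and reports allow-list entries that no longer match anything so stale suppressions get cleaned up. The SARIF document, the tool name `ExampleSAST`, the rule IDs, the fingerprints, and the suppression entries are all constructed for the example.

```python
"""Added example: a CI gate over SARIF 2.1.0 scan results with a
reviewed false-positive allow-list. All sample data is constructed."""
import hashlib
import json

# SARIF result levels in increasing severity; the spec's default
# level for a result that omits "level" is "warning".
SEVERITY_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed SARIF document (not the output of any real tool run).
# The third result deliberately omits partialFingerprints so the
# fallback fingerprint path is exercised.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "ExampleSAST"}},
        "results": [
            {"ruleId": "SQLI-001", "level": "error",
             "message": {"text": "Tainted request parameter reaches SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}],
             "partialFingerprints": {"primaryLocationLineHash": "fp-sqli-db42"}},
            {"ruleId": "XSS-002", "level": "error",
             "message": {"text": "Unescaped value rendered into HTML"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/views.py"},
                 "region": {"startLine": 17}}}],
             "partialFingerprints": {"primaryLocationLineHash": "fp-xss-tmpl17"}},
            {"ruleId": "HDR-003", "level": "warning",
             "message": {"text": "Missing Content-Security-Policy header"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/middleware.py"},
                 "region": {"startLine": 5}}}]},
        ],
    }],
})

# Constructed allow-list: fingerprint -> justification recorded at triage.
# "fp-old-removed" no longer matches any finding and should be flagged as stale.
SUPPRESSIONS = {
    "fp-xss-tmpl17": "False positive: template engine auto-escapes this value (triage ticket ref hypothetical)",
    "fp-old-removed": "Fixed in an earlier release; entry should be retired",
}


def fingerprint(result):
    """Stable key for a finding. Prefer the tool's own partial fingerprint
    (it survives unrelated line shifts); otherwise hash rule + file + line."""
    pf = result.get("partialFingerprints") or {}
    if "primaryLocationLineHash" in pf:
        return pf["primaryLocationLineHash"]
    loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
    uri = loc.get("artifactLocation", {}).get("uri", "")
    line = loc.get("region", {}).get("startLine", 0)
    raw = f"{result.get('ruleId', '')}|{uri}|{line}".encode()
    return hashlib.sha256(raw).hexdigest()[:16]


def parse_findings(sarif_text):
    """Flatten every run's results into plain dicts the gate can reason about."""
    doc = json.loads(sarif_text)
    if doc.get("version") != "2.1.0":
        raise ValueError(f"unsupported SARIF version: {doc.get('version')!r}")
    findings = []
    for run in doc.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for r in run.get("results", []):
            loc = (r.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "tool": tool,
                "rule": r.get("ruleId", ""),
                "level": r.get("level", "warning"),
                "uri": loc.get("artifactLocation", {}).get("uri", ""),
                "line": loc.get("region", {}).get("startLine", 0),
                "message": r.get("message", {}).get("text", ""),
                "fingerprint": fingerprint(r),
            })
    return findings


def evaluate_gate(findings, suppressions, threshold="error"):
    """Partition findings and decide pass/fail. Suppression is checked
    before severity so a triaged false positive never blocks, whatever
    its level; anything suppressed still appears in the report."""
    min_rank = SEVERITY_RANK[threshold]
    blocking, suppressed, informational, seen = [], [], [], set()
    for f in findings:
        seen.add(f["fingerprint"])
        if f["fingerprint"] in suppressions:
            suppressed.append(f)
        elif SEVERITY_RANK.get(f["level"], 0) >= min_rank:
            blocking.append(f)
        else:
            informational.append(f)
    return {
        "passed": not blocking,
        "blocking": blocking,
        "suppressed": suppressed,
        "informational": informational,
        # Allow-list entries that matched nothing: candidates for removal.
        "stale_suppressions": sorted(set(suppressions) - seen),
    }


if __name__ == "__main__":
    report = evaluate_gate(parse_findings(SAMPLE_SARIF), SUPPRESSIONS)
    for f in report["blocking"]:
        print(f"BLOCK {f['rule']} {f['uri']}:{f['line']} {f['message']}")
    for fp in report["stale_suppressions"]:
        print(f"STALE suppression {fp}")
    raise SystemExit(0 if report["passed"] else 1)
```

Two design points matter in practice: suppressions are keyed by fingerprint rather than by rule ID or file name, so silencing one reviewed instance does not silence a new instance of the same rule elsewhere, and the stale-suppression report keeps the allow-list from accumulating entries that hide future regressions. Lowering `threshold` to `"warning"` turns the advisory finding into a blocking one without touching the allow-list.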
We provide robust and adaptive cyber defense support, as well as full-lifecycle IR support, to Federal Agencies. This includes identifying events; analyzing detected events to triage, categorize, and classify them as incidents; defining and implementing containment measures; analyzing relevant evidence to determine the root cause, timeline, and forensic/evidence preservation requirements; providing incident coordination support; performing incident tracking; and reporting incidents per Agency and Federal guidelines. B&M maintains real-time monitoring of the threat landscape, including threats identified via open-source and proprietary collection platforms, and provides proactive threat hunting on Federal networks, systems, and applications. We also configure, operate, maintain, and continuously enhance real-time security monitoring capabilities.
B&M provides a suite of Risk and Vulnerability Assessment (RVA) support services that can be delivered on a one-time, ad hoc, or continuous basis. B&M was one of the first 12 vendors to obtain GSA approval to offer RVA support services under the GSA HACS SIN. Service areas include security assessments; vulnerability scanning; threat analysis and penetration testing; and the development of risk metrics and risk mitigation strategies.