RYAN’s role in any Cybersecurity solution is as a consulting and advisory services partner supporting system security compliance and security education and awareness across your organization. This is the role we began with U.S. Customs and Border Protection (CBP) over 14 years ago, and it has become one of our most mature capability sets. Our team understands the building blocks of a robust cybersecurity posture Ours is based on effective policy and compliance communication where stakeholders are actively engaged through education and awareness training, job aid support, regular audits, and periodic email reminders. With this understanding, RYAN will support this requirement as your integrated partner by providing expert staff and staying engaged with industry and Government trends to proactively anticipate emerging and long-term needs. This may manifest itself in a myriad of ways to include responding to cybersecurity trends through the development of new policy and procedures, updated awareness training to align with the latest cyber threats, and modifying compliance standards within accepted framework parameters to satisfy changes in congressional mandates or Office of Management and Budget (OMB) guidelines.


RYAN’s knowledge and understanding of protecting sensitive Government information come from its prior experience of working within the Commercial, Civilian, and DoD environments. We understand the importance of maintaining data system integrity and information confidentiality so that PII is never compromised. To this end, we have applied NIST, FISMA, FIPS, PCI, and HIPPA standards to several of our past Cybersecurity projects for various customers. The graphic to the left illustrates our approach to ensuring that your organization’s security posture is always maintained in full compliance. We have successfully used this framework on similar projects with CBP, the United States Department of Agriculture (USDA) Agricultural Research Service (ARS) and the Department of Energy (DOE). The “Analysis” phase includes performing the security assessment and authorization (SA&A) process for FISMA systems. This will allow our team to become familiar with the applicable security policies, procedures and any technical deficiencies identified. The SA&A process will also allow the identification of any areas where the polices or procedures are not clear or need improvement. The plan of action and milestones (POA&Ms) generated from the SA&A process leads to the “Recommendation” phase of our approach. We will make recommendations to remediate the POA&Ms discovered from the SA&A process. This includes technical changes, as well as drafting policies and procedures. The proposed changes will be implemented by adapting them to your organization’s existing change management process. This includes assessing proposed technical changes in applicable test and development environments, before migrating to production. The “Monitoring” phase assesses the impact of the implemented change on the overall functioning of the production environment.


We are currently performing similar support, under the direction of the Information System Security Officer (ISSO) and Chief Information Security Officer (CISO) for the DHS Customs and Border Protection (CBP) and USDA ARS. Both programs are successfully managing cybersecurity concerns from vulnerability management and network security analysis, to updating policy and managing security controls. Our team also employs the NIST Risk Management Framework (RMF) to assist with identifying security controls and control objectives. We will assist with providing strategies for monitoring each control whether implemented or in a Plan of Action and Milestones (POA&Ms).


At CBP, our team applied the NIST RMF to produce tangible results by defining and monitoring procedural and technical controls for several CBP financial systems. Our role as the primary cybersecurity support services provider has resulted in zero negative security audit findings over our entire 14 years of service since we were awarded the CBP contract in 2005. We believe this is a direct result of applying NIST, FISMA and FIPS guidelines as defined by CBP’s enterprise security policy. CBP’s NFC Campus is consistently rated as one of the top three most secure financial information systems across CBP’s enterprise domain and is considered to be a definitive implementation of the NIST RMF by DHS.


We also provide SA&A support to ensure CBP’s compliance with Federal policies and guidelines. We provide input for the POA&Ms, authorization/accreditation expirations and other relevant security artifacts for the Information System Security Officer (ISSO) and Chief Information Security Officer (CISO). We provide corrective actions for deficiencies found during system self-assessments (NIST SP 800-37), reviews, or during any review or monitoring period where deficiencies or hardening opportunities are identified. We test and evaluate systems for compliance with Federal security standards and guidelines (i.e. NIST and FISMA). Our team gathers information and supporting documentation for both annual control reviews and the tri-annual Certification and Accreditation (C&A) process for the CBP NFC LAN, a Federal Financial System containing several subsystems. Our staff has also coordinated with the ISSO in addressing POA&Ms established in the review process and updating progress status. Our team has substantial experience working with NIST control sets and the RMF guidelines that are fundamental to the security C&A process.


We bring a wealth of experience working in tandem with CISOs and ISSOs. Our support includes creating overall security program plans; creating executive and end user presentations; performing the entire SA&A process for new as well as existing systems (internal\external hosted systems, FedRAMP cloud systems, etc.); contingency plan testing; and security training. At DOE, RYAN was instrumental in developing a security program plan for the organization. The plan outlined key aspects of the program which included lines of service (vulnerability scanning, policies and procedures, privacy, etc.); SA&A roles and responsibilities; appropriate use of tools and metrics to assess the status of the program. We presented quarterly presentations that documented the status of vulnerabilities and performed other critical CISO initiatives for the Executive Leadership. We also created end-user training documents to assist the system owners with the completion of initial FIPS 199 and e-Authentication documents.


We have guided USDA, CBP, and DOE systems thru the SA&A process to achieve an Authority to Operate (ATO). In support of DOE and USDA, we created critical SA&A documentation (SSP, Risk Assessment, Contingency Plan, Security Assessment Report, etc.) and assessed applicable security controls for new and existing systems to achieve an ATO. We performed all the technical evaluation, including the vulnerability and compliance scans. The SA&A process also included the entering of data in tools such as the Cyber Security Asset Management (CSAM). We also designed scenarios to test contingency and disaster recovery plans at DOE and USDA. We performed ad hoc tasks deemed critical by the CISO, as necessary. For example, during the evaluation and implementation of new tools, RYAN created the architecture and installed the AppScan Enterprise and Source tools at USDA.


Like the services we provide to CBP, we also provide network security analysis, cyber incident handling, and patch and vulnerability management across the USDA enterprise. Our team monitors multiple sources of security related information and assimilates this information into strategic and tactical intelligence relevant to protecting Government assets and information. We also use this output to ensure consistent and coordinated responses to ongoing security threats across the network to ensure available, secure operation of USDA systems. Our team ensures that all devices connected to the USDA ARS network are known, identified, scanned for vulnerabilities, and patched and remediated as needed. We also provide the ARS CISO with recommendations to improve the cybersecurity posture for the enterprise. As with most Federal Agencies, ARS has highly complex network configurations, along with a distributed network infrastructure requiring our team to have a holistic, continuously improving understanding of the modern cybersecurity landscape. We currently use IBM BigFix, Tenable SecurityCenter (that includes Nessus), AppScan, and Microsoft System Center Configuration Manager (SCCM). We perform vulnerability scans on a recurring basis for every ARS device.


In terms of technological innovation, we provided the initial implementation, as well as ongoing support for a next generation network security protocol called Host Identity Protocol (HIP) for the DOE’s Southeastern Power Administration (SEPA). HIP uses an overlay layer to eliminate the dual roles of IP addressing (naming and addressing) by replacing IP addresses with uniquely and locally generated cryptographic keys. Without the matching cryptographic key allowing access to the overlay network, no data sent from unauthorized devices are even aware that anything other than a generic cryptographic key exists. This “cloak” eliminates the ability of external attackers from performing any kind of port scan or piggyback attack that would easily compromise a traditionally hardened system. Not only did this solution vastly improve DOE’s network security, it also allowed for a significant cost savings realized by leveraging the HIP hypervisor’s automated reporting, monitoring, segmentation and network inventory functionality. As a result, DOE was able to assign a single resource to manage their entire network, versus a team of multiple full time employees performing Subject Matter Expert level work.


Service Desk:


Our innovative. proven approach to Service Desk support is based on our continuous improvement and lessons learned while providing Best Value Service Desk support to CBP and the Cleveland Metropolitan School District (CMSD). We employ the ITIL Framework to ensure that transparent communication and clear lines of authority and accountability are made visible across each organization that we serve. Our Service Desk solution provides support from Tiers 0 through 4.


Tier 0: Self Help Portal and FAQs. This Tier of support is built upon a basic library of lessons learned, known issues, and problems we have collected over the course of 20 years of combined Service Desk support. This level of support reduces the total number of calls to the Service Desk and helps us ensure that all first call resolution, related call handling expectations, and SLAs are met or exceeded.


Tier 1: Basic Access Issues, Reboots, Password Resets, etc. This Tier of support represents the highest volume of Service Desk calls and trend analysis of Tier 1 call data drives our continuous improvement of our Tier 0 Self Help tools. This approach provides additional support for a much higher rate of first call resolution. It opens direct lines of communication between the Service Desk and our customer’s user base that exist virtually within SharePoint, user facing BigFix, Service Now, Change Gear, or other incident management software portals, and other organizationally variable interaction tools such as, chat or email interfaces.




Tier 2: Escalated Incidents Unable to be Resolved at Tier 1. This Tier represents a wide array of potential problems which require a more in-depth analysis of contributing variables. Our approach to Tier 2 resolution involves Root Cause Analysis (RCA) as shown in Figure 5. Often, the root cause of a Tier 2 problem is simply overlooked based on assumption or miscommunication. Our RCA process and the associated logical analytical mindset that it promotes allow us to resolve Tier 2 issues rapidly by directly engaging the user experiencing the issue without assumption or prejudice. Our Tier 2 Service Desk staff are chosen based on their ability to listen to user input about the problem, objectively observe and inventory all relevant variables, account for situational variables that may contribute to the problem, and then rely on their tools, professional instincts, and contemporary, relevant training to identify root causes of problems quickly. By integrating respectful, professional Socratic dialogue into our RCA process, we work more closely with the user and have proven that this tactic increases user satisfaction, as well as user acceptance of Service Desk policies and conclusions. While such tactics are recommended within several incident management frameworks, our implementation and adoption of them, as culturally mandatory, is where we truly innovate in our approach to this specific Task segment.


Tier 3: Escalated Incidents Requiring Expert Intervention. This Tier of support represents a small fraction of the calls typically handled by a Service Desk yet presents the most opportunity to mitigate previously undetected risks and improve overall IT Service Delivery quality. Our approach to Tier 3 support involves ensuring that the right experts are on call to support our customer’s specific organizational technology environment. Additional support from our implementation of the ITIL Framework ensures that escalated incidents are tracked in Problem and Known Issue logs that are transparent, continuously updated by a clearly identified owner, and available to all Service Desk staff. Not only does this practice further improve SLA adherence and overall service delivery, it creates value by increasing user acceptance and trust of the Service Desk as consummate, organized professionals who are just as skilled in interpersonal communications as they are in technology troubleshooting.


Tier 4: Escalated Incidents Requiring Vendor or other 3rd Party Support. This frequently overlooked support tier is one that we have learned to provide a clearly defined solution for based on our vast experience providing Best Value Service Desk support to our customers. Our experience has taught us that transparently mapping out vendor relationships and clearly defined 3rd party system dependencies are critical. This data is made available as a part of our organizational map of managed IT assets. Examples of Tier 4 escalations could involve an ISP-level internet outage or a warranty service claim requiring vendor-employed technicians to perform onsite repair or replacement of IT assets or infrastructure components. As these types of issues require drastically different response tactics and can have enterprise-level effects on IT service availability, we handle them as top priority and assign them a designated tier that accurately represents their distinction from more “normal” incidents. This innovative approach adds value by allowing our staff and organizational stakeholders to communicate more accurately about lines of authority and accountability related to problems of this tier. This increases user satisfaction, user acceptance of onsite IT service providers, and lowers risk by ensuring that warranty services are performed as dictated by manufacturer specifications, thereby increasing our customer’s return on investment and ensuring that potentially critical IT infrastructure assets are not serviced by less qualified technicians based on miscommunication. More importantly, this Tier allows for constant, documented monitoring of vendor support staff by our team. Several recent high-profile cybersecurity related incidents within Government and industry have resulted from 3rd party vendor mistakes which our oversight prevents. The Figure  below provides an overview of our incident management process workflow.

Incident Management Process

RYAN’s Incident Management Process

Our 14 years of providing Best Value Service Desk support for over 1,000 CBP users have resulted in consistently Exceptional CPARS ratings and regular recognition by CBP Program Management Office (PMO) leadership teams. Our exceptional performance supporting the NFC ISSO resulted in the Director of the Financial Systems Division (FSD) personally requesting that we provide an ISSO for his division as well. The Decals and Transponders Online Procurement System (DTOPS) Director estimated that our gap analysis and applied Business Process Reengineering, combined with a custom GOTS application we developed for DTOPS, resulted in cost savings equivalent to no less than 12 full time employees in 2013.


We currently provide comprehensive support across all 4 Tiers of service, including full support for all NIST/FISMA/FIPS and Continuity of Operation (COOP)/Disaster Recovery (DR) activities. Over the course of our service to CBP, we have successfully transitioned incident management from the NFC’s original Tivoli Service Desk, to a Service Now environment, and then most recently to an enterprise BMC Remedy environment. Our experience through these many system transitions has allowed us to develop innovative approaches to the formulation of workgroups, SOPs, job aids, and workflows that are platform agnostic and easily adapted to any incident management system given the parallel functionality that all incident management systems share. Combined with our adoption of the ITIL Framework and its unified, uniform glossary of terms, our incident management solution is truly best in class.


Based on the current NFC business cycle and occasional events outside of our control, we handle between 500 and 750 incident calls, emails, self-service incidents, and chat incidents per month, including an average of 20 walk-up incidents per month. To date, over the last 14 years, we have never failed to meet or exceed the agreed upon SLA for call handling for the NFC. Because of the highly complex organizational makeup of the NFC, we assign an IT liaison to each PMO office, ensuring that there is at least 1 expert on the business case, output, and dependencies of each of the 28 NFC PMO offices and workgroups. This innovative approach allows us to provide exceptional service proactively with a very lean and Agile team who can adapt to a constantly evolving and reorganizing customer base. Our services include:


  • Desktop, laptop, VOIP, and mobile device management and asset tracking;
  • Mobile workforce support;
  • Patch Management for a wide array of Commercial off-the-shelf (COTS) and GOTS applications;
  • Firmware management for IT infrastructure assets like switches, routers, and network printers;
  • Windows Desktop Image and Deployment support;
  • Patch and upgrade testing, utilizing a dedicated offline lab environment;
  • Conference bridge and videoconferencing technical support and scheduling;
  • IT asset life cycle management and obsolescence prevention consulting; and
  • Training and technical writing support for a wide array of office productivity tools.


Our experience with CBP allowed us to develop Service Desk solutions in a highly dynamic environment requiring immediate adaptation to organizational change. This resulted in processes, procedures, and methodologies that are inherently scalable and easy to adapt to virtually any organizational structure. Since 2016, we have provided comprehensive Service Desk support to the Cleveland Metropolitan School District (CMSD). CMSD is a large school system with 110 instructional sites, approximately 5,500 teachers and administrative staff, approximately 40,000 students, and 6,300 classrooms. There are approximately 25,000 personal computers, 5,000 mobile devices, and 100+ software applications within the District. RYAN provides CMSD a turnkey solution for Service Desk and Field Support (Level 2 and Level 3) services to support desktops, laptops, mobile devices, Point-of-Sale (POS) systems, VoIP phones, all peripherals, and direct support for end users across the entire geographically distributed school district. Some notable projects we have completed for the CMSD include:


  • Completed a classroom IT inventory and assessment to create a full asset management and IT life cycle support plan;
  • Met or exceeded all service level agreement metrics consistently since transition;
  • Created a new and innovative custom desktop OS imaging system using existing CMSD assets that increased throughput and deployments by a factor of 20;
  • Created and implemented a technical writing style guide, technology library and process archive to support ongoing Continuous Improvement operations;
  • Significantly reduced the time in queue for helpdesk calls and increased first call resolution rates by an order of magnitude;
  • Modernized and hardened networked IT assets by removing Windows XP operating systems and CRT monitors form classrooms in all CMSD schools;
  • Upgraded over 400 HP 6000 desktop computers to ensure full functionality in preparation for Windows 10; and


Converted all desktops (25,000+) in 6 schools to a customized Windows 10 operating system image that we maintain to this day.