
Client Success Story

ISSO Support and DevSecOps for the CMS Marketplace

The CMS Marketplace runs FISMA High systems that must ship fast and pass a stack of federal audits. As a subcontractor to the prime, InterSec built DevSecOps into the Expedited Life Cycle and held continuous authority to operate with zero coverage disruptions.

ISSO Support | Federal | Engagement in progress
9 yrs
Of continuous authority to operate
DevSecOps built into the Expedited Life Cycle, with zero coverage disruptions.
Zero disruptions to coverage from authorization gaps
Met EO 14028 zero trust and supply chain requirements
Passed annual control assessments with minimal findings
Client
Centers for Medicare & Medicaid Services (FFE)
Sector
Federal
Environment
FISMA High systems for millions of Americans
Engagement
Subcontractor to the prime, ~9 years
01

The Challenge

CMS needed to launch updates rapidly while meeting strict compliance across multiple federal standards, and falling short on either speed or security would erode trust in the Marketplace. The difficulty came from three directions at once.

Multi-layered compliance
Cross-agency audits and complex requirements overlapped at once.
High-value assets
The systems held personally identifiable information within FISMA High categories.
Expedited delivery
The Expedited Life Cycle demanded fast delivery without exposing new vulnerabilities.
02

The Approach

Working as a subcontractor to the prime over roughly nine years, InterSec built DevSecOps checks into each step of the Expedited Life Cycle, so security moved at the same pace as delivery rather than gating it at the end. The approach rested on three practices.

01
Apply zero trust and supply chain security
Verify every user and vendor component before granting access.
02
Run collaborative gate reviews
Integrate security checks into each Expedited Life Cycle milestone.
03
Keep documentation continuous
Hold the key authorization artifacts current so audit readiness is a standing state rather than a scramble.
03

The Solution in Practice

InterSec combined automated vulnerability scanning with secure coding practices and continuous penetration testing, letting CMS roll out updates with confidence rather than caution. Ongoing penetration testing and risk assessments caught emergent threats as systems changed, regular artifact updates kept the program audit-ready, and application security was built into development with secure coding standards, automated scans, and code reviews.

Speed and assurance were not a trade-off; DevSecOps built into the lifecycle let a high-tempo program ship fast and stay compliant at the same time.

04

Results & Impact

CMS held the balance between regulatory obligation and rapid feature delivery, reinforcing the Marketplace's reputation for reliable coverage.

Continuous authority to operate was maintained, with zero disruptions to coverage from authorization gaps.
The security posture improved through DevSecOps practices embedded across the lifecycle.
The program met Executive Order 14028 requirements, including zero trust and supply chain security.
The systems passed annual control assessments and a range of federal audits with minimal findings.
05

Key Takeaways

Speed and assurance are not a trade-off
DevSecOps built into the lifecycle lets a high-tempo program ship fast and stay compliant at the same time.
Continuous ATO is earned by continuous documentation
Keeping authorization artifacts current is what turns audit readiness into a standing state.
Audit readiness is a posture, not an event
Maintaining evidence year-round is what produces minimal findings across many overlapping audits.
Verify before you trust
Zero trust and supply chain checks are foundational for high-value federal systems.
Capabilities Demonstrated
ISSO Support (FISMA High)
DevSecOps Across the Expedited Life Cycle
Continuous Penetration Testing
Zero Trust & Supply Chain Security
Cross-Agency Audit Readiness

Working With InterSec

High-tempo delivery and uncompromising compliance can coexist.

When security is built into the lifecycle, they reinforce each other. InterSec provides ISSO support and DevSecOps for federal programs that cannot afford to slow down or fall out of authorization. Let's talk about your environment.