SysAudits, LLC is a small minority owned company located in Virginia that specializes in offering exceptional service involving information technology security audits. SysAudits staff and ownership is composed of skilled auditors with certifications as Certified Public Accountants (CPA), Certified Information Systems Auditor’s (CISA), Certified in Risk and Information Systems Control (CRISC), and Certified Information Systems Security Professional (CISSP).  We believe our skill mix and mind set of understanding technology and business risks, costs, and internal controls is found to be beneficial for both the Audit department and the Technology operations side of an organization.  We specialize in performing and assessing system audits for government (Federal, State, Local, Non-Profits, and Education) as well as the commercial sector.

Serves Offered: SysAudits system security services include regulatory gap/pre-assessments, network assessments, general system administration controls, security solution support, audit liaison support, and many other IT cyber assessments. More specifically, our services are directed towards performing regulatory assessments, readiness assessments involving NIST 171, 800-53, FISMA, HiTrust, ITAR, and many others.

FISMA/ITAR/CMMC/HIPAA/HiTrust Assessments and Audits

The Federal Information Security Management Act (FISMA) is a federal law under the E-Gov Act that was enacted to increase the security posture of government agency federal systems, bureaus, departments and their supporting entities. For Federal agencies that are required to comply with FISMA, the requirement extends to compliance with their 3rd party providers which may include outsourced data centers, application providers, and cloud service providers.

International Traffic in Arms Regulations (ITAR) control the export and import of defense-related articles and services on the United States Munitions List (USML).  Overseen by the U.S. State Department, U.S. Commerce Department, and Department of Defense, ITAR data must be protected and restricted under NIST 171 guidance.

DOD CMMC and NIST 171 security control assessment for Levels 1-3. Perform readiness assessments for compliance with mandated policies, procedures, design, and implementation of the 120+ security controls.  Assist organizations in designing and implementing the security controls.  Assist organizations through knowledge transfer to support enhanced policies, procedures, and operations to meet CMMC controls.

The HiTrust and Health Insurance Portability and Accountability Act (HIPAA).  HIPAA was enacted by Congress in 1996 with the Security Rule in place as a methodology to safeguard electronic Protected Health Information. HIPAA applies to healthcare providers, plans, and clearinghouses, (known as covered entities), and any organization contracted by covered entities to perform work including ePHI (business associates). The HIPAA Security Rule is based on three types of security safeguards (physical, technical, and administrative.  HiTrust is an independent certification for HIPAA and SysAudits has assisted organizations in HiTrust readiness assessment, gap assessment, and audit liaison support.

SysAudits offers a variety of services to assist in meeting regulatory compliance from an operational Office of CIO and an Inspector General (IG) audit perspective. OCIO pre-assessments can assist IT leadership in identifying weaknesses in meeting regulatory and assist in developing plans of actions and milestones prior to an Audit assessment. The value in an internal self-assessment is identifying weaknesses prior to an external audit. Audit assessments are clearly performed as an independent audit to determine an organization compliance in meeting regulatory requirements.

SysAudits staff have extensive experience on both the Audit and CIO perspective. This perspective brings value in performing pre-assessments and audits which makes SysAudits stand out amongst other consulting firms. SysAudits methodology consists of assessing, testing and reviewing information systems through in-depth assessment of NIST defined management, operational, and technical testing of controls.

The following represents services provided by SysAudits:

  • NIST 171, ITAR and CMMC compliance
  • NIST 800-53 compliance
  • FIPS 199 categorization, FIPS 200 and agency control selection.
  • Security controls assessment.
  • Authorization recommendation of system and continuous monitoring.
  • Security Assessment Plan (SAP), Rules of Engagement (ROE), and Security Assessment Report (SAR) development.
  • Vulnerability Management and Continuous Monitoring
  • Penetration testing.
  • Internal Vulnerability testing.
  • Wireless and mobile security assessments.
  • Application, database, and infrastructure vulnerability scanning and results interpretation.
  • Architecture and system boundary assessments.
  • Secure configuration management administration and operations.
  • Network design and third-party service provider evaluations.
  • Contingency system planning and additional guidance based on your agency’s requirements.
  • Compliance program pre-assessments.
  • FISMA documentation development, including System Security Plan (SSP), Contingency Plan (CP), Incident Response Plan (IRP), Configuration Management Plan (CMP), Privacy Impact Assessment (PIA), and FIPS 199 Security Categorization, Policies, Procedures, etc.


IT Audits

SysAudits has extensive experience in performing all types of IT audits that include audits of:

  • Vulnerability management programs.
  • General and application controls.
  • Disaster recovery, business continuity, and backup and recovery.
  • Event management, incident response, and remediation.
  • Penetration testing.
  • Internal vulnerability testing.
  • Secure configuration management.
  • Complete data center and outsourced service provider physical, environmental, and access controls.
  • Cloud Planning.
  • System development life cycle for new applications and enhancements.
  • IT Contracting and procurement.
  • IT Contract re-design, consolidation, and enterprise re-architect of enterprise IT contracts.
  • IT contract investigation and litigation support: cost mischarging; contract close outs under terminations for convenience and performance.
  • IT policy and procedures.
  • OCIO and IT Organizational Assessments (structure, personnel, and services)
  • Many others.