Security Assessment and Authorization (SA&A) are just two of the six steps that comprise the risk management framework (RMF) as defined by the National Institute of Standards and Technology in NIST Special Publication 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems. (Revision 2, published in 2018, adds a preparatory "Prepare" step ahead of these six; the process below follows the six-step model.) The RMF is a full life cycle approach to managing the risk of federal information systems and includes these steps: 1) categorizing the system; 2) selecting security controls; 3) implementing security controls; 4) assessing the controls; 5) authorizing the system; and 6) monitoring the security controls.
According to FISMA, all federal applications/systems must be authorized in writing before they are placed into operation. This applies to both internally- and externally-hosted federal applications. Because your NCI-owned system will be hosted and/or operated external to the NIH network, you will most likely need to test the full set of applicable NIST 800-53 controls. If your system will be operated within a previously assessed and authorized shared environment, such as a general support system or another major application that has an active FISMA ATO, then you may have fewer controls to test because some controls are inherited from that environment. Otherwise, you should plan to assess the full set of applicable NIST 800-53 controls as required under FISMA and in accordance with Federal Information Processing Standard 200 (FIPS-200), Minimum Security Requirements for Federal Information Systems.
The information below will help you understand how to prepare for and conduct the SA&A for your externally-hosted federal application. Note that this process does not reflect the process for cloud-hosted applications. Visit the Cloud Hosted Systems SA&A page for more information on conducting an SA&A for a cloud-based application.
1. Categorize the Application
Use the NCI Security Starter Kit for templates and guidance on completing the Federal Information Processing Standard (FIPS)-199 form, the e-Authentication Threshold and Risk Analysis (eTA/eRA) forms, and the Privacy Impact Assessment (PIA). All three forms are required to ensure that you select the appropriate security controls for your application based on its security-impact rating, authentication needs, and privacy concerns. This step is consistent with other types of federal information systems whether hosted internally, externally, or in the cloud.
2. Select Security Controls
Once you have completed categorizing your application you can determine which security controls are required. Since your application is hosted externally, you will most likely need to implement most or all of the applicable controls, or ensure that they have been implemented by your service provider for your use. Any controls that you are required to implement will be evaluated during the assessment phase. In addition to using FIPS-200, you can reference the Security Control Inheritance Matrix to help identify the controls you need in a contractor hosted environment.
You should also reference the Top 20 Critical Security Controls for Cyber Defense list. This list represents a consortium of industry and government security experts' assessment of the set of controls that delivers the highest immediate value against current and common attack methods. The list maps onto a subset of the NIST 800-53 catalog and is designed to serve as the basis for immediate high-value action; it supplements, rather than replaces, the 800-53 controls your FIPS-199 categorization requires.
3. Implement Security Controls
As part of the implementation, you may need to update your application's design requirements to account for new or modified security requirements. You may also need to implement or develop specific tools to satisfy required controls. If developing or implementing a new security control is impractical, or if its cost is not justified when compared to the risk of not implementing the control, you can apply to the NIH chief information security officer (CISO) for a security waiver. Discuss any waiver request first with your Contracting Officer Representative (COR) and with the NCI ISSO before actually submitting it, to determine whether compensating control options exist and whether the waiver is likely to be approved.
4. Conduct the Security Assessment
During this phase of the Risk Management Framework (RMF), a qualified security assessor, usually an independent third party, will evaluate the effectiveness of your application's security controls. This process must be completed before your application goes into production (i.e., is live with real data being collected, processed, or stored). Because your system is hosted externally, your organization will likely bear the full cost of the security assessment activity. Whoever conducts the assessment must be experienced in applying the NIST RMF as outlined in NIST 800-37.
Your final SA&A package must contain the minimum set of artifacts required by NIH. Visit the NCI SA&A Package Checklist for more information.
5. Authorize the Application
Your designated authorizing official (AO) will review the assessment package to determine whether the residual risks are acceptable to the organization before issuing a written authorization to operate (ATO), which is valid for a maximum of three years. Your AO will likely be either your Contracting Officer Representative (COR) or your federal program manager (PM). If you have questions, email the NCI ISSO for assistance in identifying your system's AO.
6. Conduct Continuous Monitoring and Reauthorization
Continuous monitoring (CM) is the sixth and final step in the RMF and includes both automated and manual security monitoring and remediation activities. The routine security-control monitoring and remediation that occur after an application has been authorized to operate typically combine automated diagnostic services, such as vulnerability management, intrusion detection and prevention, system and application event log collection and analysis, and patch management, with manual assessment and remediation procedures. The manual procedures that must be performed are annual assessments (AA), security impact reviews, plan of action and milestones (POA&M) weakness management, and ongoing authorization (OA) or reauthorization.
Annual Assessments
Once your system has been authorized to operate, the NIH SA&A policy requires application owners to assess the NIH-selected AA controls every year; these controls represent approximately one third of the NIST 800-53 control catalog. The AA controls are published each year and are available upon request by emailing the NCI ISSO. Annual assessments are part of the continuous monitoring step of the NIST risk management framework and help ensure a simpler and faster reauthorization of your system.
Security Impact Reviews
Any time a significant change to your application is proposed while it is operational, you must ensure that new security risks are identified, evaluated, and addressed before the change is implemented. This may require re-testing of any new or modified controls and, possibly, reauthorization of your application.
POA&M Weakness Management
The Plan of Action and Milestones (POA&M) is a key management tool that lists, prioritizes, and tracks an application's identified weaknesses and the progress made against approved milestones. Because the POA&M is a living document, any new findings generated by ongoing security assessments and security impact reviews should be added to it as they arise. All progress on and closure of weaknesses must be documented, and each closure must include adequate evidence to support it.
Ongoing Authorization or Re-authorization
The NIH is currently developing its ongoing authorization (OA) model for externally hosted applications. Because of the numerous technical challenges associated with automating security analyses and remediation activities outside of the NIH network boundary, this process will most likely combine automated and manual activities. NIH is now able to conduct AppScans of applications hosted external to the NIH firewall. Please review the AppScan procedure for instructions on how to set up external scans and reporting. Also, please check back here periodically for updates on NIH's continuous monitoring efforts.