NIH | National Cancer Institute | NCI Wiki  


Document | ATOaaS (Low) | Low | Moderate | High
FIPS-199 Security Categorization
e-Authentication Risk Assessment

Privacy Impact Assessment (PIA)



Business Impact Analysis



System Security Plan (SSP)
Configuration Management Plan (CMP)

Contingency Plan (includes disaster recovery/incident response plans)

Contingency Plan Exercise Report | Tabletop | Tabletop | Simulated or Functional | Simulated or Functional

  • The Tabletop option is available to any system with a "Low" rating for availability

Memorandum of Understanding (MoU) and/or Interconnection Security Agreement (ISA) | As needed | As needed | As needed | As needed
Security Assessment Plan (SAP)
Security Assessment Report (SAR)
Plan of Action and Milestones (POA&M)
Signed ATO or Endorsement Letter

Self Attestation


These requirements apply to all NCI federal systems regardless of hosting location:

  • Contractor/Third Party Hosted
  • CBIIT Managed
  • Customer Managed
  • Co-Location
  • Cloud






















































