NIH | National Cancer Institute | NCI Wiki   New Account Help Tips
Page tree
Skip to end of metadata
Go to start of metadata

Contractor Hosted (Third Party)*Cloud Hosted*CBIIT Fully ManagedNCI Customer Managed and Co-Location
FIPS-199 Security Categorization
e-Authentication Risk Assessment
Privacy Impact Analysis
System Security Plan
IS Contingency Plan
Business Impact Analysis √ (may embed with ISCP)√ (may embed with ISCP)
√ (may embed with ISCP)
√ (may embed with ISCP)

IS Contingency Plan Exercise Report

  • Tabletop (Low (L) availability only)
  • Simulated (L/M/H)
  • Functional (L/M/H)
Memorandum of Understanding (MoU) and/or Interconnection Security Agreement (ISA)As neededAs neededAs neededAs needed
Security (Control) Assessment Plan (SAP/SCAP)
Security Assessment Report (SAR)
Configuration Management Plan (CMP)
Plan of Action and Milestones (POA&M)
Signed ATO Letter
* All security packages including the ATO letter for externally hosted systems (i.e., 3rd party and Cloud) should be electronically copied to the NCI ISSO as evidence that the SA&A was completed in accordance with NIST 800-37 Risk Management Framework.

  • No labels