NIH | National Cancer Institute | NCI Wiki  

Continuous monitoring (CM) is the sixth and final step in the RMF and includes both automated and manual security monitoring and remediation activities. The routine security-control monitoring and remediation that occur after an application has been authorized to operate typically combine automated diagnostic services, such as vulnerability management, intrusion detection and prevention, system and application event log collection and analysis, and patch management. Along with these, manual assessment and remediation procedures must be performed: annual assessments (AA), security impact reviews, plan of action and milestones (POA&M) weakness management, and ongoing authorization (OA) or reauthorization.

Annual Assessments

Once your system has been authorized to operate, the NIH SA&A policy requires application owners to assess the NIH-selected AA controls every year. These controls represent approximately one third of the NIST SP 800-53 control catalog. The AA controls are published each year and are available upon request by emailing the NCI ISSO (NCIIRM@nih.gov). Annual assessments are part of the continuous monitoring step of NIST's Risk Management Framework and help ensure a simpler and faster reauthorization of your system.

Security Impact Reviews

Any time a significant change to your application is proposed while it is operational, you must ensure that new security risks are identified, evaluated, and addressed before those changes are implemented. This may require re-testing of any new or modified controls and, possibly, reauthorization of your application.

POA&M Weakness Management

The Plan of Action and Milestones (POA&M) is a key management tool that lists, prioritizes, and tracks an application's identified weaknesses and the progress made against approved milestones. The POA&M is a living document: any new findings generated by ongoing security assessments and security impact reviews should be added to it as they arise. All progress on and closure of weaknesses must be documented, and each closure must include adequate evidence to support it.

Ongoing Authorization or Reauthorization

NIH is currently developing its ongoing authorization (OA) model for externally hosted applications. Because of the numerous technical challenges associated with automating security analyses and remediation activities outside of the NIH network boundary, this process will most likely be a hybrid of automated and manual activities. NIH is now able to conduct AppScans of applications hosted outside the NIH firewall; please review the AppScan procedure for instructions on how to set up external scans and reporting. Also, please check back here periodically for updates on NIH's continuous monitoring efforts.