NIH | National Cancer Institute | NCI Wiki  


Continuous monitoring (CM) is the sixth and final step in the RMF and includes both automated and manual security monitoring and remediation activities. The routine security-control monitoring and remediation that occur after an application has been authorized to operate often include a combination of automated diagnostic services such as vulnerability management, intrusion detection and prevention, system and application event log collection and analysis, and patch management. Along with these, manual assessment and remediation procedures such as annual assessments (AA), security impact reviews, plan of action and milestones (POA&M) management, and ongoing authorization (OA) or re-authorization must be performed.

Annual Assessments

The NIH SA&A policy requires application owners to assess a set of controls that is roughly 1/3 of the total applicable controls each year after the ATO has been issued. Each year NIH issues guidance on which controls must be annually assessed. This list is available from the NCI ISSO upon request, or may be provided by your C.O.R. This approach helps owners address the most prevalent security threats on an ongoing basis while maximizing efficiency, and it supports the system's re-authorization decision every three years. If a system owner fails to keep up with the annual assessments, then every three years the system must be fully re-assessed. These controls need only be assessed to the extent they are not already covered under the FedRAMP inherited controls.

Security Impact Reviews

When significant changes to your application are proposed (while it is operational and has an active ATO), you must ensure that new security risks are identified, evaluated, and addressed before those changes are implemented. This may require re-testing of any new or modified controls and, possibly, re-authorization of your application. However, if you follow a defined change control process, and if you adequately identify and address potential risks that may result from a proposed significant change, re-authorization may not be required. The idea is to be transparent about such changes, to adequately identify and address potential risks, and to keep a record of such assessments. Some changes may be so significant that the system must be re-authorized, such as changing the operating location of a system or a complete re-design of a system. When in doubt about whether a re-authorization may be needed, please consult with your ISSO.

POA&M Management

The Plan of Action and Milestones (POA&M) is a key management tool that lists, prioritizes, and tracks an application's identified weaknesses and remediation progress. Any new security findings that are generated from ongoing security assessments and risk impact reviews should be added to the application-specific POA&M and remediated in a timely manner. You should not track the CSP's POA&M items, as those will be monitored by the FedRAMP Project Management Office (PMO) or by the agency that sponsored the CSP's FedRAMP assessment.

Ongoing Authorization and Re-authorization

The NIH is currently developing its ongoing authorization (OA) model, so we are not using a true ongoing authorization approach at this time. However, by demonstrating that you have conducted annual assessments, applied sound configuration and change control, scanned for and closed technical and security vulnerabilities, addressed your POA&M items in a timely manner, and patched your systems and applications in accordance with NIH standards, you will be able to seek re-authorization as required every three years and should find the process less time-consuming and less expensive than starting from square one.
