NIH | National Cancer Institute | NCI Wiki  


...

Because these definitions can be vague or misinterpreted, many people assume that a federal information system includes only systems physically housed or operated within a federally owned or operated facility, and that any information system housed elsewhere (for example, at a contractor's location, at a hosting provider's location, or with a cloud service provider) is not a federal information system. This is not necessarily the case. A better determination can be made by examining accountability for and control of the system's information, and who is directing the establishment or operation of the system. For example, if an agency of the federal government has directed or mandated the creation or operation of an information system (through a contractual arrangement or through other means of federal funding, sometimes including grants), or if the government owns or will likely take possession of the data used in the system, then FISMA applies to that system. Contracting with a non-federal organization to host or operate your system does not exclude the system from FISMA requirements. If you are uncertain whether yours is a federal information system, please contact the NCI ISSO's office for clarification.

The following examples are for illustrative purposes and are not exhaustive.

| Federal Information System | NOT a Federal Information System |
| --- | --- |
| Website(s) used to collect or publish information by or on behalf of the federal government (regardless of the type or sensitivity of the information collected, processed, or stored). | Websites operated by third parties, independent of any government organization (e.g., they do not collect, store, or process any information for or on behalf of the federal government). |
| Web application or N-tiered application used to collect or publish information on behalf of the federal government. This includes client-server architectures where remote access is possible. | Desktop productivity tools (e.g., Microsoft Office tools, WordPerfect, FileMaker Pro desktop version, MS Access). |
| An enterprise database system (e.g., Oracle, SQL, Postgres) that contains federal government records. Note that even an MS Access or FileMaker Pro database, which is normally considered a desktop tool rather than a system, could be considered an information system if it is not limited to use by a single user and it provides a remote/web user interface that could allow multiple people to access the data. | A Microsoft Access database operated on a single workstation that does not provide a remote access user interface (i.e., it is not web enabled and is only accessible from the local workstation). |
| A centrally managed and automated system (collection) of Adobe PDF forms that has been web-enabled to allow users remote access to and modification of the forms. | Adobe PDF files kept on a local user's desktop computer or on a networked file share drive. |
| General Support Systems (GSS) (e.g., enterprise network environment, data center, enterprise database system, enterprise e-mail environment) used to support federal information and federal technology resources. | User files kept in a network file share or network attached drive for the purpose of online storage and backup. (Note that you should never store sensitive or patient-related information in group or public file shares without first checking the security policy and consulting your information security officer.) |
| Any externally operated system where the federal government has a contractual arrangement or expectation to access or receive the data stored therein; that is, data that is not owned solely by the external organization but is collected on behalf of or for the benefit of the federal government. | Third Party Websites and Applications (TPWA) as defined by HHS and on the approved TPWA list. TPWAs are usually subscription-based applications such as Facebook, Flickr, GitHub, YouTube, Twitter, IdeaScale, and Survey Monkey. For the full list of currently approved TPWAs, consult the HHS approved TPWA list. |
| Any cloud-based website or system that collects, stores, or processes information on behalf of the federal government. Note that cloud systems must also abide by FedRAMP. | |


*Please note that even if yours is not an IT system, federal privacy and OMB regulations may still apply, especially if you are collecting information from private citizens or contractors, for example through online or paper surveys or via clinical trials. You should always consult the OMB clearance office and the NCI Privacy Coordinator for additional guidance.

...