NIH | National Cancer Institute | NCI Wiki  



...

As part of the implementation, you may need to update your application’s design requirements to account for new or modified security requirements. You may also need to implement or develop specific tools to satisfy required controls. If the cost of developing or implementing a new security control is impractical or if it is not cost effective when compared to the potential risk of not implementing the control, you can apply for a security waiver to the NIH chief information security officer (CISO). You should discuss any waiver requests first with your Contracting Officer Representative (COR), and with the NCI ISSO (nciirm@mail.nih.gov) before actually submitting the request, to determine if there are compensating control options and whether the waiver is likely to be approved.

...

Your designated authorizing official (AO) will review the assessment package to determine whether residual risks are acceptable to the organization before issuing a written authorization to operate (ATO) that is valid for a maximum of three years. Your AO will likely be either your Contracting Officer Representative (COR) or your federal program manager (PM). If you have questions, email the NCI ISSO for assistance in identifying your system’s AO.

...

The NIH SA&A policy requires application owners, once their system has been authorized to operate, to annually assess the NIH-selected AA controls, which represent approximately 1/3 of the NIST 800-53 control catalog. These AA controls are published each year and are available upon request by emailing the NCI ISSO (NCIIRM@nih.gov). Annual assessments are part of NIST's continuous monitoring phase of the risk management framework and will help ensure a simpler and faster re-authorization of your system.

...