NIH | National Cancer Institute | NCI Wiki  


Information Owner (also known as the Business Owner)

The Information Owner (also synonymous with Business Owner) is a Federal official with the statutory, management, or operational authority to safeguard specified information and the responsibility for establishing the policies and procedures governing its generation, collection, processing, dissemination, and disposal. A single information system may contain data from multiple information or business owners, who also can provide input to system owners regarding security requirements and controls. The Information Owner has a governance role to ensure Information System Owner(s) working on their behalf are meeting the operational interests of the user community and maintaining compliance with security requirements. The role of Information Owner is an inherently governmental one and cannot be delegated to non-government staff.

*Note:* NIST combines the Information (aka Business) Owner and Information System Owner roles into a single role called “System Owner.” NCI splits the NIST-defined “System Owner” role into the two separate roles described on this page, so that their distinct responsibilities can be better distinguished. The former must be filled by a federal staff member; the latter can be filled by federal or contractor staff. When NIST calls for a system owner role, NCI normally associates that with our Information/Business Owner role.

Information System Owner

The Information System Owner (commonly referred to as System Owner) is an official responsible for the procurement, development, integration, modification, operation, maintenance, and disposal of an information system. System owners are also responsible for addressing the operational interests of the user community and for ensuring compliance with security requirements.


An AO is a senior federal official with the authority to assume responsibility for operating an information system at an acceptable level of risk to organizational operations and assets, individuals, other organizations, or the country. AOs oversee budgets for information systems, and they may be responsible for the mission or business operations supported by a system. They are also accountable for the security risks associated with information-system operations. AOs have primary responsibility for ensuring adequate resources (e.g., funding and staffing) are made available to address POA&M items. The role of AO is an inherently governmental one.

NCI Security Teams

All NCI security teams are organizationally located within the Center for Biomedical Informatics and Information Technology (CBIIT), supporting the NCI ISSO.

Enterprise Security Team (EST)

The EST is responsible for the cyber governance and compliance of all NCI information systems. In performing these functions, the EST works with Information Owners, System Owners, and their support teams to establish each system's security categorization (Step 1 of the RMF). The EST also finalizes the system's ATO package and works with the Federal A&A Lead and the AO to issue the system's authorization to operate (ATO) (Step 5 of the RMF).

Pre-Assessment Team (PAT)

The PAT works with Information Owners, System Owners, and their support teams to provide guidance during the implementation of security controls (Step 3 of the RMF) and in completing the documentation required for the system to receive an ATO.

Security Assessment Team (SAT)

The SAT performs the independent security control assessment (SCA) for internal NCI systems (Step 4 of the RMF).