NIH | National Cancer Institute | NCI Wiki  


A security impact analysis (SIA) is conducted in the continuous monitoring phase, after a system has received an Authority to Operate (ATO), when the system is planning to undergo a significant change that may affect its security posture. The SIA process described in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37, Revision 2, Risk Management Framework analyzes significant changes to the information system to determine their potential security and privacy impact before the change is implemented. An SIA must be completed and approved before a new significant change, upgrade, or release is deployed to the production environment.

Significant Change

NIST Special Publication 800-37 Rev. 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (Appendix F, pages 153-154), gives a general definition of a significant change and examples of what could be considered one: a significant change is a change that is likely to substantively affect the security or privacy posture of a system. Depending on the type of significant change to a system, it triggers one of two processes: 1) the completion and approval of an SIA, or 2) re-authorization of the system.

Examples of significant changes to a system that may trigger a security impact analysis include, but are not limited to:

  • Installation of a new or upgraded operating system, middleware component, or application;
  • Modifications to system ports, protocols, or services;
  • Installation of a new or upgraded hardware platform;
  • Modifications to how information, including PII, is processed;
  • Modifications to cryptographic modules or services;
  • Changes in information types processed, stored, or transmitted by the system; or
  • Modifications to security and privacy controls.

Significant changes to the environment of operation that may trigger a re-authorization action may include, but are not limited to:

  • Moving to a new facility or operating environment;
  • Adding new core missions or business functions;
  • Acquiring specific and credible threat information that the organization is being targeted by a threat source; or
  • Establishing new/modified laws, directives, policies, or regulations.

System Security Plan (SSP)
