NIH | National Cancer Institute | NCI Wiki  

...

Step 4. Conduct the Security Assessment

During this phase of the Risk Management Framework (RMF), a qualified, and usually independent third-party, security assessor evaluates the effectiveness of your application's non-inherited (i.e., non-common) security controls. Controls inherited from a common control provider, such as the hosting platform, are covered by that provider's own assessment and authorization rather than by yours. This process must be completed before your application goes into production. The cost and burden of identifying and paying for the assessor vary based on where the application resides or operates, but the general rules of thumb at NCI are:

  • CBIIT fully-managed applications are assessed by the internal CBIIT security and audit team.
  • Non-CBIIT-managed applications are assessed by external security assessors. These assessors are usually hired and paid for by the system owner (business owner). All packages for externally hosted systems should be provided to the NCI ISSO's office so that it can perform a quality assurance review and provide feedback to the authorizing official for the authorization decision.
NOTE: All final SA&A packages must contain the minimum set of artifacts required by NIH. Visit the NCI SA&A Package Checklist for more information.

The preliminary package, which includes the System Security Plan (SSP), Security Assessment Report (SAR), and Plan of Action and Milestones (POA&M), must be provided to the AO or the AO's designated reviewing official to assess the quality and completeness of the package and to review the findings. This gives the system owner and the system operator a chance to correct invalid findings and to address any findings that can be closed quickly and easily before the authorization request is made. Once this review has been completed and the business owner is satisfied that the package is ready, it is sent to the authorizing official.

Step 5. Authorize the Application (System)

Once the system's security assessment has been completed and the POA&M has been finalized, the final and complete authorization package is submitted to the authorizing official (AO) for a decision. The AO makes the final decision as to whether the residual risks are acceptable and whether the remediation plan (POA&M) to address them is adequate. The AO varies based on the hosting solution, as follows:

  • CBIIT fully managed: NCI CIO
  • Non-CBIIT Managed: Business Owner
  • Contractor/Third-party hosted: Business Owner
  • Cloud: May be the FedRAMP PMO or Agency CIO

...