NIH | National Cancer Institute | NCI Wiki  


...

The current regulations are pursuant to the Federal Information Security Management Act (FISMA), 44 U.S.C. 3541 et seq. FISMA applies to NIH grantees only when they collect, store, process, transmit or use information on behalf of HHS or any of its component organizations. In all other cases, FISMA is not applicable to recipients of grants, including cooperative agreements. The grantee retains the original data and intellectual property, and is responsible for the security of this data, subject to all applicable laws protecting security, privacy, and research. If and when information collected by a grantee is provided to HHS, responsibility for the protection of the HHS copy of the information is transferred to HHS, and it becomes the agency's responsibility to protect that information and any derivative copies as required by FISMA. For the full Grants policy, please visit the NIH Grants policy page.

Do I need to complete any NCI-required security forms?

...

Yes, if the system meets the criteria that define a federal information system, then it does need an SA&A and an ATO. If you are responsible for a system that is hosted outside an NIH-owned or NIH-operated facility, you should consult with the NCI Information Systems Security Officer (ISSO) for specific guidance to make sure you are properly complying with FISMA regulations. You should also coordinate with your respective Contracting Officer Representative (COR) for contract-related questions, and with your grants administrator if operating under a grant. Keep in mind that systems or applications that live within an existing authorization boundary of a Major Application or General Support System may inherit an authorization. See the FAQ below regarding authorizations within authorized Major Application or GSS systems.

Can you provide an overview of the SA&A process?

NCI and NIH follow the National Institute of Standards and Technology (NIST) Special Publication 800-37 rev. 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. You should adhere to the 800-37 rev. 2 RMF and use templates published by NIST under the 800 series of NIST special publications.

...

You should coordinate SA&A activities with your Contracting Officer Representative (COR) and NCI project/program manager. If you still have questions after speaking with your COR or PM, you can email the NCI ISSO at nciirm@mail.nih.gov.

Who pays for the SA&A?

The responsible government project sponsor must ensure that adequate funding is allocated to support all security-related compliance activities, including FISMA and the SA&A. Responsible individuals should plan accordingly in their operating budgets as well as in all IT-related acquisition plans.

...

If you have questions about risk acceptance memos or security waivers, contact the NCI ISSO at nciirm@mail.nih.gov.

Who is my Authorizing Official/Designated Approving Authority (AO/DAA)?

...

For the latest list of cloud providers that are FedRAMP certified, visit the FedRAMP Marketplace on the FedRAMP website.

If my system is part of an existing major application (MA) or general support system (GSS), do I still need an SA&A?

...