Security Forms and Templates
The security and privacy forms and templates linked below are grouped by functional area to help you locate the forms associated with the security and privacy activities described elsewhere on the NCI IT Security Website.
Risk planning and risk management
Prepare (RMF Step "0")
Categorize System and Select Controls (FISMA Starter Kit) (RMF Steps 1 & 2)
- FIPS-199 System Categorization (FIPS-199)
- NIST SP 800-60 Volume 1 (Mapping Guidelines)
- NIST SP 800-60 Volume 2 (Information Types w/ provisional security impact level assignments)
- E-Authentication Risk Assessment (E-Auth)
- FIPS-199
- e-Authentication Risk Analysis
- Privacy Impact Assessment (PIA) (Blank) (Requires Internet Explorer; right click and save to open)
- Third Party Website and Applications (TPWA) PIAs – contact the NCI Privacy Coordinator to initiate a new TPWA PIA (Requires Internet Explorer to open)
- Risk Acceptance Memo
- Security Assessment Plan (SAP/SCAP)
- Security Assessment Report (SAR)
- External System Security Plan (SSP) - Contractor Hosted
- Security Impact Analysis (SIA)
Plan of action and milestones (POA&M)
Implement Controls (RMF Step 3)
System Security Plans (SSPs)
- FISMA Moderate SSP (for non-cloud systems categorized as Moderate only)
- FISMA Low SSP (for non-cloud systems categorized as Low only)
- NIH Information Security Policy Handbook (Security Policies and Security Control Implementation Requirements) (FOUO - Request from NCI ISSO Office)
System Standard Operating Procedure (SOP) templates
- Plan of action and milestones (POA&M)
Configuration management
- HHS Minimum Configuration Guides and Checklists
Contingency planning and disaster recovery templates
- NCI Business Impact Analysis
- Sample Reconstitution Checklist
- Sample Recovery Checklist
...
Incident response planning templates
Assess Controls (RMF Step 4)
- Security Assessment Plan (SAP)
- Security Assessment Report (SAR)
- Plan of action and milestones (POA&M)
Authorize System (RMF Step 5)
- Authority To Operate (ATO) Letter
System Standard Operating Procedure (SOP) templates
Monitor System (RMF Step 6)
- Security Impact Analysis (SIA)
- Annual Assessment (AA) Guidance
- AA Security Control Matrix by Fiscal Year (list of security controls to be assessed during AA)
- AA Supplemental Testing Guidance (guidance on testing and evidence to be requested during AA)
- NCI Identity and Access Management SOP
- NCI Audit Management SOP
- NCI System Physical and Environmental Control SOP