Artifact Name | FAST ATO (Low) | Low | Moderate | |||||
Contractor Hosted (Third Party)* | Cloud Hosted* | CBIIT Fully Managed | NCI Customer Managed and Co-Location | FIPS-199 Security Categorization | √ | √ | √ | |
√ | e-Authentication Risk Assessment | √√ | √ | √ | ||||
Privacy Impact Assessment (PIA) | √ | ||||||
Business Impact Analysis | √ | √ | ||||||
System Security Plan (SSP) | √ | √ | √ | √ | ||||
Configuration Management Plan (CMP) | √ | √ | √ | √ | Business Impact Analysis | |||
Contingency Plan (includes disaster recovery/incident response plans) | √ (may embed with ISCP) | √ | (may embed with ISCP)√ | (may embed with ISCP)√ | (may embed with ISCP)||||
Contingency Plan Exercise Report |
| √ Tabletop | √ Tabletop | √ Simulated | √ | √ | √ | √|
Memorandum of Understanding (MoU) and/or Interconnection Security Agreement (ISA) | As neededAs needed | As needed | As needed | |||||
Security (Control) Assessment Plan (SAP/SCAP) | √√ | √ | √ | |||
Security Assessment Report (SAR) | √√ | √ | √ | |||||
Plan | (CMP)√ | √ | √ | √ | Plan of Action and Milestones (POA&M) | √ | √ | √ |
Self Attestation | √ | |||||||
Signed ATO Letter | √ | √ | √ | √ | ||||
These requirements apply to all NCI federal systems regardless of hosting location: Externally (Contractor/Third Party) Hosted

\* All security packages, including the ATO letter, for externally hosted systems (i.e., 3rd party and Cloud) should be electronically copied to the NCI ISSO as evidence that the SA&A was completed in accordance with the NIST 800-37 Risk Management Framework.