 |
Page History
...
Before getting into specific A&A process and guidance, it is first helpful to review exactly what constitutes a "Federal Information System" so that you have a better understanding of when FISMA applies and when it may notknow when FISMA or, perhaps, another federal security assessment frameworks (e.g. FedRAMP, CUI) may apply. The following definitions and clarification clarifications are based on guidance provided by the Office of Management and Budget (OMB) as well as internal from subsequent interpretations by OMB on the matter that have been published since 2001 when FISMA became law.
OMB initially defined an information system in 2001 a Federal Information System as: A discrete set of information resources organized for the collection, processing, maintenance, transmission, and dissemination of information, in accordance with defined procedures, whether automated or manual. (defined in OMB circular A-130, (6)(q)). OMB also later clarified that Federal Information Systems are those that are used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency (44. U.S.C. § 3544(a)(1)(A)).
Since these definitions can be somewhat vague or misinterpretedconfusing, many people often assume that a federal information system only includes those that are physically housed and/or operated within a federally-owned or federally-operated facility (i.e., government-owned/government-operated (GOCO)), and that any other information system that is housed elsewhere (i.e., at a contractor's location, at a hosting provider's location, or by a in the cloud service provider) are not federal information systems. This is not necessarily the case. In fact, a better determination of federal system vs. non-federal can be made by examining accountability for and control of a system's information and who is directing , and whether the government directed the establishment or operation of the system. For example, if an agency of the federal government has directed or mandated (ie.eg., through a contractual arrangement or through other means of federal funding – sometimes to include grants) support), the creation or operation of an information system, or if the government owns will have access to the system or will likely take possession of the data that is used in the system, then FISMA would apply to that it is probably a federal information system. Contracting with a non-federal organization to host or operate your system does not exclude the system from FISMA federal regulations. If you are uncertain about whether yours is a federal information system, please contact the the NCI ISSO's office for clarification.
...
The Federal Information Security Modernization Act (FISMA) of 2014 mandates that all federal information systems — including all NCI information systems — must be formally assessed and authorized to operate (ATO) using the National Institute of Standards and Technology's (NIST) Risk Management Framework (RMF). The RMF is the model used to conduct federal system assessment and authorizations (A&A), so the terms RMF and A&A may be used interchangeably. NIST documented the RMF in Special Publication 800-37 rev. 2, Risk Management Framework for Federal Information Systems and Organizations: A Security System Life Cycle Approach for Security and Privacy. The RMF is also supported by several additional NIST special publications (SP) guides that are designed to work in conjunction with 800-37 rev. 2. To further help system owners implement the RMF, NIH and NCI have also developed agency-specific A&A guidance, templates, and sample materials, which are discussed in the following A&A process guidance pages.
...
