NIH | National Cancer Institute | NCI Wiki  

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

A&A Introduction

Welcome to the NCI Information System Assessment and Authorization (A&A) information and guidance page. The information provided here is intended to supplement guidance provided by the National Institute of Standards and Technology (NIST) and NIH to provide best practices for managing the A&A process (A&A was formerly called security assessment and authorization (SA&A) and certification & accreditation(C&A) before that).

Government project officers are responsible for ensuring their contractor-hosted or cloud-hosted applications are authorized to operate (ATO) in accordance with FISMA. This includes all planning, testing, and continuous monitoring activities associated with the system’s life cycle.  Most importantly, this means that you are responsible for securing the resources to conduct required security testing, which for moderate impact systems means using an independent third party assessor qualified to conduct FISMA/FedRAMP audits.  NCI CBIIT does not develop required FISMA/FedRAMP security documentation (except for assisting with the FIPS-199, e-Authentication, and Privacy Impact Assessment), or conduct any of the security testing for applications that are operated exclusively at contractor locations or hosted in the cloud. The extent of CBIIT’s support for exclusively contractor- and cloud-hosted systems is advisory only.

SAA&A is the methodology by which an organization establishes and then demonstrates sound, risk-based security posture for a specific system. We hope that the information provided on the following pages is useful to a variety of users including NCI information system owners, project officers and mangers, contracting officers, software developers, security officers, and security practitioners. It is intended to help you better understand, plan for, and execute the SAA&A process as it applies to your situation (i.e., based on your system's operating location), along with the requirements and expectations for completing the SAA&A. We have also tried to provide you with the tools, templates, and guidance to facilitate the A&A process.

...

*Please note that even if yours is not an IT system, federal privacy and OMB regulations may still apply, especially if you are collecting information from private citizens or contractors, including, for example, through online or paper surveys, via clinical trials, etc. You should always consult the OMB clearance office and the NCI Privacy Coordinator for additional guidance.

Overview of FISMA and

...

A&A

The Federal Information Security Modernization Act (FISMA) of 2014 mandates that all federal information systems — including all NCI information systems — must be formally assessed and authorized to operate (ATO) using the National Institute of Standards and Technology's (NIST) Risk Management Framework (RMF). The RMF is the model used to conduct federal system assessment and authorizations (A&A), so the terms RMF and A&A may be used interchangeably. NIST documented the RMF in Special Publication 800-37, Risk Management Framework for Federal Information Systems: A Security Life Cycle Approach. The RMF is also supported by several additional NIST special publications (SP) guides that are designed to work in conjunction with 800-37. To further help system owners implement the RMF, NIH and NCI have also developed agency-specific A&A guidance, templates, and sample materials, which are discussed in the following A&A process guidance pages.

...