 |
Page History
...
The Federal Information Security Modernization Act (FISMA) of 2014 mandates that all federal information systems — including all NCI information systems — must be formally assessed and authorized to operate (ATO) using the National Institute of Standards and Technology's (NIST) Risk Management Framework (RMF). The RMF is the model used to conduct federal system assessment and authorizations (A&A), so the terms RMF and A&A may be used interchangeably. NIST documented the RMF in Special Publication 800-37 rev. 2, Risk Management Framework for Federal Information Systems and Organizations: A Security System Life Cycle Approach for Security and Privacy. The RMF is also supported by several additional NIST special publications (SP) guides that are designed to work in conjunction with 800-37 rev. 2. To further help system owners implement the RMF, NIH and NCI have also developed agency-specific A&A guidance, templates, and sample materials, which are discussed in the following A&A process guidance pages.
...
