NIH | National Cancer Institute | NCI Wiki  

Versions Compared

Old Version 13

changes.mady.by.user Hayn, Craig (NIH/NCI) [E]

Saved on

compared with

New Version Current

changes.mady.by.user Hayn, Craig (NIH/NCI) [E]

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Before getting into specific A&A process and guidance, it is first helpful to review exactly what constitutes a "Federal Information System" so o you know when FISMA or other , perhaps, another federal security assessment frameworks (e.g. FedRAMP, CUI) may apply. The following definitions and clarifications are based on guidance provided by the Office of Management and Budget (OMB) as well as internal from subsequent interpretations by OMB on the matter that have been published since 2001 when FISMA became law.

OMB initially defined in 2001 a Federal Information System as: A discrete set of information resources organized for the collection, processing, maintenance, transmission, and dissemination of information, in accordance with defined procedures, whether automated or manual (defined in OMB circular A-130, (6)(q)). OMB later clarified that Federal Information Systems are those that are used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency (44. U.S.C. § 3544(a)(1)(A)).

Since these definitions can be somewhat vague or misinterpretedconfusing, many people often assume that a federal information system only includes those that are physically housed and/or operated within a federally-owned or federally-operated facility (i.e., government-owned/government-operated (GOCO)), and that any other information system that is housed elsewhere (i.e., at a contractor's location, at a hosting provider's location, or by a in the cloud service provider) are not federal information systems. This is not necessarily the case. In fact, a better determination of federal system vs. non-federal can be made by examining accountability for and control of a system's information, and whether the government directed the establishment of the system. For example, if the government has directed or mandated (e.g., through a contractual arrangement or other means of federal fundingsupport), the creation or operation of an information system, or if the government will have access to the system or will take possession of the data in the system, then FISMA most likely appliesit is probably a federal information system. Contracting with a non-federal organization to host or operate your system does not exclude the system from FISMA federal regulations. If you are uncertain about whether yours is a federal information system, please contact the NCI ISSO's office for clarification.

...