 |
Page History
| Contractor Hosted ATOaaS (Third PartyLow)* | Cloud Hosted* | CBIIT Fully Managed | Low | Moderate | NCI Customer Managed and Co-LocationHigh | |||
| FIPS-199 Security Categorization | √ | √ | √ | √ | ||||
| e-Authentication Risk Assessment | √ | √ | √ | √ | ||||
Privacy Impact Analysis | √Assessment (PIA) | √ | √ | √ | ||||
| System Security Plan (SSP) | √ | √ | √ | √ | ||||
| IS Contingency Plan (includes disaster recovery/incident response plans) | √ | √ | √ | √ | ||||
| Business Impact Analysis | √ (may embed with ISCP) | √ (may embed with ISCP) | √ (may embed with ISCP) | √ (may embed with ISCP) | ||||
IS Contingency Plan Exercise Report
| √ | √ | √ |
| √ Tabletop | √ Tabletop | √ Simulated | √ Simulated |
| Memorandum of Understanding (MoU) and/or Interconnection Security Agreement (ISA) | As needed | As needed | As needed | As needed | ||||
| Security (Control) Assessment Plan (SAP/SCAP) | √ | √ | √ | √ | ||||
| Security Assessment Report (SAR) | √ | √ | √ | √ | ||||
| Configuration Management Plan (CMP) | √ | √ | √ | √ | ||||
| Plan of Action and Milestones (POA&M) | √ | √ | √ | √ | ||||
| Signed ATO or Endorsement Letter | √ | √ | √ | √ | ||||
These requirements apply to all NCI federal systems regardless of hosting location: Contractor/Third Party Hosted | ||||||||
