NIH | National Cancer Institute | NCI Wiki  


...

As part of the system's design process, you will need to ensure that system-specific and hybrid portions of controls are properly designed and implemented. By incorporating security control requirements into your overall system design and development process, and continuously throughout the system's life cycle, you should realize cost savings compared with adding security to an existing system or retrofitting the application to meet security requirements. You may even find that security ends up driving or altering some of your functional and design requirements, which is why it is best to integrate security early in the system's life cycle rather than later. However, if developing or implementing a new security control is not possible, causes undue hardship, or is not cost-effective, you may be able to apply to the NIH chief information security officer (CISO) for a security waiver. All waiver requests must be vetted first with your Contracting Officer Representative (COR), and then with the NCI ISSO (nciirm@mail.nih.gov). All final waivers must be approved by the NIH CISO.

...

  • CBIIT-fully-managed applications will be assessed by the internal CBIIT security audit team.
  • Non-CBIIT-managed applications will be assessed by external security assessors. These assessors are usually hired and paid for by the system owner (business owner). All packages for externally hosted systems should be provided to the NCI ISSO's office so it can perform a quality assurance review and provide feedback to the authorizing official for the authorization decision.
NOTE: All final SA&A packages must contain the minimum set of artifacts required by NIH.

...


The preliminary package, which includes the System Security Plan, Security Assessment Report, and Plan of Action and Milestones, must be provided to the authorizing official (AO) or her designated reviewing official to assess the quality and completeness of the package and to review the findings. This gives the system owner and the system operator a chance to correct invalid findings, and to close any findings that can be quickly and easily addressed before the authorization request is made. Once this review is complete and the business owner is satisfied that the package is ready, it is sent to the authorizing official for the authorization decision.

...