NIH | National Cancer Institute | NCI Wiki  


...

The current regulations are pursuant to the Federal Information Security Management Act (FISMA), 44 U.S.C. 3541 et seq. FISMA applies to NIH grantees only when they collect, store, process, transmit, or use information on behalf of HHS or any of its component organizations. In all other cases, FISMA is not applicable to recipients of grants, including cooperative agreements. The grantee retains the original data and intellectual property and is responsible for the security of that data, subject to all applicable laws protecting security, privacy, and research. If and when information collected by a grantee is provided to HHS, responsibility for protecting the HHS copy of the information transfers to HHS, and it becomes the agency's responsibility to protect that information and any derivative copies as required by FISMA. For the full Grants policy, please visit the NIH Grants policy page.

Do I need to complete any NCI-required security forms?

...

Yes, if the system meets the criteria that define a federal information system, then it does need an SA&A and an ATO. If you are responsible for a system that is hosted outside an NIH-owned or NIH-operated facility, you should consult with the NCI Information Systems Security Officer (ISSO) for specific guidance to make sure you are properly complying with FISMA regulations. You should also coordinate with your respective Contracting Officer Representative (COR) for contract-related questions, and with your grants administrator if operating under a grant. Keep in mind that systems or applications that live within an existing authorization boundary of a Major Application or General Support System (GSS) may inherit an authorization. See the FAQ below regarding authorizations within authorized Major Application or GSS systems.

...

You should coordinate SA&A activities with your Contracting Officer Representative (COR) and NCI project/program manager. If you still have questions after speaking with your COR or PM, you can email the NCI ISSO at nciirm@mail.nih.gov.

Who pays for the SA&A?

The responsible government project sponsor must ensure that adequate funding is allocated to support all security-related compliance activities, including FISMA and the SA&A. Responsible individuals should plan accordingly in their operating budgets as well as in all IT-related acquisition plans.

...

If you have questions about risk acceptance memos or security waivers, contact the NCI ISSO at nciirm@mail.nih.gov.

Who is my Authorizing Official/Designated Approving Authority (AO/DAA)?

...