NIH | National Cancer Institute | NCI Wiki  

...

Systems enter the CM Phase (Step 6 of the NIST RMF) after achieving ATO. The purpose of this phase is to provide oversight and monitoring of the security controls in the information system on an ongoing basis and to inform the Authorizing Official (AO) when changes occur that may impact the security of the system. CM consists of three tasks: (i) configuration management and control; (ii) security control monitoring; and (iii) status reporting and documentation, which are performed continuously throughout the life cycle of an information system.

Control Baseline

The set of security and privacy controls that are applicable to information or an information system to meet legal, regulatory, or policy requirements, as well as address protection needs for the purpose of managing risk.  The control baseline is developed during Step 2 (Select) of the RMF.

E-Authentication Risk Assessment (eRA) / e-Authentication Threshold Analysis (eTA)

The e-Authentication initiative describes a trusted, secure, standards-based, interoperable authentication architecture. This initiative has been developed to provide a uniform process for establishing electronic identity to support the President's Management Agenda (PMA) of 2002 and the E-Government Act of 2002. The e-Authentication initiative eliminates the need for each agency to develop a redundant solution to verify an individual's identity and to support electronic signatures. The e-Authentication Risk Assessment provides a systematic process by which system/information owners assess relative security impacts across multiple threat areas to determine the appropriate authentication and identity proofing requirements for their system. The e-Authentication process generates an e-authentication assurance level (EAL) rating (i.e., 1-4), which can then be mapped against guidance in NIST 800-163 to determine the appropriate authentication technology and identity proofing requirements.

...

Low-Impact Software-as-a-Service (LI-SaaS) Approval

To use cybersecurity as an enabler in the NCI research enterprise, the NCI Chief Information Security Officer (CISO) and Chief Information Officer (CIO) will consider requests to authorize certain innovative cloud services if they are low risk (i.e., they are rated Low impact using the FIPS-199 process). Only products classified as cloud Software as a Service (SaaS) are eligible for this offering. The low-impact SaaS (LI-SaaS) review and authorization is intended to streamline the authorization necessary for the federal government to use SaaS products that carry low risk and are needed by the government to perform a legitimate business function in the absence of a FedRAMP authorization. An LI-SaaS review applies (1) when the cloud service provider does not have a FedRAMP authorization and is not willing or does not have the resources to obtain one, and (2) when the product is not listed on or eligible to be approved as a Third Party Website and Application (TPWA) as defined by OMB memo M-10-23. TPWAs are a special category of no-cost (free) online services and tools that are not subject to FedRAMP or to agency LI-SaaS reviews. Products approved by HHS are placed on the list of HHS-approved TPWAs, which can be found here: https://www.hhs.gov/web/policies-and-standards/terms-of-service-agreements/index.html. LI-SaaS reviews are not appropriate if you need to collect, store, or process sensitive data using the tool, or if the cloud service is considered mission critical to your organization or business processes. See the LI-SaaS Review/Approval Process and Approved SaaS Cloud Products Knowledge Article for more information.

NIH Security Assessment Tool (NSAT)

...

Examples of significant changes to a system that may trigger an SIA include, but are not limited to:

...

Significant changes to the environment of operation that may trigger a re-authorization action may include, but are not limited to:

  • Moving to a new facility or operating environment;
  • Adding new core missions or business functions;
  • Acquiring specific and credible threat information that the organization is being targeted by a threat source; or
  • Establishing new/modified laws, directives, policies, or regulations.

Special Purpose Equipment (SPE)

Equipment which is used only for research, medical, scientific, or other technical activities. Examples of special purpose equipment include microscopes, x-ray machines, surgical instruments, and spectrometers. 

System Security Plan (SSP)

...