NIH | National Cancer Institute | NCI Wiki  

Annual Assessment (AA)

After an initial SA&A package is completed, an annual assessment is conducted to test the specific security controls identified by the agency for that year and to review the outstanding plan of action and milestones (POA&M) weaknesses that remain from prior assessments and from any ongoing testing conducted during the previous reporting year.

...

Systems enter the CM Phase (Step 6 of the NIST RMF) after achieving ATO. The purpose of this phase is to provide oversight and monitoring of the security controls in the information system on an ongoing basis and to inform the Authorizing Official (AO) when changes occur that may impact the security of the system. CM consists of three tasks, performed continuously throughout the life cycle of an information system: (i) configuration management and control; (ii) security control monitoring; and (iii) status reporting and documentation.

Control Baseline

The set of security and privacy controls that are applicable to information or an information system to meet legal, regulatory, or policy requirements, as well as address protection needs for the purpose of managing risk.  The control baseline is developed during Step 2 (Select) of the RMF.

E-Authentication Risk Assessment (eRA) / e-Authentication Threshold Analysis (eTA)

...

The FIPS-199 Security Categorization process addresses the first task required by the Risk Management Framework (RMF): categorizing information and information systems. The FIPS-199 publication from NIST establishes three security objectives for both information and information systems (Confidentiality, Integrity, and Availability) and defines the corresponding potential impact levels of Low, Moderate, and High. A security category (security objective + impact level) is then derived for each objective based on the potential impact on the Confidentiality, Integrity, or Availability of the information or system should an event occur that jeopardizes the information and information systems the organization needs to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals. Security categories are to be used in conjunction with vulnerability and threat information in assessing the risk to an organization. The security categorization is the collection of the security categories for all three security objectives and is recorded on the FIPS-199 form. NCI uses the high water mark approach, so the overall categorization of the system equals the highest individual security category.

High Water Mark

For an information system, the potential impact value assigned to each security objective (confidentiality, integrity, availability) shall be the highest value (i.e., the high water mark) from among the security categories determined for each type of information resident on the information system. The overall system impact level is then the highest of the three objective values. For example, systems rated M-L-L, L-M-L, or M-M-L would all be rated Moderate overall, since Moderate is the highest rated security objective in each case.
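The two-stage high water mark described above (first across the information types on a system for each objective, then across the three objectives for the overall level) is easy to get wrong by hand when a system hosts several information types. The following is an added worked example, not part of the original page or of any NCI tool; the information types and their impact levels are constructed for illustration only. It also handles the FIPS 199 rule that "not applicable" may be assigned only to the confidentiality of an individual information type, never to integrity or availability and never at the system level, where the floor is Low.

```python
"""FIPS 199 security categorization using the high water mark (added example)."""
from typing import Dict, Mapping, Sequence

# Impact levels ordered so that max() selects the high water mark.
IMPACT_RANK = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed sample: information types on one hypothetical system, each with its
# own provisional (C, I, A) impact levels. These are illustrative, not NCI data.
SAMPLE_INFORMATION_TYPES: Dict[str, Sequence[str]] = {
    "public research summaries": ("NA", "LOW", "LOW"),       # public data: C not applicable
    "study participant PII": ("MODERATE", "LOW", "LOW"),
    "lab instrument schedules": ("LOW", "MODERATE", "LOW"),
}


def _normalize(level: str) -> str:
    """Accept 'low', 'N/A', etc. and map onto the canonical level names."""
    key = level.strip().upper().replace("N/A", "NA")
    if key not in IMPACT_RANK:
        raise ValueError(f"unknown impact level: {level!r}")
    return key


def categorize_system(info_types: Mapping[str, Sequence[str]]) -> Dict[str, str]:
    """Stage 1: per-objective high water mark across all information types.

    FIPS 199 allows NA only for the confidentiality of an information type,
    and a system-level value can never be NA, so every objective floors at LOW.
    """
    if not info_types:
        raise ValueError("a system must host at least one information type")
    system_category: Dict[str, str] = {}
    for idx, objective in enumerate(OBJECTIVES):
        levels = [_normalize(triple[idx]) for triple in info_types.values()]
        if objective != "confidentiality" and "NA" in levels:
            raise ValueError(f"NA is not permitted for {objective}")
        # Appending LOW enforces the system-level floor before taking the maximum.
        system_category[objective] = max(levels + ["LOW"], key=IMPACT_RANK.__getitem__)
    return system_category


def overall_impact(system_category: Mapping[str, str]) -> str:
    """Stage 2: overall system impact level, the high water mark across C, I and A."""
    return max(system_category.values(), key=IMPACT_RANK.__getitem__)


def format_sc(system_category: Mapping[str, str]) -> str:
    """Render the result in the FIPS 199 'SC = {(objective, impact), ...}' notation."""
    parts = ", ".join(f"({obj}, {lvl})" for obj, lvl in system_category.items())
    return "SC = {" + parts + "}"


if __name__ == "__main__":
    sc = categorize_system(SAMPLE_INFORMATION_TYPES)
    print(format_sc(sc))          # SC = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)}
    print("Overall:", overall_impact(sc))  # Overall: MODERATE
```

Note that none of the three sample information types is itself M-M-L, yet the system lands at M-M-L because each objective is maximized independently across the types before the overall level is taken; that is the point at which a per-type reading of the FIPS-199 form tends to under-categorize a system.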

Low-Impact Software-as-a-Service (LI-SaaS) Approval

To use cybersecurity as an enabler in the NCI research enterprise, the NCI Chief Information Security Officer (CISO) and Chief Information Officer (CIO) will consider requests to authorize certain innovative cloud services if they are low risk (i.e., rated Low impact using the FIPS-199 process) and are classified as a software as a service (SaaS) cloud offering. The low impact SaaS (LI-SaaS) review and authorization is intended to streamline the authorization necessary for the federal government to use a SaaS product (1) when the cloud service provider does not have and is not willing to obtain a FedRAMP authorization, and (2) when the product is not listed on or eligible to be approved as a Third Party Website and Application (TPWA). TPWAs are a special category of no-cost (free) online services and products, and when approved by HHS they are placed on the list of HHS-approved TPWAs. See the LI-SaaS Review/Approval Process and Approved SaaS Cloud Products Knowledge Article for more information.

NIH Security Assessment Tool (NSAT)

...

A security impact analysis is conducted in the continuous monitoring phase, after a system receives an ATO, when the system is planning to undergo a significant change that may affect its security posture. The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (Appendix F, Section F.6, Page F-8) provides a general definition of a significant change and examples of what could be considered one. The SIA process analyzes a proposed significant change to the information system to determine its potential security and privacy impact before the change is implemented. An SIA must be completed and approved before a new significant change, upgrade, or release is deployed to the production environment.

Significant Change

A significant change as defined in the NIST Special Publication 800-37 Rev. 2 Risk Management Framework for Information Systems and Organizations, is a change that is likely to substantively affect the security or privacy posture of a system.  Depending on the type of significant change to a system it can trigger one of two processes: 1) the completion and approval of a SIA or 2) re-authorization of the system.

Examples of significant changes to a system that may trigger an SIA include, but are not limited to:

  • Installation of a new or upgraded operating system, middleware component, or application;
  • Modifications to system ports, protocols, or services;
  • Installation of a new or upgraded hardware platform;
  • Modifications to how information, including PII, is processed;
  • Modifications to cryptographic modules or services;
  • Changes in information types processed, stored, or transmitted by the system; or
  • Modifications to security and privacy controls.

Significant changes to the environment of operation that may trigger a re-authorization action may include, but are not limited to:

  • Moving to a new facility or operating environment;
  • Adding new core missions or business functions;
  • Acquiring specific and credible threat information that the organization is being targeted by a threat source; or
  • Establishing new/modified laws, directives, policies, or regulations.

Special Purpose Equipment (SPE)

Equipment which is used only for research, medical, scientific, or other technical activities. Examples of special purpose equipment include microscopes, x-ray machines, surgical instruments, and spectrometers. 

System Security Plan (SSP)

...