NIH | National Cancer Institute | NCI Wiki  

...

The FIPS-199 Security Categorization process addresses the first task required by the Risk Management Framework (RMF): developing standards for categorizing information and information systems. The FIPS-199 publication from NIST establishes three security objectives for both information and information systems, Confidentiality, Integrity, and Availability, and defines the corresponding potential impact levels of Low, Moderate, and High. A security category (security objective + impact level) is derived from the potential impact on the Confidentiality, Integrity, or Availability of an organization's information and information systems should an event occur that jeopardizes the information and systems the organization needs to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals. Security categories are used in conjunction with vulnerability and threat information when assessing the risk to an organization. The security categorization is the collection of the security categories for all three security objectives and is recorded on the FIPS-199 form. NCI uses the high watermark approach, so the overall categorization of a system equals the highest of its individual security categories.
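The derivation described above can be written down as a small procedure: each information type a system handles gets an impact level per security objective, the system's level for each objective is the highest assigned to that objective across its information types, and NCI's high watermark then takes the highest objective level as the overall categorization. The following is an added example illustrating that procedure; it is not code from the NCI Wiki or any NCI tool, and the information types and impact levels in it are constructed sample data. It also carries one FIPS-199 rule the paragraph does not spell out: an information type may have a confidentiality impact of "not applicable" (e.g. public information), but a system-level objective can never be N/A, so the floor at the system level is Low.

```python
"""FIPS-199 security category derivation with NCI's high-watermark rule.

Added example, not part of the NCI Wiki page. The information types and
impact levels below are constructed sample data, not a real NCI system.
"""
from dataclasses import dataclass

# Impact levels ranked for the "highest wins" comparison. "N/A" is permitted by
# FIPS-199 only for the confidentiality of individual information types
# (e.g. public information); it is never valid at the system level.
IMPACT_ORDER = {"N/A": 0, "Low": 1, "Moderate": 2, "High": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class SecurityCategory:
    """One FIPS-199 security category: an impact level per security objective."""
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        for objective in OBJECTIVES:
            level = getattr(self, objective)
            if level not in IMPACT_ORDER:
                raise ValueError(f"{objective}: unknown impact level {level!r}")
        if self.integrity == "N/A" or self.availability == "N/A":
            raise ValueError("N/A is only allowed for confidentiality")

    def level(self, objective):
        return getattr(self, objective)

    def fips199_notation(self, name):
        """Render in the SC notation used on the FIPS-199 form."""
        pairs = ", ".join(f"({o}, {self.level(o)})" for o in OBJECTIVES)
        return f"SC {name} = {{{pairs}}}"


def highest(levels):
    """Return the highest impact level among `levels` (the high-watermark rule)."""
    return max(levels, key=IMPACT_ORDER.__getitem__)


def system_category(information_types):
    """Derive the system's security category from the information types it handles.

    For each objective, take the highest impact assigned to that objective across
    all information types. A system-level objective can never be N/A, so an
    objective that is N/A for every information type is floored to Low.
    """
    if not information_types:
        raise ValueError("a system must process at least one information type")
    levels = {}
    for objective in OBJECTIVES:
        top = highest(sc.level(objective) for sc in information_types.values())
        levels[objective] = "Low" if top == "N/A" else top
    return SecurityCategory(**levels)


def overall_categorization(system_sc):
    """NCI's high watermark: the overall rating is the highest objective level."""
    return highest(system_sc.level(o) for o in OBJECTIVES)


# Constructed sample: three hypothetical information types for an imaginary system.
SAMPLE_INFORMATION_TYPES = {
    "public web content": SecurityCategory("N/A", "Moderate", "Low"),
    "study scheduling": SecurityCategory("Low", "Low", "Moderate"),
    "lab results": SecurityCategory("Moderate", "High", "Low"),
}

if __name__ == "__main__":
    for name, sc in SAMPLE_INFORMATION_TYPES.items():
        print(sc.fips199_notation(name))
    system_sc = system_category(SAMPLE_INFORMATION_TYPES)
    print(system_sc.fips199_notation("system"))
    print("Overall categorization (high watermark):", overall_categorization(system_sc))
```

With the constructed sample the system comes out as Confidentiality Moderate, Integrity High, Availability Moderate, and the high watermark makes the overall categorization High even though only one information type drives that level; this is the point of the approach, since the whole system inherits the controls required by its most sensitive information.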

Low-Impact Software-as-a-Service (LI-SaaS) Approval

The NCI Security Office will consider requests to authorize certain low-risk cloud software services (i.e., services rated Low impact using the FIPS-199 process). Only products deemed cloud Software as a Service (SaaS) are eligible for the LI-SaaS review and authorization. LI-SaaS reviews are intended to streamline the authorization needed for NCI to use SaaS products that carry low risk and that the government needs to perform a legitimate business function when no FedRAMP authorization exists. Often the cloud service provider does not have a FedRAMP cloud authorization and is either unwilling or lacks the resources to obtain one. The product should not be categorized as a Third Party Website and Application (TPWA) as defined by OMB memo M-10-23. TPWAs are a special category of online services and tools that are not subject to FedRAMP or to agency LI-SaaS reviews. The list of HHS-approved TPWAs can be found here: https://www.hhs.gov/web/policies-and-standards/terms-of-service-agreements/index.html. An LI-SaaS review is not appropriate if you need to collect, store, or process sensitive data using the tool, or if the cloud service is considered mission critical to your organization or business processes.

NIH Security Assessment Tool (NSAT)

...