NIH | National Cancer Institute | NCI Wiki  

Versions Compared

Old Version 7

changes.mady.by.user Hayn, Craig (NIH/NCI) [E]

Saved on

compared with

New Version Current

changes.mady.by.user Hayn, Craig (NIH/NCI) [E]

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

All federal systems, regardless of where they are hosted or operated, must adhere to the NIST Risk Management Framework (RMF) and business owners must ensure their system is authorized to operate in accordance with OMB A-130 and FISMA law. The hosting solutions discussed on this page are NCI- and NIH-fully managed application solutions. These two options provide the least impactful and simplest authorization options available to NCI customers.  For more information on NCI's various hosting options, please visit the CBIIT Solutions Hosting Page

This page provides guidance for achieving FISMA compliance and receiving Authorization to Operation (ATO) for the CBIIT fully-managed hosting environment.

The RMF comprises 6 key steps as described below. You will see that Security Assessment and Authorization (SA&A) makes up just two of the six steps (steps 4 and 5), but they are the two most commonly linked with the FISMA. It's critical not to forget about the other four steps though since they greatly impact the success of the assessment and authorization phases.  As you will see, steps 4 and 5 can only happen with proper planning and preparation. Since  Since your system will be fully managed by NCI or by the NIH CBIIT's application hosting service team, the SA&A activity is activities you need to follow are relatively easy and requires require the least amount of support and resources from you out of all of the hosting alternativeswhen compared to non CBIIT-managed options

By choosing a fully managed hosting option, your application will inherit the majority of security controls that you might otherwise be responsible for implementing, assessing, and maintaining over the system's lifetime. As the application owner (aka, the business sponsor), you will be asked to support the Categorize step by complete completing the NCI Starter Kit, and you will be required to develop a minimal set of standard operating procedures for your application. You will also be asked to document the limited set of security controls that you partially or fully manage in a system security plan, but the NCI pre-assessment team (PAT) will assist you with your documentation development activities to reduce the your burden and provide one-on-one support during the pre-assessment phasesphase. NCI CBIIT Security will also provide the independent assessor who will conduct formal system testing needed to support the authorization decision. As the application owner you will need to demonstrate applicable system-specific or portions of hybrid controls that you are responsible for, are in place and operating effectively. You will do this by participating in interviews, and by providing requested evidence and artifacts (i.e., completed SOPs, screen captures, log files, relevant communications such as email threads, etc.) to the security assessors.   

The following information will help you further understand and prepare (pre-assessment) for the formal security assessment step and to manage the FISMA assessment, following system authorization.  Note that this process does not reflect the process for cloud hosted applications. Please visit the Cloud Hosted Systems SA&A page for more information on conducting an SA&A for a cloud based applications.

Step 1. Categorize the Application

Use the NCI Security Starter Kit for templates and guidance on completing the

  • Federal Information Processing Standard (FIPS)-199 form

...

  • ;
  • the e-Authentication Threshold and Risk Analysis (eTA/eRA)

...

  • form;
  • the Privacy Impact Assessment (PIA);
  • and the Business Impact Analysis (BIA)

. All four of these forms are required to ensure that you properly categorize your application based on its security-impact rating, authentication needs, privacy concerns, and system availability needsmission criticality. This step is consistent with other types of federal information systems whether hosted internally, externally, or in the cloud.

Step 2. Select Security Controls

Once you have completed categorization step Step 1 (Categorization) you can determine which security controls are required for your application. You should refer to two resources to aid in this step.  First,

  1. NIST 800-53, Security and Privacy Controls for Federal Information Systems and Organizations document, which provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations.

...

  2. NCI maintains a Security Control Inheritance Matrix to help you identify the controls needed for your system

...

  1. . The matrix factors in pre-defined

...

  1. common controls (i.e., controls and services provided by NCI CBIIT for all similar systems they host) so you can more easily identify controls that you are responsible for implementing and managing, and those that are partially or fully implemented and managed for you by CBIIT, NCI, or by NIH.

Step 3. Implement Security Controls

As part of the implementation step, you may need to update your application’s design requirements to account for new or modified security requirements identified in Step 2. You may also need to implement or develop specific tools, feature, settings, etc. to satisfy required controls.  If these required controls.  For example, you may need to configure your application to comply with NIH security policies like password settings.  Under the risk-based approach the NIST follows, if the cost of developing or implementing a new security control is impractical or if it is not cost effective when compared to the potential risk of not implementing the control, you can apply for a security waiver to the NIH chief information security officer (CISO). You should discuss any waiver requests with the NCI ISSO first before submitting the request to determine whether it is likely to be approved, and to help appropriately document the waiver. Waivers are never approved when the system can comply but simply chooses not to. There must be extenuating factors the limit or prevent compliance, and there need to be adequate compensating controls in place to reduce risk.

It is in the step that you will also document how you have or plan to implement all of the required and applicable controls. You will document these in the System Security Plan (SSP). Work with the Pre-Assessment Team to ensure you understand how to complete the SSP properly and to ensure you only address the system-specific controls that you will not inherit.

Step 4. Conduct the Security Assessment

The Since your system is fully managed by CBIIT, the NCI ISSO will conduct the independent verification of your system's security controls. the NCI ISSO and the Assessment Team will work with you to schedule your SA&A kickoff meeting and assessment, as well as keep you informed of any meetings required to plan for the assessment.

During this phase of the Risk Management Framework, (RMF) a security assessor will evaluate the effectiveness of your application's security controls through interviews, observation, testing, and data gathering. This process must be completed before your application goes into production (i.e., is live with real data being collected, processed, or stored). One of the advantages of having CBIIT host fully manage your application is that CBIIT will help defray the cost of SA&A activity.  If your application uses another NIH institute or center (IC) or uses an outsourced hosting option, you will need to make your own arrangements to hire a qualified Federal Information Security Modernization Act (FISMA) security assessor. Whoever conducts the assessment must be experienced in using the National Institute of Standards and Technology (NIST) RMF as outlined in NIST 800-37.then you will be responsible for most or all of the security assessment and authorization process and costs. 

During the SA&A kickoff meeting, your assigned pre-assessment representative will help you identify artifacts that might be required as evidence of successful security-control implementation and operation so that you can prepare or update them in advance of the assessment step.

Your final SA&A package must contain the minimum set of artifacts required by NIH. Please visit the NCI SA&A Package Checklist for more information.

Step 5. Authorize the Application

A The designated authorizing official (AO) will review the assessment package to determine whether any identified residual risks are acceptable to the organization before issuing a written authorization to operate (ATO) that is . Approved ATOs are valid for a maximum of three years. For CBIIT fully managed applications, the The NCI CIO will serve serves as the authorizing official (AO) for all CBIIT fully managed applications.

Step 6. Conduct Continuous Monitoring and Reauthorization

Continuous monitoring (CM) is the sixth and final step in the RMF, and includes both automated and manual security monitoring and remediation activities. Continuous Monitoring really is more of a an iterative cycle than a single finite step since it never ends and, if done correctly, can replace the need for a full re-assessment every three years when your ATO expires.  The routine security-control monitoring and remediation that occur after an application has been authorized to operate often includes a combination of automated diagnostic services such as vulnerability scanning, patch management, intrusion detection and prevention, and system and application event log collection and analysis.  Additionally, every year system owners must conduct an annual assessment (AA) that follows NIH guidance to review approximately 1/3 of the total controls that may apply to a system. System owners are also required to actively manage their plan of action and milestones (POA&M) to remediate weaknesses in a timely manner, and to seek re-authorization every three years.

...

If you make a significant change to your application, you are advised to document the change changes and possible impacts to the security posture of the application in a security impact analysis (SIA). Any controls that may be impacted may need to be re-tested to ensure the security posture , boundary, and authorization are not impactedis not reduced.

POA&M Management

The Plan of Action and Milestones (POA&M) is a key management tool that lists, prioritizes, and tracks an application's identified weaknesses and remediation progress.  Any new  New findings that are generated from ongoing security assessment assessments and risk impact reviews should be added to the POA&M as they are living documentsit is a living document.

Ongoing Authorization or Reauthorization

The NIH is currently developing its ongoing authorization (OA) model for externally hosted applications. Because of the numerous technical challenges associated with automating security analyses and remediation activities outside of the NIH network boundaryto fully replace manual checks and testing, this process will most likely include a hybrid of automated and manual activities.  Please check back in the future for updated information on ongoing authorization. 

Re-authorization decisions are made based on performing the required annual assessments, remediating POA&M-identified weaknesses in a timely manner as outlined in the POA&M Milestones, ensuring vulnerabilities in the application are remediated according to the NIH remediation standard, and demonstrating the you have reviewed and updated necessary documentation in accordance with the NIH review time frames.