| Contractor Hosted (Third Party) | Cloud Hosted | CBIIT Fully Managed | NCI Customer Managed and Co-Location |
FIPS-199 Security Categorization | √ | √ | √ | √ |
e-Authentication Risk Assessment | √ | √ | √ | √ |
Privacy Impact Analysis | √ | √ | √ | √ |
System Security Plan | √ | √ | √ | √ |
IS Contingency Plan | √ | √ | √ | √ |
Business Impact Analysis | √ (may embed with ISCP) | √ (may embed with ISCP) | √ (may embed with ISCP) | √ (may embed with ISCP) |
IS Contingency Plan Exercise Report | √ | √ | √ | √ |
Memorandum of Understanding (MoU) and/or Interconnection Security Agreement (ISA) | As needed | As needed | As needed | As needed |
Security (Control) Assessment Plan (SAP/SCAP) | √ | √ | √ | √ |
Security Assessment Report (SAR) | √ | √ | √ | √ |
Configuration Management Plan (CMP) | √ | √ | √ | √ |
Plan of Action and Milestones (POA&M) | √ | √ | √ | √ |
Signed ATO Letter | √ | √ | √ | √ |
* All security packages including the ATO letter for externally hosted systems (i.e., 3rd party and Cloud) should be electronically copied to the NCI ISSO as evidence that the SA&A was completed in accordance with NIST 800-37 Risk Management Framework.