Artifact NameFAST ATO (Low)LowModerate
FIPS-199 Security Categorization
e-Authentication Risk Assessment

Privacy Impact Assessment (PIA)



Business Impact Analysis


System Security Plan (SSP)
Configuration Management Plan (CMP)

Contingency Plan

(includes disaster recovery/incident response plans)

Contingency Plan Exercise Report

  • the Tabletop option is available to any systems with a "Low" rating for availability

Tabletop

Tabletop

Simulated
or
Functional

Memorandum of Understanding (MoU) and/or Interconnection Security Agreement (ISA)As neededAs neededAs needed
Security Assessment Plan (SAP)
Security Assessment Report (SAR)
Plan of Action and Milestones (POA&M)
Self Attestation

Signed ATO Letter

These requirements apply to all NCI federal systems regardless of hosting location:

Externally (Contractor/Third Party) Hosted
CBIIT Managed
Customer Managed
Co-Location
Cloud