We hope that the information provided on the following pages is useful to a variety of users including NCI information system owners, project officers and mangers, contracting officers, software developers, security officers, and security practitioners. The extent of CBIIT’s support for exclusively contractor- and cloud-hosted systems is advisory only.Ī&A is the methodology by which an organization establishes and then demonstrates sound, risk-based security posture for a specific system. NCI CBIIT does not develop required FISMA/FedRAMP security documentation (except for assisting with the FIPS-199, e-Authentication, and Privacy Impact Assessment), or conduct any of the security testing for applications that are operated exclusively at contractor locations or hosted in the cloud. Most importantly, this means that you are responsible for securing the resources to conduct required security testing, which for moderate impact systems means using an independent third party assessor qualified to conduct FISMA/FedRAMP audits. This includes all planning, testing, and continuous monitoring activities associated with the system’s life cycle. Government project officers are responsible for ensuring their contractor-hosted or cloud-hosted applications are authorized to operate (ATO) in accordance with FISMA.
The information provided here is intended to supplement guidance provided by the National Institute of Standards and Technology (NIST) and NIH to provide best practices for managing the A&A process (A&A was formerly called security assessment and authorization (SA&A) and certification & accreditation(C&A) before that). Welcome to the NCI Information System Assessment and Authorization (A&A) information and guidance page.
0 kommentar(er)
