Conducting the SA&A

In accordance with the Federal Information Security Modernization Act (FISMA) of 2014, all new and existing Federal information systems (IS) are required to have a written authorization to operate (ATO) from a designated [federal] authorizing official (AO). To receive an ATO, which is typically valid for a maximum of three years at a time, a system undergoes a security assessment and authorization (SA&A) using the Risk Management Framework (RMF) described in National Institute of Standards and Technology (NIST) Special Publication 800-37. The SA&A is designed to evaluate the status and effectiveness of the required security controls for each federal IS. By the time a system owner is ready to begin the SA&A, the appropriate and required security controls should already have been selected and implemented, and should be ready to be tested by the designated security control assessor.

Once the assessment has been completed, the results and findings are documented in the Security Assessment Report (SAR), the system security plan (SSP) is updated as needed, and the remaining weaknesses and their remediation plans are captured in the Plan of Action and Milestones (POA&M). The completed authorization package is then reviewed by the AO for that system, who makes a formal, risk-based decision on whether to authorize the system, issued in the form of an authorization letter.

Guidance for externally operated NCI systems is divided into two categories: traditional contractor or third-party hosting, and cloud hosting. You can find more information on how to conduct the SA&A for these solutions below.

Please review the guidance appropriate to your operational situation and, if you have any questions about the SA&A process, contact the NCI ISSO at nciirm [at] mail.nih.gov.