
SA&A Package Checklist by System Type

The Security Authorization Package documents the results of the formal security control assessment and provides the designated Authorizing Official (AO) with the necessary information to make a risk-based decision on whether to authorize the system. In addition to supporting artifacts listed below, the core package should always include at least the following:

  • System Security Plan (SSP)
  • Security Assessment Report (SAR)
  • Plan of Action and Milestones

 

| Artifact | Contractor Hosted Systems* | Cloud Hosted Systems* |
|---|---|---|
| System Security Plan | X | X |
| IS Contingency Plan | X | X |
| IS Contingency Plan Test Report | X | X |
| e-Authentication Risk Assessment | X | X |
| Privacy Threshold Analysis/Privacy Impact Analysis | X | X |
| FIPS-199 Security Categorization | X | X |
| Memorandum of Understanding (MoU) and/or Interconnection Security Agreement (ISA) | As applicable | As applicable |
| Security Control Assessment Plan | X | X |
| Security Assessment Report | X | X |
| Configuration Management Plan | X | X |
| Plan of Action and Milestones | X | X |
| Signed ATO Letter | X | X |

* All security packages including the ATO letter for externally hosted systems (i.e., 3rd party and Cloud) should be electronically copied to the NCI ISSO as evidence that the SA&A was completed in accordance with NIST 800-37 Risk Management Framework.