Using the NCI System Security Starter Kit

All new information systems require that three forms be completed to establish an information system's security-impact rating, authentication requirements, and privacy implications:

  • FIPS-199 System Security Impact Categorization
  • e-Authentication Threshold and the e-Authentication Risk Analysis (eTA and eRA)
  • Privacy Impact Assessment (PIA)

We refer to these forms collectively as the "system security starter kit" because they should be completed before any other security work begins. The information needed for these forms also helps define a system's security and privacy requirements. The starter kit is required prior to a system going live.

The information below will help you complete the starter kit.

FIPS-199

  • Purpose: Establishes a system's security-impact rating based on confidentiality, integrity, and availability requirements.
  • Responsibilities: You must work with the Information System Security Officer (ISSO) to complete this form to ensure the correct information categories and ratings are applied to your system. Send any questions to NCIIRM [at] mail.nih.gov.

e-Authentication (eTA and eRA)

  • Purpose: The eTA determines whether a system requires an eRA and establishes the appropriate authentication requirements for remote users.
  • Responsibilities: The system owner or project manager completes the eTA and, if needed, the eRA. Completed forms must be signed by the system owner and the designated authorizing official (AO). For more information on determining who your AO is, please go to the Points of Contact (POC) page.

PIA

  • Purpose: Helps determine whether any information covered by the Privacy Act is collected, processed, or stored in your system.
  • Responsibilities: The NIH privacy review process and all PIAs are governed by the NIH Office of the Senior Official for Privacy (OSOP). Contact the NCI Privacy Coordinator to start the PIA, and the NCI ISSO for assistance with security-related questions in the PIA.

Send any questions to NCIIRM [at] mail.nih.gov.