Conducting the SA&A
In accordance with the Federal Information Security Modernization Act (FISMA) of 2014, all new and existing Federal information systems (IS) are required to have a written authorization to operate (ATO) from a designated [federal] authorizing official (AO). In order to receive an ATO, which is typically valid for a maximum of three years at a time, a system undergoes a security assessment and authorization (SA&A) using the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF), as described in NIST Special Publication 800-37. The SA&A is designed to evaluate the implementation status and effectiveness of the security controls required for each federal IS. By the time a system owner is ready to begin the SA&A, the appropriate and required security controls should already have been selected and implemented, and should be ready to be tested by the designated security control assessor.
Once the assessment has been completed, the results and findings are documented in the Security Assessment Report (SAR), the system security plan (SSP) is updated as needed, and any open findings are captured, with planned remediation and target dates, in the Plan of Action and Milestones (POA&M). The completed authorization package is then reviewed by the AO designated for that system, who makes a formal, risk-based decision on whether to authorize the system, issued in the form of an authorization letter.
Guidance for externally operated NCI systems is divided into two categories: traditional contractor or third-party hosting, and cloud hosting. More information on how to conduct the SA&A for each type of solution is linked below.
- Contractor and third-party hosted systems (e.g., systems hosted by a professional data hosting provider, or by a university or other private organization)
- Cloud Service Provider (CSP) hosted systems (cloud service definitions and deployment models are defined in NIST SP 800-145)
Please review the appropriate guidance for your particular operational situation and, if you have any questions about the SA&A process, contact the NCI ISSO at nciirm [at] mail.nih.gov.