SA&A Package Checklist by System Type

The Security Authorization Package (the SA&A package) documents the results of the formal security control assessment and gives the designated Authorizing Official (AO) the information needed to make a risk-based decision on whether to authorize the system. The table below lists the artifacts required in the package for each hosting type:

Artifact                                                                          | Contractor Hosted, CBIIT Customer-Managed, and CBIIT Co-Lo Hosting* | Cloud Hosted Systems*
----------------------------------------------------------------------------------|---------------------------------------------------------------------|----------------------
FIPS 199 Security Categorization                                                  | X                                                                   | X
e-Authentication Risk Assessment                                                  | X                                                                   | X
Privacy Impact Assessment (PIA)                                                   | X                                                                   | X
System Security Plan (SSP)                                                        | X                                                                   | X
Information System Contingency Plan (ISCP)                                        | X                                                                   | X
Business Impact Analysis (BIA; may be included in the ISCP)                       | X                                                                   | X
ISCP Exercise Report (renewed annually)                                           | X                                                                   | X
Memorandum of Understanding (MOU) and/or Interconnection Security Agreement (ISA) | As applicable                                                       | As applicable
Security (Control) Assessment Plan (SAP/SCAP)                                     | X                                                                   | X
Security Assessment Report (SAR)                                                  | X                                                                   | X
Configuration Management Plan (CMP)                                               | X                                                                   | X
Plan of Action and Milestones (POA&M)                                             | X                                                                   | X
Signed ATO Letter (see note below)                                                | X                                                                   | X

Note: The ATO letter must be signed by a federal official with the authority to accept the risks associated with the system being authorized; a contractor or cloud provider signature does not satisfy this requirement.

* For externally hosted systems (i.e., third-party and cloud), the complete security package, including the signed ATO letter, should be copied electronically to the NCI ISSO as evidence that the SA&A was completed in accordance with the NIST SP 800-37 Risk Management Framework.