The Federal Information Security Modernization Act (FISMA) of 2014 requires federal agencies to develop, document, and implement an agency-wide program that provides information security for the information and systems supporting the operations and assets of the agency, including those provided or managed by another agency, a contractor, or other sources.
In support of this requirement, all systems and applications supporting federal government agencies must follow the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF), Special Publication (SP) 800-37, as the standard for the Assessment and Authorization (A&A) process before being put into production, and every five years thereafter.
The A&A process is a comprehensive assessment and evaluation of an information system's policies, technical and non-technical security components, documentation, supplemental safeguards, and vulnerabilities. It establishes the extent to which a particular design and implementation meet a set of specified security requirements defined by the organization, government guidelines, and federal mandates, and records the result in a formal authorization package. The Authorizing Official (AO) reviews this package and issues a formal accreditation decision: an Authorization to Operate (ATO), an ATO with conditions, or a denial of authorization to operate. Under an ATO, the information system operates in a particular security mode using a prescribed set of safeguards, at a level of risk the agency has accepted. Each authorized information system is then placed into the Information Security Continuous Monitoring (ISCM) program (NIST SP 800-137), which maintains ongoing awareness of the system's security posture, vulnerabilities, and threats.
The DOI Office of the Chief Information Officer (OCIO) provides A&A accreditation services through a proven methodology that ensures customer readiness and efficient delivery while minimizing the impact on your technology support teams.
OCIO's Information Systems Security Line of Business Center of Excellence (ISSLOB COE) develops, updates, and reviews all required security documentation, provides A&A consultation services to information system personnel, and performs an independent assessment of the information system to verify that all required security controls are in place, implemented correctly, and operating as intended.
Our A&A Services
In the Initiation Phase, an OCIO policy analyst analyzes the security documentation supporting the information system. The purpose of this phase is to ensure that the Authorizing Official (AO) and the client's Chief Information Security Officer (CISO) agree on the contents of the System Security Plan (SSP). In the Initiation Phase we review or update the following documentation:
The assessment is a comprehensive analysis of the management, operational, and technical security controls of an information system, performed in support of A&A. Its purpose is to determine whether the controls are implemented correctly, operating as intended, and producing the desired outcome described in the System Security Plan. Activities include:
- Security Test and Evaluation Plan
- Security Assessment Report
- Plan of Action and Milestones
The ATO is the official management decision by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations, agency assets, or individuals, based on the implementation of an agreed-upon set of security controls. Activities include:
- A&A Package Review
- AO Briefing
- Authorization Package Submission
- Authorization Decision
Customized A&A Services
OCIO offers customized A&A services to include:
- System Development Lifecycle A&A Services Integration
- Pre-Deployment Certification and Accreditation
- System Reauthorization
- In-flight Annual Reviews
- CP/DR Test, Compliance Verification (Optional)
In addition to the basic A&A package, OCIO can provide assistance creating or updating the following:
- A&A Documentation Preparation
- Security Policies
- Security Procedures
- Security Technical Guidelines
- Security Awareness and Training Plan
- Configuration Management Plan
- Patch Management Plan
- Rules of Behavior
- Contingency/Disaster Recovery Plan
- Incident Response Plan
- Continuous Monitoring Plan
No separate contract is required.
No sole source justification is required.
The OCIO ISSLOB COE is positioned to provide A&A services to DOI and other federal government agencies. As an OMB-designated ISSLOB, work is initiated through an Inter-Agency Agreement (IAA) with the Interior Business Center Line of Business.
The IAA references an agreed-upon Memorandum of Understanding, with supporting Proposal, Statement of Work, and Rules of Engagement documents.
Authority Under Which A&A is Provided: Economy Act, 31 USC 1535, and Working Capital Fund, 43 USC 1467 and 1468.
For Additional Information:
Contact OCIO ISSLOB