TDI’s Assessment & Authorization services helped carry more than 100 NIH systems over the goal line to attain or maintain their Authority to Operate.
TDI assisted NIH with the Assessment & Authorization (A&A) process for more than 100 of its critical systems. In the course of this work, TDI was either directly responsible for, or heavily supported, the following components of the A&A lifecycle as laid out in NIST SP 800-37 and as required under the Federal Information Security Management Act of 2002 (FISMA) and other Federal laws and regulations:
- System Categorization: TDI identified and/or verified the high, moderate, or low categorization of each in-scope NIH system based on an impact analysis covering the Confidentiality, Integrity, and Availability of the system and the information it processes.
- Security Control Selection and Implementation: TDI assisted NIH in selecting the security controls most appropriate for the targeted information systems and consulted on their implementation. We relied heavily on Risk Assessments, including vulnerability assessments, to tailor the control selection to NIH and achieve the most effective and efficient protection. Finally, we documented these controls in each system’s System Security Plan (SSP).
- Security Control Assessment: TDI performed Security Testing and Evaluation (ST&E) of all selected security controls implemented in NIH’s information systems to determine whether the controls were implemented correctly, operating as intended, and providing NIH with real protection against threats to its systems.
- System Authorization: TDI prepared all necessary documentation, including the certification package, to streamline the process of obtaining an Authority to Operate (ATO) for every covered NIH system.
- Continuous Monitoring: TDI supported NIH in maintaining the security of its systems after ATO was granted by tracking progress on the Plan of Action and Milestones (POA&M) and consulting on control implementations.
Based on TDI’s performance in these A&A activities, NIH judged that the effectiveness of our work warranted making TDI the sole author of the NIH Policy for Assessment & Authorization of Systems and Applications.
TDI also provided legal and regulatory guidance for the A&A process, including advice on adhering to national and organizational security requirements such as FISMA, NIST-issued Federal Information Processing Standards and Special Publications, Office of Management and Budget (OMB) Circular A-130, and related OMB guidance.