TDI has assisted NIH with the Certification and Accreditation (C&A) process for over 100 of their critical systems. In the course of our work at NIH, TDI was either directly responsible for or heavily supporting the following components of the C&A lifecycle as laid out by NIST SP 800-37, Guide for Security Certification and Accreditation of Federal Information Systems, and as required under the Federal Information Security Management Act of 2002 (FISMA) as well as other Federal laws and regulations:
- System Categorization: TDI identified and/or verified the high, moderate, or low categorization of the NIH systems in scope based on an impact analysis covering Confidentiality, Integrity, and Availability of the system.
- Security Control Selection and Implementation: TDI assisted NIH in selecting security controls most appropriate for the targeted information systems and consulted on their implementation. We heavily leveraged Risk Assessments, including vulnerability assessments, to tailor the control selection to NIH and achieving the best and most efficient protection. Finally, we documented these controls in NIH's System Security Plan (SSP).
- Security Control Assessment: TDI performed Security Testing and Evaluation (ST&E) of all selected security controls implemented in NIH's information systems to determine whether or not the controls were implemented effectively to provide NIH with real protection against threats to their systems.
- System Authorization: TDI prepared all necessary paperwork, including the certification package, to streamline the process of obtaining Authority to Operate (ATO) for all covered NIH systems.
- Continuous Monitoring: TDI supported NIH in maintaining security in its systems even after ATO was granted by ensuring progress on the Plan of Action and Milestones (POA&M) and providing consulting on control implementations.
- Based on TDI's performance on C&A-related activities, NIH has indicated that the efficacy with which we are conducting our efforts warrants our being the sole authors of the NIH Policy for Certification and Accreditation of Systems and Applications.
TDI also provided legal and regulatory guidance for the C&A process, including advice on how to adhere to national and organizational security requirements such as FISMA, NIST-issued Federal Information Processing Standards (FIPS) and Special Publications (SPs), The Computer Security Act of 1987, The Privacy Act of 1974, and Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources.