This document represents the Security Assessment Report (SAR) for HBWC as required by NIH for security authorization. This SAR contains the results of the comprehensive security test and evaluation of HBWC. This assessment report, and the results documented herein, supports program goals, efforts, and activities necessary to achieve compliance with organizational security requirements.
The SAR describes the risks associated with the vulnerabilities identified during HBWC’s security assessment and also serves as the risk summary report as referenced in NIST SP 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems.
All assessment results have been analyzed to provide the information system owner, the institute/center information system security officer (IC ISSO), and the authorizing officials with an assessment of the security controls as described in the HBWC System Security Plan.
Title III, Section 3544, of the E-Government Act of 2002, dated December 17, 2002, requires agencies to conduct periodic assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency. Appendix III of Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, requires federal agencies to:
• Review the security controls in each system when significant modifications are made to the system, but at least every three years. §3(a)(3)
• Protect government information commensurate with the risk and magnitude of harm that could result from the loss, misuse, or unauthorized access to or modification of such information. §8(a)(1)(g); §8(a)(9)(a)
• Demonstrate specific methods used to ensure that risks and the potential for loss are understood and continually assessed, that steps are taken to maintain risk at an acceptable level, and that procedures are in place to ensure that controls are implemented effectively and remain effective over time. §8(b)(3)(b)(iv)
• Ensure that a management official authorizes in writing use of the application by confirming that its security plan as implemented adequately secures the application. Results of the most recent review or audit of controls shall be a factor in management authorizations. The application must be authorized prior to operating and re-authorized at least every three years thereafter. Management authorization implies accepting the risk of each system used by the application. §(3)(b)(4)