DATE:
November 13, 2012
TO:
Dr. Diane Brandt
FISMA System Owner, RMD-SSA DAS
Protocol Manager, Clinical Center Rehabilitation Medicine Dept.
National Institutes of Health
Dr. Elizabeth Rasch
FISMA System Owner, RMD-SSA DAS
Staff Scientist, Clinical Center Rehabilitation Medicine Dept.
National Institutes of Health
FROM:
Dr. Jon McKeeby
FISMA Authorizing Official, RMD-SSA DAS
Clinical Center CIO
National Institutes of Health
CC:
Jothi Dugar
FISMA Certifying Authority, RMD-SSA DAS
Clinical Center ISSO
National Institutes of Health
SUBJECT: Rehabilitation Medicine Department—Social Security Administration Data
Analysis System (RMD-SSA DAS) Security Certification
A security certification review of the National Institutes of Health (NIH) Clinical Center
(CC) Rehabilitation Medicine Department—Social Security Administration Data Analysis
System (RMD-SSA DAS) major application (MA) was conducted in accordance with the
Office of Management and Budget (OMB) Circular A-130, Management of Federal
Information Resources, Appendix III, Security of Federal Automated Information Resources,
the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37,
Guide for the Security Certification and Accreditation of Federal Information Systems, and
the HHS Certification and Accreditation Guidance. I have carefully reviewed the
certification statement of the RMD-SSA DAS Certifying Authority and the supporting
evidence provided in the RMD-SSA DAS certification package.
After reviewing planned and implemented RMD-SSA DAS security controls and weighing
residual risks against operational requirements, I hereby grant an authorization to operate
(ATO) the RMD-SSA DAS in its existing environment. This ATO is issued for a period of
three years from the date of this letter under the following conditions:
1. The RMD-SSA DAS ISSO and RMD-SSA DAS system owners must address the
security findings listed in Table 4.0 of the RMD-SSA DAS Security Assessment
Report and document progress on those findings in an RMD-SSA DAS Plan of
Actions and Milestones (POA&M).
2. Commencing three months after the date of this letter, the RMD-SSA DAS ISSO and
RMD-SSA DAS system owners must provide an updated RMD-SSA DAS POA&M
to the RMD-SSA DAS CA and RMD-SSA DAS AO quarterly.
At the end of the period of authorization, the RMD-SSA DAS ATO will be terminated unless
the RMD-SSA DAS system is reauthorized to operate. During the period of authorization,
the RMD-SSA DAS CA and RMD-SSA DAS AO will monitor the progress by the
RMD-SSA DAS ISSO and RMD-SSA DAS system owners in addressing RMD-SSA DAS
POA&M items. The RMD-SSA DAS CA, RMD-SSA DAS ISSO, and RMD-SSA DAS
system owners should retain copies of this letter and the RMD-SSA DAS certification
package as a permanent record.
Jon W. Mckeeby
__________________________________________
Digitally signed by Jon W. Mckeeby
DN: c=US, o=U.S. Government, ou=HHS,
ou=NIH, ou=People, cn=Jon W. Mckeeby,
0.9.2342.19200300.100.1.1=0010057498
Date: 2013.01.05 13:34:59 -05'00'
Dr. Jon McKeeby
FISMA Authorizing Official, RMD-SSA DAS
Clinical Center CIO
National Institutes of Health
File Type | application/pdf |
File Title | RMD-SSA DAS AO Accreditation Statement |
Author | Bill Lofton |
File Modified | 2013-06-04 |
File Created | 2013-01-04 |