attachment_F04 - CIRB_FIPS_199_09_2015.pdf

CTEP Branch Support Contracts Forms and Surveys (NCI)

OMB: 0925-0753

The Central Institutional Review Board (CIRB)
CIRB Information System
FIPS 199 Security Categorization

Version 2.0
September 01, 2015
Prepared for:
The National Cancer Institute
Clinical Trials Operations & Informatics Branch
Co-Contracting Officer Representative CIRB
Contracting Number: HHSN261201400023C

SENSITIVE

NCI CIRB Web System
FIPS 199 Security Categorization 1.0
September 01, 2015 - Confidential

Record of Changes/Version History

Version Number | Date of Change | Summary of Changes | Sections Changed | Person Entering Change
1.0 | 09/30/2014 | Initial submission | | Jennifer Dugan / Brian Campbell
2.0 | 09/01/2015 | Annual update | No changes | Jennifer Dugan / Brian Campbell


Table of Contents
1. INTRODUCTION (page 4)
1.1. Purpose (page 4)
1.2. Scope (page 4)
1.3. System Description (page 4)
2. METHODOLOGY (page 5)
3. APPLICABLE INFORMATION TYPES (page 7)
4. SYSTEM SECURITY CATEGORIZATION APPROVAL (page 15)



1. INTRODUCTION
The Federal Information Processing Standard 199 (FIPS 199) Security Categorization report is a key document that records the determination of the security impact level for the cloud environment that hosts the CIRB Web System. The goal of the security categorization is to select and implement the security controls that apply to that environment.
1.1. Purpose
The purpose of the FIPS 199 categorization assessment is to determine the categorization of the environment and to provide that categorization to the NCI, so that the NCI can determine whether the Cloud Service Provider (CSP) is able to host systems at that level. The completed security categorization assessment will aid the NCI in selecting and implementing security controls at the determined categorization level.
1.2. Scope
The scope of the FIPS 199 categorization includes assessment of the information type categories defined in NIST Special Publication 800-60 Volume 2 Revision 1.
1.3. System Description
The CIRB Web System has been determined to have a security categorization of Low.
The Central Institutional Review Board (CIRB) provides a central resource for expediting Institutional Review Board (IRB) activities for National Cancer Institute (NCI) Cooperative Group clinical trials. To support all CIRB operations, EMMES provides an integrated suite of informatics systems for comprehensive data collection, data management, and information dissemination. These systems support CIRB study tracking and operations support for the CIRBs; enrollment and management of Signatory Institutions and their associated child institution and person records; and the NCI CIRB website. The systems are fully interoperable on both the Test and Production instances, and are configured to follow industry-standard best practices for the Software Development Life Cycle (SDLC).

The systems and their interoperability are outlined in the figure below:



2. METHODOLOGY
Impact levels are determined for each information type against the three security objectives (confidentiality, integrity, availability). The confidentiality, integrity, and availability impact levels together define the security sensitivity category of each information type. The FIPS 199 categorization of the system is the high water mark: for each security objective, the highest impact level assigned to any applicable information type.
The FIPS 199 analysis records the information types and sensitivity levels of the CIRB cloud service offering. The analysis must be added as an appendix to the System Security Plan (SSP), and its results drive the Categorization section of the SSP.
The CIRB Web System categorization is expected to resolve to Moderate or Low.



Table 1 summarizes the potential impact definitions for each security objective (confidentiality, integrity, and availability).

Table 1: Potential impact definitions for each security objective

Confidentiality [44 U.S.C., SEC. 3542]: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
  LOW: The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  MODERATE: The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  HIGH: The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Integrity [44 U.S.C., SEC. 3542]: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
  LOW: The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  MODERATE: The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  HIGH: The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Availability [44 U.S.C., SEC. 3542]: Ensuring timely and reliable access to and use of information.
  LOW: The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  MODERATE: The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  HIGH: The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.



3. Applicable Information Types with Security Impact Levels
Table 2 provides a summary of the information types, based on NIST SP 800-60 Volume 2, Revision 1, and the FIPS 199 assessment. For each information type, the recommended (provisional) impact levels from SP 800-60 are listed beside the levels selected by the CSP, with a statement justifying any adjustment.

Table 2: Information types with NIST SP 800-60 V2 R1 recommended and CSP-selected impact levels

Information Type | SP 800-60 V2 R1 Recommended (Confidentiality / Integrity / Availability) | CSP Selected (Confidentiality / Integrity / Availability) | Statement for Impact Adjustment Justification
Regulatory Development: Guidance Development Information | Low / Low / Low | Low / Low / Low | Low
Public Relations: Customer Service Information | Low / Low / Low | Low / Low / Low | Low
Public Relations: Official Information Dissemination Information | Low / Low / Low | Low / Low / Low | Low
Public Relations: Outreach Information | Low / Low / Low | Low / Low / Low | Low
Public Relations Information | Low / Low / Low | Low / Low / Low | Low


4. System Security Categorization Approval
Table 3 provides a summary of the information types that apply, based on the selections identified in the FIPS 199 assessment.

Table 3: FIPS 199 Security Categorization Summary

Information Type Name | Confidentiality | Integrity | Availability | Rationale for Selecting or Adjusting Security Categorization Levels
Regulatory Development | Low | Low | Low | Due to the change in user authentication protocol and the transition of the responsibilities from the CIRB website to the CTSU website
Public Affairs | Low | Low | Low | All information provided is on the public website

Overall impact rating (i.e., the high water mark) for each security objective:
Confidentiality = LOW
Integrity = LOW
Availability = LOW

Based on the above information, the System Impact Level for the CIRB Web System is: Low.
I, Mike Montello, approve the System Impact Level selected for the CIRB Web System. Changes to the data processed, stored and transmitted by
the information system will require a review and update to the Security Categorization.

Mike Montello
NCI CIRB
System Owner for the CIRB Web System

Date



File Type: application/pdf
File Title: Microsoft Word - CIRB_FIPS_199_Sept2015.docx
Author: jdugan
File Modified: 2018-04-30
File Created: 2015-08-31
