What is required of the GSA SmartPay 2 contractors?
All systems and applications supporting the GSA SmartPay 2 program were subject to an initial security review before they began processing transactions, and to a further review every three years thereafter throughout the period of performance. These reviews include audits of the management, operational, and technical controls of the GSA SmartPay systems. GSA requires that GSA SmartPay contractors provide access to their systems, including onsite inspections where appropriate. They must also provide support personnel as needed.
What is the Assessment and Authorization (A&A) Security Requirement?
A security process called Assessment and Authorization (A&A), formerly Certification and Accreditation (C&A), is required by the Federal Information Security Management Act (FISMA) of 2002 for all Federal systems containing Personally Identifiable Information (PII). PII is any data maintained by an agency that can be used to identify, locate, or contact a specific individual (name, social security number, date and place of birth) or that can be used to distinguish one person from another (medical, educational, financial, or employment information).
A FISMA-compliant A&A package consists of documents and test results that provide the foundation for a certifying authority to decide whether a system receives its Authority to Operate (ATO).
Below is a list of the documents and test results that must be included in the A&A package:
System Security Plan in accordance with NIST 800-53
Configuration Management Plan
Privacy Impact Assessment
Contingency Plan
Contingency Plan Test
Incident Response Plan
Rules of Behavior
Security Controls Assessment
Plan of Action & Milestones (POA&M)
Authority to Operate Request Memo
The entire A&A process takes about 5-9 months, depending on the availability of GSA resources, contractor due diligence, and the security level of the system.
Where do I go for guidance?
For guidance on security control reviews, refer to NIST SP 800-26.
For guidance on the certification and accreditation process, refer to NIST SP 800-37.