Security Documents

Mid 2022

The first step was to fill out several IT project overview forms and documents required by the NOAA Fisheries Office of the Chief Information Officer (OCIO) cloud security team. Some of the content was technical, some was not, and some was still guesswork at the time, but all information was based on the public VIAME server that Kitware was already running for NOAA:

1. Technical Description

This document described the project’s environmental factors such as where the application would be deployed, the components of the application, and the operating system and network requirements. It also summarized communication resources, IT security baselines, security software protection, and contained a diagram of the proposed application/system.

2. System Description

This document provided an executive summary of the project and statements of scope, business objectives, purpose, and mission.

3. NIST FIPS-199

This National Institute of Standards and Technology (NIST) Federal Information Processing Standard Publication 199 (FIPS 199) document established the security categorization for the proposed application as part of the initial risk assessment. It described the security objectives and impact levels, the security categorization process, system information requirements, and the NOAA4000 security category. It required signatures from an authorizing official (e.g., branch chief), the system owner, the system IT Security Officer (ITSO), and the Line Office ITSO.

4. Initial Data Gathering

This document summarized the initial project security requirements as responses to 18 questions. These were mostly high-level responses, but they also included a fairly detailed description of the system environment in the form of a flow diagram, a network diagram, and a hardware architecture layout.

5. Privacy Impact Assessment

This Department of Commerce (DOC) Privacy Impact Assessment (PIA) form outlined the system description, the data and information to be stored on the system, the activities the system supported, the purpose of the system, the use of the information and data on the system, information sharing and access, notice and consent, administrative and technological controls, Privacy Act considerations, retention of information, the confidentiality impact level, and an analysis of the system. It required signatures from the system owner, an authorizing official, the ITSO, the NOAA Privacy Act Officer, and the NOAA Chief Privacy Officer.

6. Privacy Threshold Analysis

This DOC Privacy Threshold Analysis was used to determine whether a PIA was needed for the system. The form described the system and its purpose, the type of information on the system, the users and others with access to the information, and whether the system would contain Personally Identifiable Information (PII) or Business Identifiable Information (BII). The questionnaire determined that a PIA was needed for this system because it was expected to contain PII and BII. It required signatures from the system owner, an authorizing official, the ITSO, the NOAA Privacy Act Officer, and the NOAA Chief Privacy Officer.