Memorandum of Understanding (MOU)


OFFICIAL USE ONLY

Memorandum of Understanding (MOU) Between [Your Organization] And National Institutes of Health [DATE]

[Org name]          National Institutes of Health
[Address]           9000 Rockville Pike
[City, state zip]   Bethesda, MD 20892

MEMORANDUM OF UNDERSTANDING (MOU)

[NOTE: Please delete everything inside square brackets “[ ]” throughout this template including this comment.]

SUPERSEDES:

[If this is a new MOU, delete this section.]

[If this MOU replaces a previous MOU, use the following and show the title and date of the previous MOU.] This Memorandum of Understanding (MOU) supersedes all previous agreements between the parties regarding the interconnection of the parties’ systems.

INTRODUCTION

The purpose of this document is to establish a management agreement between the [Your organization], and the National Institutes of Health (NIH) regarding the development, management, operation, and security of a connection between systems owned by [Your organization] and systems owned by the NIH. This agreement will govern the relationship between [Your organization] and the NIH, including designated managerial and technical staff, in the absence of a common management authority.

AUTHORITY

The authority for this agreement is based on the following policy, standards and guidance:

• Federal Information Security Management Act (FISMA), Title III of the E-Government Act of 2002

• Office of Management and Budget (OMB) Circular A-130, Appendix III, Security of Federal Automated Information Resources

• NIST Special Publication 800-47, Security Guide for Interconnecting Information Technology Systems

• NIH Information Security Policy Handbook Version 2.0, April 29, 2015

• [Any other policy, standards or guidance as needed]

BACKGROUND

It is the intent of both parties to this agreement to maintain an interconnection of information technology (IT) systems to [share, exchange, or pass one-way] data between [Your system] and [NIH system]. System administrators from both parties will comply with appropriate security requirements to protect both parties’ data and information systems. [Please explain the expected benefit of the interconnection and/or the business purpose for the interconnection (Example: The expected benefit of the interconnection is to expedite the processing of data associated with “Project” within prescribed timelines).]

Name: [Your system name (GSS)]

Function: [Briefly describe the function - What is the purpose of the system? How will it function?]

Location: [Identify the physical location – complete address]

Description of data, including sensitivity or classification level:

[Identify the sensitivity or classification level based on FIPS 199. Identify the data that is being stored, processed, and/or transmitted.]

[Example:

The data that traverses this connection contains federal financial information as well as Privacy Act data and is classified Sensitive but Unclassified (SBU). The data sensitivity classification for confidentiality is high, integrity high, and availability high for the following reasons:]

[Select the correct level for your system]

• Confidentiality – [High, Moderate, or Low] – Data that traverses this interconnection contains information that, if accessed or disclosed, is expected to have [a severe or catastrophic, a serious, or a limited] adverse effect on organizational operations, organizational assets, or individuals.

• Integrity – [High, Moderate, or Low] – Data that traverses this interconnection contains information that, if altered, is expected to have [a severe or catastrophic, a serious, or a limited] adverse effect on organizational operations, organizational assets, or individuals.

• Availability – [High, Moderate, or Low] – Data that traverses this interconnection contains information that, if not timely and readily accessible, is expected to have [a severe or catastrophic, a serious, or a limited] adverse effect on organizational operations, organizational assets, or individuals.

Name: [Name of the NIH system (i.e. application name or specific system name)]

Function: [Briefly describe the function - What is the purpose of the system? How will it function?]

Location: [Location] e.g., Building 12, 9000 Rockville Pike, Bethesda, MD 20892

Description of data, including sensitivity or classification level:

[Identify the sensitivity or classification level based on FIPS 199. Identify the data that is being stored, processed, and/or transmitted.]

[Example:

The NIH system is one of multiple general support systems that support scientific and general administrative applications for the National Institutes of Health, the Department of Health and Human Services (HHS), and other federal agencies.

The data sensitivity classification for confidentiality is moderate, integrity moderate, and availability moderate, determined as follows. (Select the correct FIPS 199 level, Low, Moderate, or High, for the specific system being connected.)]

NIH used NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, to determine the security categories for all general support systems that host customer applications. NIH formulated a list of all possible information types from NIST SP 800-60 that might be stored or processed on the general support systems. Based on the NIST-assigned default categories for the identified information types, the high-water mark for confidentiality, integrity, and availability is [place classification level] based on the following:

• Confidentiality – [High, Moderate, or Low] – Data that traverses this interconnection contains information that, if accessed or disclosed, is expected to have [a severe or catastrophic, a serious, or a limited] adverse effect on organizational operations, organizational assets, or individuals.

• Integrity – [High, Moderate, or Low] – Data that traverses this interconnection contains information that, if altered, is expected to have [a severe or catastrophic, a serious, or a limited] adverse effect on organizational operations, organizational assets, or individuals.

• Availability – [High, Moderate, or Low] – Data that traverses this interconnection contains information that, if not timely and readily accessible, is expected to have [a severe or catastrophic, a serious, or a limited] adverse effect on organizational operations, organizational assets, or individuals.

COMMUNICATIONS

Frequent formal communications are essential to ensure the successful management and operation of the interconnection. The parties agree to maintain open lines of communication between designated staff at both the managerial and technical levels. All communications described herein must be conducted in writing unless otherwise noted.

[Your organization’s system] and [the NIH system] agree to designate and provide contact information for technical leads for their respective system, and to facilitate direct contacts between technical leads to support the management and operation of the interconnection. See Attachment 2 (NIH POCs) and Attachment 3 (Your POCs). To safeguard the confidentiality, integrity, and availability of the connected systems and the data they store, process, and transmit, the parties agree to provide notice of specific events within the time frames indicated below:

Security Incidents: The technical staff will immediately notify their designated counterpart by telephone or e-mail when a security incident is detected, so that the counterpart can determine whether their system has been compromised and take appropriate security precautions. In addition, the technical staff will notify their respective Incident Response Centers or points of contact to ensure that appropriate actions and reporting take place.

Disasters and Other Contingencies: The technical staff will immediately notify their designated counterpart by telephone or e-mail in the event of a disaster or other contingency that disrupts the normal operation of one or both of the connected systems.

Material Changes to System Configuration: Planned technical changes to the system architecture will be reported to the other party’s technical staff at least one (1) week before such changes are implemented. The initiating party agrees to conduct a risk assessment based on the new system architecture and to modify and re-sign the ISA within one (1) month of implementation.

New Interconnections: [Your Organization] will notify the NIH at least one (1) month before it connects the system that is related to this interconnection with any system that is not directly related to this interconnection, including systems that are owned and operated by third parties.

Personnel Changes: The parties agree to provide notification of the separation or long-term absence of their respective system owner or technical lead. In addition, both parties will provide notification of any changes in point of contact information. Both parties will also provide notification of changes to user profiles, including applicable users who resign or change job responsibilities.

INTERCONNECTION SECURITY AGREEMENT

The technical details of the interconnection will be documented in an Interconnection Security Agreement (ISA). The parties agree to work together to develop the ISA, which must be signed by both parties before the interconnection is activated. Proposed changes to either system or the interconnecting medium will be reviewed and evaluated to determine the potential impact on the interconnection. The ISA will be renegotiated before changes are implemented.

SECURITY

Both parties agree to work together to ensure the joint security of the connected systems and the data they store, process, and transmit, as specified in the ISA. Each party certifies that its respective system is designed, managed, and operated in compliance with all relevant federal laws, regulations, and policies. Interconnecting systems shall have undergone a Security Assessment and Authorization (SA&A) process, with associated memoranda that designate the systems as fully accredited, and shall hold a current Authority to Operate (ATO). Upon request, the SA&A package and/or the ATO letter will be provided for review.

COST CONSIDERATIONS

Each party is responsible for its own agency costs for the equipment necessary to interconnect its local system. Modifications to either system that are necessary to support the interconnection must be mutually agreed upon and are the responsibility of the respective system owner’s organization. Should it be necessary, the organizations will jointly fund the interconnecting mechanism and/or media, but no such expenditures or financial commitments shall be made without the written concurrence of both parties.

TIMELINE

This agreement will remain in effect for three (3) years after the later of the two signature dates in the signature block below. After three (3) years, this agreement will expire without further action. If the parties wish to extend this agreement, they may do so by reviewing, updating, and reauthorizing it. The newly signed agreement will explicitly supersede this agreement, which should be referenced by title and date in the SUPERSEDES section of the new document. If one or both of the parties wish to terminate this agreement prematurely, they may do so upon 30 days’ advance notice, or immediately in the event of a security incident that necessitates an immediate response. This agreement will be reviewed at least annually, or whenever a significant change occurs, to ensure that security controls are operating properly and providing appropriate levels of protection.

[Your Authorizing Official]

______________________________
(Signature)                    (Date)


NCI Authorizing Official
Jeff Shilling
NCI, Chief Information Officer (NCI-CIO)
Center for Biomedical Informatics & Information Technology
National Cancer Institute
9609 Medical Center Drive
Rockville, MD 20850

______________________________
(Signature)                    (Date)

Attachment 1

ISSO Recommendation Letter

From: NCI Information System Security Officer

To: NCI AO

I have reviewed this MOU and find the overall security safeguards for this connection to have been addressed. I recommend that this agreement be signed. (Or similar words)

______________________________
IC/ISSO Signature/Date

Attachment 2

National Institutes of Health Points of Contact:

IT Security Program
Christopher S. Todd
NIH – Chief Information Security Officer (NIH-CISO)
6555 Rock Spring Drive, Suite 200, Office 2034
Bethesda, MD 20817
301.480.4627
Email [email protected]

IT Security Compliance
Patty Ferson
Acting Deputy CISO and Audit Lead
6555 Rock Spring Drive, Suite 200, Office 2033
Bethesda, MD 20817
301.402.4445
Email [email protected]

Contingency Planning
Jacki Wilson
NIH/NCI
9609 Medical Center Drive
Gaithersburg, MD 20850
240-276-5159

Incident Response
Craig Hayn
IT Security Analyst
6555 Rock Spring Drive, Suite 1SW05
Bethesda, MD 20817
240.380.0110
Email [email protected]

NCI Publications Locator (Pubs Enterprise) Technical POC
Bryan Pizzillo
NIH/NCI
9609 Medical Center Drive
Gaithersburg, MD 20850
240-276-6547

Attachment 3

[Your organization] Points of Contact:

IT Security Program: [Your POC]

Security Operations: [Your POC]

Incident Response: [Your POC]

Contingency Planning: [Your POC]