U.S. Department of Health and Human Services
Does an IT Administrator typically get involved in security for MAs? It depends. Each category - high, moderate, or low - dictates the different security controls that must be in place for every major application to meet the guidance of NIST SP 800-53 Rev. 3.
Some SP 800-53 Rev. 3 controls are handled at the organization level (that is, HHS-wide, or even within an OPDIV). These controls are usually related to policy, guidance, personnel controls (such as background checks), or security training. Other controls, such as intrusion detection or virus protection, are handled by the GSS. IT Administrators do not typically check the MA against the controls that are handled by the GSS or the organization.
A local IT Administrator is likely to get involved when an MA requires additional protection above and beyond what the organization or GSS provides. This occurs after an MA System Owner or ISSO determines additional security controls are needed.