NIH Assessment and Authorization (A&A) Program

Challenge

Build and manage an Enterprise-wide Assessment and Authorization (A&A) Program

Our Solution

Compass helped mature the NIH A&A Program by creating and communicating clear, scalable guidance across the Enterprise, helping guide the NIH ICs to create useful and compliant security documentation.

  • Every NIH System received an Authority to Operate (ATO) and is entered into the Enterprise GRC solution that is operated and managed by Compass.
  • We manage the NIH's Plans of Action and Milestones (POA&Ms) to ensure that remediation activities occur within the stated timeframes, often providing guidance on specific remediation techniques.

Results

Compass developed and communicated clear and concise procedures, A&A templates and guidance using an Enterprise collaboration tool, which is utilized by every NIH Institute/Center (IC).
By utilizing an automated GRC Tool, NIH ICs can easily and automatically inherit common controls that are found in other NIH Systems with an ATO, saving significant time and money.
NIH produces automated reporting on hundreds of System Inventories, ATO statuses and Plans of Action and Milestones (POA&Ms), which is shared with Health and Human Services (HHS) and used annually for IT audits.

Compass Federal offers high quality thought leadership, information security expertise, and innovation. Not only did Compass develop a valued partnership, they were instrumental in helping us modernize the NIH Enterprise Risk Management Program. I highly recommend working with them.

David Olson, MIS, CAP
Former NIH OCIO A&A/Risk Management Team Lead and current CISO for NIH Clinical Center