Professional Documents
Culture Documents
SIA v1 - Final-A
SIA v1 - Final-A
SIA Purpose
The SIA process articulates how changes to the system may affect the security posture of the system.
Documentation chronicling the SIA provides insight to the development team, ISSO, Business
Owner, and other key stakeholders.
The SIA and associated documentation may highlight the need for future actions including:
o Communication with the Technical Review Board (TRB);
o Updates to Security Artifacts (SSP, ISRA, CP, PIA, etc);
o Determination if Third Party security testing will be required;
o The potential requirement for a new Authority to Operate (ATO).
SIA documentation may serve as a “to-do” list for ISSOs to make sure that documentation is updated
appropriately, tests performed for identified controls, etc. It may also help justify further testing and
potentially expensive processes to the Business Owner.
SIA documentation, if properly tailored, is particularly useful for a DevSecOps environment where
multiple changes may occur within a relatively short time-frame and the ISSO can reuse existing
documentation to quickly make any updates necessary.
SIA documentation may serve as evidence of system compliance.
SIA 1
Version 1.0
Note: NIST Special Publication 800-128 “Guide for Security-Focused Configuration Management of
Information Systems” indicates that the change management process (and by extension, security impact
analysis) is not required for changes that are specifically noted as being excluded in each organization’s
Configuration Management Plan (CMP). If there is an anticipated change not so noted in your
organization’s CMP, perform a SIA.
Significant changes to the environment of operation that may trigger an event-driven authorization
action may include, but are not limited to:
Moving to a new facility;
Adding new core missions or business functions;
Acquiring specific and credible threat information that the organization is being targeted by a
threat source; or
Establishing new/modified laws, directives, policies, or regulations.
Note: The examples of changes listed above are only significant when they represent a change that is
likely to affect the security and privacy posture of the system.
References
NIST SP 800-37 Rev. 1 under Security Impact Analysis
CNSSI 4009-2015 (NIST SP 800-37 Rev. 1)
NIST SP 800-137 under Security Impact Analysis (NIST SP 800-53)
NIST SP 800-30 Rev. 1 under Security Impact Analysis (NIST SP 800-37)
NIST SP 800-39 under Security Impact Analysis (NIST SP 800-37)
NIST SP 800-53 Rev. 4 under Security Impact Analysis (CNSSI 4009)
NIST SP 800-18 Rev. 1 under Security Impact Analysis (NIST SP 800-37)
NIST SP 800-53A Rev. 4 under Security Impact Analysis (NIST SP 800-37)
NIST SP 800-128 under Security Impact Analysis (CNSSI 4009 - Adapted)
SIA 2
Version 1.0
1. Section 1 – An overview of the proposed change. If this document is maintained for record
keeping/compliance, the completion of this section will make identification easier in the future.
2. Section 2 – Information on who is performing the SIA if a technical representative of the ISSO is
performing the assessment on behalf of the ISSO. If a technical representative of the ISSO has
performed this assessment, they will forward it to the ISSO for discussion and review. It remains
the ISSO’s responsibility to complete all appropriate actions.
3. Section 3 – An extensive list of “Trigger Events”, most of which are a decomposition of the
boxes checked in Section 2. This section is the heart of the assessment. To complete this
section:
1. The assessor examines each event under “Scope of Change” (column 2).
2. If an event is part of the potential change, enter a “Y” under “Impact Y/N” (column 1).
At this point, elaboration of the events noted is included in the section “Summary of
Security Impact/ Technical Overview/ Risks Identified”. This includes detailing the
technical overview of the item and a description of the potential impact and risk. Where
other data associated with the change is available such as scan information, reference
should also be included in this area.
4. Section 4 – The ISSO recommendation to the Business Owner on the overall status of the change
and what actions necessary. This section should function as a high-level summarization of the
necessary activities determined in Section 3 “Mitigation or Necessary Updates” and “Summary
of Security Impact/Technical Overview/Risks Identified”.
a. Note that the “Mitigation or Necessary Updates” area within Section 3 provides
recommended actions. Actions may individually or as a group indicate the requirement
for a new ATO. At this point, the ISSO may choose to consult with their Cyber Risk
Advisor or Privacy Advisor prior to providing the recommendation of activities to the
Business Owner and System Maintainer.
Though every change requires a SIA, organizations may utilize their own internal methods or processes
that can automate or streamline the security analysis rather than using a formal SIA form. These types
of changes may include processes for configuration control such as vendor-provided security patches,
updated antivirus signatures, creation, or deletion of users, replacement of defective peripherals,
SIA 3
Version 1.0
motherboard or hard drives, etc. Processes associated with similar functions, may have built-in security
components or controls that may not require a formal SIA form. Any of these processes whether
automated or manual, must capture the elements needed to properly analyze the security impacts of the
particular change and the ISSO may at any time require a formal SIA for any change.
Post change. This document, when completed and shared with the Business Owner can be used as a
checklist to make sure that any work such as documentation changes are performed.
SIA 4
Version 1.0
Element Description
CR Number Click here to enter text.
CR Submitter (Contact Information) Click here to enter text.
System/Application/Tool Click here to enter text.
Description of System Change Click here to enter text.
(This must be a detailed description that
includes the Drivers for the change)
If applicable, provide the details of the change if the SIA is dependent on a Change Request (CR).
Element Description
CR Number Click here to enter text.
CR Submitter (Contact Information) Click here to enter text.
If a technical representative of the ISSO is performing this assessment on behalf of the ISSO, please provide your
contact information.
Element Description
Representative performing the SIA Click here to enter text.
Title of Representative performing the SIA Click here to enter text.
Date Click here to enter text.
Phone Click here to enter text.
Email Click here to enter text.
SIA 5
Version 1.0
Impact? Category Scope of Change Mitigation or Necessary Updates ARS Controls Summary of Security Impact/ Technical
(Y/N) Impacted Overview/ Risks Identified
Mission/ New Users or ISRA updates, potential PIA AC-2, AC-6
Business New User Roles update, CFACTS system
requirements Added description updates.
Impact? Category Scope of Change Mitigation or Necessary Updates ARS Controls Summary of Security Impact/ Technical
(Y/N) Impacted Overview/ Risks Identified
directives.
System Interconnections and Updates to ISA and MOU must AC-4, CA-3,
boundary New connection to occur. If not standard connection CA-9, PL-2, AC-
FISMA system or service/inheritance from another 3, AC-20, AU-2,
Service accredited FISMA system, SCA AU-12, AU-16,
will be required. CA-7, IA-3, SA-
9, SC-7, SI-4
Updates to FISMA artifacts must
be made, including SSP, XLC/TLC
System Slides, CFACTS Boundary
information, etc
System Architecture, Zone changes CM-2, PL-2, PL-
boundary Topology, Implementation or inheritance of 8, SA-3, CM-6,
Port/Protocol/Service new services CM-8, CM-9,
change Updates to FISMA artifacts must SA-10, PM-5,
be made, including SSP, XLC PM-7
System Slides, CFACTS Boundary
information, etc
Security Identification, New and modified control IA (all)
components Authentication, implementations must be tested.
Authorization SCA required unless inheriting
from existing FISMA system.
New methods for
authentication Updates to all FISMA artifacts
and/or identifiers must be made, including SSP,
added XLC/TLC System Slides, CFACTS
Boundary information, etc
Migrations between
Single Factor and
MFA
Security Security Controls – New and modified control List specific
Components Change in implementations must be tested via controls changed
implementation existing security processes. All
standard or status changes must be documented PL-2 (SSP)
within the SSP and the Controls tab
SIA 7
Version 1.0
Impact? Category Scope of Change Mitigation or Necessary Updates ARS Controls Summary of Security Impact/ Technical
(Y/N) Impacted Overview/ Risks Identified
within CFACTS. Changes in
controls that cause controls to no
longer be “Satisfied” must be
submitted as a POA&M and
documented within the ISRA.
User Interface Updates to GUI New pages must go through 508 CM-2, CM-3,
including addition of testing, Static and Dynamic code CM-4
new pages, new analysis to determine no additional
inputs threats from XSS or other new SI-10
vulnerabilities.
New or Servers, If the equipment is updated with CM-2, CM-3,
Updated Communication similar vendor and models, then CM-4, CM-6,
Hardware Devices minimal testing may be needed. CM-7
However, if they are new models or
vendors, with different PL-2 (SSP)
configurations and settings, then it
is considered a significant change. HW/SW List
Equipment will need to be
hardened, and at minimum, have AC-19, SI-4
vulnerability and configuration
scans performed on them. CP-2
New or Change in Operating If the software is updated with CM-2, CM-3,
Updated System similar vendor and versions, then CM-4, CM-6,
Operating minimal testing may be needed. CM-7
System However, if they are significantly
different versions (i.e.., not an RA-5
“incremental version update”) or Vulnerability
different vendors, with different Scanning
configurations and settings, then it
is considered a significant change. CA-9(1)
Affected systems will need to be Compliance
hardened and, at minimum, have Checks
vulnerability and configuration
scans performed on them. PL-2 (SSP)
SIA 8
Version 1.0
Impact? Category Scope of Change Mitigation or Necessary Updates ARS Controls Summary of Security Impact/ Technical
(Y/N) Impacted Overview/ Risks Identified
HW/SW List
CP-2
New or New Security If the software is updated with CM-2, CM-3,
Updated Software or similar vendor and versions, then CM-4, CM-6,
Security Perimeter Security minimal testing may be needed. CM-7
Software Change However, if they are significantly
different versions (i.e.., not an RA-5
“incremental version update”) or Vulnerability
different vendors, with different Scanning
configurations and settings, then it
is considered a significant change. CA-9(1)
Affected systems will need to be Compliance
hardened and, at minimum, have Checks
vulnerability and configuration
scans performed on them. PL-2 (SSP)
HW/SW List
Potential impact
to multiple
controls
depending on
nature of
software
Support New Support If the software is updated with CM-2, CM-3,
Software Software similar vendor and versions, then CM-4, CM-6,
minimal testing may be needed. CM-7
However, if they are significantly
different versions (i.e.., not an RA-5
“incremental version update”) or
different vendors, with different PL-2 (SSP)
configurations and settings, then it
is considered a significant change. HW/SW List
SIA 9
Version 1.0
Impact? Category Scope of Change Mitigation or Necessary Updates ARS Controls Summary of Security Impact/ Technical
(Y/N) Impacted Overview/ Risks Identified
Affected systems will need to be
hardened and, at minimum, have Potential TRB
vulnerability and configuration review/approval
scans performed on them.
Vendor Software, Servers Software patch updates that cause CM-2, CM-3,
Patches the baseline configuration, or CM-4
security controls implementations,
to change will need a re- PL-2 (SSP)
authorization. All Software
upgrades need to be tested pre- HW/SW List
launch to prevent any issues.
Affected systems will need to be
hardened and, at minimum, have
vulnerability and configuration
scans performed on them.
System Change to Logical Vulnerability Scan is required AC-17, AC-2,
Boundary Access Points AC-3, AC-18,
AC-19, AC-20,
CA-3, CA-7,
SIA 10
Version 1.0
Impact? Category Scope of Change Mitigation or Necessary Updates ARS Controls Summary of Security Impact/ Technical
(Y/N) Impacted Overview/ Risks Identified
Existing) modified control implementations SC-7, SI-2, CA-
must be tested as part of the 2, CA-7, CM-3,
Configuration (Change) CM-5, CM-8,
Management processes. MA-2, IR-4, RA-
5, SA-10, SA-11,
SI-11
Vulnerability Found (No Attacks Add to Risk Assessment. New and RA-2, RA-3,
(New or Known) modified control implementations CM-8, MP-4,
Existing) must be tested as part of the SC-7, SI-2, CA-
Configuration (Change) 2, CA-7, CM-3,
Management processes. CM-5, CM-8,
MA-2, IR-4, RA-
5, SA-10, SA-11,
SI-11
System New processing A new processing location will PE(family)
boundary location(s) need to go thru an re-authorization
to ensure the system is secure from CM-2, CM-3,
any issues or attacks CM-4, CM-6,
CM-7
System Change or Addition Full authorization of the GSS is PE(family)
boundary of Hosting required. New and modified control
(environment Infrastructure or Site implementations (for applicable CM-2, CM-3,
) applications) must be tested as part CM-4, CM-6,
of the Configuration (Change) CM-7
Management processes.
Application obtains a new/updated
ATO.
SIA 11
Version 1.0
Please provide validation/security testing process as they relate to the change or any additional testing being done pertaining to this specific change.
Tool/Scan Testing
(Y/N) Testing Performed by Testing /Method Test Result Location Notes
Type Frequency
Compliance
Scans
Vulnerability
Scans
Dynamic
WAPT
Testing
Static WPT
Testing
Optional
Optional
SIA 12
Version 1.0
Using the information collected in Section 3: “Mitigation or Necessary Updates” and “Summary of Security
Impact/Technical Overview/Risks Identified”, please provide a recommendation to the Business Owner on
the status of the change.
ISSO recommendation(s):
X
ISSO
X
Bu sin ess Ow n er
SIA 13
Version 1.0
SIA 14