4.6 Conduct Security and Privacy Reviews

Technology

Task Activities

  1. Shared: Develop Privacy Framework to include system categorization, data type, handling, storing and sharing method, and incident response process
  2. Shared: Develop Privacy documentation and training material (if needed) to provide guidance to all stakeholders
  3. Shared: Implement privacy training roadmap and integrate with overall Training Plan
  4. Shared: Roll out privacy regulations to all users
  5. Shared: Document and receive System of Records Notice (SORN), if required
  6. Shared: Understand provider security environment and assess against requirements
  7. Shared: Develop Security documentation and Security Test Plan, if applicable
  8. Shared: Execute security test according to test plan to include both physical and logical security; document and correct issues
  9. Shared: Request and receive Authority to Operate (ATO), if necessary

4.6 Best Practices

  • Understand the customer’s ATO process and allow sufficient time to get documentation through review and approvals
  • Develop and define Security/Privacy plan before development as part of the Target State Solution Architecture
  • Begin security and privacy planning early and include security steps across all migration phases

Stakeholders

Customer

  • Program Manager
  • Functional Lead
  • Functional SME
  • Technical Lead/Solution Architect
  • Data SME
  • Security Lead
  • Information Systems Security Officer (ISSO)
  • Network SME
  • PMO Lead

Provider

  • Program Manager
  • Functional Lead
  • Functional SME
  • Technical Lead/Solution Architect
  • Security Lead
  • Information Systems Security Officer (ISSO)
  • Network SME
  • PMO Lead

Inputs

Outputs

  • Security Documentation, including Security Test Results and ATO
  • Privacy Documentation, including Initial Privacy Assessment, FIPS 199, SORN, Privacy Impact Assessment