
4.6 : Conduct Security and Privacy Reviews

Technology
  1. Shared: Agree on Privacy Framework - system/data categories, handling, storing & sharing, incident response
  2. Shared: Update privacy and training documentation (if needed) to guide all stakeholders
  3. Shared: Implement privacy training roadmap and integrate with overall Training Plan
  4. Shared: Roll out privacy regulations to all users
  5. Shared: Document and receive System of Records Notice (SORN), if required
  6. Shared: Understand provider security environment and assess against requirements
  7. Shared: Develop Security documentation and Security Test Plan if applicable
  8. Shared: Execute security test according to test plan on physical & logical security; document/correct issues
  9. Shared: Request and receive Authority to Operate (ATO) if necessary

4.6 Lessons Learned

  • Understand customer’s ATO process and allow sufficient time to get documentation through review / approvals
  • Develop and define Security / Privacy plan before development as part of the Target State Solution Architecture
  • Begin security and privacy planning early and include security steps across all migration phases

Stakeholders

Recommended stakeholders, inputs, & outputs may vary by implementation; however, agencies that contributed to this Playbook reported these factors as increasing the likelihood of success.

Customer

  • Program Manager
  • Functional Lead
  • Functional SME
  • Technical Lead/Solution Architect
  • Data SME
  • Security Lead
  • Information Systems Security Officer
  • Network SME
  • PMO Lead

Provider

  • Program Manager
  • Functional Lead
  • Functional SME
  • Technical Lead/Solution Architect
  • Security Lead
  • Information Systems Security Officer
  • Network SME
  • PMO Lead

Inputs

Outputs

  • Security Documentation, including Security Test Results and ATO
  • Privacy Documentation, including Initial Privacy Assessment, FIPS 199, SORN, Privacy Impact Assessment

USSM.GSA.gov

An official website of the General Services Administration
