Skip NavigationSkip to Content

Roles and Responsibilities

  • System Owner
  • Data Owner
  • Authorizing Official
  • Information System Security Officer
  • System/Network Administrators


System Owner

Each NIH IT system must have a System Owner, who is usually the owner of the data that resides in the system, and therefore has responsibility for determining access permissions.  The System Owner is the person responsible for the business purpose served by the system.  The System Owner may or may not be the system maintainer(s) or system administrator(s) who codes, maintains, or operates the system. A System Owner:

  • Oversees procurement, development, integration, modification, operation, maintenance, and disposal of information systems.
  • Addresses the operational interests of the user community (i.e., users who require access to the information system to satisfy mission, business, or operational requirements).
  • Ensures compliance with information security requirements.
  • Processes systems at facilities that are certified at a level of security commensurate with the risk to their systems.
  • Ensures that an information and system security categorization has been established for their systems and data in accordance with FIPS 199 and NIH guidance.
  • Determines, in coordination with the Program Executive, Data Owner, and ISSO, appropriate security controls.
  • Ensures that security is planned for each information system, documented in the SSP, and integrated into the System Development Life Cycle (SDLC) from the initiation phase through disposal.
  • Conducts security, risk, and privacy assessments as necessary of the risk and magnitude of the harm that would result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the NIH’s critical operations.
  • Ensures that system weaknesses are captured, that appropriate corrective actions are identified, and that they are reported in the Plans of Action and Milestones (POA&M).
  • Ensures that annual security reviews are conducted and validates system users’ accounts to ensure continued need for access to a system.
  • Enforces the concept of separation of duties by ensuring that single individuals do not have control of the entirety of a critical process.
  • Ensures that physical security or environmental security requirements are implemented for facilities and equipment used for processing, transmitting, or storing sensitive information based on the level of risk.
  • Ensures the development, execution, and activation of a system-to-system interconnection implementation plan for each instance of a system-to-system interconnection.


Data Owner

Data Owners gather, process, store, and transmit data in support of the program’s mission. Data Owners:

  • Ensure that System Owners and Users are aware of the sensitivity of data to be handled.
  • Ensure that data is not processed on a system (digital or non-digital) with security controls that are not commensurate with the sensitivity of the data.
  • Ensures a level of trust (i.e., via Interconnection Security Agreements [ISAs] and Memorandums of Understanding [MOUs]), for systems that are not under their control but processes their data.


Authorizing Official

At NIH, this role is usually performed by the IC CIO (in some ICs, it may be the Executive Officer), or in the case of enterprise systems, the NIH CIO.  The Authorizing Official must be a federal employee, and may be formally designated in a manner determined by the IC. The Authorizing Official:

  • Determines, through the security authorization process, whether the level of residual risk, once security procedures and controls have been implemented, is commensurate with a system’s sensitivity.
  • Takes ownership of the potential risks to organizational missions and business functions due to the use of information systems, as well as the operational gains such systems make possible.
  • Takes ownership of the System Security Plans (SSPs) developed for their information systems that define the risk mitigation needed. This includes oversight of the appropriate safeguards and countermeasures agreed upon as necessary and sufficient to protect the organizational missions and business functions.
  • Takes responsibility and accountability of the specified security solutions.
  • Makes the final decision on the type of authorization and signing the document prepared by the certification agent, or his or her designee, to document the decision.


Information System Security Officer

Each IC designates an ISSO with security responsibilities for that IC.  The IC ISSOs directly report to the management of that IC. The IC ISSO:

  • Reports security or privacy incidents and works with the NIH IRT and IC Privacy Coordinator on reporting and resolution activities.
  • Oversees the implementation of authoritative security policies and requirements.
  • Continually develops the IC’s Information Security Program to interpret and implement the required security controls consistent with the guidance from the IC’s Authorizing Official.
  • Determines, in coordination with the business owner and System Owner, appropriate security controls.
  • Provides a liaison between the NIH CIO (and the NIH CISO) and management and staff of their IC by coordinating IC security activities with the NIH OCIO.
  • Plans for the Security Assessment & Authorization (SA&A) of systems and applications and provides recommendations for resource decisions.
  • Maintains and submits system authorization letters and required associated documentation to the NIH CISO.
  • Manages implementation and day-to-day oversight of the IC Information Security Program.
  • Identifies security gaps and provides recommendations to the IC and NIH Information Security Program leadership to help reduce risk and improve security across NIH.


System/Network Administrators

System and network administrator primarily ensure that the appropriate technical and security requirements are implemented and enforced for NIH systems and networks. The System/Network Administrator:

  • Implements proper system backups, patches security vulnerabilities, and accurately reports security incidents.
  • Uses his/her administrative access rights to a computer or system only when necessary.
  • Ensures that the information security posture of the system/network is maintained during system/network maintenance, monitoring activities, installations or upgrades, and throughout day-to-day operations.
  • Assists in resolving an incident by isolating the intrusion and protecting other systems connected to the network until assurance can be made that the problem has been adequately resolved and will not recur.



Please contact the ISCO at with any questions regarding roles and responsibilities.