User:Jerinpayne/sandbox

Purpose
The waiver process exists to address situations where deviations from a specific policy or standard are necessary. This guidance provides information on how to submit a complete and properly justified request for a waiver or policy exception. All waiver types are addressed: Account Lifecycle, Laptop Encryption, Risk Mitigation, Firewall, End of Life, Multifactor Exception, and General Waivers.

Scope
This guidance applies to all NIH IT resources/systems whether maintained by the NIH or by a contractor on behalf of the NIH, and all NIH staff, including employees, contractors, and all other categories of authorized users.

Guidance

 * 1) All waivers must be submitted through the IRT Portal at https://irtportal.ocio.nih.gov and will be evaluated by the NIH Chief Information Security Officer (CISO).
 * 2) Justifications and compensating controls are the key elements of all waiver requests. The strength of the justification and the level of compensating controls required are directly related to the degree of risk posed by the system covered by the waiver. See Appendix A below for further information.
 * 3) The Waiver Owner can be an Institute/Center (IC) Information System Security Officer (ISSO), system owner, or system user. This individual must have an NIH Active Directory account in order to access the IRT Portal.
 * 4) The automated IRT Portal workflow process ushers the request through the chain of approvals required for that type of waiver. The submitter's detailed information about the users and/or systems affected by the waiver request is used by the NIH Information Security Program to evaluate the request and to ensure that it meets the NIH standards for the acceptance of risk (at the IC level and, if appropriate, the NIH level).
 * 5) When a waiver request is granted, the CISO is in effect accepting that risk for the entire NIH. Since most systems are interconnected, risk must be managed at the NIH level as well as at the IC level. This increases the need for a solid business case justification and strong compensating controls beyond what might be needed if the system were considered in isolation.
 * 6) Systems that contain personally identifiable information (PII) require a stronger justification and strict compensating controls. Requests for laptop encryption waivers are generally not approved if the laptop processes or stores PII. For assistance in determining whether your system or data includes PII, please see the Guide for Identifying and Handling Sensitive Information at the NIH.

Waiver Options
For more details on each waiver type, click the waiver name.