EPA systems/applications must comply with federal information security requirements and standards including, but not limited to, the Federal Information Security Modernization Act (FISMA) of 2014, Federal Information Processing Standards (FIPS), National Institute of Standards and Technology (NIST) Special Publications, and EPA Security Information Directives.
EPA begins security planning and system categorization activities at the start of the system development lifecycle and continues security assessment and monitoring activities through implementation, operations, and maintenance. Before EPA systems/applications can be deployed, they must be reviewed and approved through Agency Assessment and Authorization processes. Ensuring compliance with EPA security policies/procedures is usually the responsibility of the federal project lead. Refer to EPA's Information Security – Security Assessment and Authorization Procedures for more information. EPA's security-related policies and procedures are available on the IT/IM Information Directives site.