CTEP-ESYS-FIPS Assessment

FIPS 199/NIST 800-60 System Categorization
SYSTEM INFORMATION
System Name

NCI Cancer Therapy Evaluation Program Enterprise System
(CTEP-ESYS)

IC

NCI

System Type

☐ General Support System ☒ Major Application ☐ Tier 2, 3, or 4

Date

12/4/2017

SDLC Status

Operational

Overall System Security Category
Overall Impact Levels (High Water Mark)

Page 1 of 5

Moderate
Confidentiality

Integrity

Availability

Moderate

Moderate

Moderate

FIPS 199/NIST 800-60 System Categorization

Template Rev. March 2017

The purpose of the National Cancer Institute (NCI) Cancer Therapy Evaluation Enterprise System(CTEPESYS) is to assure patient safety, meet the NCI CTEP scientific, administrative and operational program
mission, and all regulatory requirements for NCI CTEP clinical trials. Specifically, it is used to document,
track, monitor, and evaluate NCI clinical research activities. CTEP-ESYS project is the primary data
collection mechanism for NCI's vast clinical trials program. CTEP-ESYS collects safety and clinical results
data on ongoing cancer clinical trials (trials not yet completed). Data reporting and analysis in real time are
critical to ensuring adequate monitoring of the ongoing clinical research. CTEP-ESYS collects safety and
clinical results data on 1,500 ongoing cancer clinical trials (trials not yet completed) that monitor more than
30,000 patients per year in more than 17 disease areas. Timely data reporting and analysis also assure
effective planning for the required successor studies, thus accelerating the evaluation of promising new
agents and regimens for patients with cancer.
CTEP-ESYS does not collect any patient health information, but does collect non-identifiable patient metadata (i.e, zip codes, patient initials, and month/year of birth).
System Description

Page 2 of 5

FIPS 199/NIST 800-60 System Categorization

Template Rev. March 2017

System Contacts

Name
IC Chief Information Officer
Name
IC Information System Security Officer
Name
CTEP-ESYS Project Manager

Name
CTEP-ESYS System Owner
Name
IC Privacy Coordinator

Address

Phone

Email

Jeff Shilling

240-276-5549

shillinj@nih.gov

Bruce Woodcock

240-276-5050

woodcocb@nih.gov

Mike Montello

240-276-6080

Mike.montello@nih.gov

Scharla Estep

240-276-6325

Scharla.estep@nih.gov

Suzanne Milliard

240-781-3340

milliars@nih.gov

SIGNATURES

Page 3 of 5

X

X

M ik e M o n te llo
C TE P-E SYS Pro je ct M a n a g e r

Scharla Estep
CTEP-ESYS System Owner

X

X

Bruce Woodcock
Information System Security Officer

Su za n n e M illia rd
Priva cy C o o rd in a to r

FIPS 199/NIST 800-60 System Categorization

Template Rev. March 2017

INFORMATION TYPE(S), PROVISIONAL IMPACT LEVEL(S), ADJUSTED IMPACT LEVEL(S), RATIONALE
Category of Information (800-60)

Provisional Impact Levels
Confidentiality

Integrity

Availability

Confidentiality

Integrity

Availability

Low

Moderate

Low

Moderate

Moderate

Moderate

D.20.1 Research and Development

Rationale

Confidentiality was raised because of the presence of proprietary R&D information that should not be accessible to the public, and because
its unauthorized release or access could cause serious adverse impacts to the NCI, individuals, or agency assets. Integrity was also raised
because the reliability of the information contained in CTEP-ESYS must be high enough to ensure there are no serious disruptions or delays
of research activities that rely on the data. Effects on future funding could also be seriously impacted if the data in the system are unreliable.
Availability was raised to moderate due to the adverse event reporting requirements within the stipulated timeframe and also to ensure that
there are no serious delays or disruptions to the information system availability that could have a serious adverse impact on research
activities.

D.19.1 Scientific and Technical Research and
Innovation

Rationale

Low

Moderate

Low

Moderate

Moderate

Low

Confidentiality was raised because of the types of information available in the enterprise system, including protocols and protocol
attributes, drug inventory and site distribution records, adverse event reports, site audit reports, Investigational New Drug (IND)
submission records, Investigator registration details, and patient accrual details. Note that no patient identifying information is
stored in the system.

D.14.5 Health Care Research and Practitioner
Education

Page 4 of 5

Adjusted Impact Levels

Low

Moderate

Low

Moderate

Moderate

Low

FIPS 199/NIST 800-60 System Categorization

Template Rev. March 2017

INFORMATION TYPE(S), PROVISIONAL IMPACT LEVEL(S), ADJUSTED IMPACT LEVEL(S), RATIONALE
Category of Information (800-60)

Rationale

Rationale

Rationale

Page 5 of 5

Provisional Impact Levels

Adjusted Impact Levels

Confidentiality was raised to ensure adequate protection of the PII data that is collected, stored, and processed in the system. Most
of which is used for compliance reporting, program monitoring and planning purposes. Some of these data elements are for internal
use only and are reported to the FDA as required by law.