Certification and Accreditation Handbook Development

Written by Hemant Baidwan; published March 2007.


In developing the program, you'll need to write a C&A Handbook that instructs your agency or bureau on how to prepare a Certification Package. The idea is to standardize the development of all Certification Packages that are submitted for evaluation. Without a handbook and a specified process, the Certification Packages will each have a different look and feel. If 50 different Certification Packages all contain the right information, but in different formats, it is going to be very difficult for the evaluators to find that information. If the packages contain different types of information, it is going to be very hard for the evaluators to review them against the same standards.

Writing the handbook is a big job. A good handbook is likely to be around 200 pages long. The handbook has to include very specific information on what your agency's evaluators need to see in every Certification Package. It should instruct the people preparing the Certification Packages on which documents they will be required to submit, and what should be included in each document. The best way to ensure that each document includes the right kind of information is to create templates.

What to Include in Your Handbook

Each agency’s handbook will be somewhat different and take on slightly different organizational formats. However, it is highly advisable that all handbooks include sections in the following areas:

• Background, purpose, scope
• Regulatory citations
• Reference to associated internal security policies
• System lifecycle information
• An overview of the process
• Roles and responsibilities
• Definition and explanation of Certification Levels
• Information on the required Certification Package documents
• How to define security requirements
• How to understand accreditation boundaries
• Threat and risk assessment guidelines
• Security controls
• Required security tests
• Evaluation checklists
• Plan of Action & Milestones
• Acronyms
• Glossary
• References and related publications
• An Appendix for each template

Who Should Write the Handbook?

There are no restrictions on who can write a C&A Handbook. An agency can use its own staff or outside consultants. However, the handbook should be developed under the authority of the department that will oversee the evaluators. It makes sense for the Certifying Agent to designate the appropriate staff to write the handbook, since he or she will have to live by its guidelines and evaluate packages according to its stipulations. There is nothing that says the Certifying Agent cannot author the handbook personally. However, given the Certifying Agent's day-to-day responsibilities, the time it takes to develop the handbook may require that it be done by appointed staff or outside consultants.

Template Development

Certification Packages consist of a set of documents that all go together and complement one another. A Certification Package is voluminous, and without standardization it takes an inordinate amount of time to evaluate it and make sure all the right information is included. Therefore, agencies should have templates for all the documents they require in their Certification Packages. Agencies without templates should work on creating them; if an agency does not have the in-house resources to develop them, it should consider engaging outside consultants. A template should be developed in the word processing application that is the standard within the agency. All of the sections that the evaluation team will be looking for within each document should be included, as should any text that will remain constant for a particular document type. An efficient and effective C&A program will have templates for the following types of C&A documents:

• Categorization and Certification Level Recommendation
• Hardware and Software Inventory
• Self-Assessment
• Security Awareness and Training Plan
• End-User Rules of Behavior
• Incident Response Plan
• Security Test and Evaluation Plan
• Privacy Impact Assessment
• Business Risk Assessment
• Business Impact Assessment
• Contingency Plan
• Configuration Management Plan
• System Risk Assessment
• System Security Plan
• Security Assessment Report

Templates should include guidelines for what type of content belongs in each section, and should also have built-in formatting. The templates should be as complete as possible, and any text that should remain consistent and identical across like document types should be included. Though it may seem redundant to have exactly the same verbatim text at the beginning of, say, every Business Risk Assessment from a particular agency, each document needs to be able to stand alone and make sense if it is pulled out of the Certification Package for review. Having the same wording in like documents also shows that the packages were developed consistently, using the same methodology and criteria.

With established templates in hand, it is much easier for the team preparing the package to understand what it is they need to document. Even expert C&A consultants need and appreciate document templates. Finding the right information to include in the C&A documents can by itself be extremely difficult, even before you have to work out what it is you are supposed to find, which is why the templates are so important. It is often the case that a large, complex application is distributed and managed across multiple departments or divisions, and it can take a long time to figure out not just what questions to ask, but who the right people are who will know the answers.

Provide Package Delivery Instructions

Your C&A program should include specific instructions on how the ISSO should submit the final Certification Package to the evaluation team. The evaluation team needs to know whether to expect the package by e-mail, on CD, or on a protected network share. It is a good idea for agencies to require that both hardcopy and electronic copies be submitted to the evaluation team. Hardcopy documents should be bound together. I recommend a three-ring binder, because a single piece of the package can then be updated by removing the outdated pages and inserting the new ones.

Most of these documents will contain sensitive information, and for that reason they should not be e-mailed to anyone over the Internet unless they are protected by strong encryption (128-bit keys or better, using cryptographic tools your agency has approved), either by encrypting the files themselves or by sending them through a Virtual Private Network (VPN). Before e-mailing C&A documents out of the agency over any public network, check the security policies of your particular agency to find out what the requirements are for protecting sensitive information. If outside consultants are being used to prepare a Certification Package, it may well be that the only safe way to exchange documents with them is for them to come on site. Most agencies will not set up a VPN for outside consultants, and getting approval to use file encryption or certificates can take longer than creating the entire Certification Package. Though it may seem trailing-edge, sometimes exchanging documents in person on a CD or a USB flash drive is the easiest way to exchange C&A documents. Handle that media under the same policy as the e-mail case: encrypt its contents and keep track of who holds it.
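Whatever the delivery channel, the evaluation team needs a way to confirm that the package it received is the one the ISSO sent and that nothing required is missing. The following script is an added example (not part of this article or any agency's handbook) that does both: the ISSO writes a SHA-256 manifest over the package before handing it over, and the evaluator checks the delivered directory against that manifest and against the document list from the template section above. The filename convention (one `<document>.docx` per required template in a single directory) and the `MANIFEST.sha256` name are assumptions for the example; the sample package is constructed in a temporary directory.

```python
"""Completeness and integrity check for a Certification Package delivered
on CD, USB media or a protected network share.

Added example code; the filename convention and package layout below are
assumptions, not an agency standard."""
import hashlib
import os
import tempfile

# Document types this article lists for an agency's C&A templates.
# Assumption: each is delivered as <slug>.docx in the package directory.
REQUIRED_DOCUMENTS = [
    "categorization_and_certification_level_recommendation",
    "hardware_and_software_inventory",
    "self_assessment",
    "security_awareness_and_training_plan",
    "end_user_rules_of_behavior",
    "incident_response_plan",
    "security_test_and_evaluation_plan",
    "privacy_impact_assessment",
    "business_risk_assessment",
    "business_impact_assessment",
    "contingency_plan",
    "configuration_management_plan",
    "system_risk_assessment",
    "system_security_plan",
    "security_assessment_report",
]
MANIFEST_NAME = "MANIFEST.sha256"   # assumed name, "<digest>  <file>" per line


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large documents need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(package_dir):
    """ISSO side: record a SHA-256 digest for every file in the package.
    Returns the number of files listed."""
    lines = []
    for name in sorted(os.listdir(package_dir)):
        if name == MANIFEST_NAME:
            continue
        lines.append(f"{sha256_file(os.path.join(package_dir, name))}  {name}")
    with open(os.path.join(package_dir, MANIFEST_NAME), "w") as f:
        f.write("\n".join(lines) + "\n")
    return len(lines)


def check_package(package_dir, required=REQUIRED_DOCUMENTS, ext=".docx"):
    """Evaluator side. Returns (missing, modified, unlisted):
    required documents that are absent, files whose digest does not match
    the manifest (or that the manifest lists but are gone), and files that
    were delivered but are not covered by the manifest at all."""
    present = set(os.listdir(package_dir))
    missing = sorted(f"{d}{ext}" for d in required if f"{d}{ext}" not in present)

    modified, listed = [], set()
    manifest = os.path.join(package_dir, MANIFEST_NAME)
    if os.path.exists(manifest):
        with open(manifest) as f:
            for line in f:
                digest, name = line.rstrip("\n").split("  ", 1)
                listed.add(name)
                path = os.path.join(package_dir, name)
                if not os.path.exists(path) or sha256_file(path) != digest:
                    modified.append(name)
    # Anything not in the manifest cannot be tied to what the ISSO signed off.
    unlisted = sorted(present - listed - {MANIFEST_NAME})
    return missing, sorted(modified), unlisted


def demo():
    """Constructed sample: a package missing one document, checked before
    and after one file is altered following manifest creation."""
    pkg = tempfile.mkdtemp()
    for doc in REQUIRED_DOCUMENTS[:-1]:          # omit the Security Assessment Report
        with open(os.path.join(pkg, doc + ".docx"), "wb") as f:
            f.write(f"constructed placeholder for {doc}\n".encode())
    write_manifest(pkg)
    before = check_package(pkg)
    with open(os.path.join(pkg, "contingency_plan.docx"), "ab") as f:
        f.write(b"edit made after the manifest was produced\n")
    after = check_package(pkg)
    return before, after


if __name__ == "__main__":
    for label, (missing, modified, unlisted) in zip(("before", "after"), demo()):
        print(f"{label}: missing={missing} modified={modified} unlisted={unlisted}")
```

The manifest only detects accidental or undetected changes in transit; it is not a signature, so it should travel with the package inside the same encrypted container or be confirmed out of band (for example, read back to the ISSO by phone) rather than trusted on its own.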

Create an Evaluation Process

The evaluation of a Certification Package should be a standardized procedure. Before going through a Certification Package, the evaluation team should know up front exactly what it is looking for. Agencies that do not have a standardized methodology for evaluating Certification Packages are unlikely to score well on the annual Federal Computer Security Report Card. The standardized process should differ depending on the Certification Level of the package. This methodology defines four Certification Levels, each with slightly different requirements. The level is derived from the system's security category, which is determined using U.S. Federal Information Processing Standard (FIPS) 199; note that FIPS 199 itself rates the confidentiality, integrity and availability impact of a system as low, moderate or high, so the handbook must spell out how those security categories map onto the agency's Certification Levels.

Authority and Endorsement

It is important that a C&A program be developed and endorsed at a high level within the agency. The purpose of the program will be completely defeated if individual departments each try to create their own C&A program. The idea is to create a standard, and a standard means one process. The program should be spearheaded by the CIO or authorizing official, even if all the work is delegated to the certifying agent. That doesn't mean the technical staff within the various departments can't contribute to the program's development; some of the best ideas often come from the technical staff who take the most interest in a project. The development of the program, however, needs to be organized and endorsed at the level of the CIO, authorizing official, and certifying agent.
