Certification and Accreditation Handbook Development
In developing the program, you’ll need to write a C&A Handbook that instructs your agency or bureau on how to prepare a Certification Package. The idea is to standardize the development of all Certification Packages that are submitted for evaluation. Without a handbook and a specified process, the Certification Packages will have a different look and feel. If 50 different Certification Packages all have the right information in them, but in different formats, it is going to be very difficult for the evaluators to find the information. If the packages have different types of information in them, it is going to be very hard for the evaluators to review the packages according to the same standards.

Writing the handbook is a big job. A good handbook is likely to be around 200 pages long. The handbook has to include very specific information on what your agency evaluators need to see in every Certification Package. It should instruct the folks preparing the Certification Packages on what documents they will be required to submit, and what should be included in each document. The best way to ensure that each document includes the right kind of information is to create templates.

What to Include in Your Handbook

Each agency’s handbook will be somewhat different and take on slightly different organizational formats. However, it is highly advisable that all handbooks include sections in the following areas:

- Background, purpose, scope
- Regulatory citations
- Reference to associated internal security policies
- System lifecycle information
- An overview of the process
- Roles and responsibilities
- Definition and explanation of Certification Levels
- Information on the required Certification Package documents
- How to define security requirements
- How to understand accreditation boundaries
- Threat and risk assessment guidelines
- Security controls
- Required security tests
- Evaluation checklists
- Plan of Action & Milestones
- Acronyms
- Glossary
- References and related publications
- An appendix for each template

Who Should Write the Handbook?

There are no restrictions on who can write a C&A Handbook. An agency can use its own staff, or outside consultants. However, the development of the handbook should probably be done under the authority of the department that will oversee the evaluators. It makes sense for the Certifying Agent to designate the appropriate staff to write the handbook, since he or she will need to live by its guidelines and accredit packages according to its stipulations. There is nothing that says the Certifying Agent cannot author the handbook. However, given the day-to-day responsibilities of the Certifying Agent, the time it takes to develop the handbook may require that it be done by appointed staff, or by outside consultants.

Template Development

Certification Packages consist of a set of documents that all go together and complement one another. A Certification Package is voluminous, and without standardization it takes an inordinate amount of time to evaluate it and make sure all the right information is included. Therefore, agencies should have templates for all the documents that they require in their Certification Packages. Agencies without templates should work on creating them. If an agency does not have the resources in-house to develop these templates, it should consider outsourcing this initiative to outside consultants.

A template should be developed using the word processing application that is the standard within the agency. All of the relevant sections that the evaluation team will be looking for within each document should be included. Text that will remain constant for a particular document type also should be included. An efficient and effective C&A program will have templates for the following types of C&A documents:

- Categorization and Certification Level Recommendation
- Hardware and Software Inventory
- Self-Assessment
- Security Awareness and Training Plan
- End-User Rules of Behavior
- Incident Response Plan
- Security Test and Evaluation Plan
- Privacy Impact Assessment
- Business Risk Assessment
- Business Impact Assessment
- Contingency Plan
- Configuration Management Plan
- System Risk Assessment
- System Security Plan
- Security Assessment Report

Templates should include guidelines for what type of content should be included, and also should have built-in formatting. The templates should be as complete as possible, and any text that should remain consistent and exactly the same in like document types should be included. Though it may seem redundant to have the exact same verbatim text at the beginning of, say, each Business Risk Assessment from a particular agency, each document needs to be able to stand alone and make sense if it is pulled out of the Certification Package for review. Having similar wording in like documents also shows that the packages were developed consistently, using the same methodology and criteria.

With established templates in hand, it is much easier for the C&A review team to understand what it is that they need to document. Even expert C&A consultants need and appreciate document templates. Finding the right information to include in the C&A documents can by itself be extremely difficult, without first having to figure out what it is that you are supposed to find—which is why the templates are so very important. It is often the case that a large, complex application is distributed and managed throughout multiple departments or divisions, and it can take a long time to figure out not just what questions to ask, but who the right people are who will know the answers.

Provide Package Delivery Instructions

Your C&A program should include information on how specifically the ISSO should submit the final Certification Package to the evaluation team. The evaluation team needs to understand whether to expect the package by e-mail, on CD, or on a protected network share. It’s a good idea for agencies to require that both hardcopy and electronic documents be submitted to the evaluation team. Hardcopy documents should be bound together. I recommend using a three-ring binder because it is easy to update a single piece of the package and insert it easily after removing the outdated pages.

Most of these documents will contain sensitive information, and for that reason they should not be e-mailed to anyone over the Internet unless they are protected by 128-bit encryption—either by file encryption or through a Virtual Private Network (VPN). Before e-mailing C&A documents out of the agency over any external public networks, you should check the security policies of your particular agency to find out what the requirements are for protecting sensitive information. If outside consultants are being used to prepare a Certification Package, it may very well be that the only safe way to exchange documents with them is for them to come on site. Most agencies will not set up a VPN to outside consultants, and getting approvals to use file encryption or certificates can take more time than it takes to create the entire Certification Package. Though it may seem trailing-edge, sometimes exchanging documents in person using a CD or a USB flash drive is the easiest way to exchange C&A documents.

Create an Evaluation Process

The evaluation of a Certification Package should be a standardized procedure. Before going through the Certification Package, the evaluation team should know up front exactly what it is that they are looking for. Agencies that do not have a standardized methodology for evaluating Certification Packages will not score well on the annual Federal Computer Security Report Card. The standardized process should differ depending on the security category (level) of the Certification Package. There are four possible security levels that Certification Packages can be prepared in accordance with, and these different levels have slightly different requirements. The level is determined using guidance from the U.S. Federal Information Processing Standard (FIPS) 199.

Authority and Endorsement

It is important that a C&A program be developed and endorsed at a high level within the agency. The purpose of the program will be completely defeated if individual departments each try to create their own C&A program. The idea is to create a standard, and a standard means one process. The program should be spearheaded by the CIO or authorizing official, even if all the work is delegated to the certifying agent. That doesn’t mean that the technical staff within various departments can’t contribute to the program’s development. Some of the best ideas often come from the technical staff that take the most interest in a project. The development of the program, however, needs to be organized and endorsed at the level of the CIO, authorizing official, and certifying agent.
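The package delivery instructions above say that C&A documents may only leave the agency by e-mail if they are protected by 128-bit file encryption. The following script is an added example, not code from the article or from any agency's handbook, of what that file-encryption step looks like in practice: it encrypts a document with AES-128 using the openssl command-line tool (assumed to be installed), then runs the round-trip check an ISSO would perform before sending. The document contents and the passphrase are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original article: encrypt a C&A document
# with 128-bit AES before it is e-mailed over a public network, and confirm
# the evaluation team will be able to decrypt it. Assumes the openssl
# command-line tool is installed; the sample document and passphrase below
# are constructed for this example.

# Encrypt <plaintext> to <ciphertext>. AES-128-CBC satisfies the 128-bit
# requirement; PBKDF2 with a random salt derives the key from the passphrase.
encrypt_doc() {
  openssl enc -aes-128-cbc -pbkdf2 -salt -in "$1" -out "$2" -pass "pass:$3"
}

# Decrypt <ciphertext> to <plaintext>; a non-zero exit means the passphrase
# was wrong or the file was altered in transit.
decrypt_doc() {
  openssl enc -d -aes-128-cbc -pbkdf2 -in "$1" -out "$2" -pass "pass:$3"
}

# Pre-send check: prints "ok" when the decrypted copy matches the original
# and the ciphertext no longer exposes the document text, prints "skipped"
# when openssl is unavailable, and returns non-zero on any failure.
roundtrip_check() {
  command -v openssl >/dev/null 2>&1 || { echo skipped; return 0; }
  dir=$(mktemp -d) || return 1
  # Constructed stand-in for a Business Risk Assessment document.
  printf 'Business Risk Assessment - constructed sample text\n' > "$dir/bra.txt"
  # Constructed passphrase; in practice it is shared out of band, never in
  # the same e-mail as the encrypted file.
  pass='constructed-passphrase-shared-out-of-band'
  encrypt_doc "$dir/bra.txt" "$dir/bra.txt.enc" "$pass" || return 1
  # The encrypted file must not still contain the readable heading.
  if grep -q 'Business Risk Assessment' "$dir/bra.txt.enc"; then return 1; fi
  decrypt_doc "$dir/bra.txt.enc" "$dir/bra.dec" "$pass" || return 1
  cmp -s "$dir/bra.txt" "$dir/bra.dec" || return 1
  rm -rf "$dir"
  echo ok
}

roundtrip_check
```

Only the encrypted file is attached to the e-mail; the passphrase travels by a separate channel (telephone or in person), and the agency's own policy on protecting sensitive information still governs whether e-mail is an acceptable channel at all.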