How to Develop a Certification Package
Before you’ll be able to start putting together a Certification Package, you’ll need to acquire as much information as possible about the systems or applications you’ll be certifying. You need to be a good detective, and not lose faith when the details appear unclear. The more information you gather, the clearer the details will become. You are about to put together an information technology jigsaw puzzle.

Initiating Your C&A Project

When you begin your C&A project, don’t expect everyone who has played a role in developing and administering the application or systems you are certifying to start volunteering information for you to use. You will need to take the initiative to go out and collect as much documentation as you can, and conduct interviews with the appropriate staff. If you are a consultant, first you will need to figure out who the appropriate staff are that you need to talk to. You are going to have to ask a lot of questions. The sponsoring manager who signed you up for completing the C&A is the best person to start with. The sponsoring manager may be the system owner, the ISSO, the contracting officer, or an application development manager.

Put Together a Contact List

You first need to figure out who will have knowledge of all the security particularities of the information system. You should start by identifying the people involved. The sponsoring manager should be able to answer a lot of your questions. To find the appropriate people who understand the security of the information system or systems that require accreditation, you’ll need to ask the following questions:

- Was the application developed in-house or purchased from a vendor?
- If the application was purchased from a vendor, was any customization done to it? Who did the customization?
- If the application was developed in-house, who designed it?
- Are there design specifications and documents? Who has them?
- Is the application hosted on-site or at a remote site?
- If the application is hosted remotely, who is responsible for its operations?

These questions are the “Who?” questions. From the answers to your questions, you should be able to start putting together a contact list of the people who have been a part of the design and implementation of the information system. Include their phone numbers and e-mail addresses because you’ll need to contact them often.

Some federal agencies are quite large, and due to the size of the operations, sometimes impersonal. When you contact the various people on your contact list, you’ll need to explain to them who you are and why you are contacting them. Don’t expect them to know that a C&A project is underway or even to know what C&A is about. If you contact them and say that you need to meet with them to discuss a C&A project, be prepared to tell them what C&A means, since there is a good chance they may not have a clue what you are talking about.

Finding out all the information you will need to create a Certification Package is much like going on a treasure hunt. If you are an outside consultant, at the start of the project, it is altogether possible that no one except the sponsoring manager will know why you are on-site at the agency. It’s very unlikely that someone will come up to you and say, “I hear that you are on-site to put together a Certification Package for our information system. Here are all the security policies, design documents, and the security configuration of the system that you will need.” In large federal agencies, my experience has been that no one readily and quickly volunteers information about system security.

Hold a Kick-Off Meeting

Once you have found out who the key players are (the people who have been part of designing, developing, coding, and implementing the information system), you should schedule a Kick-off Meeting and invite them all. Do your best to form good relationships with these folks because you will become reliant on them for information. During the Kick-off Meeting, introduce them to the C&A team, and explain to them briefly what C&A is all about. During this first meeting, you should tell them that you will need as much documentation as you can get on the particular information system that is slated for accreditation. Ask them if they can e-mail you documentation as soon as possible; otherwise they may take weeks to get it to you. You will need information on the design, development, implementation, configuration, network topology, and testing of the information system. You will need to review all this documentation to find the right bits of information to put into the Certification Package.

Obtain Any Existing Agency Guidelines

It is key to find out if the agency you are working for has a C&A Handbook. Agencies that have in the past scored well on their Federal Computer Security Report Cards probably have one. Agencies that have scored poorly on their report card may not have one. If a handbook exists, you must follow all the guidelines written in it when preparing your Certification Package—even if they are poor guidelines. If the evaluation team does its job properly, they will be evaluating the Certification Package for how well it follows the agency C&A Handbook and requirements. If a handbook exists, and you think parts of it are so wrong that you shouldn’t follow it, you need to take this up with the ISSO and package evaluation team before making any decisions. When you are preparing a Certification Package is not necessarily the best time to try to get the agency to change its regulations and policies. If you think that some parts of it are incorrect, before you go ahead and decide to go your own way and create a more “correct” Certification Package, bring the issues to the attention of the ISSO and offer justification as to why you would like to proceed differently. Some agencies will fail your Certification Package if you don’t follow their handbook—even if the handbook is wrong.

All agencies are supposed to have a handbook and templates to standardize the C&A process. However, some agencies are less prepared than others, and if you embark on a C&A project and find out that no handbook or templates exist, you’ll have to do without. You can still put together a solid Certification Package without a handbook or templates, and if you do a good job, perhaps you will be enlisted as a future contributor to develop the much-needed handbook and templates. If a C&A handbook is not present, then see if the parent agency has one. For example, a bureau or agency department may not have its own handbook, but the parent agency might. If no C&A handbook at all exists, figure out which methodology your agency should be using (NIST, DITSCAP, NIACAP, DCID 6/3) and look to that for guidance.

Analyze Your Research

Once you have received the various documents from the information system developers and administrators, you’ll need to analyze these documents to see if they include the kind of information that you’ll need to include in the Certification Package. It is likely that much of the information you need for the Certification Package will not be included in the various documents you receive. If the information system(s) that are up for C&A have been previously accredited, then a prior Certification Package should exist. You should make it a point to review the prior Certification Package, and use any information from it that is still relevant. If anything appears incorrect in the prior Certification Package, you should correct it, even if it was not cited for deficiencies in the prior Accreditation. Put together a list of questions regarding the kinds of things you still need to find out from the information system developers and administrators, and schedule meetings with the folks that you think can best answer your questions. Keep meeting with the team and contacting them on the phone and by e-mail until all your questions are answered. It often takes several rounds of inquiries before you receive all the appropriate information.

Preparing the Documents

Although there are likely no regulations that require you to put together the Certification Package documents in any particular order, I happen to think that the order in which you put the documents together is important. For example, if you put together the Hardware and Software Inventory up front, it will help you in writing the descriptive text about the accreditation boundaries that is required in the System Security Plan. In some cases, it may make sense for you to change the order of these documents when putting together your Certification Package. The main point to take away is that if a document contains information that is dependent on a prior document, develop the prior document first. It will be hard to know how to rate the outage impact of the assets listed in the Business Impact Assessment if you don’t yet know what the assets are—if the Hardware and Software Inventory has not yet been completed.

It’s Okay to Be Redundant

Many of the documents in the Certification Package include information that is redundant from one document to the next. The reason for this is that each document needs to be able to stand on its own. Some of the information that you find for some of the earlier documents can and should be used in subsequent documents. You want to give the impression that all the documents are consistent with each other and support each other. Though in many forms of writing being redundant is not desirable, in crafting Certification Packages it is necessary. One of the things that the evaluators look for is inconsistencies between the various Certification Package documents. Any inconsistencies usually raise a flag and call for closer inspection.

Different Agencies Have Different Requirements

Not all agencies require the exact same documents for C&A. FISMA allows for flexibility, and one agency may require certain documents that other agencies don’t require. Though it could be argued that this is inequitable, FISMA was designed to allow each agency to determine its own needs within the boundaries of the stipulation.

Including Multiple Applications and Systems in One Package

You can include multiple applications and information systems in one Certification Package. To be sure, it makes no sense at all to create a Certification Package for each and every system that exists at your agency. You should define the accreditation boundaries of your C&A package as broadly as you possibly can. Determining the accreditation boundaries is sometimes the trickiest part of putting together a Certification Package. You need to understand where the accreditation starts and stops. In general, you should pick a boundary determination that is large and logical. For example, if you are accrediting general support systems, you may want to define your boundary by network domains. If you are accrediting major applications, you will need to include all the pieces of the infrastructure that the application touches. Usually application infrastructure is managed by a different organization than the underlying general support systems. Operating systems and networks typically have different information system owners than the applications. C&A is about holding information system owners accountable, and therefore the boundaries need to lie within the jurisdiction over which the information system owner has control. If you are certifying an application that depends on the general support systems it is installed on top of, then this should be clearly stated in the Certification Package. An underlying general support system usually has a different Certification Package than the applications that are installed on top of it.

When your Certification Package and the security of your systems are in part dependent on other systems, that needs to be specifically stated. You can reference other Certification Packages and other systems that are not within your accreditation boundaries in your documentation. It would be perfectly plausible to insert a statement such as: “The major applications described in this Certification Package are dependent on the underlying general support systems that have been previously accredited at Level 4.” You should list the formal Certification Package name of any other packages that you reference. If you don’t know the package name, try to find it out. It’s even better to obtain a copy of it if you can. In some cases, it may be against the security policies of the agency to share such information from one information owner to another. However, at the very least, an outside information owner should be able to share with you the official document name and publication date of the related Certification Package.

Verify Your Information

Once you have completed a document, before submitting it to the ISSO, send it out first to the information system developers and administrators who are most familiar with the information systems you are seeking to accredit. Ask them to review it and inform you of any factual errors. Network diagrams should also be reviewed for accuracy. If something doesn’t make sense, it’s probably either not well documented or plain wrong. Certification and Accreditation is a time of ensuring that everything is accurate. In reviewing design documents that you receive, do not just assume that the information contained in them is how the application or information systems were actually developed. Designs go awry, and management changes its mind about requirements halfway into a project. Just because an information system was supposed to turn out one way doesn’t mean it didn’t turn out a different way. You need to take everything you read with a grain of salt, and ask questions about things that don’t make sense.

Retain Your Ethics

In most agencies, all the information system owner wants the Certification review team to do is to get the information systems certified. They don’t necessarily want to know how you will go about doing this as long as you get it done. Even though you should do everything possible to make that happen, by all means do not compromise your ethics.

C&A Best Practices… Hold Fast to Your Ethics

Never compromise your ethics. Under no circumstances should you invent security controls that do not exist, or document that risks have been mitigated if they haven’t. If the information owner or ISSO pressures you to document items that are obviously not true, you should refrain from doing so and report the problem to your management.

If in the course of preparing the Certification documents you find that certain security controls that should have been implemented were not, report that to the ISSO and recommend that they get implemented as soon as possible. As long as they are implemented before the Certification Package is submitted, your documentation will not be incorrect. If you feel that there is absolutely no way the information systems will obtain a positive Accreditation, discuss this with the ISSO. It is not your job as a Certification document preparer to resolve security problems that should have been addressed previously. The information system owner and ISSO are likely both aware that security controls are mandated by law and need to be in place. If they are responsible individuals with ethics of their own, they will not expect you to resolve agency security problems that you have no control over.

Most agency information systems can likely obtain a Level 1 Accreditation with a properly documented Certification Package. However, if security controls on information systems appear to be so poorly implemented as to not even warrant a Level 1 Accreditation, you should meet with the information system owner and the ISSO and advise them of this. Be sure to include justification as to what you feel is so terribly wrong. If a Level 1 cannot be justifiably obtained, there are really two choices:

- Stop the C&A process and put in place the necessary security controls.
- Continue with the C&A process, documenting the accurate existing security information, and hope the evaluator will grant the business owner an Interim Authority to Operate.

An Interim Authority to Operate (IATO) is basically like a consolation Accreditation, and in most cases IATOs expire after six months. An IATO means that you have convinced the evaluators that the information owner is at least putting forth a good effort in trying to implement proper security controls. And for that reason, the Certifying Agent gives you six months to come into compliance. An IATO usually will include a list of security controls that will need to be in place when the IATO expires. At that time, if the requirements of the IATO have been met, the system usually will receive an Authority to Operate (ATO), but if not, the systems can be shut down. Without an Accreditation in hand, the GAO or the agency OIG can come in and shut your systems down. However, although the GAO or OIG could require the systems to be shut down, for practical purposes, in real life this rarely happens. Certainly an IATO is better than no accreditation at all.
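Two of the points above lend themselves to a small tool: the advice to prepare a document before the documents that draw on it (the Hardware and Software Inventory before the System Security Plan and the Business Impact Assessment), and the warning that evaluators hunt for inconsistencies between package documents. The Python script below is an added example, not code from the article or from any agency handbook; the document names, the dependency map, the asset list and the impact ratings are all constructed assumptions. It derives a preparation order from the dependency map (refusing a circular set of dependencies) and cross-checks the inventory against the Business Impact Assessment for the kind of mismatch an evaluator would flag.

```python
"""Added example: derive a preparation order for Certification Package
documents and cross-check two of them for inconsistencies.
All document names, dependencies, assets and ratings are constructed."""
from collections import defaultdict, deque

# Hypothetical dependency map: document -> documents it draws information from.
# The inventory feeds both the System Security Plan and the Business Impact
# Assessment, so it must be prepared first.
PACKAGE_DEPENDENCIES = {
    "Hardware and Software Inventory": [],
    "System Security Plan": ["Hardware and Software Inventory"],
    "Business Impact Assessment": ["Hardware and Software Inventory"],
    "Contingency Plan": ["Business Impact Assessment", "System Security Plan"],
    "Risk Assessment": ["System Security Plan"],
}


def preparation_order(deps):
    """Topologically sort documents so every prerequisite is prepared first.
    Raises ValueError on an unknown prerequisite or a dependency cycle (a
    package that could never be written in a consistent order)."""
    indegree = {doc: 0 for doc in deps}
    dependents = defaultdict(list)
    for doc, prereqs in deps.items():
        for prereq in prereqs:
            if prereq not in indegree:
                raise ValueError(f"{doc!r} depends on unknown document {prereq!r}")
            indegree[doc] += 1
            dependents[prereq].append(doc)
    # Sorting the ready queue keeps the output order deterministic.
    ready = deque(sorted(d for d, n in indegree.items() if n == 0))
    order = []
    while ready:
        doc = ready.popleft()
        order.append(doc)
        for dependent in sorted(dependents[doc]):
            indegree[dependent] -= 1
            if indegree[dependent] == 0:
                ready.append(dependent)
    if len(order) != len(deps):
        raise ValueError("circular dependency among package documents")
    return order


# Constructed sample data: the inventory lists the assets inside the
# accreditation boundary; the BIA rates the outage impact of each asset.
INVENTORY = {
    "web-app-01": {"type": "server", "owner": "App Dev"},
    "db-01": {"type": "server", "owner": "App Dev"},
    "lb-01": {"type": "load balancer", "owner": "App Dev"},
}
BIA_RATINGS = {
    "web-app-01": "High",
    "db-01": "High",
    "file-srv-99": "Low",  # not in the inventory: boundary mismatch
}
VALID_RATINGS = {"Low", "Moderate", "High"}


def consistency_findings(inventory, bia):
    """Return the inconsistencies an evaluator would flag between the
    Hardware and Software Inventory and the Business Impact Assessment."""
    findings = []
    for asset in sorted(inventory):
        if asset not in bia:
            findings.append(f"{asset}: listed in inventory but has no BIA outage rating")
    for asset, rating in sorted(bia.items()):
        if asset not in inventory:
            findings.append(f"{asset}: rated in BIA but absent from inventory (outside boundary?)")
        elif rating not in VALID_RATINGS:
            findings.append(f"{asset}: BIA rating {rating!r} is not one of {sorted(VALID_RATINGS)}")
    return findings


if __name__ == "__main__":
    for i, doc in enumerate(preparation_order(PACKAGE_DEPENDENCIES), 1):
        print(f"{i}. {doc}")
    for finding in consistency_findings(INVENTORY, BIA_RATINGS):
        print("FINDING:", finding)
```

With the constructed data the order starts with the Hardware and Software Inventory and ends with the Contingency Plan and Risk Assessment, and the check reports two findings: an inventory asset with no outage rating, and a BIA entry for an asset the inventory never lists. The second kind is exactly the boundary question the article says to settle explicitly, by stating which systems lie outside the package and which other Certification Package covers them.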