Problems of Not Having a Certification / Accreditation Program
If your agency does not have a standardized C&A program, you can expect the C&A process to become extremely confusing and overly complicated. C&A preparers will not know what should be included in each package, and evaluators will not know if anything is missing.

Missing Information

Without a C&A program, different Certification Packages will include different types of information. For example, without a prescribed and standardized C&A program, one Certification Package might have an Information Technology Contingency Plan (ITCP) and others might not. One Certification Package might include a network topology map, and others might not. When it comes time to evaluate the entire Certification Package, it is hard to fail a package for not having an Information Technology Contingency Plan if no policy or organizational process ever required one to exist in the first place. It is very hard to hold the information system owners and the ISSOs accountable for putting together adequate Certification Packages if your agency has not yet defined what exactly constitutes an adequate Certification Package.

Lack of Organization

Though specifying the right information to include in a Certification Package is of primary importance, the format of the package should not be overlooked. A Certification Package can be 500 pages long. Unless each one is organized the same way, it will be very cumbersome for the evaluators to wade through the voluminous information and check to see if all the right material has been included. It’s best to make things easiest for the evaluators. Evaluators who can’t make heads or tails out of the information presented to them, and can’t find key pieces of information, are going to be reluctant to recommend that a package be accredited.

Inconsistencies in the Evaluation Process

You want each Certification Package to be evaluated the same way. One agency may have many different evaluators. Without any sort of standard for Certification Package content or format, you are leaving the entire evaluation up to the subjective opinion of one person (or a small group of people). Different evaluators may put emphasis on different areas. If each package has the same organizational format, it improves the chances that different evaluators will evaluate the packages in the same way, because they will look for, and expect, the same type of information.

Unknown Security Architecture and Configuration

Without a Certification Package, it may be the case that the security architecture and configuration of your information infrastructure is not known. By working through the C&A process, you will become aware of whether this is the case or not. If the security architecture is well documented, C&A serves as an opportunity to make sure the architecture diagrams and network maps are correct. If it’s not well documented, or not documented at all, this is something you’ll want to research and diagram.

The same holds true for the security configuration. All software requires configuration. When operating systems and applications are installed, even if they are installed securely, are the security settings documented? If the security settings are not documented, they are basically unknown. Even expert and seasoned systems administrators cannot usually remember every little thing they have done to a system when configuring it, because today’s operating systems and applications are so feature rich. That is why security architecture and configuration documentation is critical. The C&A process is designed to find the unknowns of the security architecture and configuration settings and then resolve those unknowns by creating the necessary documentation along the way.

Unknown Risks

Federal laws aside, the primary reason for understanding the security posture of your information systems is to identify risks, understand them, and take mitigating actions. With C&A left undefined, you are leaving the risks that you want your agency to look for open to speculation. Maybe the agency ISSOs will identify all the key risks, but maybe they won’t. One ISSO may put emphasis on disaster recovery planning, and another might put emphasis on system risks. It is unlikely that they will all put the same emphasis on all aspects of information security. When it comes to identifying risks, there are numerous items to take into consideration. There are business risks, system risks, training risks, policy risks, inventory risks, and so on. A well-defined C&A program ensures that all the relevant types of risks are taken into consideration.

Laws and Report Cards

You may be surprised to find out that the words “certification” and “accreditation” are not used in the Federal Information Security Act of 2002. However, the law very clearly states the requirement for an information security program, and also names the required elements of that program. Many of the required elements of the mandated information security program are those that have evolved to be now known as “Certification and Accreditation.” Even if the agency-wide program were called something else—say “The Security Validation Program”—all the same elements of the program would be required. You should not get hung up on the fact that you don’t see the terms “certification” or “accreditation” in the written law. The named elements of the program are required by law no matter how you entitle them. Without these elements, and without an information security program, agencies are breaking the law. What’s more, agencies that don’t have the right elements included in their information security program will obtain poor Federal Computer Security Report Card grades.