All general support systems and major applications are required by FISMA and the Office of Management and Budget (OMB) to be fully certified and accredited before they are put into production. Production systems and major applications are required to be reaccredited every three years. Going forward we will refer to systems that require C&A (e.g., general support systems and major applications) simply as information systems.

One of the primary objectives of C&A is to force the authorizing official to understand the risks an information system poses to agency operations. Only after understanding the risks can an authorizing official ensure that the information system has received adequate attention to mitigate unacceptable risks. Evaluating risk and documenting the results is something that should be incorporated throughout a system or application’s system development lifecycle. NIST has defined the system development lifecycle to consist of five phases:

1. System initiation

2. Development and acquisition

3. Implementation

4. Operation and maintenance

5. Disposal

FISMA mandates that new systems and applications need to be fully certi- fied and accredited before they can be put into production.The best time to begin the C&A of new systems and applications is while they are still in development. It is easiest to design security into a system that has not yet been built. When new information systems are being proposed and designed, part of the development should include discussions on “What do we need to do to ensure that this information system can be certified and accredited?” After a new application is built and ready to be implemented is not the time to figure out if it will withstand a comprehensive certification review.

Legacy systems that are already in their operational phase are harder to certify and accredit because it is altogether possible that they were put into production with little to no security taken into consideration. In putting together the Certification Package for a legacy system, it may be discovered that adequate security controls have not been put into place. If it becomes clear that adequate security controls have not been put into place, the C&A project leader may decide to temporarily put on hold the development of the Certification Package while adequate security controls are developed and implemented. It makes little sense to spend the resources to develop a Certification Package that recommends that an information system not be accredited. However, coming to an understanding that an information system has not been properly prepared for accreditation is precisely one reason why C&A exists—it is a process that enables authorizing officials to discover the security truths about their infrastructure so that informed decisions can be made.