Recognizing the Need for Certification

Written by Hemant Baidwan; published March 2007.




All general support systems and major applications are required by FISMA and the Office of Management and Budget (OMB) to be fully certified and accredited before they are put into production. Production systems and major applications are required to be reaccredited every three years. Going forward we will refer to systems that require C&A (e.g., general support systems and major applications) simply as information systems.

One of the primary objectives of C&A is to force the authorizing official to understand the risks an information system poses to agency operations. Only after understanding the risks can an authorizing official ensure that the information system has received adequate attention to mitigate unacceptable risks. Evaluating risk and documenting the results is something that should be incorporated throughout a system or application’s system development lifecycle. NIST has defined the system development lifecycle to consist of five phases:

1. System initiation

2. Development and acquisition

3. Implementation

4. Operation and maintenance

5. Disposal

FISMA mandates that new systems and applications need to be fully certified and accredited before they can be put into production. The best time to begin the C&A of new systems and applications is while they are still in development. It is easiest to design security into a system that has not yet been built. When new information systems are being proposed and designed, part of the development should include discussions on “What do we need to do to ensure that this information system can be certified and accredited?” After a new application is built and ready to be implemented is not the time to figure out if it will withstand a comprehensive certification review.

Legacy systems that are already in their operational phase are harder to certify and accredit because it is altogether possible that they were put into production with little to no security taken into consideration. In putting together the Certification Package for a legacy system, it may be discovered that adequate security controls have not been put into place. If it becomes clear that adequate security controls have not been put into place, the C&A project leader may decide to temporarily put on hold the development of the Certification Package while adequate security controls are developed and implemented. It makes little sense to spend the resources to develop a Certification Package that recommends that an information system not be accredited. However, coming to an understanding that an information system has not been properly prepared for accreditation is precisely one reason why C&A exists—it is a process that enables authorizing officials to discover the security truths about their infrastructure so that informed decisions can be made.

