Roles and Responsibilities in Certification and Accreditation (C&A)

Written by Hemant Baidwan; published March 2007.




C&A involves a lot of different people all working together on different tasks. There are the folks who develop the C&A program, the folks who prepare Certification Packages, the folks who are held accountable for the Certification Packages, the agency auditors who evaluate the Certification Packages prior to accreditation, and the federal inspectors who audit the agency to make sure that they are doing C&A the right way.

Chief Information Officer

The agency Chief Information Officer (CIO) is the most obvious person held accountable for a successful information security program and C&A program. It is the CIO’s responsibility to make sure that an information security program, including a C&A program, exists and is implemented. However, most agency CIOs don’t play a hands-on role in developing these programs. Usually the CIO will delegate the development of these programs to the Senior Agency Information Security Officer. However, delegating the program development does not mean that the CIO does not need to understand the process. If the CIO does not understand all the elements of a successful C&A program, there is little chance that the CIO will be able to hold the Senior Agency Information Security Officer responsible for developing a complete program. Without understanding the particulars of what a program should include, the CIO will not know if the Senior Agency Information Security Officer has left anything out.

A piece of C&A that cannot be overlooked is the need for the CIO to develop a budget for C&A. C&A is very time intensive, and a typical C&A takes on average six months to do a thorough job, replete with all the required information. The CIO works together with the authorizing official to ensure that there is enough of a budget to staff the resources necessary to put together the certification program. If CIOs do not budget for C&A, C&A may not get done. The CIO enables C&A to take place by fully understanding the federal budgetary process as documented in a publication put out by the White House known as Circular No. A-11 Part 7, Planning, Budgeting, Acquisition, and Management of Capital Assets. This publication is currently available at www.whitehouse.gov/omb/circulars/a11/2002/part7.pdf. A-11 Part 7 references other budgetary guidelines that the CIO should also become familiar with, including one known as OMB Exhibit 300. OMB Exhibit 300 is currently available at www.cio.gov/archive/S300_05_draft_0430.pdf.

It is ultimately the CIO that is likely to be held responsible and accountable if the agency receives a poor grade on the annual Federal Computer Security Report Card. One of the responsibilities of the CIO is to care about the annual Federal Computer Security Report Card grade. If an agency receives a failing grade, then clearly there is something wrong with either the C&A program itself, or how the program is implemented. If an agency receives a top score on the annual Federal Computer Security Report Card, then as far as C&A goes, the process is being worked the right way. As the Federal Computer Security Report Cards get more and more public attention each year, a poor score on the report card can be a career-limiting experience for any agency CIO.

Authorizing Official

The authorizing official is a generic term for a senior management official within an agency who authorizes operations of an information system, declaring that the risks associated with it are acceptable. It is unlikely that any person would hold the title of “authorizing official,” hence I am not punctuating it here with capital letters. There may be multiple authorizing officials within each agency, all responsible for their own designated areas. In many agencies, the authorizing official is referred to as the Designated Accrediting Authority (DAA).

The authorizing official usually has budgetary responsibilities for ensuring that a certain amount of resources are set aside for overseeing the C&A process. Usually the agency CIO reports to the authorizing official. However, in large agencies, where some bureau CIOs report to the agency CIO, it can be the case that a CIO is the authorizing official. In other cases the authorizing official may be the Commissioner or an Assistant Commissioner. If the authorizing official and CIO are two different people, they must work together to make sure that an adequate budget has been set aside for C&A. The authorizing official should, according to the National Institute of Standards, Special Publication 800-37 (May 2004), be an employee of the U.S. government and cannot be a contractor or consultant. However, the authorizing official may designate a representative to carry out the various tasks related to C&A, and the designated representative can be a contractor or consultant. However, the final security accreditation decision and its accompanying accreditation decision letter must be owned and signed by the U.S. government employee that is the authorizing official.

Senior Agency Information Security Officer

The Senior Agency Information Security Officer (SAISO) is the person that the CIO holds accountable to oversee all of the agency’s information security initiatives. The SAISO is akin to a Chief Information Security Officer in private industry. It’s possible that CIOs may perform this role themselves, in which case there wouldn’t be a separate individual holding these responsibilities.

The SAISO works with the agency authorizing officials to ensure that they are in agreement on the security requirements of the information system as well as the key documents contained in the Certification Package such as the risk assessments and the Security Plan. In working together, the SAISO and the authorizing officials should be sure to take into consideration the mission and business requirements of the agency.

The SAISO provides management oversight to the Certification Agent and works with him or her to ensure that the C&A process is well thought out, and includes all the necessary documentation and guidance. The SAISO appoints the Certification Agent and holds them accountable for performing their duties. It is very important for the SAISO to choose their Certification Agent(s) carefully because they will need to rely on their accreditation recommendations. The SAISO may wish to review all the Certification Packages that are processed within the agency; however, as a practical matter, it is next to impossible to do this. In most agencies, there are far too many Certification Packages for one individual to review and validate. For this very reason, the SAISO employs a Certification Agent (or agents) to read packages, perform evaluations, write recommendations, and produce a document called a Security Assessment Report. The Security Assessment Report is basically an evaluation summary and should justify and support the recommendation on whether or not to accredit the package. The Security Assessment Report should have all the information that the SAISO needs to justify signing the accreditation letter, and to escalate the recommendation upward to the authorizing official as to whether or not they should sign the accreditation letter.

Senior Agency Privacy Official

Each agency is supposed to have a Senior Agency Privacy Official. For a large agency, a Senior Agency Privacy Official might be a full-time job. However, for a small agency, it’s possible that the responsibilities of this official may be performed by the CIO, the CIO’s staff, or the SAISO. The person in this role could hold the title of Chief Privacy Officer—he or she does not necessarily have to be called the Senior Agency Privacy Official. What’s most important is that someone is designated to perform the duties of safeguarding confidential and private information.

Certification Agent/Evaluation Team

The Certification Agent reviews the Certification Packages, making recommendations as to whether they warrant a positive Accreditation or not.

Essentially, Certification Agents act as auditors. They comb through the unwieldy Certification Packages looking for missing information and information that doesn’t make sense. Their goal is to determine if the package is in compliance with the agency’s documented C&A Handbook, process, security policies, and the information system’s security requirements. In some agencies, there are so many packages to evaluate that the Certification Agent is comprised of an evaluation team. The team may have a departmental name such as Mission Assurance, Information Assurance, or Compliance. The organizational name is for the most part irrelevant, as it could be different from agency to agency.

After reviewing the C&A packages, the Certification Agent, or evaluation team, makes recommendations to the internal accrediting authorities—the SAISO and authorizing official—on whether or not a package should be accredited. In most cases, the SAISO and authorizing official accept the recommendation of the Certification Agent, and sign the accreditation letter based solely on that recommendation. Along with the recommendation, the Certification Agent also produces and includes the Security Assessment Report. The Security Assessment Report should justify the recommendation.

When the Certification Agent is a team of people, they usually split up the different tasks that need to be accomplished in order to expedite the process. For example, one person might evaluate packages for the General Support Systems, another person might evaluate packages for Major Applications, another person might create and update templates, and another person might update the handbook.

The Certification Agent is also responsible for developing the internal C&A process, and all the documentation that describes this process—the handbook and the templates. The documentation that the Certification Agent develops for evaluating the packages consists of checklists and score cards. The checklists and score cards should be consistent with the templates and the handbook. The checklists help the Certification Agent write the Security Assessment Report.

It is possible that the Certification Agent and the Senior Agency Information Security Officer may be the same person, since some small agencies may not have the internal resources to have two different staff members assigned to these roles. If the Certification Agent and SAISO are one and the same person, then the Certification Agent makes the accreditation recommendation to the authorizing official. The Certification Agent does not make the final decision on whether a C&A package should be accredited—he or she makes recommendations only on whether or not the package should be accredited.

In order to demonstrate objectivity, it is often the case that the evaluation team consists of outside consultants. FISMA, § 3454 states: “Each year each agency shall have performed an independent evaluation of the information security program and practices of that agency to determine the effectiveness of such program and practices.”

If an agency decides to use its own staff, it should be sure that there is a clear separation of duties between the evaluators and the organizations that are presenting the C&A packages for evaluation.

Business Owner

The business owner is a generic reference to the information system owner, and it is likely that there are no employees of the agency with the title “information system owner,” which is why I am not capitalizing the terminology here. The information system owner could be a Program Manager, an Application Manager, an IT Director, or an Engineering Director for example. In short, it is the person who is responsible for the development and operations of the information system.

The information system owner is the one who typically gets the ball rolling for a new C&A project. Information system owners need to ensure that their information system is fully accredited before being put into production. Once an information system is in production, it needs to be recertified and accredited every three years.

It is the information system owner’s responsibility to appoint someone to be the Information System Security Officer for the system requiring C&A.

System Owner

The system owner is the person responsible for administering the systems that the C&A application runs on. A system owner can be one lone systems administrator, or a systems department. In a large distributed application, it is possible that the different systems that are a piece of the application infrastructure have different system owners. When a large distributed application has different system owners, sometimes the different system owners can be in different geographic locations or different buildings. All C&A packages, whether it is a package for a Major Application, or the General Support Services infrastructure that the application runs on, should specify who the system owner is. The system owners are the folks who provide the systems support. The system owner should be indicated in the Asset Inventory. The contact information for the system owners should be indicated in the Contingency Plan and the Business Impact Assessment.

Information Owner

The information owner is the person who owns the data. The information owner is concerned about the integrity of the data, and communicates with the system owner about issues related to the security controls of the system or databases that the data resides on. The person, or department, that owns the data is not always the same as the system owner, though it could be. In many cases, the system owner maintains the data for the information owner. The information owner is often someone who reports to the business owner and could be a database manager, or an application manager. It is possible that in some organizations the information owner and the business owner are the same person.

It is possible that the data on the system slated for C&A falls under a different jurisdiction than that of the system owner. It is also possible that the information owner and the system owner are one and the same person. Sometimes databases may be administered and managed by someone who has expert credentials in the area. If the system owner and information owner are not one and the same person, this should be noted in the Certification Package in the Asset Inventory.

Information System Security Officer

The Information System Security Officer (ISSO) is responsible for managing the security of the information system that is slated for C&A. The ISSO ensures that the information system’s configuration is in compliance with the agency’s information security policy. All the certification package documents are prepared either by the ISSO, or for the ISSO, by staff or contractors. Typically ISSOs have a large plate of responsibilities and they likely will need to augment their staff with contractors to prepare a Certification Package expeditiously. It is not uncommon for one ISSO to be responsible for the preparation of half a dozen C&A packages. Since one C&A package could easily take a year for a well-versed security expert to prepare, it is considered standard and acceptable for ISSOs to hire consultants from outside the agency to prepare the Certification Package. It also improves the objectivity of the Certification Package to have it prepared by third-party individuals who are not part of the agency’s own staff.

Once a Certification Package is complete, the ISSO presents it to an evaluation team, who then proceed to validate the findings. The evaluation team is an extension of the certifying agent. If the certifying agent does not appoint or assemble an evaluation team, the certifying agent should be prepared to evaluate the Certification Package and make a recommendation on whether to issue a positive Accreditation.

C&A Preparers

The C&A preparers, sometimes referred to as the C&A review team, prepare the Certification Packages for submission to the evaluation team. In many cases, the C&A preparers are outside consultants. The C&A preparers can also be a mixed team of outside consultants and internal agency staff. The C&A preparers work for the information system owner, but usually under the direction of the Information System Security Officer. When it comes to putting together the Certification Package, it is the C&A preparers who perform the bulk of the work. The C&A preparers need to have an expert background in information security, with a breadth of understanding of the various facets of security architecture, information Confidentiality, information Integrity, information Availability, security policies, and FISMA regulations.

Agency Inspectors

To prepare for visits from the GAO, all agencies, and some bureaus, have their own inspectors who come on site to agency offices to periodically assess whether proper FISMA compliance is taking place. In most cases, the agency inspectors are not required to give much advance notification, and their visits can take place without warning. The agency internal inspectors come from the agency Office of Inspector General (OIG). Many agency OIG offices have their own Web sites, and you can read more about the different responsibilities of the OIG there.

Environmental Protection Agency www.epa.gov/oigearth/

Federal Communications Commission www.fcc.gov/oig/

Dept. of Agriculture www.usda.gov/oig/

Dept. of Health and Human Services http://oig.hhs.gov/

Social Security Administration www.ssa.gov/oig/

United States Postal Service www.uspsoig.gov/

The goal of the agency OIG is to catch any problems and resolve them so that they do not show up as deficiencies on GAO reports. The OIG offices have their own investigation and review process, and different OIG offices may perform their audits in different ways. OIG offices that are more vigilant in their audit and review process are more likely to prevent the agency from being cited as deficient by GAO inspectors.

GAO Inspectors

Oversight auditors from the GAO visit federal agencies on an annual basis, and review accredited Certification Packages to make sure that they have been accredited properly. The GAO also reviews the agency’s C&A process to determine if it is acceptable. If the GAO discovers that Certification Packages were inappropriately accredited, or if the agency’s C&A process is deficient in any way, agency officials will document the findings and the agency will receive poor grades on the annual Federal Computer Security Report Card. The Federal Computer Security Report Card is published each year by the U.S. Committee on Government Reform.

Levels of Audit

Taking into consideration the evaluation team, the OIG inspectors, and the GAO inspectors, you can see that the FISMA process undergoes rigorous levels of audit (see Figure 3.1). Usually there are no fewer than three levels of audit. Some agencies may even have an additional level of audit. After the evaluation team reviews the Certification Package, it is possible that another internal compliance organization may review the Certification Package again to see if the evaluation team did their job correctly. The original evaluation team and an ancillary compliance team may not in fact agree on whether a Certification Package should be accredited, and often the two internal audit organizations will have to have numerous discussions among themselves to come to an agreement on the final Accreditation recommendation. Having so many levels of audit can in fact seem like overkill; however, the agencies that indulge in these audit redundancies, and in separation of duties, often fare the best on the Federal Computer Security Report Card.

Figure 3.1: FISMA Levels of Audit for Reviewing the Certification Package. The Certification Package is reviewed, from the bottom up, by the Evaluation Team, the Certifying Agent, the OIG Inspectors, and finally the GAO Inspectors.
