Stepping through the Certification Process
There are four high-level phases to the C&A process. To get from one phase to another, a lot of things happen along the way. Let me help you understand how to get from one phase to the next.

The Initiation Phase

The Initiation Phase is usually informally managed by the information system owner and the ISSO. Although all information system owners should be aware of the fact that FISMA requires new information systems to be positively accredited, this may not be at the forefront of their minds. Therefore, it is altogether likely that the ISSO may bring the need for C&A to the attention of the information system owner. Whether the need for C&A is initiated by the information system owner or the ISSO, some sort of acknowledgment between these two individuals that a C&A needs to take place should occur. The acknowledgment does not have to be formal, or even written. A simple hallway conversation can suffice as long as both parties agree that it’s time to get a C&A project started.

During the Initiation Phase, the information system owner and the ISSO should agree on what resources to use for the C&A preparation team. Decisions need to be made on whether to hire outside contractors or use in-house staff. Since C&A, if done properly, is usually a much bigger job than most people realize, I cannot emphasize enough the value in using outside consultants. Putting together a Certification Package is a full-time job, and usually the results will be insufficient if the government office tries to double up its existing staff to perform C&A duties in conjunction with their existing daily routine.

In outsourcing the preparation of a Certification Package to outside consultants, it is important for the ISSO to ensure that he or she is hiring capable individuals with the appropriate expertise. The ISSO should ask numerous questions of a potential contract company and its staff before enlisting the Contractor Officer (COTR) to close an agreement. Questions that may assist an ISSO in determining the expert C&A capabilities of potential consultants might be:

For what other agencies have you performed C&A?
Do you have a track record in obtaining positive Accreditations?
Can you name the C&A documents that you are experienced in preparing?
Will you be able to make numerous trips on site to meet with our staff?
Can you provide resumes for the available consultants?
Do you have a description of your C&A preparation services?
Can you provide references from other agencies?

Not all C&A consulting services are the same. One clear indication that a contracting company does not fully understand C&A is if they list only a few document types in their C&A service description. Some companies claim to understand C&A but, for example, will list that their C&A service consists of a Self-Assessment and a Vulnerability Assessment (which of course is only part of the picture). You really want to hire consultants that understand the entire ball of wax and can develop all the documents required for C&A. It will only slow down and complicate the process if you hire, say, one company to develop part of the deliverables and another company to develop the other part. When it comes to C&A, finding a contracting company that offers one-stop shopping is really the most efficient way to go. One good way to find out how well a candidate contracting company understands C&A is to ask them for a project proposal with milestones built into it. By comparing different project proposals side by side, it should become clear which of the candidate contracting companies offer the best expertise.

Last but not least, before preparing a Certification Package, the ISSO should have some understanding of whether or not the proposed Certification Package will result in a positive accreditation. If the ISSO knows up front that proper security controls have not been put into place, that security is improperly configured, and that security policies have not been adhered to, it is better to fix these problems before beginning the C&A process. This does not mean that C&A is optional. What I am suggesting is that if you know of weaknesses that require correction, start correcting them immediately. Don’t wait for C&A time to come along before making the necessary corrections.

NIST advises that the information system’s System Security Plan be analyzed during the initiation phase. Although there is nothing theoretically wrong with this approach, it is often the case that for a new information system, a System Security Plan does not yet exist. In putting together the Certification Package, it is a more likely scenario that the System Security Plan will be either written for the first time, or revised and updated, during the Certification Phase. During a recertification of a package that has been previously accredited, an old System Security Plan would of course already exist.

Initiation Phase Milestones

During the initiation phase, you should be asking these questions:
Have C&A preparers been identified?
Have known security weaknesses been addressed?
Has the FIPS 199 security categorization been completed?

The Certification Phase

The Certification Phase is the time period in which the Certification Package is prepared. It is during this phase that the C&A preparers (or review team) gather all the supporting evidence and documentation, and develop the new documents required for the Certification Package. If the proposed C&A is for a brand new information system, no prior Certification Package will exist. If the C&A is for an older information system, a prior Certification Package should exist and be available for review. New C&As are required every three years. Certification for an information system that previously has been accredited is referred to as a “recertification.” Recertifications require the same suite of documents that new Certification Packages require. When working on a recertification, the prior Certification Package should be reviewed thoroughly to ensure that all risks previously cited in the old Certification Package have been mitigated.

The C&A review team will need to come on site to the agency’s office to be available to interview the information system’s development and management team. It is critical for the C&A review team to learn as much about the information system as possible and ask as many questions as necessary. The information system owner should advise his or her development staff to accommodate the C&A review team and provide them with as much information as possible about the design and configuration of the system slated for C&A.

C&A review teams may consist of anywhere from a few people up to a dozen or more, depending on the complexity of the information system slated for C&A. What should determine the number of individuals on the C&A team is the scope of the project and the timeframe of the project. As you increase the scope and decrease the timeframe, the need for a bigger C&A review team increases. Most C&A review teams require at least three months to assemble an adequate Certification Package. It would not be out of the question, however, for a C&A review team to take six months to prepare a Certification Package for a large and complex infrastructure.

Certification Phase Milestones

Design and architecture documents are reviewed.
Vulnerabilities are identified.
Evidence of risk mitigation is identified.
Certification documents are written.
Analysis of acceptable risk to the agency is completed.

The Accreditation Phase

The Accreditation Phase begins when the Certification Package has been completed. The evaluation team reads through the Certification Package in its entirety and validates whether the findings are accurate and whether all the required information is present. A Certification Package can easily be in excess of 500 pages. At least two to four weeks should be allotted for the Accreditation Phase. Most evaluation teams will have already prepared checklists of particular criteria they expect to find in the Certification Package before they actually begin the evaluation. If a Certification Package passes muster with the evaluators, a recommendation will be made that the package be positively accredited. The Certifying Agent will review the recommendation and, as long as it appears justified, will sign a formal letter of Accreditation. The accreditation letter will also need to be signed by the ISSO, the information owner, and the authorizing official, and then will be sent to the CIO. The CIO is supposed to acknowledge receipt of the letter by signing it.

Accreditation Milestones

Submission of package to evaluators
Review and comment resolution
Recommendation to Accredit (or not)

The Continuous Monitoring Phase

Once an information system has been accredited, it should be continuously monitored. Configuration management changes should be an ongoing and well-managed process with approval mechanisms built in. Dates of changes and versions of code changes should all be documented. Security controls should also be monitored, and any changes made to them should be documented. If firewall policies are changed, the changes and the reasons for the changes should be documented. If intrusion detection configuration changes are made, they should be fully described and the reasons for the changes should be documented.

It is often the case that not nearly enough time is put into the Continuous Monitoring Phase, since once a positive Accreditation has been made, most ISSOs and information system owners tend to breathe a sigh of relief and seem to like to put the entire C&A process behind them. Putting together a Certification Package and obtaining an Accreditation is a daunting task, and doing more of it after the job is done is not usually high on anyone’s agenda after the fact. However, keeping the documents up to date will make any future recertifications much easier. Unless the information system is decommissioned, it in fact will need to be recertified in three years. The documents that are a part of the Certification Package are considered live documents and can be updated at any time. It is best to update the documents as soon as changes are made to the information systems, since that is when the new information is most fresh in everyone’s mind. Updating documentation never seems to be high on the list of important tasks to complete, and for that reason I recommend that updating Certification Package documents be built into the change management process. Each time a document is updated, it should be reviewed and approved through the change control process and then archived both locally and at an offsite location.

Continuous Monitoring Milestones

Reconciliation of POA&M citations
Documentation of changes to system
Ongoing monitoring of security controls