There are four different levels for which information systems can be certified and accredited. The four levels are known simply as Level 1, Level 2, Level 3, or Level 4. The information system owner is supposed to decide at what level to certify the information system, and then obtain buy-in on that level from the authorizing official. The ISSO and C&A preparation team should assist the information system owner in determining the proper level at which to certify and accredit the information system.

Level 1

Level 1 is for information systems that are not sensitive and have few security requirements. A Level 1 C&A requires a minimal security review. A Level 1 Certification Package requires only a Security Plan, an Asset Inventory, and a completed Security Self-Assessment. Additionally, security policies must be clearly defined. A sample self-assessment can be found in Appendix D. Some agencies may have different requirements for a Level 1, and you should of course always follow the existing agency guidelines. Information systems that typically may require a Level 1 C&A are systems that:

■ Publish general public information

Level 2

A Level 2 C&A requires a basic review and analysis of the security of the information system. A Level 2 C&A requires everything included in a Level 1, plus a full set of C&A documents and a Security Test & Evaluation (ST&E) (but not test results). Security policies must be clearly defined and implemented. If an agency requires something different than what I recommend here, you should defer to the agency recommendations. Information systems that typically may require a Level 2 C&A are information systems that:

■ Are used for contracts, proposals, and legal proceedings

Level 3

A Level 3 C&A requires a detailed review and analysis of the security of the information system. A Level 3 C&A requires everything that is required in a Level 1 and 2 C&A, plus a network vulnerability scan, as well as tests that show that security policies have been correctly implemented. Some agencies may have different requirements for a Level 3, and you should always use the agency guidelines and follow the recommendations in their handbook. Information systems that typically may require a Level 3 C&A are information systems that:

■ Monitor information or physical security

Level 4

A Level 4 C&A requires an extensive review and analysis of the security of the information system. All items required for Levels 1, 2, and 3 are required for a Level 4, plus a penetration test and confirmation that all security tests were passed. Some agencies may have different requirements for a Level 4 and, just as with a Level 1, 2, or 3, you should always defer to the agency guidance. Information systems that typically may require a Level 4 C&A are information systems that:

■ Operate and monitor nuclear power plants

Determining the level of the Certification Package up front is one of the most often-overlooked parts of C&A. There are numerous organizations that don't perform this step until the entire Certification Package has been developed, which is the absolute wrong way to go about this. One of the reasons for determining the level up front is that the level determines what types of information need to be included in the Certification Package. The Certification Package is evidence that security risks have been understood and mitigated properly. The higher the level of Certification that one seeks, the more evidence is required. For example, network vulnerability scanning is required for Level 3 Certification, but not for Level 2. If you are seeking Level 3 Certification, you need to complete a network vulnerability scan, address the resulting risks identified, and include this information as part of the Certification Package.