What Is Certification and Accreditation
Certification and Accreditation is a process that ensures that systems and major applications adhere to formal, established security requirements that are well documented and authorized. Informally known as C&A, Certification and Accreditation is required of federal agencies by the Federal Information Security Management Act (FISMA) of 2002 and the Office of Management and Budget (OMB) guidance that implements it. All systems and applications that reside on U.S. government networks must go through a formal C&A before being put into production, and every three years thereafter. Since accreditation is the ultimate output of a C&A initiative, and a system or application cannot be accredited unless it meets specific security guidelines, the goal of C&A is clearly to force federal agencies to put into production only systems and applications that are secure.

FISMA, also known as Title III of the E-Government Act (Public Law 107-347), mandates that every U.S. federal agency develop and implement an agency-wide information security program that explains its security requirements, security policies, security controls, and the risks to the agency. The requirements, policies, controls, and risks are explained formally in a collection of documents known as a Certification Package. The Certification Package consists of a review and analysis of applications, systems, or a site: basically, whatever it is that the agency wants accredited. New applications and systems require accreditation before they can be put into production, and existing applications and systems require reaccreditation every three years. In the words of the Act itself:

"Each agency shall develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source…"
(Federal Information Security Management Act of 2002)

Laws for U.S. federal departments and agencies mandate C&A; however, private organizations can also take advantage of C&A methodologies to help mitigate risks on their own information systems and networks. In fact, by commonly cited estimates, about 90 percent of the nation's critical infrastructure runs on private networks that are not part of any U.S. federal department or agency. The nation's critical infrastructure includes the information technology systems that run electrical, chemical, nuclear, transportation, telecommunication, banking and financial, and agricultural, food, and water supply systems, to name only a few.

The entire C&A process is really nothing more than a standardized security audit, albeit a very complete one. Having worked in both private industry and on government networks, my experience indicates that, contrary to what you read in the news, most private and public companies do not put nearly as much time, effort, and resources into documenting their security as government agencies do. All the C&A methodologies can be adopted and used by private industry. Though federal departments and agencies seem to get repeated criticisms belittling their security initiatives, it's my experience and belief that the criticisms are largely exaggerated and that their security conscientiousness far exceeds that of private industry. The C&A model is a methodology for demonstrating due diligence in mitigating risks and maintaining appropriate security controls. Any enterprise organization can adopt best-practice C&A methodologies. No special license is required, and no special tools are required to make use of the model; it is simply a way of doing things related to security.

Certification refers to the preparation and review of an application's or system's security controls and capabilities for the purpose of establishing whether the design or implementation meets appropriate security requirements. Accreditation refers to the positive outcome of the evaluation of the Certification Package: the formal decision, made on the evaluation team's recommendation, that the system is approved to operate.

Different documents written by different federal agencies have their own definitions of certification and accreditation, and though the definitions are similar, each is slightly different. NIST Special Publication 800-37 defines certification as:

"A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system."

The guidance written by NIST is intended for information systems that process unclassified data, more commonly known as SBU data (Sensitive But Unclassified). The Committee on National Security Systems (CNSS), chaired by the Department of Defense, defines certification in the National Information Assurance Glossary, revision of June 2006, as:

"A comprehensive evaluation of the technical and nontechnical security safeguards of an IS to support the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements."

You can see that even the experts among us don't necessarily agree on a concrete definition. However, since experts in most professions typically bring their own uniqueness to the table, I don't see the differences in definitions as being a show stopper for getting the job done. The definitions are similar enough: both describe an assessment of a system's security safeguards against a stated set of requirements, performed in support of an accreditation decision.

An evaluation team reviews the suite of documents known as a Certification Package and makes a recommendation on whether the system should be accredited. The evaluation team may be referred to by different names in different agencies. You should think of the evaluators as specialized information security auditors; often they are referred to as certifying agents. Each agency may refer to its own auditors with slightly different names, so you shouldn't get hung up on what to call these folks. The main thing to know is that each agency has its own set of auditors who have the power either to pass or fail the different elements of a Certification Package, and to provide a recommendation either to accredit the package or not.

The term "Certification" can be confusing, because a Certification Package does not mean that any part of the infrastructure described in the package has been certified by anyone for anything. The Certification Package itself is not, and does not get, certified. However, it does get reviewed by certifying agents. A more apropos name might have been a Security Package, but that isn't the name our friendly federal regulators wanted to use, so we won't be using it here.

Once a Certification Package has been evaluated, a positive accreditation indicates that a senior agency official has formally made the decision that the documented risks to the agency, its assets, and individuals are acceptable. Senior agency officials employ large teams of information assurance oversight staff who go over the Certification Packages with fine-toothed combs. Accreditation does not come lightly, and occurs only after each Certification Package has undergone a scrupulous review. By accrediting an information system, the senior agency official agrees to take responsibility for the accuracy of the information in the Certification Package and consents to be held accountable for any security incidents that may arise related to the system. NIST Special Publication 800-37 refers to accreditation as:

"The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls."

And the National Information Assurance Glossary refers to accreditation as a:

"Formal declaration by a Designated Accrediting Authority (DAA) that an IS is approved to operate at an acceptable level of risk, based on the implementation of an approved set of technical, managerial, and procedural safeguards."

Much of the terminology that federal agencies use in developing C&A programs and processes comes from the Office of Management and Budget (OMB) Circular A-130, Appendix III. The OMB is part of the Executive Office of the President of the United States. Aside from assisting the President with the budget, the OMB's mission is also to create and oversee information and regulatory policies. The OMB was created in 1970 and essentially replaced the Bureau of the Budget. The fact that the OMB plays a significant regulatory role in C&A shows just how important information security has become to our national infrastructure. It also means that C&A initiatives will have a budget and are clearly a priority to the Executive Office of the President of the United States, and that's a good thing.