Certification is the comprehensive evaluation of the technical and nontechnical security features of an information system and the other safeguards created in support of the accreditation process, to establish the extent to which a particular design and implementation meets the set of specified security requirements.
Accreditation is the formal declaration by a Designated Approving Authority (DAA) that an information system is approved to operate in a particular security mode by using a prescribed set of safeguards at an acceptable level of risk. Recertification and reaccreditation are required when changes occur in the system and/or its environment, or after a defined period of time after accreditation.
C&A is required for all federal government departments and agencies, as determined by the National Policy on Certification and Accreditation of National Security Telecommunications and Information Systems, issued April 8, 1994. The policy is intended to provide the national security community with standard methodologies for C&A processes, assign authority and responsibilities, and lay a basis for mutual recognition of certification results in order to ensure the security of national security systems. Its goals are the development of cost-effective policies, procedures, and methodologies for the C&A of national telecommunications and information systems.
Two of the most widely used C&A standards are the aforementioned NIACAP and DITSCAP. As mentioned in the previous section of this chapter, the Defense Information Assurance Certification and Accreditation Process (DIACAP) was recently developed to replace DITSCAP and is intended to make DoD C&A easier. We will describe each of these processes in detail later in the subsection on C&A phases.
NIST C&A Documents
NIST has developed a suite of documents for conducting C&A, including:
· NIST Special Publication 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems”
· NIST Special Publication 800-53, “Security Controls for Federal Information Systems (interim guidance)”
· NIST Special Publication 800-53A, “Techniques and Procedures for Verifying the Effectiveness of Security Controls in Federal Information Systems”
· NIST Special Publication 800-59, “Guideline for Identifying an Information System as a National Security System”
· NIST Special Publication 800-60, “Guide for Mapping Types of Information and Information Systems to Security Objectives and Risk Levels”
C&A Roles and Responsibilities
Many roles are involved in the C&A process. Several of these roles, such as the system owner, system manager, configuration manager, systems administrator, and risk analyst, are defined in other chapters of this book.
Using the DITSCAP as a model, the four minimum roles needed to perform a C&A are the:
1. IS program manager
2. Designated Approving Authority (DAA), also referred to as the accreditor
3. Certification agent (certifier)
4. User representative
The individuals in these roles tailor and scope the C&A efforts to the particular mission, environment, system architecture, threats, funding, and schedule of the system. These individuals resolve critical schedule, budget, security, functionality, and performance issues. We’ll examine these roles in more detail in the following subsections.
Additional roles may be added to increase the integrity and objectivity of C&A decisions. For example, the Information Systems Security Officer (ISSO) usually performs a key role in the maintenance of the security posture after the accreditation and may also play a key role in the C&A of the system.
Program Manager
The program manager represents the interests of the system in areas such as:
· Acquisition
· Life cycle schedules
· Funding responsibility
· System operation
· System performance
· Maintenance
Which organization the program manager represents is determined by the phase in the life cycle of the system. The program manager coordinates all aspects of the system from initial concept, through development, to implementation and system maintenance. The DAA, certifier, and user representative give advice, information, and guidance to the program manager throughout the C&A.
The program manager:
· Is the primary authorization advocate
· Is responsible for the IS throughout the life cycle (cost, schedule, and performance of the system development)
· Ensures that the security requirements are integrated in a way that will result in an acceptable level of risk to the operational infrastructure as documented in the System Security Authorization Agreement (SSAA)
· Keeps all C&A participants informed of life cycle actions, security requirements, and documented user needs
Additionally, the program manager provides details of the system and its life cycle management to the DAA, certifier, and user representative during Phase 2. The program manager must verify that the implementation of the system is consistent with the system security characteristics reflected in the SSAA.
As additional system details become available, the program manager ensures the SSAA is updated. At the end of Phase 2, the program manager ensures that a configuration management procedure is in place and that the system is properly controlled during the certification process.
The program manager also ensures that the certification-ready system is under configuration management during Phase 3. The DAA, certifier, and user representative validate that the operational environment and system configuration are consistent with the security characteristics reflected in the SSAA.
Designated Approving Authority (DAA)
The DAA is the primary government official responsible for implementing system security. The DAA is an executive with the authority and ability to balance the needs of the system with the security risks. He or she determines the acceptable level of residual risk for a system and must have the authority to oversee the budget and IS business operations of systems under his or her purview.
Based on the information available in the SSAA, the DAA can grant the accreditation, an Interim Approval to Operate (IATO), or may determine that the system’s risks are not at an acceptable level and it is not ready to be operational. In reaching these decisions, the DAA is supported by all the documentation provided in the SSAA.
Certification Agent
The certifier (or certification team) provides the technical expertise to conduct the certification throughout the system’s life cycle based on the security requirements documented in the SSAA. The certifier determines the existing level of residual risk and makes an accreditation recommendation to the DAA. The certifier is the technical expert who documents tradeoffs among security requirements, cost, availability, and schedule to manage security risk.
The certifier determines whether a system is ready for certification and conducts the certification process – a comprehensive evaluation of the technical and nontechnical security features of the system. At the completion of the certification effort, the certifier reports the status of certification and recommends to the DAA whether to accredit the system based on documented residual risk.
To avoid conflicts of interest, the certifier should be independent from the organization responsible for the system development or operation. Organizational independence of the certifier ensures the most objective information for the DAA to make accreditation decisions.
User Representative
The operational interests of system users are vested in the user representative. In the C&A process, the user representative is concerned with system availability, access, integrity, functionality, performance, and confidentiality as they relate to the mission environment.
Users and their representatives are found at all levels of an agency. As noted in the SSAA, the user representative:
· Is responsible for the identification of operational requirements
· Is responsible for the secure operation of a certified and accredited IS
· Represents the user community
· Assists in the C&A process
· Functions as the liaison for the user community throughout the life cycle of the system
· Defines the system’s operations and functional requirements
· Is responsible for ensuring that the user’s operational interests are maintained throughout system development, modification, integration, acquisition, and deployment
Information Systems Security Officer (ISSO)
The ISSO is the person responsible to the DAA for ensuring that security is provided for and implemented throughout the life cycle of an IS, from the beginning of the system concept development phase through its design, development, operation, maintenance, and secure disposal. As per NIST 800-37, the ISSO is the agency official responsible for carrying out the Chief Information Officer responsibilities under FISMA.
NIACAP Roles
The NIACAP roles are virtually identical to the DITSCAP roles. The four minimum roles needed to perform a NIACAP security assessment are the:
· IS program manager
· Designated Approving Authority (DAA), also referred to as the accreditor
· Certification agent (certifier)
· User representative
The individuals in these roles tailor and scope the C&A efforts to the particular mission, environment, system architecture, threats, funding, and schedule of the system. These individuals resolve critical schedule, budget, security, functionality, and performance issues.
DIACAP Roles
The DIACAP is intended to make C&A easier than either the DITSCAP or the NIACAP, as we will see in later chapters. The key participants in the DIACAP process are:
· DAA
· Information Assurance Manager
· Program Manager
· User Representative
· Certification Authority
NIST C&A Roles
NIST publication 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems,” describes these roles a little differently. For example, the DAA is referred to as the Authorizing Official.
NIST 800-37 also defines the role of Chief Information Officer. The Chief Information Officer is the agency official responsible for:
· Designating a senior agency information security officer
· Developing and maintaining information security policies, procedures, and control techniques to address all applicable requirements
· Training and overseeing personnel with significant responsibilities for information security
· Assisting senior agency officials concerning their security responsibilities
· Reporting annually, in coordination with other senior agency officials, to the agency head on the effectiveness of the agency information security program, including progress of remedial actions
C&A Phases
The phases of DITSCAP and NIACAP are also virtually identical. C&A is commonly composed of four phases:
1. Definition – This phase is focused on understanding the IS business case, the mission, environment, and architecture to determine the security requirements and level of effort necessary to achieve certification and accreditation. The objective of Phase 1 is to agree on the security requirements, C&A boundary, schedule, level of effort, and resources required.
2. Verification – Phase 2 confirms the evolving or modified system’s compliance with the information in the SSAA (or the System Security Plan in NIACAP). The objective of Phase 2 is to ensure that the fully integrated system will be ready for certification testing.
3. Validation – Phase 3 confirms compliance of the fully integrated system with the security policy and requirements stated in the SSAA. The objective of Phase 3 is to produce the required evidence to support the DAA in making an informed decision to grant approval to operate the system (accreditation or Interim Approval to Operate [IATO]).
4. Post Accreditation – The Post Accreditation phase starts after the system has been certified and accredited for operations. Phase 4 includes those activities necessary for the continuing operation of the accredited IS in its computing environment and for addressing the changing threats and small-scale changes a system faces through its life cycle. The objective of Phase 4 is to ensure secure system management, operation, and maintenance to preserve an acceptable level of residual risk. Phase 4 continues until the information system is removed from service (decommissioned), undergoes major revisions, or requires a periodic compliance validation.
Each phase consists of defined activities with specific tasks and procedures, as will be seen in later chapters.
DIACAP Phases
The DIACAP process is a little different from DITSCAP or NIACAP.
The overall process is similar to other C&A activities. The DIACAP process is expected to consist of five phases, with subordinate tasks:
1. Initiate and Plan IA C&A:
o Register system with DoD Component IA Program.
o Assign IA controls.
o Assemble DIACAP team.
o Develop DIACAP strategy.
o Initiate IA implementation plan.
2. Implement and Validate Assigned IA Controls:
o Execute and update IA implementation plan.
o Conduct validation activities.
o Combine validation results in DIACAP Scorecard.
3. Make Certification Determination and Accreditation Decisions:
o Analyze residual risk.
o Issue certification determination.
o Make accreditation decision.
4. Maintain Authority to Operate and Conduct Reviews:
o Initiate and update lifecycle implementation plan for IA controls.
o Maintain situational awareness.
o Maintain IA posture.
5. Decommission System:
o Conduct activities related to the disposition of the system data and objects.