13 Validating the Enterprise
Certification and Accreditation Process
The security certification and accreditation (C&A) process consists of four distinct phases:
• Initiation phase
• Security certification phase
• Security accreditation phase
• Continuous monitoring phase
Each phase in the security certification and accreditation process consists of a set of well-defined tasks and subtasks that are to be carried out, as indicated, by responsible individuals (e.g., the chief information officer, authorizing official, authorizing official's designated representative, senior agency information security officer, information system owner, information owner, information system security officer, certification agent, and user representatives).
The initiation phase consists of three tasks:
1. Preparation
2. Notification and resource identification
3. System security plan review, analysis, and acceptance
The purpose of this phase is to ensure that the authorizing official and senior agency information security officer are in agreement with the contents of the system security plan before the certification agent begins the assessment of the security controls in the information system.
The security certification phase consists of two tasks:
1. Security control assessment
2. Security certification documentation
The purpose of this phase is to determine the extent to which the security controls in the information system are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. This phase also addresses specific actions taken or planned to correct deficiencies in the security controls and to reduce or eliminate known vulnerabilities in the information system. Upon successful completion of this phase, the authorizing official will have the information needed from the security certification to determine the risk to agency operations, agency assets, or individuals, and thus will be able to render an appropriate security accreditation decision for the information system.
The security accreditation phase consists of two tasks:
1. Security accreditation decision
2. Security accreditation documentation
The purpose of this phase is to determine if the remaining known vulnerabilities in the information system (after the implementation of an agreed-upon set of security controls) pose an acceptable level of risk to agency operations, agency assets, or individuals.
Upon successful completion of this phase, the information system owner will have received one of the following:
1. Authorization to operate the information system
2. An interim authorization to operate the information system under specific terms and conditions
3. Denial of authorization to operate the information system
The continuous monitoring phase consists of three tasks:
1. Configuration management and control
2. Security control monitoring
3. Status reporting and documentation
The purpose of this phase is to provide oversight and monitoring of the security controls in the information system on an ongoing basis and to inform the authorizing official when changes occur that may affect the security of the system. The activities in this phase are performed continuously throughout the life cycle of the information system.
Figure 13.1 identifies the phase I steps and governing regulations.
Accreditation Decisions
The security accreditation package documents the results of the security certification and provides the authorizing official with the
[Figure 13.1 Phase I methodology and NIST reference. The figure has two columns. "Phase I C&A Methodology" lists the steps: Define the Scope of C&A; Identify Security Controls; System Security Plan; Risk Assessment; Develop Security Controls Compliance Matrix (SCCM). "Federal Regulations that Impact or Guide the Process" lists, against those steps, references drawn from NIST SP 800-18, NIST SP 800-26, NIST SP 800-27, NIST SP 800-30, NIST SP 800-37, NIST SP 800-53, FIPS 199, FIPS 200, and DR 3555-001.]