
4.6: Certification and Accreditation


Other Information:

Certification is the comprehensive assessment of the technical and non-technical security features and other safeguards of a system, associated with its use and environment, to establish the extent to which a particular system meets a set of specified security requirements. Certification is in support of accreditation. Certification is an integral part of risk management and should be continually reviewed and updated throughout the system life-cycle. The Certification Phase of the C&A process includes a system analysis to identify weaknesses in operating the system with specified counter-measures in a particular environment, as well as an analysis of the potential vulnerabilities arising from these weaknesses through a rigorous systems test and evaluation (ST&E).

Planning for accreditation should begin at the start of the system life-cycle to ensure that security protection mechanisms and safeguards are designed and integrated into the system and/or subsystems, so that security decisions are not delayed (leading to costly retrofits and delays in operationally fielding the system), and that adequate resources are provided for C&A activities. Accreditation is the formal declaration by the Designated Approving Authority (DAA) that an automated information system (AIS) is approved to operate in a particular security mode using a prescribed set of safeguards, and should be strongly based on the residual risks identified during certification. The Accreditor has the formal responsibility for authorizing operation of the system. Since the risk to a system changes over the life of the system, the Accreditor must remain actively involved in the accreditation/reaccreditation process during the entire system life-cycle. The level of risk the Accreditor is willing to accept should be based upon the degrees of assurance.
The C&A process allows the DAA, Program Manager, and User Representative to tailor the certification effort to the particular system mission, threats, environment, degrees of assurance, and criticality of the system, as necessary, as long as they comply with network connection rules. With a standard approach established, reuse of both the technical and non-technical analyses from the certification effort for recertification, or for certification of a similar system, might be possible. The C&A process should encourage and preserve commonality in understanding, be consistent in application, be open to evolution and growth, employ feedback, and be applied continuously. This process should be scalable to the size of the system, repeatable, and predictable.

The OCIO is in the process of certifying and accrediting all OPIC systems, both the systems infrastructure and the business systems that support OPIC users. This will provide the initial C&A for OPIC’s systems. In addition, OCIO plans to implement a continuous monitoring plan to ensure security and compliance between C&A refreshes, a repeatable process for conducting ST&Es, and future C&A at the network and system levels.

Indicator(s):