
Security Certification and Accreditation 101
By Laura Taylor
June 23, 2004

All federal agencies in the United States must have their IT systems and infrastructure certified and accredited. Among industry experts, this certification and accreditation process is more informally known as C&A. It is a picayune process where auditors inspect reams of security documentation on an agency's IT systems and infrastructure, and either pass them or fail them.

Background and Purpose

Title III of the E-Government Act (Public Law 107-347) entitled Federal Information Security Management Act (FISMA) requires that all federal agencies develop and implement an agency-wide information security program designed to safeguard IT assets and data of the respective agency. FISMA is specific in its requirements and it stipulates that the information security program must include documentation and reports that clearly describe the following:

  • Periodic risk assessments
  • Information security policies and procedures
  • An assessment of threats, including their likelihood and impact
  • Policies and procedures for detecting security vulnerabilities
  • Evaluation and periodic testing of how well security policies are working
  • An inventory of software and hardware assets
  • Security awareness training and expected rules of behavior for end-users
  • An evaluation of the technical, management, and operational security controls
  • Procedures for reporting and responding to security incidents
  • A process for addressing any deficiencies reported
  • Contingency plans to ensure continuity of operations in the face of a disaster

FISMA forces federal agencies to understand the security of their systems and holds them accountable for resolving deficiencies. The methodologies that have evolved to address FISMA stipulations are sound ones and, though only federal agencies are required to abide by them, it would behoove financial institutions to adopt these methodologies to assess the security of their own systems.

C&A Methodology

There are generally three methodologies used for C&A initiatives:

  • DITSCAP
  • NIACAP
  • NIST

DITSCAP is an acronym for Defense Information Technology Systems Certification and Accreditation Process. It is based on a publication known as Defense Information Systems Certification and Accreditation regulation Department of Defense (DoD) 5200.40. DITSCAP is typically used only for defense agencies, although civilian agencies may opt to apply DITSCAP principles to their own customized C&A process.

NIACAP stands for National Information Assurance Certification and Accreditation Process. It is based on a process published as National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 1000.

NIST is the National Institute of Standards and Technology, and its C&A methodology is described in a document known as Special Publication 800-37. While many civilian agencies have traditionally used either the NIACAP or NIST methodologies, the current trend is that most agencies are moving away from NIACAP to embrace the new NIST methodology.

All three methodologies take into consideration the entire system, network, and application lifecycle from a security standpoint. In short, the C&A process is a manual audit of policies, procedures, controls, and contingency planning. While some information security reports can be obtained about systems and networks from an online penetration test, an online penetration test cannot tell you if an organization has security policies and procedures in place, and if they are following these policies and procedures. The C&A process is much more cumbersome than a network penetration test (sometimes referred to as a security scan or online vulnerability assessment).

Preparing for C&A

The outcome of the C&A process is to put together a collection of documents that describe the security posture of the systems, an evaluation of the risks, and recommendations for correcting deficiencies. It is what's known as a Certification Package.

A typical Certification Package usually consists of a minimum of half a dozen documents, though more documentation may be required if the systems contain classified information or highly sensitive data. Each agency is responsible for defining its own C&A process, and that process must be well documented in the form of a C&A Handbook. The C&A Handbook is based on one of the three well-known methodologies (NIST, DITSCAP, or NIACAP) with various customizations that are unique to each particular agency. Preparing the C&A package is sometimes referred to as a C&A Review.

Once a Certification Package has been prepared, Mission Assurance auditors review the package and then decide whether or not the systems should be accredited according to the proposed recommendation. All federal agencies must obtain an Authority to Operate (ATO) before their systems can be legitimately and legally used for production purposes.

If the Certification Package does not appear to contain the right information, or if the information reported in the package is considered unacceptable (for example, if unacceptable risks are cited with inappropriate safeguards to mitigate them), the agency may be given an Interim Authority to Operate (IATO), which allows it to operate its systems, usually for three months, while it corrects the deficiencies.

In preparing a C & A package, the documents that are typically required (according to the NIST methodology) include the following:

  • System Categorization Statement
  • System Description with System Boundaries Noted
  • Network Diagram and Data Flows
  • Software and Hardware Inventory
  • Business Risk Assessment
  • System Risk Assessment
  • Contingency Plan
  • Self-Assessment
  • System Security Plan

Depending on the requirements of the particular agency, other documents or variations of these particular documents may also be required. NIST publishes an excellent collection of documents that provide guidance for the C&A review and explain what sort of information should be reported in each of the required documents.

Levels of Certification and Starting the Review

There are typically four levels of accreditation for a system. At the beginning of a C&A project, the C&A review team makes a decision on the appropriate accreditation level that it is going to seek, and drafts a memorandum that justifies this decision. The four levels of accreditation are tightly mapped to the sensitivity of the systems being certified, and the severity of the impact that a disaster would have on the systems or information. How to categorize the software and hardware assets appropriately is described in the following documents:

The most sensitive systems, those that have lives depending on them, typically seek accreditation at the highest level, Level 4. Systems that are not sensitive seek accreditation at the lowest level, Level 1. Moderately sensitive systems typically undergo a Level 2 or Level 3 C&A review.

It is important to understand the appropriate level of accreditation required for the systems undergoing the C&A review as the auditors will not accredit a system that has been incorrectly categorized. However, it is up to the system owners to understand the levels of certification and their implications. Differing amounts of information are required in the documentation that must be provided to the Mission Assurance auditors depending on the level of accreditation that is sought. Determining the appropriate level of certification and accreditation to seek out is the first step in getting your C&A project off the ground.

Outsourcing Your C&A Effort

It's often the case that federal agencies elect to outsource their C&A Review when their own resources are fatigued trying to meet other operational deadlines. There are a number of consultancies that specialize in assisting U.S. federal agencies with their C&A Review. If an agency is considering outsourcing the C&A Review, it should interview all potential consultancies and ask for references for other C&A initiatives the consultancy has previously completed. If a consultancy has successfully assisted agencies in obtaining full accreditation of their systems, this is a positive sign that it has a reputable track record.

Some consultancies, known as Federally Funded Research and Development Centers (FFRDC), are not-for-profit organizations that have a vested interest in working for the public benefit. FFRDCs, by charter, are only allowed to have federal agencies for customers, and they are not allowed to make a profit. Also by charter, FFRDCs are vendor-neutral and are not allowed to develop or sell products. Many industry experts believe that federal agencies can obtain a greater level of objectivity by using an FFRDC's consulting services instead of a traditional, privately held, for-profit consulting firm.

A Word to the Wise

Most U.S. federal agencies do not leave enough time to prepare a comprehensive C&A package. A medium-sized C&A effort requires six months for a team of three consultants who know what they are doing. If your project team is new at C&A, you can expect the process to take much longer. If you are the CIO of a U.S. federal agency, your systems will likely be shut down if they don't pass the accreditation process, which could become career limiting. Therefore, if you don't have enough in-house resources to get the job done, this is one particular case where you will definitely want to outsource the project to some expert consultants.

References

DITSCAP: DoD 5200.40, December 30, 1997

NSTISSI No. 1000, April 2000

NIST Special Publication 800-37, May 2004
