
Federal Department Certification and Accreditation Support Overview

Argosy’s staff can assist federal agencies with all phases of their certification and accreditation (C&A) efforts to comply with all government regulations and guidance, including:

  • DoD Information Technology Security Certification and Accreditation Process (DITSCAP)
  • National Information Assurance Certification and Accreditation Process (NIACAP)
  • The Defense Information Assurance Certification and Accreditation Process (DIACAP)
  • OMB Circular A-130

Argosy can provide C&A program planning, life cycle implementation, and compliance assessment support. Supporting a certification and accreditation (C&A) project requires the coordination of many departments and other entities. If properly planned and performed, a C&A effort results in a well-executed, efficient project.

Details

Argosy will work with a government agency or government contractor to plan and coordinate the C&A effort. Argosy can act as the project manager for planning and tracking the project, coordinating with other departments and agencies, monitoring progress, taking corrective action, planning meetings, and creating progress reports. In addition, our staff of security engineers develops or reviews required documentation, interfaces with the certification lab, supports product testing, and supports marketing efforts based on the certification.

A typical engagement will include four phases:

  • Definition: This phase defines the C&A level of effort, identifies the DAA and the CA, and culminates with an agreement, by the program manager, the DAA, the CA, and the user representative, on the method for implementing the security requirements. That agreement is documented and describes the system mission, target environment, target architecture, security requirements, and applicable data access policies. The agreement describes the applicable set of planning and certification actions, resources, and documentation required for the C&A. The agreement is the vehicle that guides the implementation of requirements and the resulting C&A actions.
  • Verification: The objective of the verification phase is to verify the evolving system's compliance with the requirements agreed on in the agreement. This phase consists of activities that occur between the signing of the initial version of the agreement and the formal C&A of the system, such as continuing refinement of the agreement, system development or modification, certification analysis, and analysis of the certification results.
  • Validation: The objective of this phase is to validate that the preceding work has produced an information system that operates in a specified computing environment with an acceptable level of residual risk. This phase consists of process activities that occur after the system is integrated and culminates in the accreditation of the IT system, such as a review of the agreement, an evaluation of the integrated IT system, certification, and accreditation.
  • Post Accreditation: This phase contains process activities necessary to continue to operate and manage the system so that it will maintain an acceptable level of residual risk. Post-accreditation process activities include ongoing maintenance of the agreement, system operations, change management, and compliance validation.

Getting Started

For more information or to discuss an opportunity, please contact us using the information on our contact page.

Government Agencies

Title III of the E-Government Act (Public Law 107-347), the Federal Information Security Management Act (FISMA), requires that all federal agencies develop and implement an agency-wide information security program designed to safeguard the IT assets and data of the respective agency.

FISMA utilizes NIST Special Publication (SP) 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems” as its compliance standard. NIST SP 800-37 provides guidelines for certifying and accrediting information systems supporting the executive agencies of the federal government. NIST SP 800-37 applies to all federal information systems other than those systems designated as national security systems as defined in FISMA.

There are generally two methodologies used for C&A initiatives: DITSCAP and NIST. Building on our DITSCAP expertise, we have established a methodology to meet FISMA C&A requirements.

The certification and accreditation package consists of the following documents:

  • System security plan
  • Security assessment report
  • Plan of action and milestones

The key document for the certification and accreditation process is the System Security Plan (SSP), detailed in NIST Special Publication 800-18, “Guide for Developing Security Plans for Information Technology Systems.” The purpose of the SSP is to:

  • Provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements
  • Delineate responsibilities and expected behavior of all individuals who access the system

Argosy can help you comply with your FISMA requirements by performing the following tasks:

  • Categorize the information system
  • Select a set of minimum (baseline) security controls
  • Refine the security control set based on risk assessment
  • Document the security controls in the system security plan
  • Implement the security controls in the information system
  • Assess the security controls
  • Determine agency-level risk and risk acceptability
  • Provide documentation to support authorizing information system operation
  • Monitor security controls on a continuous basis
Copyright Argosy Omnimedia, Inc. 1997 - 2008 - support@argoc.com