NIST/Commercial Compliant Certification and Accreditation Support Overview

Argosy’s staff can assist IT organizations and enterprises with all phases of their certification and accreditation (C&A) efforts to comply with all related regulations and guidance, including:

Argosy’s methodology gives our clients a state-of-the-practice, low-risk and cost-effective approach to IT/IS certification and accreditation.  Argosy’s staff can assist IT organizations and enterprises with all phases of their certification and accreditation efforts to comply with DoD and other government regulations and guidance.  Argosy can provide C&A program planning, life-cycle implementation, and compliance assessment support.  Supporting a certification and accreditation project requires the coordination of many departments and other entities; if properly planned and performed, an enterprise C&A effort results in a well-executed, efficient project.

Argosy’s methodology follows industry best practice and is consistent with the National Institute of Standards and Technology (NIST) security certification and accreditation process guidance (NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems), which consists of the following distinct phases:

  • Initiation Phase;

  • Security Certification Phase;

  • Security Accreditation Phase; and

  • Continuous Monitoring Phase.

Exhibit 1 below provides a high-level view of the security certification and accreditation process, including the tasks associated with each phase in the process:

EXHIBIT 1 SECURITY CERTIFICATION AND ACCREDITATION PROCESS (figure not reproduced in this text)

Initiation Phase

The Initiation Phase consists of three tasks: (i) preparation; (ii) notification and resource identification; and (iii) system security plan analysis, update, and acceptance.  The purpose of this phase is to ensure that the authorizing official and senior agency information security officer are in agreement with the contents of the system security plan, including the system’s documented security requirements, before the certification agent begins the assessment of the security controls in the information system.

Security Certification Phase

The Security Certification Phase consists of two tasks: (i) security control assessment; and (ii) security certification documentation.  The purpose of this phase is to determine the extent to which the security controls in the information system are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.  This phase also addresses specific actions taken or planned to correct deficiencies in the security controls and to reduce or eliminate known vulnerabilities in the information system.  Upon successful completion of this phase, the authorizing official will have the information needed from the security certification to determine the risk to agency operations, agency assets, or individuals—and thus, will be able to render an appropriate security accreditation decision for the information system.

Security Accreditation Phase

The Security Accreditation Phase consists of two tasks: (i) security accreditation decision; and (ii) security accreditation documentation.  The purpose of this phase is to determine if the remaining known vulnerabilities in the information system (after the implementation of an agreed-upon set of security controls) pose an acceptable level of risk to agency operations, agency assets, or individuals.  Upon successful completion of this phase, the information system owner will have: (i) authorization to operate the information system; (ii) an interim authorization to operate the information system under specific terms and conditions; or (iii) denial of authorization to operate the information system.

Continuous Monitoring Phase

The Continuous Monitoring Phase consists of three tasks: (i) configuration management and control; (ii) security control monitoring; and (iii) status reporting and documentation.  The purpose of this phase is to provide oversight and monitoring of the security controls in the information system on an ongoing basis and to inform the authorizing official when changes occur that may impact the security of the system.  The activities in this phase are performed continuously throughout the life cycle of the information system.

Completing a security accreditation ensures that an information system will be operated with appropriate management review, that there is ongoing monitoring of security controls, and that reaccreditation occurs periodically in accordance with federal or agency policy and whenever there is a significant change to the system or its operational environment.


Copyright Argosy Omnimedia, Inc. 1997 - 2008 - support@argoc.com