Information Security Governance Papers

Paper Title: Certification, Accreditation, and Security Assessments
The Abstract of The Paper: Security certification and accreditation are important activities that support a risk management process and an integral part of an agency's information security program. The security certification and accreditation process is designed to ensure that an information system will operate with the appropriate management review, that there is ongoing monitoring of security controls, and that reaccreditation occurs periodically.
Required by Office of Management and Budget (OMB) Circular A-130, Appendix III, Security of Federal Automated Information Resources, security certification and accreditation serves a function similar to quality control. It is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk on behalf of the agency. In this vein, it makes senior officials who accept risk fully accountable for their decisions, and in doing so, encourages diligence in the decision-making process.
The Federal Information Security Management Act (FISMA) and OMB Circular A-130, Appendix III, both require that federal agencies perform IT security risk assessments and prepare security plans for all systems. Both risk assessments and security plans are essential components of the security certification and accreditation process. Whether formal or informal, risk assessments provide much of the data needed to formulate a security plan that addresses the risks identified for a given system. Both the risk assessment and the development and maintenance of a security plan that accurately reflects the security requirements and controls in place for a particular system must be incorporated into the system development life cycle (SDLC).
In addition to risk assessments and system security plans, security assessments have an important role in security accreditation. It is essential that agency officials have the most complete and accurate information possible on the security status of their information systems in order to make timely and sound risk-based decisions. The information and supporting evidence needed for security accreditation are developed during a detailed security evaluation of a system, typically referred to as security certification.
Security certification is a comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. The results of a security certification are used to reassess the risks and update the system security plan, thus providing the factual basis for an authorizing official to render a security accreditation decision. By accrediting an information system, an agency official accepts the risks associated with operating the system and the associated implications on agency operations, agency assets, or agency individuals. Completing a security accreditation ensures that an information system will be operated with appropriate management review, that there is ongoing monitoring of security controls, and that reaccreditation occurs periodically in accordance with federal or agency policy and whenever there is a significant change to the system or its operational environment.
In May 2004, the Information Technology Laboratory (ITL) published National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems. It provides specific recommendations on how to certify and accredit information systems, and it is applicable to all federal information systems other than those systems designated as national security systems as defined in 44 United States Code (U.S.C.), Section 3542. State, local, and tribal governments, as well as private sector organizations, are encouraged to use the guidelines, as appropriate. The goals of the guidelines are as follows:

Enable more consistent, comparable, and repeatable assessments of security controls in federal information systems;

Promote a better understanding of agency-related mission risks resulting from the operation of information systems; and

Create more complete, reliable, and trustworthy information for authorizing officials to facilitate more informed security accreditation decisions.
NIST SP 800-37 provides augmented, updated security certification and accreditation information to federal agencies and replaced Federal Information Processing Standard (FIPS) 102, Guidelines for Computer Security Certification and Accreditation, September 1983, when it was rescinded in February 2005.
Web Link: http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf
