What Is Certification and Accreditation

by Carl Wilson.


Certification and Accreditation is a process that ensures that systems and major applications adhere to formal and established security requirements that are well documented and authorized. Informally known as C&A, Certification and Accreditation is required by the Federal Information Security Management Act (FISMA) of 2002. All systems and applications that reside on U.S. government networks must go through a formal C&A before being put into production, and every three years thereafter. Since accreditation is the ultimate output of a C&A initiative, and a system or application cannot be accredited unless it meets specific security guidelines, clearly the goal of C&A is to force federal agencies to put into production systems and applications that are secure.

FISMA, also known as Title III of the E-Government Act (Public Law 107-347), mandates that all U.S. federal agencies develop and implement an agency-wide information security program that explains its security requirements, security policies, security controls, and risks to the agency. The requirements, policies, controls, and risks are explained formally in a collection of documents known as a Certification Package. The Certification Package consists of a review and analysis of applications, systems, or a site, basically whatever it is that the agency wants accredited. New applications and systems require accreditation before they can be put into production, and existing applications and systems require accreditation every three years.

Each agency shall develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source…

—Federal Information Security Management Act of 2002

Laws for U.S. federal departments and agencies mandate C&A; however, private organizations can also take advantage of C&A methodologies to help mitigate risks on their own information systems and networks. In fact, about 90 percent of the nation’s critical infrastructure is on private networks that are not part of any U.S. federal department or agency. The nation’s critical infrastructure includes those information technology systems that run electrical systems, chemical systems, nuclear systems, transportation systems, telecommunication systems, banking and financial systems, and agricultural and food and water supply systems, to name only a few.

The entire C&A process is really nothing more than a standardized security audit, albeit a very complete standardized security audit. Having worked in both private industry and on government networks, my experience indicates that contrary to what you read in the news, most private and public companies do not put nearly as much time, effort, and resources into documenting their security as government agencies do. All the C&A methodologies can be adopted and used by private industry. Though federal departments and agencies seem to get repeated criticisms belittling their security initiatives, it’s my experience and belief that the criticisms are largely exaggerated and that their security conscientiousness far exceeds that of private industry.

The C&A model is a methodology for demonstrating due diligence in mitigating risks and maintaining appropriate security controls. Any enterprise organization can adopt best-practice C&A methodologies. A special license is not required, and no special tools are required to make use of the model; it is simply a way of doing things related to security.

Certification refers to the preparation and review of an application’s, or system’s, security controls and capabilities for the purpose of establishing whether the design or implementation meets appropriate security requirements. Accreditation refers to the positive evaluation made on the Certification and Accreditation Package by the evaluation team. Different documents written by different federal agencies have their own definitions of certification and accreditation, and though the definitions are similar, they are each slightly different. NIST Special Publication 800-37 defines certification as:

A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

The guidance written by NIST is intended for information systems that process unclassified data, more commonly known as SBU data (Sensitive But Unclassified). The Committee on National Security Systems, chaired by the Department of Defense, defines certification in the National Information Assurance Glossary, Revision June 2006, as:

A comprehensive evaluation of the technical and nontechnical security safeguards of an IS to support the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements.

You can see that even experts among us don’t necessarily agree on a concrete definition. However, since experts in most professions typically bring their own uniqueness to the table, I don’t see the differences in definitions as being a show stopper for getting the job done. The definitions are similar enough.

An evaluation team reviews a suite of documents known as a Certification Package and makes recommendations on whether it should be accredited. The evaluation team may be referred to by different names in different agencies. You should think of the evaluators as specialized information security auditors; often they are referred to as certifying agents. Each agency may refer to their own auditors with slightly different names, so you shouldn’t get hung up on what to call these folks. The main thing to know is that each agency has their own set of auditors that have the power either to pass or fail the different elements of a Certification Package, and provide a recommendation either to accredit the package or not.

The term “Certification” can be confusing because a Certification Package does not mean that any part of the infrastructure described in the package has been certified by anyone for anything. The Certification Package itself is not, and does not, get certified. However, it does get reviewed by certifying agents. A more apropos name might have been a Security Package, but that isn’t the name our friendly federal regulators wanted to use, so we won’t be using it here.

Once a Certification Package has been evaluated, a positive accreditation indicates that a senior agency official has formally made the decision that the documented risks to the agency, assets, and individuals are acceptable. Senior agency officials employ large teams of information assurance oversight staff that go over the Certification Packages with fine-toothed combs. Accreditation does not come lightly, and occurs only after each Certification Package has undergone a scrupulous review. By accrediting an information system, the senior agency official agrees to take responsibility for the accuracy of the information in the certification package and consents to be held accountable for any security incidents that may arise related to the system. NIST Special Publication 800-37 refers to accreditation as:

The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.

And the National Information Assurance Glossary refers to accreditation as a:

Formal declaration by a Designated Accrediting Authority (DAA) that an IS is approved to operate at an acceptable level of risk, based on the implementation of an approved set of technical, managerial, and procedural safeguards.

Much of the terminology that federal agencies use in developing C&A programs and processes comes from the Office of Management and Budget (OMB) Circular A-130, Appendix III (listed in Appendix B). To view this document, go to www.syngress.com. The OMB is part of the Executive Office of the President of the United States. Aside from assisting the president with the budget, the OMB’s mission is also to create and oversee information and regulatory policies. The OMB was created in 1970, and essentially replaced the Bureau of the Budget. The fact that the OMB plays a significant regulatory role in C&A shows just how important information security has become to our national infrastructure. It also means that C&A initiatives will have a budget and are clearly a priority to the Executive Office of the President of the United States, and that’s a good thing.

Copyright © 2006 - 2012 e-articles.info.
The texts, articles and tutorials in the directory are property of their respective owners and authors.