Security Certification and Accreditation 101
Laura Taylor
6/23/2004
All federal agencies in the United States must have their IT systems and infrastructure certified and accredited. Among industry experts, this certification and accreditation process is more informally known as C&A. It is a picayune process where auditors inspect reams of security documentation on an agency's IT systems and infrastructure, and either pass them or fail them.
Background and Purpose
Title III of the E-Government Act (Public Law 107-347), entitled the Federal Information Security Management Act (FISMA), requires that all federal agencies develop and implement an agency-wide information security program designed to safeguard the IT assets and data of the respective agency. FISMA is specific in its requirements, stipulating that the information security program must include documentation and reports that clearly describe the following:
- Periodic risk assessments
- Information security policies and procedures
- An assessment of threats, including their likelihood and impact
- Policies and procedures for detecting security vulnerabilities
- Evaluation and periodic testing of how well security policies are working
- An inventory of software and hardware assets
- Security awareness training and expected rules of behavior for end-users
- An evaluation of the technical, management, and operational security controls
- Procedures for reporting and responding to security incidents
- A process for addressing any deficiencies reported
- Contingency plans to ensure continuity of operations in the face of a disaster
FISMA forces federal agencies to understand the security of their systems and holds them accountable for resolving deficiencies. The methodologies that have evolved to address FISMA stipulations are sound ones and, though only federal agencies are required to abide by them, it would behoove financial institutions to adopt these methodologies to assess the security of their own systems.
C&A Methodology
There are generally three methodologies used for C&A initiatives:
DITSCAP is an acronym for Defense Information Technology Systems Certification and Accreditation Process. It is based on a publication known as the Defense Information Systems Certification and Accreditation regulation, Department of Defense (DoD) 5200.40. DITSCAP is typically used only for defense agencies, although civilian agencies may opt to apply DITSCAP principles to their own customized C&A process.
NIACAP stands for National Information Assurance Certification and Accreditation Process. It is based on a process published as National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 1000.
NIST is the National Institute of Standards and Technology, and its C&A methodology is described in a document known as Special Publication 800-37. While many civilian agencies have traditionally used either the NIACAP or NIST methodologies, the current trend is that most agencies are moving away from NIACAP to embrace the new NIST methodology.
All three methodologies take into consideration the entire system, network, and application lifecycle from a security standpoint. In short, the C&A process is a manual audit of policies, procedures, controls, and contingency planning. While some information security reports about systems and networks can be obtained from an online penetration test, such a test cannot tell you whether an organization has security policies and procedures in place, or whether it is following them. The C&A process is much more cumbersome than a network penetration test (sometimes referred to as a security scan or online vulnerability assessment).
Preparing for C&A
The outcome of the C&A process is a collection of documents that describes the security posture of the systems, an evaluation of the risks, and recommendations for correcting deficiencies. This collection is known as a Certification Package.
A typical Certification Package consists of a minimum of half a dozen documents, though more documentation may be required if the systems contain classified information or highly sensitive data. Each agency is responsible for defining its own C&A process, and that process must be well documented in the form of a C&A Handbook. The C&A Handbook is based on one of the three well-known methodologies (NIST, DITSCAP, or NIACAP), with customizations unique to each agency. Preparing the C&A package is sometimes referred to as a C&A Review.
Once a Certification Package has been prepared, Mission Assurance auditors review the package and then decide whether or not the systems should be accredited according to the proposed recommendation. All federal agencies must obtain an Authority to Operate (ATO) before their systems can be legitimately and legally used for production purposes.
If the Certification Package does not appear to contain the right information, or if the information reported in the package is considered unacceptable (for example, if unacceptable risks are cited together with inappropriate safeguards to mitigate them), the agency may be given an Interim Authority to Operate (IATO), which allows it to operate its systems, usually for three months, while it corrects the deficiencies.
In preparing a C&A package, the documents that are typically required (according to the NIST methodology) include the following:
- System Categorization Statement
- System Description with System Boundaries Noted
- Network Diagram and Data Flows
- Software and Hardware Inventory
- Business Risk Assessment
- System Risk Assessment
- Contingency Plan
- Self-Assessment
- System Security Plan
Depending on the requirements of the particular agency, other documents or variations of these documents may also be required. NIST publishes an excellent collection of guidance documents for the C&A review that explain what information should be reported in each of the required documents.