Intranet Journal
The online resource for intranet professionals


Security Certification and Accreditation 101


Laura Taylor

6/23/2004

All federal agencies in the United States must have their IT systems and infrastructure certified and accredited. Among industry experts, this certification and accreditation process is more informally known as C&A. It is a picayune process where auditors inspect reams of security documentation on an agency's IT systems and infrastructure, and either pass them or fail them.

Background and Purpose

Title III of the E-Government Act (Public Law 107-347), entitled the Federal Information Security Management Act (FISMA), requires that all federal agencies develop and implement an agency-wide information security program designed to safeguard the IT assets and data of the respective agency. FISMA is specific in its requirements, and it stipulates that the information security program must include documentation and reports that clearly describe the following:

FISMA forces federal agencies to understand the security of their systems and holds them accountable for resolving deficiencies. The methodologies that have evolved to address FISMA stipulations are sound ones and, though only federal agencies are required to abide by them, it would behoove financial institutions to adopt these methodologies to assess the security of their own systems.

C&A Methodology

There are generally three methodologies used for C&A initiatives:

DITSCAP is an acronym for Defense Information Technology Systems Certification and Accreditation Process. It is based on a publication known as Defense Information Systems Certification and Accreditation regulation Department of Defense (DoD) 5200.40. DITSCAP is typically used only for defense agencies, although civilian agencies may opt to apply DITSCAP principles to their own customized C&A process.

NIACAP stands for National Information Assurance Certification and Accreditation Process. It is based on a process published by the National Security Telecommunications and Information System Security Instruction known as NSTISSI No. 1000.

NIST is the National Institute of Standards and Technology, and its C&A methodology is described in a document known as Special Publication 800-37. While many civilian agencies have traditionally used either the NIACAP or NIST methodologies, the current trend is that most agencies are moving away from NIACAP to embrace the new NIST methodology.

All three methodologies take into consideration the entire system, network, and application lifecycle from a security standpoint. In short, the C&A process is a manual audit of policies, procedures, controls, and contingency planning. While some information security reports can be obtained about systems and networks from an online penetration test, an online penetration test cannot tell you if an organization has security policies and procedures in place, and if they are following these policies and procedures. The C&A process is much more cumbersome than a network penetration test (sometimes referred to as a security scan or online vulnerability assessment).

Preparing for C&A

The outcome of the C&A process is a collection of documents that describe the security posture of the systems, an evaluation of the risks, and recommendations for correcting deficiencies. This collection is what's known as a Certification Package.

A typical Certification Package usually consists of a minimum of half a dozen documents, though more documentation may be required if the systems contain classified information or highly sensitive data. Each agency is responsible for defining its own C&A process, and that process must be well-documented in the form of a C&A Handbook. The C&A Handbook is based on one of the three well-known methodologies (NIST, DITSCAP, or NIACAP) with various customizations that are unique to each particular agency. Preparing the C&A package is sometimes referred to as a C&A Review.

Once a Certification Package has been prepared, Mission Assurance auditors review the package and then decide whether or not the systems should be accredited according to the proposed recommendation. All federal agencies must obtain an Authority to Operate (ATO) before their systems can be legitimately and legally used for production purposes.

If the Certification Package does not appear to contain the right information, or if the information reported in the package is considered unacceptable (for example, if unacceptable risks are cited along with inappropriate safeguards to mitigate them), the agency may be given an Interim Authority to Operate (IATO), which allows it to operate its systems, usually for three months, while it corrects the deficiencies.

In preparing a C&A package, the documents that are typically required (according to the NIST methodology) include the following:

Depending on the requirements of the particular agency, other documents or variations of these particular documents may also be required. NIST publishes an excellent collection of documents that provide guidance for the C&A review that will explain what sort of information should be reported in each of the required documents.

Levels of Certification and Starting the Review

There are typically four levels of accreditation for a system. At the beginning of a C&A project, the C&A review team decides which accreditation level it is going to seek, and drafts a memorandum that justifies this decision. The four levels of accreditation are tightly mapped to the sensitivity of the systems being certified and to the severity of the impact that a disaster would have on the systems or information. How to categorize the software and hardware assets appropriately is described in the following documents: