At the time of this writing, there is a group of industry experts that are working on transforming much of NIST's guidance used for information security management, including certification and accreditation, into documentation that fits better for private industry. NIST publishes excellent guidance on information security management, though it is directed at federal agencies. Although the C&A methodologies they describe can be adopted by anyone, private industry will more readily familiarize themselves with this guidance once the term "federal agency" has been replaced by "enterprise."
Any organization that processes sensitive information should have a methodology for evaluating and accrediting the security of its systems. To protect individuals from having their medical information exposed, Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996. Sarbanes-Oxley became law in July of 2002 to regulate accounting practices and standards of publicly traded companies. Although accounting may seem like just a financial matter, keep in mind that integrity of information can be ensured only by strict security controls. Therefore, Sarbanes-Oxley has become an information technology problem.

Sarbanes-Oxley and HIPAA were passed to hold certain covered entities accountable for the security of their systems, but what these regulations lack are standardized methodologies. A law is one thing, and a standardized process or methodology for complying with the law is quite another. FISMA, HIPAA, and Sarbanes-Oxley are merely laws. What has evolved out of FISMA, and has not yet evolved out of HIPAA and Sarbanes-Oxley, is that standardized certification and accreditation processes now exist that enable FISMA compliance. HIPAA and Sarbanes-Oxley both need standardized certification and accreditation processes. The way that HIPAA and Sarbanes-Oxley are complied with today depends on who you ask—all organizations are attempting to comply with HIPAA and Sarbanes-Oxley differently, according to whatever way they know how. While attempting to comply with these laws is meritorious, trying to apply oversight to the compliance process will be difficult until standardized C&A processes that are unique to each law evolve.
Certification and Accreditation processes formally evaluate the security of an information system, determine the risk of operating the information system, and then either accept or not accept that risk. There are generally four different methodologies for performing C&A: NIACAP, NIST, DITSCAP, and DCID 6/3. These different methodologies were developed for four different audiences within the federal community: national security systems, nonnational security information systems, defense agency information systems, and information systems operated by the intelligence community. Despite the different nuances in these methodologies, they all have the goal of accomplishing the same task of certifying and accrediting information systems, and as such, there are many similarities between them. Although none of these models was developed for the private sector, laws such as Sarbanes-Oxley, HIPAA, and others hold certain private sector enterprises responsible for maintaining basic levels of information security. Therefore, drawing from these four models to develop private sector C&A processes can help businesses achieve compliance with these laws.
Notes

1. National Information Assurance Certification and Accreditation Process (NIACAP). NSTISSI No. 1000. National Security Telecommunications and Information Systems Security Committee (www.cnss.gov/Assets/pdf/nstissi_1000.pdf).
2. R. Ross, M. Swanson, G. Stoneburner, S. Katzke, and A. Johnson. Guide for the Security Certification and Accreditation of Federal Information Systems. NIST Special Publication 800-37. National Institute of Standards and Technology, May 2004 (http://csrc.nist.gov/publications/nistpubs/800-37/SP800-37-final.pdf).
3. Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP) Application Manual. DoD 8510.1-M. United States Department of Defense, July 31, 2000 (www.dtic.mil/whs/directives/corres/pdf/85101m_0700/p85101m.pdf).
4. Executive Order 12958. The White House Office of the Press Secretary, April 17, 1995 (www.fas.org/sgp/clinton/eo12958.html).
5. DCIDs: Director of Central Intelligence Directives. Federation of American Scientists Intelligence Resource Program, updated August 28, 2006 (www.fas.org/irp/offdocs/dcid.htm).
6. According to its Web site, "The Federation of American Scientists is a non-profit, tax-exempt, 501c3 organization founded in 1945 as the Federation of Atomic Scientists. FAS is the oldest organization dedicated to ending the worldwide arms race and avoiding the use of nuclear weapons for any purpose."
Chapter 3
Understanding the Certification and Accreditation Process

"You say it as you understand it."
—Johann Friedrich von Schiller, famous German dramatist and poet

Topics in this chapter:
■ Recognizing the Need for C&A
■ Roles and Responsibilities
■ Stepping through the Process
The Certification and Accreditation (C&A) process begins when an information system owner recognizes that either an application, system, group of systems, or site requires Accreditation. The information system owner might be an IT operations director, an IT operations manager, a security officer, or an application development manager. When the need for C&A is recognized, it is time to put in motion a plan to carry out and oversee the C&A process.
Recognizing the Need for C&A
All general support systems and major applications are required by FISMA and the Office of Management and Budget (OMB) Circular A-130, Appendix III (see Appendix B) to be fully certified and accredited before they are put into production. Production systems and major applications are required to be reaccredited every three years. Going forward we will refer to systems that require C&A (e.g., general support systems and major applications) simply as information systems.
One of the primary objectives of C&A is to force the authorizing official to understand the risks an information system poses to agency operations. Only after understanding the risks can an authorizing official ensure that the information system has received adequate attention to mitigate unacceptable risks. Evaluating risk and documenting the results is something that should be incorporated throughout a system or application's system development lifecycle. NIST has defined the system development lifecycle to consist of five phases:
begin the C&A of new systems and applications is while they are still in development. It is easiest to design security into a system that has not yet been built. When new information systems are being proposed and designed, part of the development should include discussions on "What do we need to do to ensure that this information system can be certified and accredited?" After a new application is built and ready to be implemented is not the time to figure out if it will withstand a comprehensive certification review.
Legacy systems that are already in their operational phase are harder to certify and accredit because it is altogether possible that they were put into production with little to no security taken into consideration. In putting together the Certification Package for a legacy system, it may be discovered that adequate security controls have not been put into place. If it becomes clear that adequate security controls have not been put into place, the C&A project leader may decide to temporarily put on hold the development of the Certification Package while adequate security controls are developed and implemented. It makes little sense to spend the resources to develop a Certification Package that recommends that an information system not be accredited. However, coming to an understanding that an information system has not been properly prepared for accreditation is precisely one reason why C&A exists—it is a process that enables authorizing officials to discover the security truths about their infrastructure so that informed decisions can be made.
Roles and Responsibilities
C&A involves a lot of different people all working together on different tasks. There are the folks who develop the C&A program, the folks who prepare Certification Packages, the folks who are held accountable for the Certification Packages, the agency auditors who evaluate the Certification Packages prior to accreditation, and the federal inspectors who audit the agency to make sure that they are doing C&A the right way.
Chief Information Officer
The agency Chief Information Officer (CIO) is the most obvious person held accountable for a successful information security program and C&A program. It is the CIO's responsibility to make sure that an information security program, including a C&A program, exists and is implemented. However, most agency CIOs don't play a hands-on role in developing these programs. Usually the CIO will delegate the development of these programs to the Senior Agency Information Security Officer. However, delegating the program development does not mean that the CIO does not need to understand the process. If the CIO does not understand all the elements of a successful C&A program there is little chance that the CIO will be able to hold the Senior Agency Information Security Officer responsible for developing a complete program. Without understanding the particulars of what a program should include, the CIO will not know if the Senior Agency Information Security Officer has left anything out.
A piece of C&A that cannot be overlooked is the need for the CIO to develop a budget for C&A. C&A is very time intensive, and a typical C&A takes on average six months to do a thorough job, replete with all the required information. The CIO works together with the authorizing official to ensure that there is enough of a budget to staff the resources necessary to put together the certification program. If CIOs do not budget for C&A, C&A may not get done. The CIO enables C&A to take place by fully understanding the federal budgetary process as documented in a publication put out by the White House known as Circular No. A-11 Part 7, Planning, Budgeting, Acquisition, and Management of Capital Assets. This publication is currently available at www.whitehouse.gov/omb/circulars/a11/2002/part7.pdf.

A-11 Part 7 references other budgetary guidelines that the CIO should also become familiar with, including one known as OMB Exhibit 300. OMB Exhibit 300 is currently available at www.cio.gov/archive/S300_05_draft_0430.pdf.
It is ultimately the CIO that is likely to be held responsible and accountable if the agency receives a poor grade on the annual Federal Computer Security Report Card. One of the responsibilities of the CIO is to care about the annual Federal Computer Security Report Card grade. If an agency receives a failing grade, then clearly there is something wrong with either the C&A program itself, or how the program is implemented. If an agency receives a top score on the annual Federal Computer Security Report Card, then as far as C&A goes, the process is being worked the right way. As the Federal Computer Security Report Cards get more and more public attention each year, a poor score on the report card can be a career-limiting experience for any agency CIO.

I will discuss the Federal Computer Security Report Cards more in Chapter 23.
Authorizing Official
The authorizing official is a generic term for a senior management official within an agency who authorizes operations of an information system, declaring that the risks associated with it are acceptable. It is unlikely that any person would hold the title of "authorizing official," hence I am not punctuating it here with capital letters. There may be multiple authorizing officials within each agency, all responsible for their own designated areas. In many agencies, the authorizing official is referred to as the Designated Accrediting Authority (DAA).
The authorizing official usually has budgetary responsibilities for ensuring that a certain amount of resources are set aside for overseeing the C&A process. Usually the agency CIO reports to the authorizing official. However, in large agencies, where some bureau CIOs report to the agency CIO, it can be the case that a CIO is the authorizing official. In other cases the authorizing official may be the Commissioner or an Assistant Commissioner. If the authorizing official and CIO are two different people, they must work together to make sure that an adequate budget has been set aside for C&A.
The authorizing official should, according to National Institute of Standards and Technology Special Publication 800-37 (May 2004), be an employee of the U.S. government and cannot be a contractor or consultant. However, the authorizing official may designate a representative to carry out the various tasks related to C&A, and the designated representative can be a contractor or consultant. However, the final security accreditation decision and its accompanying accreditation decision letter must be owned and signed by the U.S. government employee that is the authorizing official.
Trang 9Senior Agency Information Security Officer
The Senior Agency Information Security Officer (SAISO) is the person that the CIO holds accountable to oversee all of the agency's information security initiatives. The SAISO is akin to a Chief Information Security Officer
in private industry It’s possible that CIOs may perform this role themselves,
in which case there wouldn’t be a separate individual holding these
The SAISO provides management oversight to the Certification Agent and works with him or her to ensure that the C&A process is well thought out, and includes all the necessary documentation and guidance. The SAISO appoints the Certification Agent and holds them accountable for performing their duties. It is very important for the SAISO to choose their Certification Agent(s) carefully because they will need to rely on their accreditation recommendations.
The SAISO may wish to review all the Certification Packages that are processed within the agency; however, as a practical matter, it is next to impossible to do this. In most agencies, there are far too many Certification Packages for one individual to review and validate. Due to this very reason, the SAISO employs a Certification Agent (or agents) to read packages, perform evaluations, write recommendations, and produce a document called a Security Assessment Report. The Security Assessment Report is basically an evaluation summary and should justify and support the recommendation on whether or not to accredit the package. The Security Assessment Report should have all the information that the SAISO needs to justify signing the accreditation letter, and escalate the recommendation upward to the authorizing official as to whether or not they should sign the accreditation letter.
Senior Agency Privacy Official
Each agency is supposed to have a Senior Agency Privacy Official. For a large agency, a Senior Agency Privacy Official might be a full time job. However, for a small agency, it's possible that the responsibilities of this official may be performed by the CIO, the CIO's staff, or the SAISO. The person in this role could hold the title of Chief Privacy Officer—he or she does not necessarily have to be called the Senior Agency Privacy Official. What's most important is that someone is designated to perform the duties of safeguarding confidential and private information.
Certification Agent/Evaluation Team
The Certification Agent reviews the Certification Packages, making recommendations as to whether they warrant a positive Accreditation or not. Essentially, Certification Agents act as an auditor. They comb through the unwieldy Certification Packages looking for missing information and information that doesn't make sense. Their goal is to determine if the package is in compliance with the agency's documented C&A Handbook, process, security policies, and the information system's security requirements. In some agencies, there are so many packages to evaluate that the Certification Agent is comprised of an evaluation team. The team may have a departmental name such as Mission Assurance, Information Assurance, or Compliance. The organizational name is for the most part irrelevant as it could be different from agency to agency.
After reviewing the C&A packages, the Certification Agent, or evaluation team, makes recommendations to the internal accrediting authorities—the SAISO and authorizing official—on whether a package should be accredited. In most cases, the SAISO and authorizing official accept the recommendation of the Certification Agent, and sign the accreditation letter based solely on the recommendation of the Certification Agent. Along with the recommendation, the Certification Agent also produces and includes the Security Assessment Report. The Security Assessment Report should justify the recommendation. I will talk more about the Security Assessment Report in Chapter 21.
When the Certification Agent is a team of people, they usually split up the different tasks that need to be accomplished in order to expedite the process. For example, one person might evaluate packages for the General Support Systems, another person might evaluate packages for Major Applications, another person might create and update templates, and another person might update the handbook.
The Certification Agent is also responsible for developing the internal C&A process, and all the documentation that describes this process—the handbook and the templates. The documentation that the Certification Agent develops for evaluating the packages consists of checklists and score cards. The checklists and score cards should be consistent with the templates and the handbook. The checklists help the Certification Agent write the Security Assessment Report.
It is possible that the Certification Agent and the Senior Agency Information Security Officer may be the same person since some small agencies may not have the internal resources to have two different staff members assigned to these roles. If the Certification Agent and SAISO are one and the same person, then the Certification Agent makes the accreditation recommendation to the authorizing official. The Certification Agent does not make the final decision on whether a C&A package should be accredited—he or she makes recommendations only on whether or not the package should be accredited.

In order to demonstrate objectivity, it is often the case that the evaluation team consists of outside consultants. FISMA, § 3545 states:

Each year each agency shall have performed an independent evaluation of the information security program and practices of that agency to determine the effectiveness of such program and practices.

If an agency decides to use its own staff, it should be sure that there is a clear separation of duties between the evaluators and the organizations that are presenting the C&A packages for evaluation.
Business Owner
The business owner is a generic reference to the information system owner, and it is likely that there are no employees of the agency with the title "information system owner," which is why I am not capitalizing the terminology here. The information system owner could be a Program Manager, an Application Manager, an IT Director, or an Engineering Director for example. In short, it is the person who is responsible for the development and operations of the information system.
The information system owner is the one who typically gets the ball rolling for a new C&A project. Information system owners need to ensure that their information system is fully accredited before being put into production. Once an information system is in production, it needs to be recertified and accredited every three years.

It is the information system owner's responsibility to appoint someone to be the Information System Security Officer for the system requiring C&A.
System Owner
The system owner is the person responsible for administering the systems that the C&A application runs on. A system owner can be one lone systems administrator, or a systems department. In a large distributed application, it is possible that the different systems that are a piece of the application infrastructure have different system owners. When a large distributed application has different system owners, sometimes the different system owners can be in different geographic locations or different buildings.
All C&A packages, whether it is a package for a Major Application, or the General Support Services infrastructure that the application runs on, should specify who the system owner is. The system owners are the folks who provide the systems support. The system owner should be indicated in the Asset Inventory. The contact information for the system owners should be indicated in the Contingency Plan and the Business Impact Assessment.
Information Owner
The information owner is the person who owns the data. The information owner is concerned about the integrity of the data, and communicates with the system owner about issues related to the security controls of the system or databases that the data resides on. The person, or department, that owns the data is not always the same as the system owner, though it could be. In many cases, the system owner maintains the data for the information owner. The information owner is often someone who reports to the business owner and could be a database manager, or an application manager. It is possible that in some organizations the information owner and the business owner are the same person.

It is possible that the data on the system slated for C&A falls under a different jurisdiction than that of the system owner. It is also possible that the information owner and the system owner are one and the same person. Sometimes databases may be administered and managed by someone that has expert credentials in the area. If the system owner and information owner are not one and the same person, this should be noted in the Certification Package in the Asset Inventory.
Information System Security Officer
The Information System Security Officer (ISSO) is responsible for managing the security of the information system that is slated for C&A. The ISSO ensures that the information system's configuration is in compliance with the agency's information security policy. All the certification package documents are prepared either by the ISSO, or for the ISSO, by staff or contractors. Typically ISSOs have a large plate of responsibilities and they likely will need to augment their staff with contractors to prepare a Certification Package expeditiously. It is not uncommon for one ISSO to be responsible for the preparation of half a dozen C&A packages. Since one C&A package could easily take a year for a well-versed security expert to prepare, it is considered standard and acceptable for ISSOs to hire consultants from outside the agency to prepare the Certification Package. It also improves the objectivity of the Certification Package to have it prepared by third-party individuals that are not part of the agency's own staff.

Once a Certification Package is complete, the ISSO presents it to an evaluation team who then proceeds to validate the findings. The evaluation team is an extension of the certifying agent. If the certifying agent does not appoint or assemble an evaluation team, the certifying agent should be prepared to evaluate the Certification Package and make a recommendation on whether to issue a positive Accreditation.
C&A Preparers
The C&A preparers, sometimes referred to as the C&A review team, prepare the Certification Packages for submission to the evaluation team. In many cases, the C&A preparers are outside consultants. The C&A preparers can also be a mixed team of outside consultants and internal agency staff.

The C&A preparers work for the information system owner, but usually under the direction of the Information System Security Officer. When it comes to putting together the Certification Package, it is the C&A preparers that perform the bulk of the work. The C&A preparers need to have an expert background in information security with a breadth of understanding of the various facets of security architecture, information Confidentiality, information Integrity, information Availability, security policies, and FISMA regulations.
Agency Inspectors
To prepare for visits from the GAO, all agencies, and some bureaus, have their own inspectors that come on site to agency offices to periodically assess if proper FISMA compliance is taking place. In most cases, the agency inspectors are not required to give much advance notification and their visits can take place without warning. The agency internal inspectors come from the agency Office of Inspector General (OIG). Many agency OIG offices have their own Web sites, and you can read more about the different responsibilities of the OIG there. A short list of a few OIG Web sites is listed in Table 3.1.
Table 3.1 Agency OIG Web Sites
The goal of the agency OIG is to catch any problems and resolve them so that they do not show up as deficiencies on GAO reports. The OIG offices have their own investigation and review process and different OIG offices may perform their audits in different ways. OIG offices that are more vigilant in their audit and review process are more likely to prevent the agency from being cited as deficient by GAO inspectors.
GAO Inspectors
Oversight auditors from the GAO visit federal agencies on an annual basis, and review accredited Certification Packages to make sure that they have been accredited properly. The GAO also reviews the agency's C&A process to determine if it is acceptable. If the GAO discovers that Certification Packages were inappropriately accredited, or if the agency's C&A process is deficient in any way, the findings will be documented and the agency will receive poor grades on the annual Federal Computer Security Report Card. The Federal Computer Security Report Card is published each year by the U.S. House Committee on Government Reform.
Levels of Audit
Taking into consideration the evaluation team, the OIG inspectors, and the GAO inspectors, you can see that the FISMA process undergoes rigorous levels of audit (see Figure 3.1). Usually there are no less than three levels of audit. Some agencies may even have an additional level of audit. After the evaluation team reviews the Certification Package, it is possible that another internal compliance organization may review the Certification Package again to see if the evaluation team did their job correctly. The original evaluation team and an ancillary compliance team may not in fact agree on whether a Certification Package should be accredited, and often the two internal audit organizations will have to have numerous discussions among themselves to come to an agreement on the final Accreditation recommendation.

Having so many levels of audit can in fact seem like overkill; however, the agencies that seem to indulge in these audit redundancies, and separation of duties, often fare the best on the Federal Computer Security Report Card.
Figure 3.1 FISMA Levels of Audit for Reviewing the Certification Package (figure not reproduced; the levels shown, from outermost to innermost, are GAO Inspectors, OIG Inspectors, Certifying Agent, Evaluation Team, and the Certification Package itself)
Stepping through the Process
As you recall from Chapter 2, there are four high-level phases to the C&A process. To get from one phase to another, a lot of stuff happens along the way. Let me help you understand how to get from one phase to the next.
The Initiation Phase
The Initiation Phase is usually informally managed by the information system owner and the ISSO. Although all information system owners should be aware of the fact that FISMA requires new information systems to be positively accredited, this may not be at the forefront of their minds. Therefore, it is altogether likely that the ISSO may bring the need for C&A to the attention of the information system owner. Whether the need for C&A is initiated by the information system owner, or the ISSO, some sort of acknowledgment between these two individuals that a C&A needs to take place should occur. The acknowledgment does not have to be formal, or even written. A simple hallway conversation can suffice as long as both parties come to agree that it's time to get a C&A project started.
During the Initiation Phase, the information system owner and the ISSO should agree on what resources to use for the C&A preparation team. Decisions need to be made on whether to hire outside contractors, or use in-house staff. Since C&A, if done properly, is usually a much bigger job than most people realize, I cannot emphasize enough the value in using outside consultants. Putting together a Certification Package is a full-time job and usually the results will be insufficient if the government office tries to double-up its existing staff to perform C&A duties in conjunction with their existing daily routine.

In outsourcing the preparation of a Certification Package to outside consultants, it is important for the ISSO to ensure that he or she is hiring capable individuals with the appropriate expertise. The ISSO should ask numerous questions of a potential contract company and its staff before enlisting the Contracting Officer's Technical Representative (COTR) to close an agreement. Questions that may assist an ISSO in determining the expert C&A capabilities of potential consultants might be:
■ For what other agencies have you performed C&A?
■ Do you have a track record in obtaining positive Accreditations?
■ Can you name the C&A documents that you are experienced in preparing?
■ Will you be able to make numerous trips on site to meet with our staff?
■ Can you provide resumes for the available consultants?
■ Do you have a description of your C&A preparation services?
■ Can you provide references from other agencies?
Not all C&A consulting services are the same. One clear indication that a contracting company does not fully understand C&A is if they list only a few document types in their C&A service description. Some companies claim to understand C&A, but for example, will list that their C&A service consists of a Self-Assessment and a Vulnerability Assessment (which of course is only part of the picture). You really want to hire consultants that understand the entire ball of wax and can develop all the documents required for C&A.
It will only slow down and complicate the process if you hire, say, one company to develop part of the deliverables and another company to develop the other part. When it comes to C&A, finding a contracting company that offers one-stop-shopping is really the most efficient way to go. One good way to find out how well a candidate contracting company understands C&A is to ask them for a project proposal with milestones built into it. By comparing different project proposals side-by-side, it should become clear which of the candidate contracting companies offer the best expertise.
Last but not least, before preparing a Certification Package, the ISSO should have some understanding of whether or not the proposed Certification Package will result in a positive accreditation. If the ISSO knows up front that proper security controls have not been put into place, that security is improperly configured, and that security policies have not been adhered to, it is better to fix these problems before beginning the C&A process. This does not mean that C&A is optional. What I am suggesting is that if you know of weaknesses that require correction, start correcting them immediately. Don't wait for C&A time to come along before making the necessary corrections.
NIST advises that the Information System Security Plan be analyzed during the initiation phase. Although there is nothing theoretically wrong with this approach, it is often the case that for a new information system, a System Security Plan does not yet exist. In putting together the Certification Package, it is a more likely scenario that the System Security Plan will be either written for the first time, or revised and updated during the Certification Phase. During a recertification of a package that has been previously accredited, an old System Security Plan would of course already exist.
C&A Best Practices…
Initiation Phase Milestones
During the initiation phase, you should be asking these questions:
completed?
The Certification Phase
The Certification Phase is the time period in which the Certification Package is prepared. It is during this phase that the C&A preparers (or review team) gather all the supporting evidence and documentation, and develop the new documents required for the Certification Package.
If the proposed C&A is for a brand new information system, no prior Certification Package will exist. If the C&A is for an older information system, a prior Certification Package should exist and be available for review. New C&As are required every three years. Certification for an information system that previously has been accredited is referred to as a “recertification.” Recertifications require the same suite of documents that new Certification Packages require. When working on a recertification, the prior Certification Package should be reviewed thoroughly to ensure that all risks previously cited in the old Certification Package have been mitigated.
The C&A review team will need to come on site to the agency’s office to be available to interview the information system’s development and management team. It is critical for the C&A review team to learn as much about the information system as possible and ask as many questions as necessary. The information system owner should advise his or her development staff to accommodate the C&A review team and provide them with as much information as possible about the design and configuration of the system slated for C&A.
C&A review teams may consist of anywhere from a few people, up to a dozen or more depending on the complexity of the information system slated for C&A. What should determine the number of individuals on the C&A team is the scope of the project, and the timeframe of the project. As you increase the scope, and decrease the timeframe, the need for a bigger C&A review team increases. Most C&A review teams require at least three months minimum to assemble an adequate Certification Package. It would not be out of the question, however, for a C&A review team to take six months to prepare a Certification Package for a large and complex infrastructure.
C&A Best Practices…
Certification Phase Milestones
The Accreditation Phase
The Accreditation Phase begins when the Certification Package has been completed. The evaluation team reads through the Certification Package in its entirety, and validates if the findings are accurate, and if all the required information is present. A Certification Package can easily be in excess of 500 pages. At least two to four weeks should be allotted for the Accreditation Phase.
Most evaluation teams will have already prepared checklists of particular criteria they expect to find in the Certification Package before they actually begin the evaluation. In Chapter 21 I will discuss what these checklists typically look like.
If a Certification Package passes muster with the evaluators, a recommendation will be made that the package be positively accredited. The Certifying Agent will review the recommendation, and as long as it appears justified, will sign a formal letter of Accreditation. The accreditation letter will also need to be signed by the ISSO, the information owner, the authorizing official, and then will be sent to the CIO. The CIO is supposed to acknowledge receipt of the letter by signing it.
C&A Best Practices…
Accreditation Milestones
The Continuous Monitoring Phase
Once an information system has been accredited, it should be continuously monitored. Configuration management changes should be an on-going and well-managed process with approval mechanisms built in. Dates of changes and versions of code changes should all be documented. Security controls should also be monitored and any changes made to them should be documented. If firewall policies are changed, the changes and reasons for the changes should be documented. If intrusion detection configuration changes are made, they should be fully described and the reasons for the changes should be documented.
It is often the case that not nearly enough time is put into the Continuous Monitoring Phase, since once a positive Accreditation has been made, most ISSOs and information system owners tend to breathe a sigh of relief and seem to like to put the entire C&A process behind them. Putting together a Certification Package and obtaining an Accreditation is a daunting task and doing more of it, after the job is done, is not usually high on anyone’s agenda after the fact. However, keeping the documents up to date will make any future recertifications much easier. Unless the information system is decommissioned, it in fact will need to be recertified in three years.
The documents that are a part of the Certification Package are considered live documents, and can be updated at any time. It is best to update the documents as soon as changes are made to the information systems since that is when the new information is most fresh in everyone’s mind. Updating documentation never seems to be high on the list of important tasks to complete, and for that reason, I recommend that updating Certification Package documents be built into the change management process. Each time a document is updated, it should be reviewed and approved through the change control process and then archived both locally and at an offsite location.
C&A Best Practices…
Continuous Monitoring Milestones
The certification and accreditation process consists of a four-phase life cycle: initiation, certification, accreditation, and continuous monitoring. Throughout all four phases there are several roles participating in the process, and each role is responsible for the execution of specific tasks. As a C&A professional you are responsible for the execution of your tasks, but in order to accomplish them, you must ensure that all other individuals filling C&A roles are working together effectively and efficiently as well. It is critical to understand the overall process, and how all the pieces described in this chapter fit together in order to manage a C&A project.
Chapter 4
Establishing a C&A Program
“A bad beginning makes a bad ending.”
—Euripides
Topics in this chapter:
■ C&A Handbook Development
■ Template Development
■ Provide Package Delivery Instructions
■ Create an Evaluation Process
■ Authority and Endorsement
■ Improve Your C&A Program Each Year
■ Problems of Not Having a C&A Program
If your agency or bureau doesn’t already have an information security program established, chances are that it hasn’t scored well on the annual Federal Computer Security Report Card. Since FISMA isn’t going to go away, and senior executives will be held accountable for obtaining acceptable Federal Computer Security Report Card scores, now is the time to start putting into place an information security program. The C&A program is just a piece of the greater information security program, albeit a big piece. The information security program includes the whole ball of wax—security policies, procedures, requirements, C&A guidelines, and all the documentation that goes with it. The C&A program is a well-thought-out process with documentation to support it. It explains how C&A will be done within the agency.
If your agency already has information security and C&A programs in place, now might be a good time to start thinking about how you can improve your program. Once a C&A program has been developed, an astute agency will find the need to update and revise the program each year. The more your C&A program is used, the better it will become.
The C&A program developers are often the same folks who are part of the agency evaluation team—however, they don’t have to be. There are no federal restrictions on which people within the agency can participate in developing the C&A program. The agency itself, however, may set their own policies on who is responsible for development of the C&A program. Since developing the program is a big job, whoever manages the project to develop the program should reign in participants throughout the agency to help build and document the program. To ensure a separation of duties and enforce objectivity, some agencies may opt to, or be required to, hire outside consultants or contractors to help develop their C&A program.
C&A Handbook Development
In developing the program, you’ll need to write a C&A Handbook that instructs your agency or bureau on how to prepare a Certification Package. The idea is to standardize the development of all Certification Packages that are submitted for evaluation. Without a handbook and a specified process, the Certification Packages will have a different look and feel. If 50 different Certification Packages all have the right information in them, but in different formats, it is going to be very difficult for the evaluators to find the information. If the packages have different types of information in them, it is going to be very hard for the evaluators to review the packages according to the same standards.
Writing the handbook is a big job. A good handbook is likely to be around 200 pages long. The handbook has to include very specific information on what your agency evaluators need to see in every Certification Package. It should instruct the folks preparing the Certification Packages on what documents they will be required to submit, and what should be included in each document. The best way to ensure that each document includes the right kind of information is to create templates.
What to Include in Your Handbook
Each agency’s handbook will be somewhat different and take on slightly different organizational formats. However, it is highly advisable that all handbooks include sections in the following areas:
■ Background, purpose, scope
■ Regulatory citations (FISMA; FIPS 199; OMB Circular A-130
Appendix III)
■ Reference to associated internal security policies
■ System lifecycle information
■ An overview of the process
■ Roles and responsibilities
■ Definition and explanation of Certification Levels
■ Information on the required Certification Package documents
■ How to define security requirements
■ How to understand accreditation boundaries
■ Threat and risk assessment guidelines
■ Security controls