Certification and Accreditation C - PowerPoint PPT Presentation
Provided by: NFC
Slides: 13

Transcript and Presenter's Notes

1
Certification and Accreditation (CA)
  • USDA
  • National Finance Center

2
What is Certification?
  • Provides a comprehensive evaluation of technical
    and non-technical features of an information
    system
  • Establishes the extent to which a particular
    design and implementation meets a set of
    specified security requirements
  • Provides proof of compliance with security
    requirements
  • Leads to accreditation

3
What is Accreditation?
  • Formal declaration by the designated approving
    authority (DAA)
  • An information system is approved to operate
    using a prescribed set of safeguards
  • Based on the implementation of an approved set of
    technical, managerial, and procedural safeguards
  • Approval is granted to operate the system with
    the identified risk
  • Upon accreditation, the DAA formally accepts full
    responsibility for the security of the system

4
Requirements for CA
  • Federal requirements
  • Office of Management and Budget (OMB) Circular
    A-130, Appendix III
  • NIST Special Publication (SP) 800-37 (Draft),
    Guidelines for Certification and Accreditation
    of Federal Information Technology Systems
  • FIPS 102, Guidelines for Computer Security
    Certification and Accreditation
  • National Information Assurance Certification and
    Accreditation Process (NIACAP)
  • Federal Information Security Management Act
    (FISMA)

5
Purpose of CA
  • Establishes a uniform, standards-based policy for
    the CA of USDA information systems
  • Provides a disciplined approach to managing
    information security consistent with processes
    used throughout the Federal Government and
    private sector
  • Integrates security into the USDA business cycle
  • Uses a life cycle management approach to help
    Program Managers implement CA
  • Identifies roles and responsibilities for CA

6
CA Benefits
  • Standard operating environment through
    utilization of baseline security requirements
  • Clearly defined system boundaries
  • Documented security plans
  • Defined contingency plans
  • Established configuration management processes
  • Heightened information security awareness
  • Validated security controls
  • Measured levels of risk based on identified
    threats and vulnerabilities
  • Formal approvals to operate
  • FISMA compliance

7
When is CA Conducted?
  • New systems must integrate CA requirements into
    all phases of the system development life cycle
  • Existing systems must be certified and accredited
    by July 1, 2004
  • After initial certification, CA must be
    conducted:
      • Every three years, OR
      • When a major change to the system occurs

8
CA Process (Phase 1)
  • Determine security categorization based on
    required levels of confidentiality, integrity,
    and availability of data as high, medium, or low
  • Define the scope of the CA (assess all system
    documentation for security requirements)
  • Identify security controls: technical,
    operational, and managerial
      • Security Controls Compliance Matrix
  • Create/review system security plan
  • Conduct/review risk assessment

9
CA Process (Phase 2)
  • Conduct independent Security Testing and
    Evaluation (STE) according to the Security
    Controls Compliance Matrix
  • Update the risk assessment to address new or
    changed risks and assess total residual risk
  • Update the system security plan to identify and
    schedule cost-effective countermeasures to
    remediate risk areas
  • Document certification findings
  • Accreditation decision based on residual risk

10
Key Documentation for Testing
  • System Security Plan
  • Risk Assessment
  • Security Features User's Guide
  • Trusted Facility Manual
  • Contingency Plan
  • Configuration Management Plan
  • Privacy Impact Assessment

11
Accreditation Decision
  • Full accreditation: the DAA finds residual risk
    low enough to accept responsibility for the
    system
  • Interim authority to operate: the DAA is
    willing to accept responsibility for a limited
    time while security measures are installed or
    upgraded
  • Accreditation denied: the DAA is unwilling to
    accept responsibility for the system in its
    current state based on excessive residual risk

12
NFC CA Schedule
  • Currently performing risk assessments of all
    applications and the General Support Systems
  • Full Phase 1 documentation scheduled for
    completion prior to 6/15/2004
  • Compliance Matrices scheduled for completion by
    4/21/2004
  • Completion of STE and post testing documents
    resulting in accreditation decisions by 9/1/2004
  • Progress reported to OCIO and GAO quarterly