Understanding C&A Phases, Requirements and Strategy

Overview
As more and more organizations share information electronically over the internet, it has become increasingly critical that organizations develop, implement, and monitor security programs for their IT systems. This white paper provides an overview of the work involved in performing a comprehensive Certification & Accreditation (C&A) for a major application or general support system. First, we must understand what transpires during the four phases of the C&A process and how it ensures the security of the protected system. Second, we must address the development of managerial, operational, and technical security requirements for the system, which establish the basis for the C&A tasks. Third, we must craft an effective strategy for performing C&A which maximizes security while minimizing the resources consumed.

The Certification and Accreditation (C&A) Process
In NIST SP 800-37, the National Institute of Standards and Technology (NIST) has identified and developed principles, practices, and guidelines for developing and managing a C&A process, consisting of four phases:
  • Initiation Phase
  • Security Certification Phase
  • Security Accreditation Phase
  • Continuous Monitoring Phase
Regardless of where the protected system is in its life cycle, all four phases are addressed in every system accreditation. In this way, the accrediting authority can be assured that the managerial, technical, and operational security controls work as intended and there is a high degree of confidence that the information processed, stored, and transmitted by the system is protected.

Requirements
Addressing the development of managerial, operational, and technical security requirements for the protected system establishes the basis for the C&A tasks. Assembled at the same point in the system development lifecycle as the functional requirements, the security requirements are an extension of the system’s functional requirements.
System identification ensures that a full and accurate description of the protected system is generated, including such elements as system name, responsible organization, contact information, responsible individuals, status, and the system's operating environment. An important part of system identification is the boundary definition, because it defines the extent of the protected system. Fuzzy boundary definitions leave fuzzy security barriers, which are weaker than well-defined ones.
The core of effective security is the development of baseline security requirements (BLSR), because security controls are measured against these requirements. Usually assembled into a matrix format, the extent of the requirements depends on the criticality of the system. In any case, NIST SP 800-53, Recommended Security Controls for Federal Information Systems, provides a good starting point for the initial set of minimal security requirements.

Summary
An effective C&A, in addition to making the system more secure, also enables the agency to secure additional funding to mitigate any shortcomings or weaknesses found during the C&A. The real value of the C&A is not in the documents of the accreditation package but rather in the analysis that goes into developing the package. C&A activities require a comprehensive evaluation of the risks, in-place and planned controls, vulnerabilities, and threats, which means taking a good, hard look at the system.

Strategy
Strategy for performing a C&A begins by identifying resources, roles & responsibilities, and tasks to be performed during each phase. The strategy also includes an evaluation of the automated tools available to augment the manual analytical process. The successful approach includes a judicious mix of manual process and automated tools, supported by past efforts and guidance from standards organizations.
A key parameter for the C&A is the security category of the system which in turn dictates the certification level. The certification level prescribes the thoroughness of the C&A effort and therefore the cost involved. The process for determining a system’s security category is described in FIPS 199, augmented with guidance from NIST SP 800-59 and NIST SP 800-60.
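As an added illustration of the FIPS 199 categorization step the paragraph above refers to (example code written for this page, not part of the original white paper), the script below derives a system's security category from the information types it handles: for each of the three security objectives the system takes the highest impact assigned to any in-scope information type, and the single overall impact level is the high-water mark across the three objectives, which is what FIPS 200 uses to select the SP 800-53 control baseline. The payroll information types and their ratings are constructed sample data; in practice the per-type ratings would come from the NIST SP 800-60 provisional impact levels. The `boundary` parameter is an assumption added to tie the categorization to the system boundary discussed under Requirements.

```python
"""
Added example (not from the white paper): FIPS 199 security categorization
of a system from the information types inside its accreditation boundary.
"""
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential-impact values, ordered so max() gives the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed sample data for a hypothetical payroll system. In practice the
# per-type ratings come from NIST SP 800-60 provisional impact levels, adjusted
# by the agency for its own mission and environment.
SAMPLE_INFO_TYPES = {
    "employee_pii": {
        "confidentiality": Impact.MODERATE, "integrity": Impact.MODERATE, "availability": Impact.LOW},
    "payment_instructions": {
        "confidentiality": Impact.MODERATE, "integrity": Impact.HIGH, "availability": Impact.MODERATE},
    "public_holiday_calendar": {
        "confidentiality": Impact.LOW, "integrity": Impact.LOW, "availability": Impact.LOW},
}


def system_security_category(info_types, boundary=None):
    """Aggregate per-objective impact across the information types inside the
    accreditation boundary. FIPS 199 sets the system's value for each objective
    to the highest value assigned to any information type the system processes,
    stores or transmits.

    `boundary` (assumed parameter) is an optional set of information-type names
    that are in scope. Names that do not exist in `info_types` raise, so a loosely
    defined boundary fails loudly instead of silently dropping data from the result.
    """
    if boundary is None:
        boundary = set(info_types)
    unknown = set(boundary) - set(info_types)
    if unknown:
        raise ValueError(f"boundary names unknown information types: {sorted(unknown)}")
    if not boundary:
        raise ValueError("no information types in the accreditation boundary")
    in_scope = [info_types[name] for name in boundary]
    for ratings in in_scope:
        missing = [obj for obj in OBJECTIVES if obj not in ratings]
        if missing:
            raise ValueError(f"information type is missing ratings for {missing}")
    return {obj: max(ratings[obj] for ratings in in_scope) for obj in OBJECTIVES}


def overall_impact_level(category):
    """Single impact level for the whole system: the high-water mark across the
    three objectives (FIPS 200), which selects the SP 800-53 control baseline."""
    return max(category[obj] for obj in OBJECTIVES)


def format_security_category(category):
    """Render the category in the SC = {(objective, impact), ...} notation of FIPS 199."""
    pairs = ", ".join(f"({obj}, {category[obj].name})" for obj in OBJECTIVES)
    return "SC = {" + pairs + "}"


if __name__ == "__main__":
    sc = system_security_category(SAMPLE_INFO_TYPES)
    print(format_security_category(sc))
    print("overall impact level:", overall_impact_level(sc).name)
    # Narrowing the boundary to the public calendar alone drops the system to LOW,
    # which is why the boundary definition has to be settled before categorization.
    sc_public = system_security_category(SAMPLE_INFO_TYPES, boundary={"public_holiday_calendar"})
    print("public-calendar subset:", overall_impact_level(sc_public).name)
```

Run as a script it prints the full category for the sample system (HIGH overall, driven by the integrity rating of payment instructions) and then the LOW result for the narrowed boundary; the contrast shows how much the certification level, and therefore the cost of the C&A, hinges on where the boundary is drawn.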
The documents in the C&A package detail all the activities that occurred during the first three phases of the C&A process and collectively provide, in one place, all of the critical information needed by the authorizing official to make an informed risk-based accreditation decision.

Copyright 2009 by JD Biggs & Associates Inc.