Research Paper Undergraduate 1,275 words Human Written

Certification and Accreditation of Pontius


Certification and Accreditation (C&A)

Certification and accreditation is the process of assessing an information system in order to determine whether the system meets the security requirements appropriate to its particular mission function and to the sensitivity of the information it handles. Certification itself is performed once development of the information system is complete, but C&A activities continue throughout the life cycle of the information system, and they also support the risk management process.

The chart below gives an overview of the Certification and Accreditation process. The process is carried out in four phases: Initiation, Certification, Accreditation and finally Continuous Monitoring. Each phase is then broken down into the activities and the supporting documents it requires: the System Security Plan (SSP), the Security Assessment Report (SAR), the Plan of Action & Milestones (POA&M) and the Accreditation Letter (AL). The flowchart shows, for each of the four phases, the roles involved: the System Owner, the Certification Team and the Designated Approving Authority (DAA). The phases are color coded: Initiation is red, Certification is yellow, Accreditation is green and Continuous Monitoring is blue.

Initiation is the phase in which the System Owner starts preparing for the certification activities. This involves preparing the needed documentation, notifying the agency officials that the new system is ready for C&A, and making sure that the SSP is up to date.

Certification is the phase in which a certification team comprehensively evaluates the information system's technical and non-technical security functions and other measures to establish the extent to which the system meets the specified security requirements. After the information system has passed certification, the System Owner prepares the accreditation package, which consists of the SAR, the POA&M and the updated SSP.

Accreditation is the phase in which the System Owner submits the accreditation package to the Designated Approving Authority (DAA), who decides whether or not operation of the system will be authorized. The DAA records the decision in a letter and transmits it back to the System Owner along with the accreditation package. The System Owner may then deploy the system into production or, if the authorization to operate was withheld, make the further modifications required to obtain it.

Continuous monitoring is the final phase and takes place after the information system receives its authority to operate. In it the System Owner monitors and tracks changes to the information system's security controls over time. Reaccreditation must be carried out when a significant change to the information system occurs, and in any case every three years.

If a significant change needs to be tested by the certification team, the system may also require recertification. Reaccreditation may also be required when a newly assigned authorizing official is posted to the information system. The certification and accreditation process as it applies to System Owners / Administrators, ISSOs, DAAs and the Certification Team is shown in the Section 3 diagram of the flow chart. The first phase (initiation) is described in the next section.
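The continuous monitoring phase described above amounts to keeping a baseline of the security controls recorded in the SSP, comparing the running system against that baseline, and deciding whether a change, the passage of time, or a newly assigned authorizing official triggers reaccreditation. The following Python is an added example written for this page; it is not code from the paper or from any PONTIUS system. The control identifiers and their settings, the three-year interval as implemented, and in particular the set of controls treated as "significant" are constructed assumptions, since the paper does not define which changes count as significant.

```python
import hashlib
import json
from datetime import date, timedelta

# Constructed sample: the control settings recorded in the SSP at accreditation time.
# Control identifiers and values are illustrative, not taken from the paper.
BASELINE_CONTROLS = {
    "AC-2": {"account_review_days": 90},
    "IA-2": {"mfa_required": True},
    "SC-8": {"tls_min_version": "1.2"},
    "AU-2": {"audit_events": ["login", "privilege_use", "config_change"]},
    "CM-6": {"config_baseline": "gold-2010.03"},
}

# Constructed sample: the same controls as observed on the running system later.
# SC-8 has been weakened (TLS floor lowered) and AU-2 has lost one audited event.
CURRENT_CONTROLS = {
    **BASELINE_CONTROLS,
    "SC-8": {"tls_min_version": "1.0"},
    "AU-2": {"audit_events": ["login", "privilege_use"]},
}

# Assumption: a change to any of these controls is treated as "significant" and
# therefore forces reaccreditation; other drift is tracked in the POA&M but does
# not, by itself, trigger it.
SIGNIFICANT_CONTROLS = {"AC-2", "IA-2", "SC-8"}

# Assumption: the paper's "every three years" rule, approximated as 3 * 365 days.
REACCREDITATION_INTERVAL = timedelta(days=3 * 365)


def control_fingerprint(controls):
    """SHA-256 over a canonical JSON encoding, so two snapshots with the same
    settings (in any key order) yield the same hash and can be compared cheaply."""
    canonical = json.dumps(controls, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def diff_controls(baseline, current):
    """Map control id -> (baseline setting, current setting) for every control
    whose setting differs, including controls added to or removed from the system."""
    changes = {}
    for cid in set(baseline) | set(current):
        old, new = baseline.get(cid), current.get(cid)
        if old != new:
            changes[cid] = (old, new)
    return changes


def reaccreditation_decision(baseline, current, ato_date, today, daa_changed=False):
    """Apply the three triggers named in the paper: a significant control change,
    three years since the authorization to operate, or a newly assigned DAA.
    Dates are ISO strings (YYYY-MM-DD)."""
    changes = diff_controls(baseline, current)
    significant = sorted(cid for cid in changes if cid in SIGNIFICANT_CONTROLS)
    reasons = []
    if significant:
        reasons.append("significant change: " + ", ".join(significant))
    if date.fromisoformat(today) - date.fromisoformat(ato_date) >= REACCREDITATION_INTERVAL:
        reasons.append("accreditation older than three years")
    if daa_changed:
        reasons.append("newly assigned authorizing official")
    return {
        "baseline_hash": control_fingerprint(baseline),
        "current_hash": control_fingerprint(current),
        "changed_controls": sorted(changes),
        "significant_changes": significant,
        "reaccredit": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    decision = reaccreditation_decision(
        BASELINE_CONTROLS, CURRENT_CONTROLS, ato_date="2010-03-03", today="2011-01-10"
    )
    print(json.dumps(decision, indent=2))
```

The fingerprint is what a scheduled monitoring job would compare first: if it matches the hash recorded with the SSP, nothing has drifted. Only when it differs is the per-control diff worth computing, and the decision function then separates drift that belongs in the POA&M from drift that sends the system back to the DAA.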

Initiation

The purpose of the initiation phase is to ensure that the security needs and requirements of the information system are well documented and accepted by the DAA and the CISO before formal certification begins. Most of the information required is gathered during the first risk assessment of the information system. During the initiation phase the System Owner reviews the SSP to ensure that it is complete and up to date.

The SSP gives an overview of the security requirements for the information system and describes the security controls that are in place to meet those requirements. The contents of the SSP vary according to the security categorization of the system, and the security categorizations are defined in terms of the level of effort needed for certification.

Three security categorization levels exist. The first table defines the three main security categorizations and the degree of certification effort each requires; the second table shows the SSP sections required for systems in each security categorization. When the initiation phase comes to an end, the certification phase commences.

Certification

In this phase the certification team evaluates the entire information system in order to determine whether the security requirements have been satisfied.

They then identify any deficiencies or vulnerabilities. Correcting those deficiencies or vulnerabilities that are severe enough to prevent system operation from being approved is the responsibility of the System Owner.

System Security Plan. The SSP must reflect the current status of the system. If the security controls of the system are modified as a result of the certification evaluation, the System Owner updates the SSP to reflect these modifications.

Security Assessment Report. This is the report compiled by the certification team detailing the security evaluation and the extent to which the information system, as designed, satisfies the security requirements.

Plan of Action and Milestones. This is a description of all the measures, implemented or planned, that correct the deficiencies and reduce or eliminate the vulnerabilities. The System Owner documents the deficiencies and vulnerabilities identified by the certification team. For deficiencies or vulnerabilities that are not severe enough to require an immediate fix, the System Owner documents the corrective action that is planned for completion once the evaluated system has received a temporary authorization to operate from the DAA.

When the certification phase ends, the System Owner is ready to send the accreditation package to the DAA, and the accreditation phase begins.

Accreditation

The purpose of the accreditation phase is to determine whether the information system satisfies the security requirements sufficiently for it to be allowed to operate. The System Owner transmits the accreditation package to the DAA. When the DAA receives the security accreditation package, he or she evaluates the status of the system and makes a decision. The DAA.

Citation: "Certification And Accreditation Of Pontius" (2010, March 03). Retrieved April 22, 2026, from https://www.paperdue.com/essay/certification-and-accreditation-of-pontius-293
