The certification and accreditation (C&A) process has been formally implemented in U.S. military and government organizations as the Defense Information Technology Security Certification and Accreditation Process (DITSCAP) and the National Information Assurance Certification and Accreditation Process (NIACAP). Security status is measured by determining whether specified security controls are documented, implemented, tested, verified, and integrated into a cyclical audit/improvement program, and whether unacceptable risks have been identified and mitigated. Agencies should raise all assets to level 4 and, ultimately, to level 5. If a system does not reach level 4, agency officials should determine whether the system meets the criteria of OMB Memorandum M-00-07 (28 February 2000), "Incorporating and Funding Security in Information Systems Investments".

The NIACAP provides instructions for implementing NSTISSP No. 6, which requires federal departments and agencies to implement a C&A process for national security systems. The requirements of NSTISSP No. 6 apply to all U.S.
government departments, agencies, and executive bodies, and to their contractors and consultants. The National Information Assurance Certification and Accreditation Process (NIACAP) formalizes the certification and accreditation process for the U.S. government's national security information systems. NIACAP consists of four phases (definition, verification, validation, and post-accreditation) that broadly correspond to the DITSCAP phases. In addition, NIACAP defines three types of accreditation. NIACAP roles are virtually identical to DITSCAP roles. The four minimum roles required to perform a NIACAP security assessment are as follows:

During the certification and accreditation process, a system could be sent back to an earlier phase from any stage of the process, based on decisions made or findings about the system at the current phase. While this was possible, it was rare, and systems normally moved through each stage in lock-step. In addition to the shortcomings already mentioned, the C&A process contained no phase or procedure for decommissioning a system once it reached the end of its service life or was being migrated to another version or system.
Plan the security management system and create the policies that define it.

The certification and accreditation process consists of a four-phase life cycle: initiation, certification, accreditation, and continuous monitoring. Across the four phases, several roles participate in the process, and each role is responsible for performing specific tasks. As a C&A professional, you are responsible for completing your own tasks, but to accomplish them you must ensure that everyone else filling a C&A role collaborates effectively and efficiently. It is important to understand the whole process and how all the parts described in this chapter fit together in order to manage a C&A project.

Accreditation is the formal declaration by a Designated Approving Authority (DAA) that an information system is authorized to operate in a given security mode using a prescribed set of safeguards at an acceptable level of risk. Recertification and reaccreditation are required when the system and/or its environment changes, or after a defined period following accreditation. The DAA, who is not the certifier, determines the acceptable residual risk for a system and must have the authority to control the budget and operation of the systems within their area of responsibility.