Module 9 - 3 Accreditation

The security certification and accreditation process consists of four phases: initiation, security certification, security accreditation, and continuous monitoring. Each phase has defined tasks to assess security controls, identify vulnerabilities, make risk-based decisions about system security, and continuously monitor the system to ensure controls continue to function properly over time.


THE SECURITY CERTIFICATION AND ACCREDITATION PROCESS

INTRODUCTION

The security certification and accreditation process consists
of four distinct phases:
(i) an Initiation Phase
(ii) a Security Certification Phase
(iii) a Security Accreditation Phase
(iv) a Continuous Monitoring Phase.
Each phase consists of a set of well-defined tasks and
subtasks that are to be carried out by responsible
individuals such as:
 The chief information officer,
 Authorizing official,
 Authorizing official’s designated representative,
 Senior agency information security officer,
 Information system owner,
 Information owner,
 Information system security officer,
 Certification agent, and user representatives.
SECURITY CERTIFICATION AND ACCREDITATION PROCESS
INITIATION PHASE
The Initiation Phase consists of three tasks:
(i) preparation;
(ii) notification and resource identification;
(iii) system security plan analysis, update, and acceptance.
PURPOSE OF THE PHASE:
To ensure that the authorizing official and senior agency
information security officer are in agreement with the contents of
the system security plan, including the system’s documented
security requirements, before the certification agent begins the
assessment of the security controls in the information system.
OBJECTIVE
Preparation:
To prepare documents by reviewing the system security plan and confirming that the
contents of the plan are consistent with an initial assessment of risk.
Notification and resource identification:
(i) To provide notification to all concerned agency officials
(ii) To determine the resources needed to carry out the effort
(iii) To prepare a plan of execution for the certification and accreditation activities
indicating the proposed schedule and key milestones.
System security plan analysis, update, and acceptance:
(i) To obtain an independent analysis of the system security plan
(ii) To update the system security plan as needed based on the
results of the independent analysis
(iii) To obtain acceptance of the system security plan by the
authorizing official and senior agency information
security officer prior to conducting an assessment of the
security controls in the information system.
SECURITY CERTIFICATION PHASE
THE SECURITY CERTIFICATION PHASE CONSISTS OF
TWO TASKS:
(i) security control assessment;
(ii) security certification documentation.
PURPOSE OF THE PHASE:
 To determine the extent to which the security controls in the information system
are implemented correctly, operating as intended, and producing the desired outcome
with respect to meeting the security requirements for the system.
 This phase also addresses specific actions taken or planned to correct deficiencies
in the security controls and to reduce or eliminate known vulnerabilities in the
information system.
OBJECTIVE
Security control assessment:
(i) To prepare for the assessment of the security controls in the
information system
(ii) To conduct the assessment of the security controls
(iii) To document the results of the assessment.
 Preparation for security assessment involves gathering appropriate
planning and supporting materials, system requirements and design
documentation, security control implementation evidence, and
results from previous security assessments, security reviews, or
audits.
 Preparation also involves developing specific methods and
procedures to assess the security controls in the information system.
Security certification documentation:
(i) To provide the certification findings and recommendations to
the information system owner
(ii) To update the system security plan as needed
(iii) To prepare the plan of action and milestones
(iv) To assemble the accreditation package.
 The completion of this task concludes the security certification
phase.
SECURITY ACCREDITATION PHASE
THE SECURITY ACCREDITATION PHASE CONSISTS
OF TWO TASKS:
(i) security accreditation decision;
(ii) security accreditation documentation.
PURPOSE OF THE PHASE:
 To determine whether the remaining known vulnerabilities in
the information system (after the implementation of an
agreed-upon set of security controls) exhibit an acceptable
level of risk to agency operations, agency assets, or
individuals.
OBJECTIVE
Security accreditation decision:
(i) To determine the risk to agency operations, agency assets, or
individuals
(ii) To determine if the agency-level risk is acceptable.
Security accreditation documentation:
(i) To transmit the final security accreditation package to the
appropriate individuals and organizations.
(ii) To update the system security plan with the latest information
from the accreditation decision.
The completion of this task concludes the security accreditation
phase of the security certification and accreditation process.
CONTINUOUS MONITORING PHASE
THE CONTINUOUS MONITORING PHASE CONSISTS OF
THREE TASKS:
(i) configuration management and control;
(ii) security control monitoring;
(iii) status reporting and documentation.
PURPOSE OF THE PHASE:
 To provide oversight and monitoring of the security controls in
the information system on an ongoing basis and to inform the
authorizing official when changes occur that may affect
the security of the system.
OBJECTIVE
Configuration management and control:
(i) To document the proposed or actual changes to the information
system
(ii) To determine the impact of proposed or actual changes on the
security of the system.
Documenting information system changes and assessing the potential
impact on the security of the system on an ongoing basis is an
essential aspect of maintaining the security accreditation.
Security control monitoring:
(i) To select an appropriate set of security controls in the
information system to be monitored
(ii) To assess the designated controls using methods and procedures
selected by the information system owner.
 The continuous monitoring of security controls helps to identify
potential security-related problems in the information system that
are not identified during the security impact analysis conducted
as part of the configuration management and control process.
Status reporting and documentation:
(i) To update the system security plan to reflect the proposed or
actual changes to the information system
(ii) To update the plan of action and milestones based on the
activities carried out during the continuous monitoring phase
(iii) To report the security status of the information system to the
authorizing official and senior agency information security
officer.
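The three continuous monitoring tasks above (configuration management and control, security control monitoring, status reporting and documentation) are usually implemented as one workflow: changes are recorded, a security impact analysis maps each change to the controls it may affect, those controls are reassessed, failed controls open plan of action and milestones (POA&M) items, and the result is summarised for the authorizing official and senior agency information security officer. The following is an added example written for this page, not code from the original slides; the control identifiers, the change-to-control impact rules, the system name and the assessment outcomes are all constructed for illustration.

```python
"""Added example (not from the original slides): a small model of the
Continuous Monitoring Phase.  Control ids, the impact rules and the
sample change requests are constructed placeholders."""

from dataclasses import dataclass, field

# Constructed control catalog: control id -> what the control covers.
CONTROLS = {
    "C-ACCT": "account management",
    "C-CFG": "baseline configuration",
    "C-AUDIT": "audit logging",
    "C-BOUND": "boundary protection",
}

# Constructed security impact analysis rules: kind of change -> controls
# whose effectiveness that kind of change can affect.
IMPACT_MAP = {
    "firewall-rule": {"C-BOUND", "C-CFG"},
    "new-admin-account": {"C-ACCT", "C-AUDIT"},
    "os-patch": {"C-CFG"},
}


@dataclass
class Change:
    change_id: str
    kind: str
    description: str


@dataclass
class POAMItem:
    control_id: str
    weakness: str
    milestone: str          # constructed free-text milestone
    status: str = "open"


@dataclass
class SystemSecurityPlan:
    system_name: str
    changes: list = field(default_factory=list)
    poam: list = field(default_factory=list)
    last_results: dict = field(default_factory=dict)  # control id -> outcome

    def record_change(self, change):
        """Configuration management and control, task (i): document the change."""
        self.changes.append(change)

    def security_impact_analysis(self, change):
        """Task (ii): which documented controls may this change affect?"""
        return sorted(IMPACT_MAP.get(change.kind, set()) & set(CONTROLS))

    def select_controls_to_monitor(self):
        """Security control monitoring, task (i): controls touched by any
        recorded change plus controls with an open POA&M item."""
        selected = set()
        for change in self.changes:
            selected |= set(self.security_impact_analysis(change))
        selected |= {item.control_id for item in self.poam if item.status == "open"}
        return sorted(selected)

    def assess(self, results):
        """Task (ii): record assessment outcomes.  A control found other than
        satisfied opens a POA&M item (once); a satisfied control closes its items."""
        for control_id, outcome in results.items():
            self.last_results[control_id] = outcome
            open_for_control = [i for i in self.poam
                                if i.control_id == control_id and i.status == "open"]
            if outcome == "other-than-satisfied" and not open_for_control:
                self.poam.append(POAMItem(
                    control_id,
                    f"{CONTROLS[control_id]} control failed reassessment",
                    "next quarterly review"))
            elif outcome == "satisfied":
                for item in open_for_control:
                    item.status = "closed"

    def status_report(self):
        """Status reporting and documentation: summary for the authorizing
        official and senior agency information security officer."""
        open_items = [i for i in self.poam if i.status == "open"]
        return {
            "system": self.system_name,
            "changes_documented": len(self.changes),
            "controls_monitored": self.select_controls_to_monitor(),
            "open_poam_items": [(i.control_id, i.weakness) for i in open_items],
            "accreditation_at_risk": bool(open_items),
        }


def run_example():
    """One monitoring cycle over constructed change requests and outcomes."""
    ssp = SystemSecurityPlan("payroll-system")  # constructed system name
    ssp.record_change(Change("CR-001", "firewall-rule", "allow TCP/8443 from partner network"))
    ssp.record_change(Change("CR-002", "new-admin-account", "add on-call administrator account"))
    ssp.assess({"C-BOUND": "satisfied", "C-CFG": "satisfied",
                "C-ACCT": "other-than-satisfied", "C-AUDIT": "satisfied"})
    return ssp.status_report()


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

The report deliberately flags the accreditation as "at risk" whenever any POA&M item is open, because the accreditation decision in the previous phase was made on the assumption that the agreed set of controls is in place; a control that no longer satisfies its requirement is exactly the change the authorizing official must be told about.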
