Q/C&A® QUALIFIED/CERTIFICATION & ACCREDITATION
 
COURSE INFORMATION
 
Security University
CATEGORY: Information Technology
SUB-CATEGORY: Security
CLASSIFICATION: Classroom
PREREQUISITE: Contractors, government and military personnel who work on government information systems, or who have been awarded a contract to service military information systems
Class Description
This 5-day session meets the objectives set by DoD Directive 8500.1 and DoD Instruction 8500.2, under which government agencies are held accountable for protecting their information and information systems. To meet the requirements of these directives and mandates, agencies must implement key information security standards. Attend this program to gain the management skills and knowledge of the standards necessary to meet them.

Note: This class can be easily tailored to meet the certification and accreditation needs of any organization.

Who Should Attend

DoD Information Security and IT managers; Information Assurance Officers and Managers; Information Security Analysts, Consultants and Contractors; Security and Certification Officials responsible for developing C&A packages.

This course is designed for individuals who are responsible for meeting the Federal Information Security Management Act (FISMA) requirements for their agency.

What You Will Learn

Upon successful completion of the Qualified Certification & Accreditation training class, each attendee will be able to:

  • Understand the guidelines presented in, and the documentation required by, DIACAP, NIACAP, FISMA and the NIST C&A process.
  • Describe the process of identifying/defining an information system for the purpose of C&A.
  • Appreciate how compliance with the government's C&A process standards is beneficial to an organization's short- and long-term information assurance strategy.
  • Complete a certification and accreditation effort.  

The outcome of the C&A process is a collection of documents that describes the security posture of the system, evaluates its risks and recommends corrections for the deficiencies found. This collection is known as the Certification Package.

A typical Certification Package consists of at least half a dozen documents; more may be required if the system processes classified or highly sensitive information. Each agency is responsible for defining its own C&A process and documenting it in a C&A Handbook. The handbook is based on one of the three well-known methodologies (NIST SP 800-37, DITSCAP or NIACAP) with customizations specific to the agency; within DoD, DITSCAP was superseded by DIACAP (DoDI 8510.01) in 2007. Preparing the C&A package is sometimes referred to as a C&A Review.

Once the Certification Package has been prepared, the Mission Assurance auditors review it and decide whether the system should be accredited as recommended. Every federal system must obtain an Authority to Operate (ATO) before it can legitimately and legally be used for production.

If the package does not contain the right information, or if what it reports is unacceptable (for example, it cites unacceptable risks with inadequate safeguards to mitigate them), the agency may instead be given an Interim Authority to Operate (IATO), which allows the system to operate for a limited period, usually three months, while the deficiencies are corrected. An IATO is a time-limited acceptance of residual risk, not a waiver: the deficiencies that justify it are tracked in the Plan of Action and Milestones (POA&M) that accompanies the package.

In preparing a C & A package, the documents that are typically required (according to the NIST methodology) include the following:

  • System Categorization Statement
  • System Description with System Boundaries Noted
  • Network Diagram and Data Flows
  • Software and Hardware Inventory
  • Business Risk Assessment
  • System Risk Assessment
  • Contingency Plan
  • Self-Assessment
  • System Security Plan

Depending on the requirements of the particular agency, other documents or variations of these particular documents may also be required. NIST publishes an excellent collection of documents that provide guidance for the C&A review that will explain what sort of information should be reported in each of the required documents.

Levels of Certification and Starting the Review

There are typically four levels of certification for a system (the DITSCAP/NIACAP certification levels, Level 1 through Level 4); under the NIST methodology, FIPS 199 instead assigns one of three impact levels, low, moderate or high, to each of confidentiality, integrity and availability. At the beginning of a C&A project the review team decides which level it will seek and drafts a memorandum justifying that decision. The level is tightly coupled to the sensitivity of the system and to the severity of the impact that a loss of confidentiality, integrity or availability would have on the organization's mission. How to categorize the software and hardware assets appropriately is described in the following documents:

  • FIPS Publication 199 Standards for Security Categorization of Federal Information and Information Systems
  • Special Publication 800-60 Guide for Mapping Types of Information and Information Systems to Security Categories  

Business Needs / Course Goals for C&A 
Understanding Roles & Responsibilities  
Phases 1-4 of C&A (NIST SP 800-37)  
Steps 1-9 of Risk Assessment (NIST SP 800-30)  
Classification of System  
Understanding Legislation  
FISMA, SOX 404, HIPAA  
Understanding C&A in Lifecycle  
Development phase to RA and C&A  
Identifying Risk Assessment in C&A  
Boundary Accreditation in a system environment  
Identifying a system boundary  
Accreditation Decision Model  
Communicate what transpires in delivering a decision; IATO, Full Accreditation, Do Not Accredit  
FISMA Scorecard 
Positive and negative impacts  
17 Baseline Management, Operational, & Technical Policies  
Understanding policy source, relationships, procedures, controls, and testing

Guide for Developing Security Plans (NIST SP800-18) 
System Analysis  
System Boundaries  
Information sensitivity  
System Category  
Major Applications  
General Support System  
Plan Development – All Systems  
Plan Control  
System Identification and sensitivity level  
System Operational Status  
General Description/Purpose  
System Environment  
System Interconnection/Information Sharing  
Sensitivity of Information Handled  
Laws, Regulations, and Policies Affecting the System requirements for confidentiality, integrity, or availability  
Management Controls  
Operational Controls  
Documentation (Major Application example)  
Vendor-supplied documentation of hardware  
Vendor-supplied documentation of software  
Application requirements  
Application security plan  
General support system(s) security plan(s)  
Application program documentation and specifications  
Testing procedures and results  
Standard operating procedures  
Emergency procedures  
Contingency plans  
Memoranda of understanding with interfacing systems  
Disaster recovery plans  
User rules of behavior  
User manuals  
Risk assessment  
Backup procedures  
Authorize processing documents and statement  
Technical Controls  
Major Application Template  
General Support System Template

Standards for Security Categorization (FIPS 199)  
 
Determine National Security System Classification using NIST SP 800-59  
Security Category for Confidentiality, Integrity, and Availability for:  
Low Impact  
Moderate Impact  
High Impact
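The FIPS 199 categorization step above is a short, mechanical procedure that is easy to get wrong by hand, so here is an added worked example (not code from the course or from NIST) that applies it to a system processing several information types. It implements the high-water-mark rule from FIPS 199: each objective of the system takes the highest impact assigned to that objective by any of its information types, with the system floored at LOW for every objective, because N/A is permitted only for the confidentiality of an individual information type (public data) and never at system level. The information types and their provisional impact levels are constructed for illustration; real provisional levels come from NIST SP 800-60 Volume II and are then reviewed and adjusted by the system owner.

```python
"""FIPS 199 security categorization with the high-water-mark rule.

Added example, not part of the original course page. Information types and
their provisional impact levels are constructed; real provisional levels are
taken from NIST SP 800-60 Volume II and adjusted by the system owner.
"""
from typing import Dict

# FIPS 199 impact values. N/A may be assigned only to the confidentiality
# objective of an individual information type (e.g. public web content);
# a system-level security category is never below LOW for any objective.
NA, LOW, MODERATE, HIGH = "N/A", "low", "moderate", "high"
RANK = {NA: 0, LOW: 1, MODERATE: 2, HIGH: 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# SC = {(confidentiality, x), (integrity, y), (availability, z)}
SecurityCategory = Dict[str, str]


def categorize_information_type(confidentiality: str, integrity: str,
                                availability: str) -> SecurityCategory:
    """Build and validate the FIPS 199 category of one information type."""
    sc = {"confidentiality": confidentiality, "integrity": integrity,
          "availability": availability}
    for objective, level in sc.items():
        if level not in RANK:
            raise ValueError(f"{objective}: unknown impact level {level!r}")
        if level == NA and objective != "confidentiality":
            raise ValueError(f"{objective}: N/A is allowed only for confidentiality")
    return sc


def high_water_mark(*levels: str) -> str:
    """Highest impact level among the given values (FIPS 199 'high water mark')."""
    return max(levels, key=RANK.get)


def categorize_system(info_types: Dict[str, SecurityCategory]) -> SecurityCategory:
    """Per objective, take the highest impact of any information type the system
    processes; floor the result at LOW, since N/A is invalid at system level."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    system_sc: SecurityCategory = {}
    for objective in OBJECTIVES:
        hwm = high_water_mark(*(sc[objective] for sc in info_types.values()))
        system_sc[objective] = LOW if hwm == NA else hwm
    return system_sc


def overall_impact(system_sc: SecurityCategory) -> str:
    """FIPS 200 / SP 800-53: the overall impact level that selects the low,
    moderate or high control baseline is the high water mark across objectives."""
    return high_water_mark(*system_sc.values())


def format_category(sc: SecurityCategory) -> str:
    """Render in the FIPS 199 notation: SC = {(objective, IMPACT), ...}."""
    return "SC = {" + ", ".join(f"({o}, {sc[o].upper()})" for o in OBJECTIVES) + "}"


# Constructed sample: a public-facing system that also handles sensitive records.
SAMPLE_SYSTEM = {
    "public web content": categorize_information_type(NA, MODERATE, MODERATE),
    "personnel records": categorize_information_type(MODERATE, MODERATE, LOW),
    "incident reports": categorize_information_type(LOW, HIGH, LOW),
}

if __name__ == "__main__":
    for name, sc in SAMPLE_SYSTEM.items():
        print(f"{name:20s} {format_category(sc)}")
    system = categorize_system(SAMPLE_SYSTEM)
    print(f"{'system':20s} {format_category(system)}")
    print(f"{'overall impact':20s} {overall_impact(system).upper()}")
```

For the constructed sample the system categorizes as SC = {(confidentiality, MODERATE), (integrity, HIGH), (availability, MODERATE)}, so the single HIGH integrity rating of the incident-report type drives the whole system to the high baseline; that is the practical consequence of the high-water-mark rule, and the reason boundary decisions (which information types are inside the accreditation boundary) matter so much to the cost of a C&A effort.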

Selection and Specification of Security Controls (NIST SP 800-53 -> FIPS 200)  
Management Controls  
PL-1: Security Planning Policy and Procedures  
RA-1: Risk Assessment Policy and Procedures  
SA-1: System and Services Acquisition Policy and Procedures  
CA-1: Certification, Accreditation, and Security Assessments Policy and Procedures  
Operational Controls  
AT-1: Security Awareness and Training Policy and Procedures  
CM-1: Configuration Management Policy and Procedures  
CP-1: Contingency Planning Policy and Procedures  
MP-1: Media Protection Policy and Procedures  
PE-1: Physical and Environmental Protection Policy and Procedures  
SI-1: System and Information Integrity Policy and Procedures  
IR-1: Incident Response Policy and Procedures  
MA-1: System Maintenance Policy and Procedures  
PS-1: Personnel Security Policy and Procedures  
Technical Controls  
AC-1: Access Control Policy and Procedures  
AU-1: Audit and Accountability Policy and Procedures  
IA-1: Identification and Authentication Policy and Procedures  
SC-1: System and Communications Protection Policy and Procedures

Risk Assessment and Management Process (NIST SP800-30)  
Risk Assessment Program and Methodology  
Key Roles  
Senior Management.  
Chief Information Officer (CIO).  
System and Information Owners.  
Business and Functional Managers.  
ISSO and IT Security Program Managers  
IT Security Practitioners.  
Security Awareness Trainers (Security/Subject Matter Professionals)  
Assessment Tools  
Vulnerability Scanning  
Scanning & Enumeration  
War Dialing  
Wireless  
Privilege Escalation and Back Door  
Network Analyzers (sniffers)  
File Integrity Checkers  
Password Crackers  
Risk Analysis & Reporting Tools  
C&A Reporting Tools  
Risk Assessment  
Step 1 System Characterization – Operational and Processing Environment  
Step 2 Threat Identification  
Step 3 Vulnerability Identification  
Step 4 Control Analysis – Management, Operational, and Technical Controls  
Step 5 Likelihood Determination  
Step 6 Impact Analysis – Loss of Confidentiality, Integrity, and Availability  
Step 7 Risk Determination  
Step 8 Control Recommendations  
Step 9 Results Documentation – Report recommendations and documentation  
Risk Mitigation  
Evaluation and Assessment
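Steps 5 through 7 of the SP 800-30 process (likelihood, impact, risk determination) are where a risk assessment turns findings into the ranked list that feeds the POA&M. The following added example (not code from the course or from NIST) implements that computation using the sample scale published in SP 800-30 (2002) Table 3-6: likelihood rated high/medium/low as 1.0/0.5/0.1, impact rated high/medium/low as 100/50/10, and the product mapped to a risk level of High (above 50), Medium (above 10 to 50) or Low (1 to 10). The findings themselves, their existing controls and the assigned ratings are constructed for illustration; the required-action text paraphrases SP 800-30 Table 3-7.

```python
"""Risk determination per NIST SP 800-30 (2002), steps 5-7, and ranking of
findings for the POA&M. Added example, not from the course page; numeric scale
is the sample scale of SP 800-30 Table 3-6, findings are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# SP 800-30 (2002) Table 3-6 sample scale.
LIKELIHOOD = {"high": 1.0, "medium": 0.5, "low": 0.1}
IMPACT = {"high": 100, "medium": 50, "low": 10}

# SP 800-30 Table 3-7 required actions, paraphrased.
REQUIRED_ACTION = {
    "high": "corrective measures needed as soon as possible; system may have to "
            "stop operating until they are in place",
    "medium": "corrective actions needed; plan must be developed and carried out "
              "within a reasonable period",
    "low": "authorizing official decides whether to correct or to accept the risk",
}


def risk_score(likelihood: str, impact: str) -> float:
    """Step 7: risk = likelihood rating x impact magnitude (rounded so that the
    0.1 x 100 boundary case lands exactly on 10)."""
    try:
        return round(LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()], 6)
    except KeyError as exc:
        raise ValueError(f"ratings must be high, medium or low, got {exc}") from None


def risk_level(score: float) -> str:
    """SP 800-30 risk scale: High (>50 to 100), Medium (>10 to 50), Low (1 to 10)."""
    if score > 50:
        return "high"
    if score > 10:
        return "medium"
    return "low"


@dataclass(frozen=True)
class Finding:
    threat_source: str      # step 2, threat identification
    vulnerability: str      # step 3, vulnerability identification
    existing_controls: str  # step 4, control analysis
    likelihood: str         # step 5, likelihood determination
    impact: str             # step 6, impact analysis

    @property
    def score(self) -> float:
        return risk_score(self.likelihood, self.impact)

    @property
    def level(self) -> str:
        return risk_level(self.score)


def rank_findings(findings: List[Finding]) -> List[Finding]:
    """Highest risk first, so the POA&M addresses the worst items first."""
    return sorted(findings, key=lambda f: f.score, reverse=True)


def risk_summary(findings: List[Finding]) -> Dict[str, int]:
    """Count of findings at each risk level, as reported in step 9."""
    summary = {"high": 0, "medium": 0, "low": 0}
    for finding in findings:
        summary[finding.level] += 1
    return summary


# Constructed findings for a hypothetical moderate-impact general support system.
SAMPLE_FINDINGS = [
    Finding("external attacker", "unpatched web server, vendor fix available",
            "perimeter firewall only", "high", "high"),
    Finding("malicious insider", "shared administrator password on database",
            "quarterly audit log review", "medium", "high"),
    Finding("environmental", "no UPS on development LAN",
            "none", "low", "medium"),
    Finding("external attacker", "SSH exposed to the Internet",
            "account lockout, key-based authentication only", "low", "high"),
]

if __name__ == "__main__":
    for f in rank_findings(SAMPLE_FINDINGS):
        print(f"{f.level.upper():6s} {f.score:6.1f}  {f.vulnerability}")
        print(f"       action: {REQUIRED_ACTION[f.level]}")
    print(risk_summary(SAMPLE_FINDINGS))
```

Note the boundary behaviour worth checking in any home-grown scale: a low-likelihood, high-impact finding scores exactly 10 and is therefore Low, not Medium, and a medium-likelihood, high-impact finding scores 50 and is Medium, not High. Those are the published SP 800-30 results, and they are why the likelihood rating (which depends on the existing controls examined in step 4) must be justified in the report rather than left to the assessor's intuition.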

Guide for Mapping Types of Information and Information Systems to Security Categories (NIST SP 800-60)  
Security Categorization of Information and Information Systems  
Security Categories and Objectives (Contents from FIPS 199)  
Impact Assessment (Contents from FIPS 199)  
Assignment of Impact Levels and Security Categorization  
Mapping Information Types to Security Controls and Impact Levels  
Information Type Identification  
Selection of Provisional Impact Levels  
Review and Adjustment and Finalization of Information Impact Levels  
Guidelines for System Security Categorization  
Guidelines for Assignment of Impact Levels to Mission-based Information  
Impact levels by type for the management and support information  
Management and Support Information and Information System Impact Levels  
Rationale and Factors for Services Delivery Support Information  
Rationale and Factors for Government Resource Management Information  
Impact Determination for Mission-based Information and Information Systems  
Legislative and Executive Sources establishing Sensitivity/criticality 
 
NIST Certification and Accreditation Process (NIST SP800-37)  
NIST SP800-37 C&A Process Overview  
Defining the Accreditation Package  
C&A Process Phases  
Initiation Phase  
Security Certification Phase  
Security Accreditation Phase  
Continuous Monitoring Phase  
Security Certification Package  
Updated System Security Plan  
Completed Security Risk Assessment  
Updated Configuration Management Plan  
Contingency Management Plans  
Security Test & Evaluation Report  
User Manual with Security Features User's Guide (SFUG)  
Interconnection Security Agreements  
Memorandums of Agreement  
Completed Privacy Impact Assessment  
Federal Register System of Record Notice  
Plan of Action and Milestones (POA&M)  
Security Accreditation Package  
Security Assessment Report  
Security Accreditation Decision Letter  
System Security Plan  
Plan of Action & Milestones (POA&M)  
Initiation Phase  
Preparation  
1-1 System Description (ISO, ISSO)  
1-2 Security Categorization Verification (ISO, ISSO)  
1-3 Risk Assessment Review (ISO, ISSO)  
Notification & Resource Identification  
2-1 Notification of C&A Support (ISO, ISSO)  
2-2 Planning & Resource Identification (CA)  
Security Program Documentation Analysis, Update & Acceptance  
3-1 Security Categorization Validation (CA)  
3-2 Security Program Documentation Analysis (CA)  
3-3 Security Program Documentation Update (ISO, ISSO)  
3-4 Acceptance of Security Program Documentation (ISO, ISSO)  
Security Certification Phase

Security Control Verification & Validation  
4-1 Documentation & Supporting Materials  
4-2 Reuse of Assessment Results  
4-3 C&A Methods & Procedures  
4-4 C&A Security Assessment  
4-5 Prepare Final Assessment Report  
Security Certification Documentation  
5-1 Certification Findings & Recommendations  
5-2 Security Documentation Update  
5-3 Plan of Action & Milestone Preparation  
5-4 Security Accreditation Package  
Security Accreditation Phase  
Security Accreditation Decision  
6-1 Final Risk Determination  
6-2 Residual Risk Acceptance  
Security Accreditation Documentation  
7-1 Security Accreditation Package Transmission  
7-2 C&A Documents and Plans Update  
Continuous Monitoring Phase  
Configuration & Change Management Control  
8-1 Documentation of Information System Changes  
8-2 Security Impact Analysis  
Ongoing Security Control Monitoring  
9-1 Security Control Selection  
9-2 Security Control Monitoring  
Status Reporting and Updating Security Program Documentation  
10-1 Security Program Documentation Update  
Status Reporting  
NIST SP800-37 C&A Process Summary

The most sensitive systems, those on which lives depend, seek certification at the highest level (Level 4 under DITSCAP/NIACAP, corresponding to High impact under FIPS 199). Systems that are not sensitive seek the lowest level (Level 1, or Low impact). Moderately sensitive systems typically undergo a Level 2 or Level 3 review (Moderate impact under FIPS 199).

It is important to determine the appropriate level before the review starts, because the auditors will not accredit a system that has been categorized incorrectly, and it is the system owner's responsibility to understand the levels and their implications. The amount of evidence the Mission Assurance auditors require in the package grows with the level sought. Determining the level of certification and accreditation to seek is therefore the first step in getting a C&A project off the ground.

 
Prerequisites 
Basic computer literacy.

CLASSES
Course code: QIAP003

Location            Start Date     End Date       Price
Reston, Virginia    Sep 20, 2010   Sep 24, 2010   $2,995.00
Reston, Virginia    Oct 25, 2010   Oct 29, 2010   $2,995.00
Reston, Virginia    Nov 29, 2010   Dec 3, 2010    $2,995.00

DURATION: 5 Days
PRICE: $2,995.00
GSA PRICE: $2,845.25 (limited to groups of 3 or more)