C&A: CERTIFICATION AND ACCREDITATION SECURITY PROCESS (DITSCAP / NIACAP / NIST 800)

THE NEED FOR SECURITY CERTIFICATION AND ACCREDITATION
The E-Government Act (Public Law
107-347) passed by the one hundred and seventh Congress and signed
into law by the President in December 2002 recognized the importance
of information security to the economic and national security
interests of the United States. Title III of the E-Government Act,
entitled the Federal Information Security Management Act (FISMA),
requires each federal agency to develop, document, and implement an
agency-wide information security program to provide information
security for the information and information systems that support the
operations and assets of the agency, including those provided or
managed by another agency, contractor, or other source. The
information security program must include:
- Periodic assessments of risk,
including the magnitude of harm that could result from the
unauthorized access, use, disclosure, disruption, modification, or
destruction of information and information systems that support the
operations and assets of the agency;
- Policies and procedures that are
based on risk assessments, cost-effectively reduce information
security risks to an acceptable level, and ensure that information
security is addressed throughout the life cycle of each agency
information system;
- Subordinate plans for providing
adequate information security for networks, facilities, information
systems, or groups of information systems, as appropriate;
- Security awareness training to
inform personnel (including contractors and other users of
information systems that support the operations and assets of the
agency) of the information security risks associated with their
activities and their responsibilities in complying with agency
policies and procedures designed to reduce these risks;
- Periodic testing and evaluation of
the effectiveness of information security policies, procedures,
practices, and security controls to be performed with a frequency
depending on risk, but no less than annually;
- A process for planning,
implementing, evaluating, and documenting remedial actions to
address any deficiencies in the information security policies,
procedures, and practices of the agency;
- Procedures for detecting, reporting,
and responding to security incidents; and
- Plans and procedures to ensure
continuity of operations for information systems that support the
operations and assets of the agency.
FISMA, the Paperwork Reduction Act of
1995, and the Information Technology Management Reform Act of 1996
(Clinger-Cohen Act), explicitly emphasize a risk-based policy for
cost-effective security. In support of and reinforcing this
legislation, the Office of Management and Budget (OMB) through
Circular A-130, Appendix III, Security of Federal Automated
Information Resources, requires executive agencies within the federal
government to:
- Plan for security;
- Ensure that appropriate officials
are assigned security responsibility;
- Review the security controls in
their information systems; and
- Authorize system processing prior to
operations and periodically thereafter.
These management responsibilities
presume that responsible agency officials understand the risks and
other factors that could adversely affect their missions. Moreover,
these officials must understand the current status of their security
programs and the security controls planned or in place to protect
their information and information systems in order to make informed
judgments and investments that appropriately mitigate risk to an
acceptable level. The ultimate objective is to conduct the day-to-day
operations of the agency and to accomplish the agency’s stated
missions with what OMB Circular A-130, Appendix III, defines as
adequate security, or security commensurate with risk, including the
magnitude of harm resulting from the unauthorized access, use,
disclosure, disruption, modification, or destruction of information.
Security accreditation is the official
management decision given by a senior agency official to authorize
operation of an information system and to explicitly accept the risk
to agency operations, agency assets, or individuals based on the
implementation of an agreed-upon set of security controls. The senior
agency official should have the authority to oversee the budget and
business operations of the information system. Required by OMB
Circular A-130, Appendix III, security accreditation provides a form
of quality control and challenges managers and technical staffs at all
levels to implement the most effective security controls possible in
an information system, given mission requirements, technical
constraints, operational constraints, and cost/schedule constraints.
By accrediting an information system, an agency official accepts
responsibility for the security of the system and is fully accountable
for any adverse impacts to the agency if a breach of security occurs.
Thus, responsibility and accountability are core principles that
characterize security accreditation.
The assessment of risk and the
development of system security plans are two important activities in
an agency’s information security program that directly support
security accreditation and are required by FISMA and OMB Circular
A-130, Appendix III. Risk assessments influence the development of the
security controls for information systems and generate much of the
information needed for the associated system security plans. Risk
assessments can be accomplished in a variety of ways depending on the
specific needs of the agency. Some agencies may choose to assess risk
informally. Other agencies may choose to employ a more formal and
structured approach. In either case, the assessment of risk is a
process that should be incorporated
into the system development life cycle.
At a minimum, documentation should be produced that describes the
process employed and the results obtained. System security plans
provide an overview of the information security requirements and
describe the security controls in place or planned for meeting those
requirements. System security plans can include as references or
attachments, other important security-related documents (e.g., risk
assessments, contingency plans, incident response plans, security
awareness and training plans, information system rules of behavior,
configuration management plans, security configuration checklists,
privacy impact assessments, system interconnection agreements)
produced as part of an agency’s information security program.
In addition to risk assessments and
system security plans, security assessments play an important role in
security accreditation. It is essential that agency officials have the
most complete, accurate, and trustworthy information possible on the
security status of their information systems in order to make timely,
credible, risk-based decisions on whether to authorize operation of
those systems. The information and supporting evidence needed for
security accreditation is developed during a detailed security review
of an information system, typically referred to as security
certification. Security certification is a comprehensive assessment of
the management, operational, and technical security controls in an
information system, made in support of security accreditation, to
determine the extent to which the controls are implemented correctly,
operating as intended, and producing the desired outcome with respect
to meeting the security requirements for the system. The results of a
security certification are used to reassess the risks and update the
system security plan, thus providing the factual basis for an
authorizing official to render a security accreditation decision.
By accrediting an information system,
an agency official accepts the risks associated with operating the
system and the associated implications on agency operations, agency
assets, or individuals. Completing a security accreditation ensures
that an information system will be operated with appropriate
management review, that there is ongoing monitoring of security
controls, and that reaccreditation occurs periodically in accordance
with federal or agency policy and whenever there is a significant
change to the system or its operational environment.