Security certification and accreditation are important activities that support a risk management process and are an integral part of an agency's information security program. Security accreditation is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations, agency assets, or individuals based on the implementation of an agreed-upon set of security controls.
The C&A process aids in and requires:
- creating and maintaining a security plan;
- ensuring that appropriate officials are assigned security responsibility;
- reviewing the security controls in the agency's information systems; and
- authorizing system processing prior to operations and periodically thereafter.
It also employs a third-party auditor/arbitrator concept in the form of the Certifier.
The NIST 800 Approach
The improved NIST Special Publication 800-37 is the first in a series of standards that will be produced during Phase I of the NIST Information System Security Project. The purpose of this publication is to provide guidelines for the security accreditation of information systems supporting the executive agencies of the Federal government, including their contractors.
These guidelines were developed to:
- enable more consistent, comparable, and repeatable evaluations of security controls applied to federal information systems;
- promote a better understanding of enterprise-wide mission risks resulting from the operation of information systems;
- create more complete, reliable, and trustworthy information for authorizing officials, facilitating more informed security accreditation decisions; and
- help achieve more secure information systems within the Federal government, including the critical infrastructure of the United States.
The guidelines provided in Special Publication 800-37 are applicable to all Federal information systems other than those systems designated as national security systems as defined in 44 U.S.C., Section 3542. The guidelines have been broadly developed from a technical perspective so as to be complementary to similar guidelines issued by agencies and offices operating or exercising control over national security systems. This publication is intended to provide guidelines to Federal agencies in lieu of Federal Information Processing Standards (FIPS) Publication 102, Guidelines for Computer Security Certification and Accreditation, September 1983, which is being rescinded. State, local, and tribal governments as well as private sector organizations comprising the critical infrastructure of the United States are also encouraged or may be required to consider the use of these guidelines, as appropriate.
The C&A Process - see below for our enhanced Certification and Accreditation Process map.
Tim McGuinness, Ph.D. and Associates have a long history of C&A security process experience. In fact, Dr. McGuinness is both a DISA Certified Approval Authority and Certifier under DITSCAP, the Department of Defense C&A process. As seasoned security and compliance professionals, they can meet your needs by providing full support for the C&A process, or by assisting with specific C&A challenges. The C&A process is unique to each situation, so each project is approached with the team required for that project. Additionally, many C&A projects overlap with other regulatory schemas, such as HIPAA, GLBA, and others, and the team can provide leading-edge, cost-effective compliance solutions across a broad range of regulatory schemas. Our extensive first-hand experience in performing Certification & Accreditation in multiple industry sectors gives us unique perspectives into the processes and the challenges created by the approving authorities (agency officials), which can be readily applied to your certification project!
For information on our Certification and Accreditation Security Services, please contact us.
Our Enhanced C&A Certification and Accreditation Process Map
Based upon NIST 800-37 & DITSCAP, and our experience!

Phase One: Initiation (Responsible Party for all three tasks: System Owner)

Phase 1 Task 1 - Prepare Documentation (Initiation; NIST 800-37 Phase 1)
  - Describe the system
  - Categorize risks and vulnerabilities
  - Identify threats to it
  - Identify its vulnerabilities
  - Identify in-place and planned security controls
  - Determine its initial risks

Phase 1 Task 2 - Notify Officials & Identify Resources (Planning; NIST 800-37 Phase 3)
  - Notify program officials
  - Identify resources needed and plan execution of activities
  - Develop and implement a corrective action plan

Phase 1 Task 3 - Analyze, Update & Accept System Security Plan (Multiple; NIST 800-37 Phases 4-6)
  - Review security categorizations
  - Analyze the security plan
  - Update the security plan
  - Obtain Authorizing Official acceptance of the security plan
Please contact us to explore your specific regulatory challenges. Remember, regulatory deadlines don't wait! It's the LAW!
Call Us Today! +1-347-412-0574