Certification & Accreditation

We understand the National and DoD certification and accreditation (C&A) processes, and can successfully execute the activities required by those guidelines (e.g., DoD Information Technology Security Certification and Accreditation Process (DITSCAP), National Information Assurance Certification and Accreditation Process (NIACAP), National Information Security Certification and Accreditation Process (NISCAP), the National Institute of Standards and Technology (NIST) 800 series) and security best practices (e.g., SANS). As necessary, we can tailor the C&A processes to the individual agency or site, identify the most effective accreditation option (e.g., site, system or type) and develop the appropriate security documentation (e.g., System Security Authorization Agreement (SSAA), Security Plan, Security Appendices). We will work with you to define your security requirements, develop and execute the security test and evaluation (ST&E) and successfully complete your C&A. The C&A activities may include a risk assessment utilizing NIST, NSA or local requirements, ST&E plan and procedures, and vulnerability assessments. Our vulnerability assessments will be tailored to your needs, such as non-intrusive, penetration or periodic tests. We can even provide post-accreditation maintenance of your infrastructure. Our IA experts can provide the best C&A activities and support to meet your needs.

Basic Process

Phase 1:

Definition – Focused on understanding the IS business case, environment, and architecture to determine the security requirements and level of effort necessary to achieve certification and accreditation. Objective – Agree on the security requirements, C&A boundary, schedule, level of effort, and resources required.

Phase 2:

Verification – Verifies the evolving or modified system’s compliance with the information in the System Security Authorization Agreement (SSAA). Objective – Ensure the fully integrated system will be ready for certification testing.

Phase 3:

Validation – Validates compliance of the fully integrated system with the security policy and requirements stated in the SSAA. Objective – To produce the required evidence to support the Designated Approval Authority (DAA) in making an informed decision to grant approval to operate the system (Full Accreditation), Interim Authority to Operate (Interim Accreditation), or Accreditation Disapproval.

Elements of Certification Package

  • Security Plan
  • Security Test & Evaluation Reports
  • Final Risk Assessment Report
  • Certifier’s Statement
  • System Support Documentation

Elements of Accreditation Package

  • Accreditation Letter
  • Security Plan
  • Report Documenting the Basis for the Accreditation Decision

Phase 4:

Post Accreditation – Includes the activities necessary for the continuing operation of the Fully Accredited IS and its computing environment, and to address the changing threats and small-scale changes that a system faces throughout its life cycle. Objective – Ensure secure system management, operation, and maintenance to preserve an acceptable level of residual risk.