By Doug Stemper, e-Management
Certification and Accreditation…what is it, you ask? C&A can either be the most excruciatingly dull thing you have ever done in your life, or it can be a valuable tool for managing the security of your government IT system. While C&A has been through its changes over time, it all boils down to one primary purpose: to document the security controls, or lack thereof, and what you are doing about it.
That’s it. Really. Since I know you want more C&A, here is my crash course, C&A for Dummies.
Enter FIPS
Back in 1983, FIPS 102, Guidelines for Computer Security Certification and Accreditation, came along; FIPS are Federal Information Processing Standards, the things you have to do. As time went on, other guidelines sprang up: the Department of Defense’s DoD Information Technology Security Certification and Accreditation Process (DITSCAP), for defense-related national security systems; the National Information Assurance Certification and Accreditation Process (NIACAP), developed by the National Security Agency; and the Central Intelligence Agency’s Director of Central Intelligence Directive 6/3, Protecting Sensitive Compartmented Information within Information Systems. Organizations were pretty much free to choose which method they wanted to implement.
There’s a New Law in Town
Following FIPS, the federal government enacted the Federal Information Security Management Act of 2002 (FISMA). This new law mandated that system security be documented and managed. Along with certain documentation requirements, security was to be planned for and implemented during the life cycle of the system. In its original version, the required documentation artifacts were the system security plan (SSP), the contingency plan (CP), the contingency plan test report, the security test and evaluation (ST&E) plan, and the risk assessment. As time went on, more requirements were added throughout government and locally, but these documents were the first basic requirements.
With C&A, Less is Better
Properly executed and properly written, the documentation for a full C&A should not exceed 75-100 pages for the entire package. Many organizations tend to believe that more is better. Since a C&A is meant to be a living, working document, the less that needs to be reviewed and updated, the better. Excessive content only gets in the way of effective management of the SSP. But that does not mean that any required aspects of the package should be neglected.
…but WAIT! There’s more!
The above has been the environment (and way of thinking) for the last five to eight years, with the goal of obtaining an Authority to Operate (ATO) from the Designated Approval Authority (DAA). Within the last year, however, there has been a shift in thinking that includes the Risk Management Framework. While it is still important to document the system security in a comprehensive SSP, the emphasis has turned to technical security controls. There really isn’t a standard system for tracking management and operational controls, but technical controls can be measured and tracked automatically because they either work or they don’t, and there are numerous products available to test and report security status. So, from a technical standpoint, security can be implemented and measured so that weaknesses can be identified, prioritized, and addressed. This is the basis of the “new” C&A process.
The New ATO
The new guideline for obtaining a “Security Authorization” (the new ATO) is NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. For those familiar with the C&A process, this changes the approach to documenting system security and changes, or actually consolidates, the required documentation. The new security authorization package contains: the security plan; the security assessment report; and the plan of action and milestones (POA&M).
All of this is a consolidation of process steps and applies a project management-type framework to ensure the documentation and implementation of security controls throughout the life cycle of the system. Along with the security authorization, the major operative aspect of the new Risk Management Framework is a “continuous monitoring” function that tracks and records security changes in the system. If new security risks are found, they are recorded on a POA&M and managed until they are either mitigated or the risk is accepted as part of the normal operating environment.
A key element of the new process is that there is no longer a hard-and-fast requirement for the security authorization to expire. With a viable, robust continuous monitoring program, the authorizing official will be able to comprehend the level of risk at all times and react appropriately.
So there you have it…
C&A as we have known it is no more. Long live security authorization and continuous monitoring!
C&A Q&A
Has this blog posting helped to clarify the role of C&A in federal agencies? What security controls do you have in place to protect your agency? What IT security issues are the biggest for your organization?
I look forward to your responses and/or questions.