Certification and Accreditation
Encyclopedia
Certification and Accreditation (C&A or CnA) is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing and authorizing systems prior to or after a system is in operation. The C&A process is used extensively in the U.S. Federal Government. Some C&A processes include FISMA, NIACAP
NIACAP
The National Information Assurance Certification and Accreditation Process is the minimum-standard process for the certification and accreditation of computer and telecommunications systems that handle U.S. national-security information...

, DIACAP and DCID 6/3.

NIST Special Publication 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems," transforms the traditional Certification and Accreditation (C&A) process into the six-step Risk management framework
Risk management framework
NIST Special Publication 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems," developed by the Joint Task Force Transformation Initiative Working Group, transforms the traditional Certification and Accreditation process into the six-step Risk...

 (RMF).

Definitions

Certification
Certification
Certification refers to the confirmation of certain characteristics of an object, person, or organization. This confirmation is often, but not always, provided by some form of external review, education, assessment, or audit...

 is a comprehensive evaluation of the technical and non-technical security controls
Security controls
Security controls are safeguards or countermeasures to avoid, counteract or minimize security risks.To help review or design security controls, they can be classified by several criteria, for example according to the time that they act, relative to a security incident:*Before the event, preventive...

 (safeguards) of an information system
Information system
An information system - or application landscape - is any combination of information technology and people's activities that support operations, management, and decision making. In a very broad sense, the term information system is frequently used to refer to the interaction between people,...

 to support the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements.

Accreditation
Accreditation
Accreditation is a process in which certification of competency, authority, or credibility is presented.Organizations that issue credentials or certify third parties against official standards are themselves formally accredited by accreditation bodies ; hence they are sometimes known as "accredited...

 is the formal declaration by a senior agency official (Designated Accrediting Authority (DAA) or Principal Accrediting Authority (PAA)) that an information system
Information system
An information system - or application landscape - is any combination of information technology and people's activities that support operations, management, and decision making. In a very broad sense, the term information system is frequently used to refer to the interaction between people,...

 is approved to operate at an acceptable level of risk
Risk
Risk is the potential that a chosen action or activity will lead to a loss . The notion implies that a choice having an influence on the outcome exists . Potential losses themselves may also be called "risks"...

, based on the implementation of an approved set of technical, managerial, and procedural security controls
Security controls
Security controls are safeguards or countermeasures to avoid, counteract or minimize security risks.To help review or design security controls, they can be classified by several criteria, for example according to the time that they act, relative to a security incident:*Before the event, preventive...

(safeguards).

External links

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 
x
OK