FISMApedia


DoD Information Assurance Certification and Accreditation Process

Q/C&A: Qualified/Certification & Accreditation

This 5-day session meets the objectives stated by DoD 8500.1 and 8500.2, under which government agencies are held accountable for ensuring the protection of their information & information systems. In order to meet the requirements of these important laws & mandates, agencies must take the necessary steps to implement key information security standards. Attend this program to gain the management skills & standards necessary to meet the requirements of these mandates. Download SU's class schedule now!

Note: This class can be easily tailored to meet the certification and accreditation needs of any organization.

Class Fee: $2,995*
Time: 8:30am - 5pm
Location: Click here to view the class schedule
Learning Level: Beginner to experienced
CPE Credits: 40
Prerequisites: Contractors, government and military personnel who work on government information systems (IS) or who have won a contract award to service military IS.
   

We're here to help!
CALL NOW 877-357-7744

Who Should Attend

DoD Information Security and IT managers; Information Assurance Officers and Managers; Information Security Analysts, Consultants and Contractors; Security and Certification Officials responsible for developing C&A packages.

This course is designed for individuals who are responsible for meeting the Federal Information Security Management Act (FISMA) requirements for their agency.

Committee on National Security Systems

What You Will Learn

Upon successful completion of the DIACAP training class, each attendee will be able to:

  • Understand the guidelines presented in and documentation required by the DIACAP.
  • Describe the process of identifying/defining an information system for the purpose of C&A.
  • Appreciate how compliance with the government's C&A process standards is beneficial to an organization's short- and long-term information assurance strategy.
  • Complete a certification and accreditation effort.

Preparing for C&A

The outcome of the C&A process is to put together a collection of documents that describe the security posture of the systems, an evaluation of the risks, and recommendations for correcting deficiencies. It is what's known as a Certification Package.

A typical Certification Package usually consists of a minimum of half a dozen documents, though more documentation may be required if the systems contain classified information or highly sensitive data. Each agency is responsible for defining their own C&A process and it must be well-documented in the form of a C&A Handbook. The C&A Handbook is based on one of the three well-known methodologies (NIST, DITSCAP, or NIACAP) with various customizations that are unique for each particular agency. Preparing the C&A package is sometimes referred to as a C&A Review.

Once a Certification Package has been prepared, Mission Assurance auditors review the package and then decide whether or not the systems should be accredited according to the proposed recommendation. All federal agencies must obtain an Authority to Operate (ATO) before their systems can be legitimately and legally used for production purposes.

If the Certification Package does not appear to contain the right information, or if the information reported in the package is considered unacceptable (for example, if unacceptable risks are cited with inappropriate safeguards to mitigate them), the agency may be given an Interim Authority to Operate (IATO), which allows it to operate its systems, usually for three months, while it corrects the deficiencies.

In preparing a C&A package, the documents that are typically required (according to the NIST methodology) include the following:

  • System Categorization Statement
  • System Description with System Boundaries Noted
  • Network Diagram and Data Flows
  • Software and Hardware Inventory
  • Business Risk Assessment
  • System Risk Assessment
  • Contingency Plan
  • Self-Assessment
  • System Security Plan

Depending on the requirements of the particular agency, other documents or variations of these particular documents may also be required. NIST publishes an excellent collection of documents that provide guidance for the C&A review and explain what sort of information should be reported in each of the required documents.

Levels of Certification and Starting the Review

There are typically four levels of accreditation for a system. At the beginning of a C&A project, the C&A review team makes a decision on the appropriate accreditation level that it is going to seek, and drafts a memorandum that justifies this decision. The four levels of accreditation are tightly mapped to the sensitivity of the systems being certified, and the severity of the impact that a disaster would have on the systems or information. How to categorize the software and hardware assets appropriately is described in the following documents:

Business Needs / Course Goals for C&A
Understanding Roles & Responsibilities
Phases 1-4 of C&A
Phases 1-9 of RA
Classification of System
Understanding Legislation
FISMA, SOX 404, HIPAA
Understanding C&A in Lifecycle
Development phase to RA and C&A
Identifying Risk Assessment in C&A
Boundary Accreditation in a system environment
Identifying a system boundary
Accreditation Decision Model
Communicate what transpires in delivering a decision; IATO, Full Accreditation, Do Not Accredit
FISMA Scorecard
Positive and negative impacts
17 Baseline Management, Operational, & Technical Policies
Understanding policy source, relationships, procedures, controls, and testing

Guide for Developing Security Plans (NIST SP800-18)
System Analysis
System Boundaries
Information sensitivity
System Category
Major Applications
General Support System
Plan Development – All Systems
Plan Control
System Identification and sensitivity level
System Operational Status
General Description/Purpose
System Environment
System Interconnection/Information Sharing
Sensitivity of Information Handled
Laws, Regulations, and Policies Affecting the System requirements for confidentiality, integrity, or availability
Management Controls
Operational Controls
Documentation (MA Example)
Vendor-supplied documentation of hardware
Vendor-supplied documentation of software
Application requirements
Application security plan
General support system(s) security plan(s)
Application program documentation and specifications
Testing procedures and results
Standard operating procedures
Emergency procedures
Contingency plans
Memoranda of understanding with interfacing systems
Disaster recovery plans
User rules of behavior
User manuals
Risk assessment
Backup procedures
Authorize processing documents and statement
Technical Controls
Major Application Template
General Support System Template

Standards for Security Categorization (FIPS 199)

Determine National Security System Classification using NIST SP 800-59
Security Category for Confidentiality, Integrity, and Availability for:
Low Impact
Moderate Impact
High Impact

Selection and Specification of Security Controls (NIST 800-53) -> (FIPS 200)
Management Controls
PL-1: Security Planning Policy and Procedures (82)
RA-1: Risk Assessment Policy and Procedures (87)
SA-1: System and Services Acquisition Policy and Procedures (89)
CA-1: Certification, Accreditation, and Security Assessments Policy and Procedures (54)
Operational Controls
AT-1: Security Awareness and Training Policy and Procedures (48)
CM-1: Configuration Management Policy and Procedures (57)
CP-1: Contingency Planning Policy and Procedures (60)
MP-1: Media Protection Policy and Procedures (73)
PE-1: Physical and Environmental Protection Policy and Procedures (76)
SI-1: System and Information Integrity Policy and Procedures (100)
IR-1: Incident Response Policy and Procedures (68)
MA-1: System Maintenance Policy and Procedures (70)
PS-1: Personnel Security Policy and Procedures (84)
Technical Controls
AC-1: Access Control Policy and Procedures (40)
AU-1: Auditing and Accountability Policy and Procedures (50)
IA-1: Identification and Authentication Policy and Procedures (65)
SC-1: System and Communications Protection Policy and Procedures (93)

Risk Assessment and Management Process (NIST SP800-30)
Risk Assessment Program and Methodology
Key Roles
Senior Management
Chief Information Officer (CIO)
System and Information Owners
Business and Functional Managers
ISSO / IT Security Program Managers
IT Security Practitioners
Security Awareness Trainers (Security/Subject Matter Professionals)
Assessment Tools
Vulnerability Scanning
Scanning & Enumeration
War Dialing
Wireless
Privilege Escalation and Back Door
Network Analyzers (sniffers)
File Integrity Checkers
Password Crackers
Risk Analysis & Reporting Tools
C&A Reporting Tools
Risk Assessment
Step 1 System Characterization – Operational and Processing Environment
Step 2 Vulnerability Identification
Step 3 Threat Identification
Step 4 Operational, Technical, and Management Control Analysis
Step 5 Threat Likelihood Determination
Step 6 Impact and Loss of Confidentiality, Integrity, and Availability Analysis
Step 7 Risk Determination
Step 8 Control Recommendations
Step 9 Results Documentation – Report recommendations and documentation
Risk Mitigation
Evaluation and Assessment

Guide for Mapping Types of Information and Information Systems to Security Objectives and Risk Levels (NIST SP 800-60)
Security Categorization of Information and Information Systems
Security Categories and Objectives (Contents from FIPS 199)
Impact Assessment (Contents from FIPS 199)
Assignment of Impact Levels and Security Categorization
Mapping Information Types to Security Controls and Impact Levels
Information Type Identification
Selection of Provisional Impact Levels
Review and Adjustment and Finalization of Information Impact Levels
Guidelines for System Security Categorization
Guidelines for Assignment of Impact Levels to Mission-based Information
Impact levels by type for the management and support information
Management and Support Information and Information System Impact Levels
Rationale and Factors for Services Delivery Support Information
Rationale and Factors for Government Resource Management Information
Impact Determination for Mission-based Information and Information Systems
Legislative and Executive Sources establishing Sensitivity/criticality
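The SP 800-60 outline above lists the security categorization steps (provisional impact levels per information type, review and adjustment, then assignment of the system-level category) without showing the arithmetic. The following is an added worked example, not material from the course or from NIST: it applies the FIPS 199 high-water mark rule, in which each security objective (confidentiality, integrity, availability) takes the highest impact level of any information type the system handles, and the overall system impact is the highest of the three. The information types and their provisional impact levels are constructed sample values, not the tables published in SP 800-60, and the function and class names are this example's own.

```python
"""FIPS 199 / SP 800-60 style security categorization by high-water mark.

Added worked example; the information types and impact levels below are
constructed for illustration and are not SP 800-60's published values.
"""
from dataclasses import dataclass
from typing import Dict, Mapping, Optional, Tuple

# Impact levels ordered from least to greatest (FIPS 199).
LEVELS = ("LOW", "MODERATE", "HIGH")
OBJECTIVES = ("confidentiality", "integrity", "availability")


def _check_level(level: str) -> str:
    """Reject anything that is not a FIPS 199 impact level."""
    if level not in LEVELS:
        raise ValueError(f"unknown impact level {level!r}; expected one of {LEVELS}")
    return level


def _higher(a: str, b: str) -> str:
    """Return the greater of two impact levels (the high-water mark)."""
    return a if LEVELS.index(a) >= LEVELS.index(b) else b


@dataclass(frozen=True)
class SecurityCategory:
    """SC = {(confidentiality, x), (integrity, y), (availability, z)}."""
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        for objective in OBJECTIVES:
            _check_level(getattr(self, objective))

    def level(self, objective: str) -> str:
        return getattr(self, objective)

    def overall(self) -> str:
        """System-level impact: the highest of the three objectives.

        FIPS 200 uses this value to pick the SP 800-53 control baseline."""
        return max((self.confidentiality, self.integrity, self.availability),
                   key=LEVELS.index)

    def __str__(self) -> str:
        return (f"SC = {{(confidentiality, {self.confidentiality}), "
                f"(integrity, {self.integrity}), "
                f"(availability, {self.availability})}}")


def categorize_system(
    info_types: Mapping[str, SecurityCategory],
    adjustments: Optional[Mapping[Tuple[str, str], str]] = None,
) -> SecurityCategory:
    """Aggregate provisional per-type categories into the system category.

    info_types:  information type name -> provisional SecurityCategory.
    adjustments: (type name, objective) -> level, modelling the SP 800-60
                 'review and adjustment' step in which the system owner raises
                 or lowers a provisional level with documented justification.
    FIPS 199 sets LOW as the floor for every objective at the system level,
    so the running high-water mark starts at LOW.
    """
    adjustments = adjustments or {}
    highest: Dict[str, str] = {objective: "LOW" for objective in OBJECTIVES}
    for name, provisional in info_types.items():
        for objective in OBJECTIVES:
            level = adjustments.get((name, objective), provisional.level(objective))
            highest[objective] = _higher(highest[objective], _check_level(level))
    return SecurityCategory(**highest)


# Constructed sample system handling three information types (hypothetical
# provisional levels chosen for illustration only).
SAMPLE_INFO_TYPES = {
    "personnel records": SecurityCategory("MODERATE", "MODERATE", "LOW"),
    "public web content": SecurityCategory("LOW", "MODERATE", "LOW"),
    "emergency dispatch": SecurityCategory("LOW", "HIGH", "HIGH"),
}

# Hypothetical adjustment: the owner documents that a manual fallback exists,
# so the availability impact of dispatch data is lowered to MODERATE.
SAMPLE_ADJUSTMENTS = {("emergency dispatch", "availability"): "MODERATE"}


def demo() -> Tuple[SecurityCategory, SecurityCategory]:
    """Return the provisional and adjusted system categories."""
    provisional = categorize_system(SAMPLE_INFO_TYPES)
    adjusted = categorize_system(SAMPLE_INFO_TYPES, SAMPLE_ADJUSTMENTS)
    return provisional, adjusted


if __name__ == "__main__":
    before, after = demo()
    print("provisional:", before, "-> overall", before.overall())
    print("adjusted:   ", after, "-> overall", after.overall())
```

Note that lowering one objective for one information type changes that objective's high-water mark only if no other type still drives it; in the sample, the adjusted availability drops to MODERATE, but the system remains HIGH overall because integrity of the dispatch data is still HIGH, which is exactly why the review step has to look at each objective separately.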

NIST Certification and Accreditation Process (NIST SP800-37)
NIST SP800-37 C&A Process Overview
Defining the Accreditation Package
C&A Process Phases
Initiation Phase
Security Certification Phase
Security Accreditation Phase
Continuous Monitoring Phase
Security Certification Package
Updated System Security Plan
Completed Security Risk Assessment
Updated Configuration Management Plan
Contingency Management Plans
Security Test & Evaluation Report
User Manual with SFUG (Security Features User's Guide)
Interconnection Security Agreements
Memorandums of Agreement
Completed Privacy Impact Assessment
Federal Register System of Record Notice
Plan of Action and Milestones (POAM)
Security Accreditation Package
Security Assessment Report
Security Accreditation Decision Letter
System Security Plan
Plan of Action & Milestones (POAM)
Initiation Phase
Preparation
1-1 System Description (ISO, ISSO)
1-2 Security Categorization Verification (ISO, ISSO)
1-3 Risk Assessment Review (ISO, ISSO)
Notification & Resource Identification
2-1 Notification of C&A Support (ISO, ISSO)
2-2 Planning & Resource Identification (CA)
Security Program Documentation Analysis, Update & Acceptance
3-1 Security Categorization Validation (CA)
3-2 Security Program Documentation Analysis (CA)
3-3 Security Program Documentation Update (ISO, ISSO)
3-4 Acceptance of Security Program Documentation (ISO, ISSO)
Security Certification Phase

Security Control Verification & Validation
4-1 Documentation & Supporting Materials
4-2 Reuse of Assessment Results
4-3 C&A Methods & Procedures
4-4 C&A Security Assessment
4-5 Prepare Final Assessment Report
Security Certification Documentation
5-1 Certification Findings & Recommendations
5-2 Security Documentation Update
5-3 Plan of Action & Milestone Preparation
5-4 Security Accreditation Package
Security Accreditation Phase
Security Accreditation Decision
6-1 Final Risk Determination
6-2 Residual Risk Acceptance
Security Accreditation Documentation
7-1 Security Accreditation Package Transmission
7-2 C&A Documents and Plans Update
Continuous Monitoring Phase
Configuration & Change Management Control
8-1 Documentation of Information System Changes
8-2 Security Impact Analysis
Ongoing Security Control Monitoring
9-1 Security Control Selection
9-2 Security Control Monitoring
Status Reporting and Updating Security Program Documentation
10-1 Security Program Documentation Update
Status Reporting
NIST SP800-37 C&A Process Summary

The most sensitive systems, those that have lives depending on them, typically seek accreditation at the highest level, Level 4. Systems that are not sensitive seek accreditation at the lowest level, Level 1. Moderately sensitive systems typically undergo a Level 2 or Level 3 C&A review.

It is important to understand the appropriate level of accreditation required for the systems undergoing the C&A review as the auditors will not accredit a system that has been incorrectly categorized. However, it is up to the system owners to understand the levels of certification and their implications. Differing amounts of information are required in the documentation that must be provided to the Mission Assurance auditors depending on the level of accreditation that is sought. Determining the appropriate level of certification and accreditation to seek out is the first step in getting your C&A project off the ground.


Prerequisites
Basic computer literacy.

*Class fees are subject to change

Copyright © 2010 Security University, Inc. All rights reserved.