Important acronyms

PowerPoint PPT presentation, 75 slides

Upload: harlan

Posted on 11-Jan-2016

TRANSCRIPT

Page 1: Important acronyms

Important acronyms

AO = authorizing official

ISO = information system owner

CA = certification agent

Page 2: Important acronyms

NIST 800-37

National Institute of Standards and Technology, US Department of Commerce

Guide for the Security Certification and Accreditation of Federal Information Systems

Pages 3-6: Important acronyms

National Policy

Office of Management and Budget Circular A-130, Management of Federal Information Resources, requires federal agencies to:

• Plan for security

• Ensure that appropriate officials are assigned security responsibility

• Review security controls

Page 7: Important acronyms

Security Controls

• The countermeasures used to protect assets and manage the confidentiality, integrity, and availability of assets.

– Anti-virus software

– Network firewall

– User awareness training

– Access controls

Page 8: Important acronyms

800-37 Purpose

• Provide guidelines for the security certification and accreditation of information systems supporting executive agencies of the US federal government.

Pages 9-12: Important acronyms

800-37 Purpose

• Enable consistent and repeatable assessments of information systems

• Promote an understanding of risks involved in operating information systems

• Create complete and reliable information used by professionals to make an informed certification/accreditation decision.

• Assign responsibility and accountability to the individuals overseeing the information system.

Page 13: Important acronyms

Risk Management

Adversaries attack the weakest link…where is yours?

Links in the Security Chain: Management, Operational, and Technical Controls

Management and operational controls:

• Risk assessment

• Security planning

• Security policies and procedures

• Contingency planning

• Incident response planning

• Physical security

• Personnel security

• Security assessments

• Security accreditation

Technical controls:

• Access control mechanisms

• Identification & authentication mechanisms (biometrics, tokens, passwords)

• Audit mechanisms

• Encryption mechanisms

• Firewalls and network security mechanisms

• Intrusion detection systems

• Anti-malware

• Smart cards

Page 14: Important acronyms

Managing Agency Risk

Key activities in managing agency-level risk, the risk resulting from the operation of an information system:

• Select a set of security controls

• Document security controls in the system security plan

• Implement the security controls in the information system

• Assess the security controls

• Determine risk acceptability

• Authorize information system operation

• Monitor security controls on a continuous basis

Page 15: Important acronyms

Certification vs Accreditation

Pages 16-18: Important acronyms

Certification Definition

• Certification occurs when security controls in the information system are:

– implemented correctly,

– operating as intended, and

– producing the desired outcome

Page 19: Important acronyms

Accreditation Definition

• An acknowledgment of risk acceptance. Accreditation occurs when the agency has determined that an acceptable level of risk to assets and operations has been achieved.

Page 20: Important acronyms

The Primary Officials’ Titles

• With regard to the Certification and Accreditation process, …

– There are titles assigned to individuals within an agency undergoing Cert-Acc. Many of the titles can be artificially assigned to meet the suggested requirements.

– These titles come with a well-defined group of responsibilities.

Page 21: Important acronyms

The Primary Officials and Their Titles

• Authorizing Official, the AO

• Information System Owner, the ISO

– AKA System Owner

• Certification Agent, the CA

Page 22: Important acronyms

Authorizing Official

• Senior management position

• Formally assumes responsibility for operating an information system at an acceptable level of risk to an agency’s assets and operations. (primary role)

• Is accountable for the risks associated with operating an information system.

• Oversees the budget and business operations of the information system.

Page 23: Important acronyms

Authorizing Official

• The industry equivalent could include job titles like VP of Information Technology.

• The AO would report to the CIO

Pages 24-29: Important acronyms

Information System Owner

• Procures, develops, integrates, modifies, operates or maintains an information system (primary role)

• Responsible for development and maintenance (sustainability cycle) of the system security plan.

• Ensures the system is deployed and operated according to the agreed-upon security requirements.

• Grants users access to the information system, with their respective privileges.

• Provides users and support staff with appropriate security training.

• Ensures the appropriate resources are available for certification and accreditation, and reports this to the AO.

Pages 30-32: Important acronyms

Certification Agent

• Provides an independent assessment of the system security plan (primary role)

• Assesses the security controls in the information system to determine the extent to which the controls are:

– Implemented correctly;

– Operating as intended; and

– Producing the desired outcome with respect to meeting the security requirements

• Provides recommended corrective actions to reduce or eliminate vulnerabilities in the information system

Page 33: Important acronyms

Certification Agent

• Independent from the persons directly responsible for the development and maintenance of the information system’s operation.

– See FIPS-199 to determine an appropriate level of independence.

Page 34: Important acronyms

Other Roles

• Authorizing Official Designated Representative, reports to the AO.

• Chief Information Officer, appoints the SAISO.

• Senior Agency Information Security Officer, liaison between the CIO and the AO.

• Information System Security Officer, reports to the AO or the ISO.

• User Representatives, those using the information systems.

Page 35: Important acronyms

Delegation of Roles

• At the discretion of senior agency officials, roles may be delegated and appropriately documented.

• Officials may appoint qualified individuals including contractors or regular employees.

– Exceptions: Chief Information Officer and Authorizing Official.

Pages 36-40: Important acronyms

Four phases to the security certification and accreditation process

1. Initiation

2. Certification

3. Accreditation

4. Monitoring

• Each phase is broken up into tasks and each task has a series of sub-tasks

Page 41: Important acronyms

Phases, Tasks, & Sub-Tasks

• There are a total of

– 4 phases

– 10 tasks

– 31 sub-tasks

Page 42: Important acronyms

Phase 1: Initiation

• The purpose of this phase is to ensure the AO and ISO are in agreement with the contents of the

– System security plan

– System’s security requirements

• The CA begins the assessment of the security controls for the information system after phase 1 is completed.

Pages 43-45: Important acronyms

Phase 1: Initiation Tasks

• Three tasks must be completed for the initiation phase:

1. Preparation

2. Notification and resource identification

3. System security plan analysis, update and acceptance

The ISO is responsible for all three tasks.

Page 46: Important acronyms

Initiation: Preparation Task 1

Include the following in a security plan:

• Describe the system and define the boundary

• Determine the security category of the system

• Identify threats

• Identify vulnerabilities

• Identify the security controls (safeguards to minimize risks)

• Determine initial risks

Page 47: Important acronyms

Task 1 Guidance Example

• Give the system a unique identification

• Status with respect to the development life-cycle

• Location

• Contact information

• Purpose and function

• Hardware and software used

• Network topology

• Etc.

Page 48: Important acronyms

Initiation: Notification and Resource Identification, Task 2

• The ISO notifies officials that the certification and accreditation procedure is progressing.

• AO prepares a plan of execution to identify the level of resources required for the certification and accreditation procedure.

Page 49: Important acronyms

Initiation: Analyze, Update and Accept System Security Plan, Task 3

• The AO and CA review the appropriateness of the security plan.

• The AO and CA analyze the security plan.

• The ISO updates the security plan, based on the recommendations of the CA and AO.

• Obtain AO acceptance of the security plan.

Pages 50-51: Important acronyms

Phase 2: Certification

Two tasks of certification:

1. Assess and evaluate security controls

2. Document security certification

The purpose of this phase is to determine if the security controls are implemented correctly, operating as intended, and producing the desired outcome.

Pages 52-55: Important acronyms

Phase 2: Certification: Assess and Evaluate Security Controls, Task 4

• Prepare documentation and supporting materials. This is completed by the ISO for the CA: procedures, reports, and logs showing evidence that security controls are in place.

• Review methods and test procedures (CA)

• Assess and evaluate security controls (CA)

• Report security assessment results (CA). This is part of the accreditation package.

Pages 56-59: Important acronyms

Phase 2: Certification: Document Security Certification, Task 5

• Provide findings and recommendations (CA)

• Update the security plan (ISO)

• The ISO prepares a plan of action and milestones based on the CA recommendations.

• The ISO assembles the accreditation package and submits it to the Authorizing Official.

Page 60: Important acronyms

Phase 3: Accreditation

Two tasks completed by the AO:

• Make security accreditation decision

• Document security accreditation

Page 61: Important acronyms

Accreditation: Make Security Accreditation Decision, Task 6

• The AO determines final risk levels.

• The AO then makes a decision about accepting any residual risk.

Pages 62-64: Important acronyms

Accreditation: Make Security Accreditation Decision, Task 6

Possible AO decisions:

1. Authorization to operate

2. Interim authorization to operate under specific terms and conditions (things to fix).

3. Denial of authorization to operate.

Page 65: Important acronyms

Phase 3: Accreditation: Document Security Accreditation, Task 7

• The AO transmits the security accreditation package along with the accreditation letter to the ISO and other officials.

• The ISO updates the security plan.

Pages 66-68: Important acronyms

Phase 4: Monitoring

Three tasks managed by the ISO:

1. Manage and control configuration

2. Monitor security controls

3. Report and document status

The purpose of this phase is to provide oversight and monitoring of the security controls in the information system on an ongoing basis.

Pages 69-70: Important acronyms

Phase 4: Monitoring: Manage and Control Configuration, Task 8

• The ISO documents system changes.

• The ISO analyzes and documents security impacts resulting from system changes.

Pages 71-72: Important acronyms

Phase 4: Monitoring: Monitor Security Controls, Task 9

• Select in-place security controls to monitor

• Assess selected security controls to determine if they operate as intended.

Pages 73-75: Important acronyms

Phase 4: Monitoring: Status Reporting and Documentation, Task 10

• The ISO updates the security plan as dictated by events over time.

• The ISO updates the plan of action and milestones.

• The ISO sends the security status of the information system to the AO.