Certification and Accreditation of Pontius Research Paper


Security categorizations are defined according to the level of effort needed for certification. Three security categorization levels exist and are defined as follows:

This table gives the definitions of the three main security categorizations and the degree of certification effort associated with each.

This table shows the SSP sections that are required for systems in each of the security categorizations.

When the initiation phase comes to an end, the certification phase commences.

Certification


In this phase, the team mandated with certification evaluates the entire information system in order to determine whether the security requirements have been satisfied. The team then identifies any deficiencies or vulnerabilities. Correcting those deficiencies or vulnerabilities that are severe enough to prevent system operation from being approved is the responsibility of the System Owner.

System Security Plan. The SSP must reflect the current status of the system. If the certification evaluation process results in modifications to the system security controls, the System Owner must update the SSP to reflect these modifications.

Security Assessment Report. This is the report compiled by the certification team detailing the security evaluation and the extent to which the information system, as designed, satisfies the security requirements.

Plan of Action and Milestones. This is a description of all the measures that are implemented or planned in order to correct the deficiencies and to reduce or completely eliminate the vulnerabilities. The System Owner documents the deficiencies and vulnerabilities identified by the certification team. For deficiencies or vulnerabilities that are not severe enough to require an immediate solution, the System Owner must document the corrective action that is planned for completion once the evaluated system receives a temporary authorization to operate from the DAA.

When the certification phase ends, the System Owner is ready to send the accreditation package to the DAA, and the accreditation phase begins.

Accreditation

The purpose of the accreditation phase is to determine whether the information system satisfies the security requirements sufficiently to be allowed to operate.
The System Owner transmits the accreditation package to the DAA. When the DAA receives the security accreditation package, he or she evaluates the status of the system and makes a decision. The DAA can issue one of the following decisions:

Authorization to Operate (ATO). The information system is given the go-ahead to operate without any limitations or restrictions.

Interim Authorization to Operate (IATO). The information system is allowed to operate for a limited period of time, at greater risk to PONTIUS, while the errors are corrected.

Denial of Authorization to Operate (DATO). The information system is never allowed to operate.

Certification and Accreditation Flow Chart

This drawing illustrates the four phases involved in the C&A process as described in this document. Each phase is color coded to correspond to the first chart in this paper.
