The Definitive Guide to the C&A Transformation Process

The Definitive Guide to the C&A Transformation Process: The First Publication of a Comprehensive View of the C&A Transformation

JULIE E. MEHAN
WAYLON KRUSH
Copyright Date: 2009
Published by: IT Governance Publishing
Pages: 601
https://www.jstor.org/stable/j.ctt5hh7fz
    Book Description:

    The Definitive Guide to the C&A Transformation provides an authoritative guide to authorization for persons with knowledge of information systems and/or information systems security, but not necessarily the same level of expertise with certification and accreditation (C&A) standards and best practices; it points to references for further knowledge. It is scoped to present the information needed to meaningfully recognize, implement, and manage authorization requirements and achieve compliance with federal, local and agency laws and policies.

    eISBN: 978-1-84928-007-5
    Subjects: Technology

Table of Contents

  1. Front Matter
    (pp. 1-4)
  2. PREFACE
    (pp. 5-7)
    Julie E. Mehan and Waylon Krush
  3. ABOUT THE AUTHORS
    (pp. 8-11)
  4. ACKNOWLEDGEMENTS
    (pp. 12-12)
  5. Table of Contents
    (pp. 13-16)
  6. INTRODUCTION
    (pp. 17-24)

    For over three decades, the authors of this book have been deeply involved in developing C&A policy, but more importantly in actually providing hands-on help to organizations, ranging from large federal agencies to commercial entities, to successfully navigate the C&A process. We continue to be directly and intensely involved in the C&A transformation, including the transition in terminology from C&A to authorization. We share a driving thought: to do whatever is necessary to protect the information systems of our clients.

    The basic purpose of this book is to provide a definitive guide to authorization for persons with knowledge of information...

  7. CHAPTER 1: AN ABRIDGED HISTORY OF INFORMATION TECHNOLOGY AND INFORMATION SYSTEMS SECURITY
    (pp. 25-34)

    Information security itself is not a new concept – decision makers have taken steps to protect critical information since the emergence of governments and supporting infrastructures. New technologies, however, have forever changed the way information is developed, stored, published, and shared. In order to help you to understand the value of information today and the role of information systems security authorization in its protection, we need to take a walk back in time and engage in a short retrospective of information, information systems, and information systems security.

    Until the relatively recent emergence of information systems (otherwise known as computers), information...

  8. CHAPTER 2: THE ESSENTIAL INFORMATION SYSTEMS SECURITY REGULATIONS
    (pp. 35-86)

    The events of 11 September 2001 changed the security landscape in many visible and long-lasting ways. While the terrorist attacks of that date were not directly targeted against information systems, there were nevertheless several security related lessons learned. Businesses and other agencies developed a heightened awareness of the vulnerability of information systems in the event of disaster and the costs of recovery. But the primary result was a flood of security related legislation, much of it focused on information systems security.

    The field of security is now awash in laws, regulations, and guidance. As you read through the abstracts to...

  9. CHAPTER 3: THE AUTHORIZATION PROCESS FRAMEWORK
    (pp. 87-97)

    Certification and accreditation (C&A) or the authorization to operate an information system is a process. Despite all of the legislative and regulatory confusion we presented in Chapter 2, it’s really that simple. You need to understand the supporting laws, regulations, and policies. But after that – if you approach it as a process – you will find that the authorization process can be manageable and produce valid security results.

    But before we look at the authorization process, let’s discuss some of the most commonly occurring deficiencies found in many of the audits conducted by the General Accounting Office (GAO).

    In...

  10. CHAPTER 4: THE AUTHORIZATION PROCESS – ESTABLISHING A FOUNDATION
    (pp. 98-127)

    Two years ago, the authors were called in by a major international corporation to help them certify and accredit one of their major information systems as a pre-requisite for sales to the US Government. During initial meetings, we discovered that the system development team had included security considerations in their design. We also discovered that this team was working in a security vacuum – there was no corporate level security program that could assist in coordinating all of the efforts essential to effective authorization. As a result, each authorization was an individual, heroic venture – an individual process limited to...

  11. CHAPTER 5: PRE-AUTHORIZATION ACTIVITIES – THE FUNDAMENTALS
    (pp. 128-193)

    The primary objective of the pre-certification activities is to set the stage for the authorization activities to follow. Certain activities, executed early, will minimize effort later and facilitate the authorization process. These include:

    Establish the authorization team.

    Train the authorization team.

    Define the information system.

    Define the accreditation boundary, which includes identifying the approving authority.

    Conduct the risk assessment.

    Align with the system life cycle.

    It is important to note that these activities do not necessarily have to occur in sequence. Some may pre-exist the initiation of an authorization process, such as the authorization team or the overall accreditation boundary....

  12. CHAPTER 6: PLAN, INITIATE AND IMPLEMENT AUTHORIZATION – PREPARING FOR AUTHORIZATION
    (pp. 194-243)

    While many may have a different opinion, we believe that this phase is one of the most important – and challenging – parts of the actual authorization process. That doesn’t mean that all the activities done up to this point are unimportant. They are extremely critical, since they provide the overall structure that supports the authorization process.

    But here is where the rubber meets the road, at least in terms of actually certifying and accrediting an information system. If the activities in this phase are done correctly, you should breeze through the actual accreditation decision and be able to maintain...

  13. CHAPTER 7: VERIFY, VALIDATE & AUTHORIZE – CONDUCTING THE AUTHORIZATION
    (pp. 244-308)

    The previous phase ended with the implementation of a set of security controls as defined in the system security plan. This phase begins with a review of the initial SSP and the independent assessment of the security controls and ends with a risk-based decision to either authorize or deny the operation of an information system.

    During the implementation activities in the previous phase, evidence and artifacts were collected to support the authorization decision process. These artifacts will be reviewed and tested during this phase to determine if they meet the published compliance standards. In addition, actual testing of the security...

  14. CHAPTER 8: OPERATE & MAINTAIN – MAINTAINING AUTHORIZATION
    (pp. 309-322)

    Wikipedia defines situational awareness as “the perception of environmental elements within a volume of time and space, the comprehension of their meaning, and the projection of their status in the near future. It is also a field of study concerned with perception of the environment critical to decision makers in complex, dynamic areas.” More simply, situational awareness is knowing what’s happening around you and understanding its importance and relevance to your environment.

    This chapter revolves around the operation of the information system and ensuring that you maintain situational awareness at all times about the status of your system security.

    The...

  15. CHAPTER 9: REMOVE THE INFORMATION SYSTEM FROM OPERATION
    (pp. 323-332)

    The process of formally removing an information system from operation is a critical, but frequently overlooked, component of the system life cycle. Every information system has a system life cycle and an expiration date. Ideally, removing the system from operation – or decommissioning – should be an important consideration from the inception of the project, during its design and throughout its operation.

    A strategy for securely removing the information system from operation should be developed for each of the following circumstances:

    An information system is upgraded and the outdated system is scheduled to be sold, donated, discarded or recycled.

    An...

  16. CHAPTER 10: AUTHORIZATION PACKAGE AND SUPPORTING EVIDENCE
    (pp. 333-416)

    In the previous chapters, we presented a process for approaching information system authorization that will meet the requirements of federal agencies, most of the DOD and the Intelligence Community, and even the commercial sector.

    During the discussions, we talked about the “authorization package” and “supporting evidence.” Rather than just provide a high-level overview, it is necessary to give you more detailed guidance on format and content for each of the required package elements and for some of the other documents and processes you will have to present as evidence. We don’t, however, anticipate that we can provide all of the...

  17. CHAPTER 11: C&A IN THE US DEPARTMENT OF DEFENSE
    (pp. 417-485)

    In the preceding chapters, we provided you with a generic approach to the information system authorization process – one that could be used in federal agencies, the DOD, or even in the commercial sector. In the next few chapters you will notice similarities between elements of the generic process and the individual processes currently being used in different parts of the federal government. You will also notice the differences. So, let’s start with the processes used in the US DOD.

    The US Department of Defense (DOD) took the lead in the early 2000s in recognizing the need for a certification...

  18. CHAPTER 12: AUTHORIZATION IN THE FEDERAL GOVERNMENT
    (pp. 486-517)

    So where and how do we start the authorization process in accordance with FISMA? Well, first we need to define the boundary of the information system. We define the boundary through drawing real network boundaries, logical system boundaries, physical boundaries, management, or organizational/mission based boundaries. These boundaries are also known as authorization or accreditation boundaries.

    Draft NIST SP 800-37 Rev.1 states:

    Authorization boundaries need to be established before security categorization and the development of security plans. Authorization boundaries that are unnecessarily expansive (i.e. including too many system components) make the authorization process extremely unwieldy and complex. Boundaries that are unnecessarily...

  19. CHAPTER 13: THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA)
    (pp. 518-533)

    We can truly say that an “A” on the FISMA scorecard does not always mean you are a more secure agency – but it is a start. When we started in C&A in the civilian federal agencies in 2002, it seemed to be an endless labor of developing security documentation for systems that could never meet the requirements. But that did not seem to matter – the systems were accredited anyway.

    By “accepting the risk,” DAAs or authorizing officials (often agency CIOs) were getting closer to a higher grade in security without doing more than producing more documentation about a...

  20. CHAPTER 14: AUTHORIZATION AND THE SYSTEM LIFE CYCLE (SLC)
    (pp. 534-543)

    When do you really have to start paying attention to security requirements for your information system? The answer is – from the very earliest stages of planning for the system to its final disposal. By considering security early in the information system life cycle (SLC), you might avoid higher costs later on and even have a more secure information system.

    Federal agencies spend millions of dollars each year on the acquisition, design, development, implementation, and maintenance of information systems essential to their mission and day-to-day operations. The need for safe, secure, and reliable information systems is heightened by the increased...

  21. CHAPTER 15: INFORMATION SYSTEMS SECURITY TRAINING AND CERTIFICATION
    (pp. 544-552)

    Organizations frequently focus on mitigating risk by investing in and implementing new technologies. But they often fail to leverage their most critical asset – people. Your personnel are both your greatest security resource and your greatest potential source of security vulnerability.

    They have access to your agency’s most vital information. They may either have the knowledge to circumvent the systems that have been put in place to protect the organization’s information, or a lack of knowledge about what is needed to protect this information.

    People can be the last line of defense in a network. But if they don’t have...

  22. CHAPTER 16: THE FUTURE – REVITALIZING AND TRANSFORMING C&A
    (pp. 553-571)

    There is a revolutionary top-to-bottom transformation of certification and accreditation (C&A) in progress that is really about changing the way the entire national community manages security risk. One of the primary goals of the C&A transformation has been to break down unnecessary barriers between its members and to improve information sharing and reciprocity among the information systems security, information technology provider, and information technology user communities. The partnership encompasses the Department of Defense (DOD), the Director of National Intelligence (DNI), the Committee on National Security Systems (CNSS), the National Institute of Science and Technology (NIST), the Office of Management and...

  23. THE RESOURCE CD
    (pp. 572-583)
  24. GLOSSARY
    (pp. 584-592)
  25. ACRONYMS
    (pp. 593-599)
  26. ITG RESOURCES
    (pp. 600-601)