NIST SP 800-37 Appendix D

From FISMApedia

APPENDIX D

SUMMARY OF PHASES AND RESPONSIBILITIES LISTING BY SECURITY CERTIFICATION AND ACCREDITATION TASK AND SUBTASK
| PHASES, TASKS, AND SUBTASKS | RESPONSIBILITY |
|---|---|
| Initiation Phase | |
| Task 1: Preparation | |
| Subtask 1.1: Information System Description | Information System Owner |
| Subtask 1.2: Security Categorization | Information System Owner |
| Subtask 1.3: Threat Identification | Information System Owner |
| Subtask 1.4: Vulnerability Identification | Information System Owner |
| Subtask 1.5: Security Control Identification | Information System Owner |
| Subtask 1.6: Initial Risk Determination | Information System Owner |
| Task 2: Notification and Resource Identification | |
| Subtask 2.1: Notification | Information System Owner |
| Subtask 2.2: Planning and Resources | Authorizing Official, Senior Agency Information Security Officer, Information System Owner, Certification Agent |
| Task 3: System Security Plan Analysis, Update, and Acceptance | |
| Subtask 3.1: Security Categorization Review | Authorizing Official, Senior Agency Information Security Officer, Certification Agent |
| Subtask 3.2: System Security Plan Analysis | Authorizing Official, Senior Agency Information Security Officer, Certification Agent |
| Subtask 3.3: System Security Plan Update | Information System Owner |
| Subtask 3.4: System Security Plan Acceptance | Authorizing Official, Senior Agency Information Security Officer |
| Security Certification Phase | |
| Task 4: Security Control Assessment | |
| Subtask 4.1: Documentation and Supporting Materials | Information System Owner, Certification Agent |
| Subtask 4.2: Methods and Procedures | Certification Agent |
| Subtask 4.3: Security Assessment | Certification Agent |
| Subtask 4.4: Security Assessment Report | Certification Agent |
| Task 5: Security Certification Documentation | |
| Subtask 5.1: Findings and Recommendations | Certification Agent |
| Subtask 5.2: System Security Plan Update | Information System Owner |
| Subtask 5.3: Plan of Action and Milestones Preparation | Information System Owner |
| Subtask 5.4: Accreditation Package Assembly | Information System Owner |
| Security Accreditation Phase | |
| Task 6: Security Accreditation Decision | |
| Subtask 6.1: Final Risk Determination | Authorizing Official |
| Subtask 6.2: Risk Acceptability | Authorizing Official |
| Task 7: Security Accreditation Documentation | |
| Subtask 7.1: Security Accreditation Package Transmission | Authorizing Official |
| Subtask 7.2: System Security Plan Update | Information System Owner |
| Continuous Monitoring Phase | |
| Task 8: Configuration Management and Control | |
| Subtask 8.1: Documentation of Information System Changes | Information System Owner |
| Subtask 8.2: Security Impact Analysis | Information System Owner |
| Task 9: Security Control Monitoring | |
| Subtask 9.1: Security Control Selection | Information System Owner |
| Subtask 9.2: Selected Security Control Assessment | Information System Owner |
| Task 10: Status Reporting and Documentation | |
| Subtask 10.1: System Security Plan Update | Information System Owner |
| Subtask 10.2: Plan of Action and Milestones Update | Information System Owner |
| Subtask 10.3: Status Reporting | Information System Owner |