CHAPTER ONE

INTRODUCTION

THE NEED FOR SECURITY CERTIFICATION AND ACCREDITATION

The E-Government Act (Public Law 107-347) passed by the one hundred and seventh Congress and signed into law by the President in December 2002 recognized the importance of information security¹ to the economic and national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA), requires each federal agency to develop, document, and implement an agency-wide information security program to provide information security for the information and information systems² that support the operations³ and assets of the agency, including those provided or managed by another agency, contractor, or other source. The information security program must include:

• Periodic assessments of risk, including the magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency;
• Policies and procedures that are based on risk assessments, cost-effectively reduce information security risks to an acceptable level, and ensure that information security is addressed throughout the life cycle of each agency information system;
• Subordinate plans for providing adequate information security for networks, facilities, information systems, or groups of information systems, as appropriate;
• Security awareness training to inform personnel (including contractors and other users of information systems that support the operations and assets of the agency) of the information security risks associated with their activities and their responsibilities in complying with agency policies and procedures designed to reduce these risks;
• Periodic testing and evaluation of the effectiveness of information security policies, procedures, practices, and security controls⁴ to be performed with a frequency depending on risk, but no less than annually;
• A process for planning, implementing, evaluating, and documenting remedial actions to address any deficiencies in the information security policies, procedures, and practices of the agency;
• Procedures for detecting, reporting, and responding to security incidents; and
• Plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.

FISMA, the Paperwork Reduction Act of 1995, and the Information Technology Management Reform Act of 1996 (Clinger-Cohen Act), explicitly emphasize a risk-based policy for cost- effective security. In support of and reinforcing this legislation, the Office of Management and Budget (OMB) through Circular A-130, Appendix III, Security of Federal Automated Information Resources, requires executive agencies⁵ within the federal government to:

• Plan for security;
• Ensure that appropriate officials are assigned security responsibility;
• Review the security controls in their information systems; and
• Authorize system processing prior to operations and periodically thereafter.

These management responsibilities presume that responsible agency officials understand the risks and other factors that could adversely affect their missions. Moreover, these officials must understand the current status of their security programs and the security controls planned or in place to protect their information and information systems in order to make informed judgments and investments that appropriately mitigate risk to an acceptable level. The ultimate objective is to conduct the day-to-day operations of the agency and to accomplish the agency's stated missions with what OMB Circular A-130, Appendix III, defines as adequate security, or security commensurate with risk, including the magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information.

Security accreditation⁶ is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations, agency assets, or individuals⁷ based on the implementation of an agreed-upon set of security controls. The senior agency official should have the authority to oversee the budget and business operations of the information system. Required by OMB Circular A-130, Appendix III, security accreditation provides a form of quality control and challenges managers and technical staffs at all levels to implement the most effective security controls possible in an information system, given mission requirements, technical constraints, operational constraints, and cost/schedule constraints. By accrediting an information system, an agency official accepts responsibility for the security of the system and is fully accountable for any adverse impacts to the agency if a breach of security occurs. Thus, responsibility and accountability are core principles that characterize security accreditation.

The assessment of risk and the development of system security plans are two important activities in an agency's information security program that directly support security accreditation and are required by FISMA and OMB Circular A-130, Appendix III. risk assessments influence the development of the security controls for information systems and generate much of the information needed for the associated system security plans. risk assessments can be accomplished in a variety of ways depending on the specific needs of the agency. Some agencies may choose to assess risk informally. Other agencies may choose to employ a more formal and structured approach. In either case, the assessment of risk is a process that should be incorporated into the system development life cycle. At a minimum, documentation should be produced that describes the process employed and the results obtained. system security plans provide an overview of the information security requirements and describe the security controls in place or planned for meeting those requirements. system security plans can include as references or attachments, other important security-related documents (e.g., risk assessments, contingency plans, incident response plans, security awareness and training plans, information system rules of behavior, configuration management plans, security configuration checklists, privacy impact assessments, system interconnection agreements) produced as part of an agency's information security program.⁸

In addition to risk assessments and system security plans, security assessments play an important role in security accreditation. It is essential that agency officials have the most complete, accurate, and trustworthy information possible on the security status of their information systems in order to make timely, credible, risk-based decisions on whether to authorize operation of those systems. The information and supporting evidence needed for security accreditation is developed during a detailed security review of an information system, typically referred to as security certification. Security certification is a comprehensive assessment of the management, operational, and technical security controls⁹ in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. The results of a security certification are used to reassess the risks and update the system security plan, thus providing the factual basis for an Authorizing Official to render a security accreditation decision.

By accrediting an information system, an agency official accepts the risks associated with operating the system and the associated implications on agency operations, agency assets, or individuals. Completing a security accreditation ensures that an information system will be operated with appropriate management review, that there is ongoing monitoring of security controls, and that reaccreditation occurs periodically in accordance with federal or agency policy and whenever there is a significant change to the system or its operational environment.¹⁰

1.1 PURPOSE AND APPLICABILITY

The purpose of this publication is to provide guidelines for the security certification and accreditation of information systems supporting the executive agencies of the federal government. The guidelines have been developed to help achieve more secure information systems within the federal government by:

• Enabling more consistent, comparable, and repeatable assessments of security controls in federal information systems;
• Promoting a better understanding of agency-related mission risks resulting from the operation of information systems; and
• Creating more complete, reliable, and trustworthy information for Authorizing Officials-to facilitate more informed security accreditation decisions.

The guidelines provided in this special publication are applicable to all federal information systems other than those systems designated as national security systems as defined in 44 U.S.C., Section 3542.¹¹ The guidelines have been broadly developed from a technical perspective so as to be complementary to similar guidelines for national security systems. This publication provides augmented, updated security certification and accreditation information to federal agencies and will functionally replace Federal Information Processing Standards (FIPS) 102, Guidelines for Computer Security Certification and Accreditation, September 1983, when it is rescinded. State, local, and tribal governments, as well as private sector organizations comprising the critical infrastructure of the United States, are encouraged to consider the use of these guidelines, as appropriate.

1.2 SYSTEM DEVELOPMENT LIFE CYCLE

All federal information systems, including operational systems, systems under development, and systems undergoing some form of modification or upgrade, are in some phase of what is commonly referred to as the system development life cycle.¹² There are many activities occurring during the life cycle of an information system dealing with the issues of cost, schedule, and performance. In addition to the functional requirements levied on an information system, security requirements must also be considered. When fully implemented, the information system must be able to meet its functional requirements and do so in a manner that is secure enough to protect agency operations, agency assets, and individuals.

In accordance with the provisions of FISMA, agencies are required to have an agency-wide information security program and that program should be effectively integrated into the system development life cycle. For new information systems (or major upgrades to information systems), the security certification and accreditation tasks begin early in the system development life cycle during the initiation, development, and acquisition phases and are important in shaping and influencing the security capabilities of the system. For operational systems and older legacy systems, the certification and accreditation tasks may, by necessity, begin later in the system development life cycle during the operations and maintenance phase and be more costly to implement. In either situation, all of the tasks should be completed to ensure that:

• The information system has received the necessary attention with regard to security; and
• The Authorizing Official explicitly accepts the risk to agency operations, agency assets, or individuals based on the implementation of an agreed-upon set of security controls.

1.3 ORGANIZATION OF THIS SPECIAL PUBLICATION

The remainder of this special publication is organized as follows:

• Chapter 2 describes the fundamentals of security certification and accreditation and includes: (i) an agency-wide view on cost-effective implementation; (ii) the roles and responsibilities of key participants; (iii) the considerations for determining accreditation boundaries; (iv) an introduction to common security controls; (v) types of accreditation decisions; (vi) requirements for supporting documentation; and (vii) the need for continuous monitoring of security controls.
• Chapter 3 provides an overview of the different phases of the security certification and accreditation process and includes: (i) a description of the associated tasks and subtasks in each phase; (ii) the responsibilities of various participants in each subtask; (iii) guidance to help explain how to execute each subtask; (iv) supplemental guidance for low-impact information systems; and (v) appropriate references to supporting policies, standards, and guidelines.
• Supporting appendices provide more detailed security certification and accreditation-related information and include: (i) general references; (ii) definitions and terms; (iii) acronyms; (iv) summary of tasks and subtasks; and (v) sample accreditation transmittal and decision letters.