CHAPTER TWO

THE FUNDAMENTALS

BASIC CONCEPTS ASSOCIATED WITH SECURITY CERTIFICATION AND ACCREDITATION

The purpose of this chapter is to describe the fundamentals of security certification and accreditation to include: (i) agency-level activities that can promote more cost-effective certification and accreditation processes; (ii) roles and responsibilities of key participants; (iii) approaches for determining accreditation boundaries; (iv) partitioning of security controls to facilitate reuse of assessment results; (v) types of security accreditation decisions; (vi) necessary documentation and supporting materials; and (vii) ongoing activities employed to monitor the effectiveness of security controls.

2.1 SECURITY CERTIFICATION AND ACCREDITATION

While security certification and accreditation are very closely related, they are indeed very distinct activities. Security accreditation is about the acceptance and management of risk-the risk to agency operations, agency assets, or individuals that results from the operation of an information system. Authorizing Officials must be able to determine the risk to operations, assets, or individuals and the acceptability of such risk given the mission or business needs of their agencies. Authorizing Officials must weigh the appropriate factors and decide to either accept or reject the risk to their respective agencies. To ensure that Authorizing Officials make credible, risk-based decisions, the following questions must be answered during the security certification and accreditation process:

Does the potential risk to agency operations, agency assets, or individuals described in the system security plan (or risk assessment) prior to security certification appear to be correct, and if so, would this risk be acceptable?
Are the security controls in the information system effective in achieving the desired level of protection as defined by the security requirements for the system?
What specific actions have been taken or are planned to correct any deficiencies in the security controls for the information system and to reduce or eliminate known vulnerabilities-and have resources been allocated to accomplish those actions?
How do the results of security certification translate into actual agency-level risk and is this risk acceptable?

Security certification directly supports security accreditation by providing Authorizing Officials with important information necessary to make credible, risk-based decisions on whether to place information systems into operation or continue their current operation. This information is produced by assessing the security controls in the information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Security certification can include a variety of assessment methods (e.g., interviewing, inspecting, studying, testing, demonstrating, and analyzing) and associated assessment procedures depending on the depth and breadth of assessment required by the agency.¹³

The determination as to whether the security controls selected are in fact adequate to meet the security requirements for the information system is made during the initiation phase of the system development life cycle. It is in this phase of the life cycle that security requirements are established, security controls selected, and the Authorizing Official and Senior Agency Information Security Officer approve the system security plan.¹⁴ For legacy information systems (i.e., systems that are currently in the operations and maintenance phase of the system development life cycle), the determination of security control adequacy is, once again, accomplished prior to security certification when the system security plan is approved.

Security certification does not include the determination of risk to agency operations, agency assets, or individuals. The determination of program-level or agency-level risk generally requires a broader, more strategic view of the agency than can be obtained from the more technically focused, system-level view of the information system that results from security certification. Authorizing Officials or their designated representatives are better positioned to make mission risk determinations based on the known vulnerabilities remaining in the information system after the implementation of an agreed-upon set of security controls. The ultimate decision on the acceptability of such risk is the responsibility of the Authorizing Official. Authorizing Officials or their designated representatives may, when needed, consult other individuals within the agency (e.g., Senior Agency Information Security Officers, Information System Owners, information system security officers, or certification agents), at any phase in the certification and accreditation process to obtain advice on the security of the information system. Figure 2.1 illustrates the relationship between information system vulnerabilities and program/agency-level, mission risk.

FIGURE 2.1 INFORMATION SYSTEM VULNERABILITIES AND MISSION RISK

Security accreditation is part of a dynamic, ongoing risk management process. An information system is authorized for operation at a specific point in time reflecting the current security state of the system. The inevitable changes to the information system (including hardware, firmware, software and people) and the potential impact those changes may have on agency operations, agency assets, or individuals, require a structured and disciplined process capable of monitoring the effectiveness of the security controls in the information system on an ongoing basis. Thus, the initial security accreditation must be supplemented and reinforced by a continuous monitoring process that: (i) tracks the changes to the information system; (ii) analyzes the security impact of those changes; (iii) makes appropriate adjustments to the security controls and the system security plan; and (iv) reports the security status of the system to appropriate agency officials. The following questions should be answered during the continuous monitoring process:

Could any of the changes to the information system affect the current, identified vulnerabilities in the system or introduce new vulnerabilities into the system?
If so, would the resulting risk to agency operations, agency assets, or individuals be unacceptable?
When will the information system need to be reaccredited in accordance with federal or agency policy?

The successful completion of the security certification and accreditation process provides agency officials with the necessary confidence that the information system has adequate security controls, that any vulnerabilities in the system have been considered in the risk-based decision to authorize processing, and that appropriate plans and funds have been identified to correct any deficiencies in the information system.

An agency-wide Perspective

When considering the prospect of accrediting agency information systems, it is important to put these activities into perspective with respect to the agency's mission and operational responsibilities. Employing more secure information systems is critical to the success of an agency in carrying out its mission and conducting its day-to-day functions. However, security is only one of many factors that must be considered by agency officials in the design, development, acquisition, operation, and maintenance of information systems. In the end, agencies must have systems that provide a high degree of functionality and adequate security so as not to place their respective missions at unacceptable levels of risk. The increasing costs required to adequately protect agency information systems necessitates an agency-wide view of security to make the costs more manageable.¹⁵ Agencies must consider their entire inventory of information systems when developing appropriate strategies and programs for protecting those systems and managing agency-level risks. The cost of accrediting large numbers of information systems with varying degrees of complexity is a critical issue facing agencies today. The solution to this problem can be found in part, by creating and maintaining an agency- wide information security program that promotes the reuse and sharing of security control development, implementation, and assessment-related information including:

Employment of standardized security controls and methods for assessing those controls;
Development of standardized assessment plans, methods and procedures to be used in security certifications and accreditations;
Adoption, specification, and promulgation of standardized policies, procedures, and documentation for common security program areas (e.g., rules of behavior, system administration, auditing, system monitoring, vulnerability scanning, management of user accounts, configuration management, incident response, contingency planning, and system maintenance);
Refinement of policies, procedures, and documentation on a system-by-system basis, as needed, by preparing amendments or adding system-specific appendices;
Adoption, publication, and distribution (preferably in an online database) of agency prescribed or developed security implementation guidance;
Establishment of a protected central repository, preferably online, for all certification and accreditation documentation, acquisition-related information, risk and vulnerability assessments, compliance surveys, security incident reporting and remediation results, external security audits, and making these easily accessible by appropriate agency personnel; and
Procurement of agency-wide licenses for automated tools such as vulnerability scanners, online security monitoring tools, audit reduction tools, and certification and accreditation support tools.

Since the cost of security certification and accreditation can be substantial, it is important to leverage the results of previous assessments and audits that have been conducted on an agency's information system or the particular components comprising that system. Several potential sources for consideration include: (i) commercial product testing and evaluation programs;¹⁶ (ii) privacy impact assessments; (iii) physical security assessments; (iv) self-assessments;¹⁷ and (v) internal and external audits.¹⁸ These assessments and audits can support the security certification and accreditation process in two important ways. First, the assessment and audit results can be used to gauge the preparedness of an information system for security certification and accreditation by examining the status of key security controls in the system. Second, the results produced during these assessments and audits can be considered and potentially reused, when appropriate, during the security certification and accreditation process.¹⁹ Bringing in assessment and audit results from multiple sources that the security controls in an information system are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system, not only reduces the potential cost of security certification and accreditation but also increases the overall confidence in the final results.

Reuse and sharing of security control development, implementation, and assessment-related information can significantly reduce agency security costs in new acquisitions, certifications and accreditations of similar information systems, and reaccreditations of existing systems-and can ultimately result in a more consistent application of security solutions, agency-wide.

2.2 ROLES AND RESPONSIBILITIES

The following sections describe the roles and responsibilities of key participants involved in an agency's security certification and accreditation process.²⁰ Recognizing that agencies have widely varying missions and organizational structures, there may be differences in naming conventions for certification and accreditation-related roles and how the associated responsibilities are allocated among agency personnel (e.g., multiple individuals filling a single role or one individual filling multiple roles²¹). However, the basic functions remain the same. The security certification and accreditation process described in this special publication is flexible, allowing agencies to effectively accomplish the intent of the specific tasks within their respective organizational structures to best manage the risks to agency operations, agency assets, or individuals.

Chief Information Officer

The Chief Information Officer ²² is the agency official responsible for: (i) designating a Senior Agency Information Security Officer; (ii) developing and maintaining information security policies, procedures, and control techniques to address all applicable requirements; (iii) training and overseeing personnel with significant responsibilities for information security; (iv) assisting senior agency officials concerning their security responsibilities; and (v) in coordination with other senior agency officials, reporting annually to the agency head on the effectiveness of the agency information security program, including progress of remedial actions. The Chief Information Officer, with the support of the Senior Agency Information Security Officer, works closely with Authorizing Officials and their designated representatives to ensure that an agency- wide security program is effectively implemented, that the certifications and accreditations required across the agency are accomplished in a timely and cost-effective manner, and that there is centralized reporting of all security-related activities.

To achieve a high degree of cost effectiveness with regard to security, the Chief Information Officer encourages the maximum reuse and sharing of security-related information including: (i) threat and vulnerability assessments; (ii) risk assessments; (iii) results from common security control assessments; and (iv) any other general information that may be of assistance to Information System Owners and their supporting security staffs. In addition to the above duties, the Chief Information Officer and Authorizing Officials determine the appropriate allocation of resources dedicated to the protection of the agency's information systems based on organizational priorities. In certain instances, the Chief Information Officer may be designated as the Authorizing Official for agency-wide general support systems or as a co-Authorizing Official with other senior officials for selected agency information systems.

Authorizing Official

The Authorizing Official (or designated approving/accrediting authority as referred to by some agencies) is a senior management official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations, agency assets, or individuals.²³ Through security accreditation, the Authorizing Official assumes responsibility and is accountable for the risks associated with operating an information system. The Authorizing Official should have the authority to oversee the budget and business operations of the information system within the agency and is often called upon to approve system security requirements, system security plans, and memorandums of agreement and/or memorandums of understanding. In addition to authorizing operation of an information system, the Authorizing Official can also: (i) issue an interim authorization to operate the information system under specific terms and conditions; or (ii) deny authorization to operate the information system (or if the system is already operational, halt operations) if unacceptable security risks exist. With the increasing complexities of agency missions and organizations, it is possible that a particular information system may involve multiple Authorizing Officials. If so, agreements should be established among the Authorizing Officials and documented in the system security plan. In most cases, it will be advantageous to agree to a lead Authorizing Official to represent the interests of the other Authorizing Officials. The Authorizing Official has inherent U.S. government authority and, as such, must be a government employee.

Authorizing Official Designated Representative

Due to the breadth of organizational responsibilities and significant demands on time, an Authorizing Official cannot always be expected to participate directly in the planning and technical meetings that occur during the security certification and accreditation process. The Authorizing Official's designated representative is an individual acting on the Authorizing Official's behalf in coordinating and carrying out the necessary activities required during the security certification and accreditation of an information system. The Authorizing Official's designated representative interacts with the Senior Agency Information Security Officer, Information System Owner, Information System Security Officer, Certification Agent, User Representative(s), and other interested parties during the security certification and accreditation process. The designated representative can be empowered by the Authorizing Official to make certain decisions with regard to the planning and resourcing of the security certification and accreditation activities, the acceptance of the system security plan, and the determination of risk to agency operations, agency assets, and individuals. The designated representative may also be called upon to prepare the final security accreditation package, obtain the Authorizing Official's signature on the security accreditation decision letter, and transmit the accreditation package to the appropriate agency officials. The only activity that cannot be delegated by the Authorizing Official is the security accreditation decision and the signing of the associated accreditation decision letter (i.e., the acceptability of risk to the agency). If a designated representative is not selected, the Authorizing Official is responsible for carrying out the activities described above.

Senior Agency Information Security Officer

The Senior Agency Information Security Officer is the agency official responsible for: (i) carrying out the Chief Information Officer responsibilities under FISMA; (ii) possessing professional qualifications, including training and experience, required to administer the information security program functions; (iii) having information security duties as that official's primary duty; and (iv) heading an office with the mission and resources to assist in ensuring agency compliance with FISMA. The Senior Agency Information Security Officer (or supporting staff member) may also serve as the Authorizing Official's designated representative. The Senior Agency Information Security Officer serves as the Chief Information Officer's primary liaison to the agency's Authorizing Officials, Information System Owners, and information system security officers.

Information System Owner

The Information System Owner ²⁴ is an agency official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system. The Information System Owner is responsible for the development and maintenance of the system security plan and ensures the system is deployed and operated according to the agreed-upon security requirements. The Information System Owner is also responsible for deciding who has access to the information system (and with what types of privileges or access rights) and ensures that system users and support personnel receive the requisite security training (e.g., instruction in rules of behavior). The Information System Owner informs key agency officials of the need to conduct a security certification and accreditation of the information system, ensures that appropriate resources are available for the effort, and provides the necessary system-related documentation to the Certification Agent.²⁵ The Information System Owner receives the security assessment results from the Certification Agent. After taking appropriate steps to reduce or eliminate vulnerabilities, the Information System Owner assembles the security accreditation package and submits the package to the Authorizing Official or the Authorizing Official's designated representative for adjudication.²⁶

Information Owner

The Information Owner is an agency official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal. The Information Owner is responsible for establishing the rules for appropriate use and protection of the subject information (e.g., rules of behavior) and retains that responsibility even when the information is shared with other organizations. The owner of the information stored within, processed by, or transmitted by an information system may or may not be the same as the Information System Owner. Also, a single information system may utilize information from multiple information owners. Information owners should provide input to Information System Owners regarding the security requirements and security controls for the information systems where the information resides.

Information System Security Officer

The Information System Security Officer is the individual responsible to the Authorizing Official, Information System Owner, or the Senior Agency Information Security Officer for ensuring the appropriate operational security posture is maintained for an information system or program. The Information System Security Officer also serves as the principal advisor to the Authorizing Official, Information System Owner, or Senior Agency Information Security Officer on all matters (technical and otherwise) involving the security of the information system. The Information System Security Officer typically has the detailed knowledge and expertise required to manage the security aspects of the information system and, in many agencies, is assigned responsibility for the day-to-day security operations of the system. This responsibility may also include, but is not limited to, physical security, personnel security, incident handling, and security training and awareness. The Information System Security Officer may be called upon to assist in the development of the system security policy and to ensure compliance with that policy on a routine basis. In close coordination with the Information System Owner, the Information System Security Officer often plays an active role in developing and updating the system security plan as well as in managing and controlling changes to the system and assessing the security impact of those changes.

Certification Agent

The Certification Agent is an individual, group, or organization responsible for conducting a security certification, or comprehensive assessment of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. The Certification Agent also provides recommended corrective actions to reduce or eliminate vulnerabilities in the information system. Prior to initiating the security assessment activities that are a part of the certification process, the Certification Agent provides an independent assessment of the system security plan to ensure the plan provides a set of security controls for the information system that is adequate to meet all applicable security requirements.

To preserve the impartial and unbiased nature of the security certification, the Certification Agent should be in a position that is independent from the persons directly responsible for the development of the information system and the day-to-day operation of the system. The Certification Agent should also be independent of those individuals responsible for correcting security deficiencies identified during the security certification. The independence of the Certification Agent is an important factor in assessing the credibility of the security assessment results and ensuring the Authorizing Official receives the most objective information possible in order to make an informed, risk-based, accreditation decision. The security category of the information system as defined in FIPS 199 should guide the degree of independence of the Certification Agent. When the potential impact on agency operations, agency assets, or individuals is low, a self-assessment activity may be reasonable and appropriate and not require an independent Certification Agent. When the potential agency-level impact is moderate or high, Certification Agent independence is needed and justified.

User Representatives

Users are found at all levels of an agency. Users are responsible for the identification of mission/operational requirements and for complying with the security requirements and security controls described in the system security plan. User Representatives are individuals that represent the operational interests of the user community and serve as liaisons for that community throughout the system development life cycle of the information system. The User Representatives assist in the security certification and accreditation process, when needed, to ensure mission requirements are satisfied while meeting the security requirements and employing the security controls defined in the system security plan.

Delegation of Roles

At the discretion of senior agency officials, certain security certification and accreditation roles may be delegated and if so, appropriately documented. Agency officials may appoint appropriately qualified individuals, to include contractors, to perform the activities associated with any security certification and accreditation role with the exception of the Chief Information Officer and Authorizing Official. The Chief Information Officer and Authorizing Official have inherent United States Government authority, and those roles should be assigned to government personnel only. Individuals serving in delegated roles are able to operate with the authority of agency officials within the limits defined for the specific certification and accreditation activities. Agency officials retain ultimate responsibility, however, for the results of actions performed by individuals serving in delegated roles.

2.3 ACCREDITATION BOUNDARIES

One of the most difficult and challenging problems for Authorizing Officials and Senior Agency Information Security Officers is identifying appropriate security accreditation boundaries for agency information systems. Accreditation boundaries for agency information systems need to be established before the conduct of initial risk assessments and development of system security plans. Boundaries that are unnecessarily expansive (i.e., including too many hardware, software, and firmware components) make the security certification and accreditation process extremely unwieldy and complex. Boundaries that are unnecessarily limited (i.e., including too few hardware, software, and firmware components) increase the number of security certifications and accreditations that must be conducted and thus drive up the total security costs for the agency. The guidelines in the following sections are provided to assist agencies in defining information system boundaries to strike a balance between the costs and benefits of security certification and accreditation.

Establishing Information System Boundaries

The process of uniquely assigning information resources²⁷ to an information system defines the security accreditation boundary for that system. Agencies have great flexibility in determining what constitutes an information system (i.e., major application or general support system) and the resulting security accreditation boundary that is associated with that system. If a set of information resources is identified as an information system, the resources should generally be under the same direct management control.²⁸ Direct management control does not necessarily imply that there is no intervening management. It is quite possible for multiple information systems to be validly considered subsystems²⁹ of a single, larger system provided all of these subsystems fall under the same higher management authority. This situation may arise in many agencies when other than major applications (i.e., minor applications) are coalesced for purposes of security certification and accreditation into a general support system. In addition to the consideration of direct management control, it may also be helpful for agencies to consider if the information resources being identified as an information system:

Have the same function or mission objective and essentially the same operating characteristics and security needs; and
Reside in the same general operating environment (or in the case of a distributed information system, reside in various locations with similar operating environments).

While the above considerations may be useful to agencies in determining information system boundaries for purposes of security accreditation, they should not be viewed as limiting the agency's flexibility in establishing common sense boundaries that promote effective information security within the available resources of the agency. Authorizing Officials and Senior Agency Information Security Officers should consult with prospective Information System Owners when establishing information system and security accreditation boundaries. The process of establishing boundaries for agency information systems and the associated security certification and accreditation implications, is an agency-level activity that should include careful negotiation among all key participants-taking into account the mission/business requirements of the agency, the technical considerations with respect to information security, and the programmatic costs to the agency.

Supplementing the above considerations, FIPS 199, Standards for Security Categorization of Federal Information and information systems, defines security categories for information systems based on potential impact on organizations or individuals should there be a breach of security-that is, a loss of confidentiality, integrity (including authenticity and non-repudiation), or availability.³⁰ FIPS 199 security categories can play an important part in defining accreditation boundaries by partitioning the agency's information systems according to the criticality or sensitivity of the systems and the importance of those systems in accomplishing the agency's mission. The partitioning process facilitates the cost-effective application of security controls to achieve adequate security commensurate with the mission/business functions being supported by the respective information systems.

Boundaries for Large and Complex information systems

The application of security controls within large and complex information systems, even when using FIPS 199 to categorize those systems, may be cost-prohibitive and technically infeasible for the agency. Accordingly, any attempt to assess the security controls in such systems may also be cost-prohibitive and unrealistic. To make this problem more manageable, Authorizing Officials should examine the nature of the information systems being considered for security certification and accreditation and the feasibility of decomposing the systems into more manageable components. The decomposition of large and complex systems into multiple components, or subsystems, facilitates the application of the security certification and accreditation process in a more cost-effective manner.

For large and complex information systems, the Authorizing Official and Senior Agency Information Security Officer may define subsystem components with established subsystem boundaries. The decomposition into subsystem components should be reflected in the system security plan for that large and complex information system. Each subsystem component is fully described in the system security plan, an appropriate security category assigned in accordance with FIPS 199, and an appropriate set of security controls identified. The extent to which the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the information system, can be determined by combining security assessments at the subsystem level and adding system-level considerations. This facilitates a more cost-effective certification and accreditation process by enabling scaling of the effort at the subsystem level in accordance with that subsystem's security category and allowing for reuse of certification results at the system level.

To illustrate a simple example of system decomposition and the resulting subsystems, consider a general support system that contains a system guard that monitors the flow of information between two local area networks. The general support system, in this case, can be partitioned into three subsystem components: (i) local area network Alpha; (ii) local area network Bravo; and (iii) the system guard separating the two networks.³¹ When all subsystems within the information system have completed the security certification process, an additional certification is performed on the system-level security controls not covered by the individual subsystem certifications, and the results are bundled together into the accreditation package and presented as evidence to the Authorizing Official. Figure 2.2 illustrates the concept of information system decomposition and the security certification and accreditation process for a large and complex system.

FIGURE 2.2 DECOMPOSITION OF LARGE AND COMPLEX INFORMATION SYSTEMS

2.4 COMMON SECURITY CONTROLS

An agency-wide view of the security program facilitates the identification of common security controls that can be applied to one or more agency information systems. Common security controls can apply to: (i) all agency information systems; (ii) a group of information systems at a specific site (sometimes associated with the terms site certification/accreditation); or (iii) common information systems, subsystems, or applications (i.e., common hardware, software, and/or firmware) deployed at multiple operational sites (sometimes associated with the terms type certification/accreditation). Common security controls, typically identified during a collaborative agency-wide process with the involvement of the Chief Information Officer, Senior Agency Information Security Officer, Authorizing Officials, Information System Owners, and information system security officers (and by developmental program managers in the case of common security controls for common hardware, software, and/or firmware) have the following properties:

The development, implementation, and assessment of common security controls can be assigned to responsible agency officials or organizational elements (other than the Information System Owners whose systems will implement or use those common security controls); and
The results from the assessment of the common security controls can be used to support the security certification and accreditation processes of agency information systems where those controls have been applied.

Many of the management and operational controls (e.g., contingency planning controls, incident response controls, security training and awareness controls, personnel security controls, and physical security controls) needed to protect an information system may be excellent candidates for common security control status. The objective is to reduce security costs by centrally managing the development, implementation, and assessment of the common security controls designated by the agency-and subsequently, sharing assessment results with the owners of information systems where those common security controls are applied. Security controls not designated as common controls are considered system-specific controls and are the responsibility of the Information System Owner. system security plans should clearly identify which security controls have been designated as common security controls and which controls have been designated as system-specific controls.

2.5 ACCREDITATION DECISIONS

Security accreditation decisions resulting from security certification and accreditation processes should be conveyed to Information System Owners. To ensure the agency's business and operational needs are fully considered, the Authorizing Official should meet with the Information System Owner prior to issuing the security accreditation decision to discuss the security certification findings and the terms and conditions of the authorization. There are three types of accreditation decisions that can be rendered by Authorizing Officials:

Authorization to operate;
Interim authorization to operate; and
Denial of authorization to operate.

Authorization to Operate

If, after assessing the results of the security certification, the Authorizing Official deems that the risk to agency operations, agency assets, or individuals is acceptable, an authorization to operate is issued for the information system. The information system is authorized without any significant restrictions or limitations on its operation. Although not affecting the security accreditation decision, Authorizing Officials should take specific actions to reduce or eliminate identified vulnerabilities, where it is cost-effective to do so. The Information System Owner should establish a disciplined and structured process to monitor the effectiveness of the security controls in the information system and the progress of any corrective actions on a continuous basis. Security reaccreditation occurs at the discretion of the Authorizing Official when significant changes have taken place in the information system or when a specified time period has elapsed in accordance with federal or agency policy.

Interim Authorization to Operate

If, after assessing the results of the security certification, the Authorizing Official deems that the risk to agency operations, agency assets, or individuals is unacceptable, but there is an overarching mission necessity to place the information system into operation or continue its operation, an interim authorization to operate may be issued. An interim authorization to operate is rendered when the identified security vulnerabilities in the information system resulting from deficiencies in the planned or implemented security controls are significant but can be addressed in a timely manner.³² An interim authorization provides a limited authorization to operate the information system under specific terms and conditions and acknowledges greater risk to the agency for a specified period of time. The terms and conditions, established by the Authorizing Official, convey limitations on information system operations.

In accordance with OMB policy, an information system is not accredited during the period of limited authorization to operate. The duration established for an interim authorization to operate should be commensurate with the risk to agency operations, agency assets, or individuals associated with the operation of the information system. When the security-related deficiencies have been adequately addressed, the interim authorization should be lifted and the information system authorized to operate. Security reaccreditation occurs at the discretion of the Authorizing Official when significant changes have taken place in the information system or when a specified time period has elapsed in accordance with federal or agency policy. The time period for reaccreditation is calculated from the date the information system receives its authorization to operate.

The plan of action and milestones submitted by the Information System Owner is used by the Authorizing Official to monitor the progress in correcting deficiencies noted during the security certification. In addition to executing the plan of action and milestones, Information System Owners should also establish a disciplined and structured process to monitor the effectiveness of the security controls in the information system during the period of limited authorization to operate. Monitoring activities should focus on the specific vulnerabilities in the information system identified during the security certification. Significant changes in the security state of the information system that occur during the period of limited authorization to operate should be reported immediately to the Authorizing Official.

Denial of Authorization to Operate

If, after assessing the results of the security certification, the Authorizing Official deems that the risk to agency operations, agency assets, or individuals is unacceptable, the authorization to operate the information system is denied. The information system is not accredited and should not be placed into operation. If the information system is currently in operation, all activity should be halted. Failure to receive authorization to operate, or an interim authorization to operate, usually indicates that there are major deficiencies in the security controls in the information system. The Authorizing Official or designated representative should work with the Information System Owner to revise the plan of action and milestones to ensure that proactive measures are taken to correct the security deficiencies in the information system.

Previous Authorizations

In the event that a new Authorizing Official is assigned responsibility for the information system, the newly assigned Authorizing Official should review the current security accreditation package (i.e., accreditation decision, decision rationale, and terms and conditions) and the current status reports from the continuous monitoring process to determine if a reaccreditation action is warranted. If the new Authorizing Official is willing to accept the currently documented risk, then reaccreditation occurs only when there is a significant change to the information system or when a specified time period has elapsed in accordance with federal or agency policy.

2.6 SUPPORTING DOCUMENTATION

The security accreditation package documents the results of the security certification and provides the Authorizing Official with the essential information needed to make a credible, risk- based decision on whether to authorize operation of the information system. Unless specifically designated otherwise by the Chief Information Officer or Authorizing Official, the Information System Owner is responsible for the assembly, compilation, and submission of the security accreditation package. The Information System Owner receives inputs from the Information System Security Officer, Certification Agent, and Senior Agency Information Security Officer during the preparation of the security accreditation package. The security accreditation package contains the following documents:

Approved system security plan;³³
Security assessment report; and
Plan of action and milestones.

The system security plan, prepared by the Information System Owner and previously approved by the Authorizing Official and/or Senior Agency Information Security Officer, provides an overview of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements. The plan can also contain as supporting appendices or as references, other key security-related documents for the information system such as the risk assessment, privacy impact assessment, contingency plan, incident response plan, configuration management plan, security configuration checklists, and any system interconnection agreements.

The security assessment report, prepared by the Certification Agent, provides the results of assessing the security controls in the information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the system security requirements. The security assessment report can also contain a list of recommended corrective actions.

The plan of action and milestones, which is prepared by the Information System Owner, describes the measures that have been implemented or planned: (i) to correct any deficiencies noted during the assessment of the security controls; and (ii) to reduce or eliminate known vulnerabilities in the information system. The Information System Owner submits the final security accreditation package to the Authorizing Official or designated representative.³⁴ Figure 2.3 illustrates the key sections of the security accreditation package.

FIGURE 2.3 CONTENTS OF THE SECURITY ACCREDITATION PACKAGE

The security accreditation decision letter transmits the security accreditation decision from the Authorizing Official to the Information System Owner. The Authorizing Official's designated representative prepares the final security accreditation decision letter for the Authorizing Official with authorization recommendations, as appropriate. The security accreditation decision letter contains the following information:

Security accreditation decision;
Supporting rationale for the decision; and
Terms and conditions for the authorization.

The security accreditation decision letter indicates to the Information System Owner whether the system is: (i) authorized to operate; (ii) authorized to operate on an interim basis under strict terms and conditions; or (iii) not authorized to operate. The supporting rationale provides the Information System Owner with the justification for the Authorizing Official's decision. The terms and conditions for the authorization provide a description of any limitations or restrictions placed on the operation of the information system that must be adhered to by the Information System Owner. The security accreditation decision letter is attached to the original accreditation package and returned to the Information System Owner.

Upon receipt of the security accreditation decision letter and accreditation package, the Information System Owner accepts the terms and conditions of the authorization. The Information System Owner keeps the original security accreditation decision letter and accreditation package on file. The Authorizing Official and Senior Agency Information Security Officer also retain copies of the security accreditation decision letter and accreditation package. The contents of security certification and accreditation-related documentation (especially information dealing with information system vulnerabilities) should be: (i) marked and protected appropriately in accordance with agency policy; and (ii) retained in accordance with the agency's record retention policy.

2.7 CONTINUOUS MONITORING

A critical aspect of the security certification and accreditation process is the post-accreditation period involving the continuous monitoring of security controls in the information system over time. An effective continuous monitoring program requires:

Configuration management and configuration control processes;
Security impact analyses on changes to the information system; and
Assessment of selected security controls in the information system and security status reporting to appropriate agency officials.³⁵

With regard to configuration management and control, it is important to document the proposed or actual changes to the information system and to subsequently determine the impact of those proposed or actual changes on the security of the system. information systems will typically be in a constant state of migration with upgrades to hardware, software, or firmware and possible modifications to the surrounding environment where the system resides. Documenting information system changes and assessing the potential impact those changes may have on the security of the system is an essential aspect of continuous monitoring and maintaining the security accreditation.

Realizing that it is not feasible or cost-effective to monitor all of the security controls in an information system on a continuous basis, the Information System Owner should select an appropriate subset of those controls for periodic assessment.³⁶ The criteria established by the Information System Owner for selecting which security controls will be monitored and for determining the frequency of such monitoring activity should reflect the agency's priorities and importance of the information system to agency operations, agency assets, or individuals.³⁷ The Authorizing Official and the Senior Agency Information Security Officer should approve the set of security controls that are to be monitored on a continuous basis as well as the monitoring frequency.

The results of continuous monitoring should be documented and reported to the Authorizing Official and Senior Agency Information Security Officer on a regular basis. The continuous monitoring results should also be considered with respect to any necessary updates to the system security plan and to the plan of action and milestones, since the Authorizing Official, Senior Agency Information Security Officer, Information System Owner, and Certification Agent will be using these plans to guide future security certification and accreditation activities. The plan of action and milestones should: (i) report progress made on the current outstanding items listed in the plan; (ii) address vulnerabilities in the information system discovered during the security impact analysis or security control monitoring; and (iii) describe how the Information System Owner intends to address those vulnerabilities (i.e., reduce, eliminate, or accept the identified vulnerabilities). The monitoring of security controls in the information system continues throughout the system development life cycle. Reaccreditation occurs when there are significant changes to the information system affecting the security of the system or when a specified time period has elapsed in accordance with federal or agency policy.

NIST SP 800-37 Chapter 2

Contents