NIST SP 800-37 Chapter 3


CHAPTER THREE

THE PROCESS

PHASES AND TASKS ASSOCIATED WITH SECURITY CERTIFICATION AND ACCREDITATION

The security certification and accreditation process consists of four distinct phases: (i) an Initiation Phase; (ii) a Security Certification Phase; (iii) a Security Accreditation Phase; and (iv) a Continuous Monitoring Phase. Each phase consists of a set of well-defined tasks and subtasks that are to be carried out, as indicated, by responsible individuals (e.g., the Chief Information Officer, Authorizing Official, Authorizing Official's designated representative, Senior Agency Information Security Officer, Information System Owner, information owner, Information System Security Officer, Certification Agent, and User Representatives). The security certification and accreditation activities can be applied to an information system at appropriate phases in the system development life cycle. Additionally, the activities can be tailored to apply a level of effort and rigor that is most suitable for the information system undergoing security certification and accreditation. Figure 3.1 provides a high-level view of the security certification and accreditation process, including the tasks associated with each phase in the process. A summary table of all security certification and accreditation tasks and subtasks and the individuals responsible for accomplishing those tasks and subtasks is provided in Appendix D.

FIGURE 3.1 SECURITY CERTIFICATION AND ACCREDITATION PROCESS

Scalability of the Security Certification and Accreditation Process

There is a general expectation that the level of effort for security certification and accreditation (expressed in terms of degree of rigor and formality) should be scalable to the FIPS 199 security category of the information system. The concept is straightforward: the agency information systems with greater sensitivity and/or criticality have greater potential for adversely affecting agency operations, agency assets, or individuals and therefore demand:

The FIPS 199 security category of an information system influences the initial selection of security controls from NIST Special Publication 800-53 and the initial selection of assessment methods and procedures from NIST Special Publication 800-53A. The level of effort applied to the security certification and accreditation tasks and subtasks should be commensurate with the strength of the security controls selected and the rigor and formality of the assessment methods and procedures selected. The tasks outlined in this chapter apply to all FIPS 199 security categories. However, the scalability of the security certification and accreditation process can be applied to low-impact information systems. As stated in FIPS 199:

"For a low-impact information system, the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on agency operations, agency assets, or individuals. A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals."

Since the agency-level risk in operating a low-impact information system is minimal, by definition, the level of effort applied to the security certification and accreditation of that system should be commensurate with that level of risk. While all of the certification and accreditation tasks apply to low-impact information systems, supplemental guidance is provided in the subtasks to address the appropriate level of effort (i.e., degree of rigor and formality) for the certification and accreditation process. The scalability of the certification and accreditation process for low-impact systems results in the elimination of the independent Certification Agent, the incorporation of self-assessment activities, and a reduction in the associated level of supporting documentation.

3.1 INITIATION PHASE

The Initiation Phase consists of three tasks: (i) preparation; (ii) notification and resource identification; and (iii) system security plan analysis, update, and acceptance. The purpose of this phase is to ensure that the Authorizing Official and Senior Agency Information Security Officer are in agreement with the contents of the system security plan, including the system's documented security requirements, before the Certification Agent begins the assessment of the security controls in the information system. The early involvement of the Authorizing Official and Senior Agency Information Security Officer, with key participants such as the Information System Owner, information owner, Information System Security Officer, Certification Agent, and User Representatives, is paramount to the success of the security certification and accreditation effort. A significant portion of the information needed for the Initiation Phase should have been previously generated by the Information System Owner during: (i) the initial risk assessment; (ii) the development of the system security plan; and (iii) the conduct of previous assessments (e.g., security testing and evaluation, independent verification and validation, independent audits). For new information systems or systems undergoing major upgrades, this information is typically produced during the initiation phase of the system development life cycle when system requirements are established. For legacy systems currently in the operations and maintenance phase of the system development life cycle, this information is obtained from the most recent system security plans and risk assessments. In most cases, risk assessments and system security plans have been previously reviewed and approved by agency officials. Thus, the subtasks in Task 1 (preparation task) should not require any additional work on the part of the Information System Owner above and beyond what has already been accomplished as part of the system development life cycle. Rather, the Initiation Phase of the security certification and accreditation process serves as a checkpoint to confirm that the system security plan and risk assessment have been completed. If an Information System Owner has not completed a risk assessment and a system security plan, those activities should be completed prior to proceeding with the security certification and accreditation process.

TASK 1: PREPARATION

The objective of the preparation task is to prepare for security certification and accreditation by reviewing the system security plan and confirming that the contents of the plan are consistent with an initial assessment of risk.

INFORMATION SYSTEM DESCRIPTION

SUBTASK 1.1: Confirm that the information system has been fully described and documented in the system security plan or an equivalent document.

RESPONSIBILITY: Information System Owner.
GUIDANCE: A typical system description includes: (i) the name of the information system; (ii) a unique identifier for the information system; (iii) the status of the information system with respect to the system development life cycle; (iv) the name and location of the organization responsible for the information system; (v) contact information for the Information System Owner or other individuals knowledgeable about the information system; (vi) contact information for the individual(s) responsible for the security of the information system; (vii) the purpose, functions, and capabilities of the information system; (viii) the types of information processed, stored, and transmitted by the information system; (ix) the boundary of the information system for operational authorization (or security accreditation); (x) the functional requirements of the information system; (xi) the applicable laws, directives, policies, regulations, or standards affecting the security of the information and the information system; (xii) the individuals who use and support the information system (including their organizational affiliations, access rights, privileges, and citizenship, if applicable); (xiii) the architecture of the information system; (xiv) hardware and firmware devices (including wireless); (xv) system and applications software (including mobile code); (xvi) hardware, software, and system interfaces (internal and external); (xvii) information flows (i.e., inputs and outputs); (xviii) the network topology; (xix) network connection rules for communicating with external information systems; (xx) interconnected information systems and unique identifiers for those systems; (xxi) encryption techniques used for information processing, transmission, and storage; (xxii) public key infrastructures, certificate authorities, and certificate practice statements; (xxiii) the physical environment in which the information system operates; and (xxiv) web protocols and distributed, collaborative computing environments (processes and applications). The level of detail provided in the system security plan depends on the availability of information to the organization preparing the plan and is also commensurate with the FIPS 199 security category of the information system (i.e., the level of detail in the system security plan increases as the potential impact on agency operations, agency assets, or individuals increases). Descriptive information about the information system is typically documented in the system identification section of the system security plan or, in some cases, included in attachments to the plan. System identification information can also be provided by reference.
Supplemental Guidance for Low-Impact Systems: None.
REFERENCES: NIST Special Publications 800-18, 800-30, or equivalents.

SECURITY CATEGORIZATION

SUBTASK 1.2: Confirm that the security category of the information system has been determined and documented in the system security plan or an equivalent document.

RESPONSIBILITY: Information System Owner.
GUIDANCE: Consult NIST Special Publication 800-59 to confirm that the information system is other than a national security system. For other than national security systems, FIPS 199 establishes three potential impact levels (low, moderate, and high) for each of the stated security objectives (confidentiality, integrity, and availability) relevant to securing federal information systems. These impact levels focus on the potential impact and magnitude of harm that the loss of confidentiality, integrity, or availability would have on agency operations, agency assets, or individuals. It is recognized that an information system may contain more than one type of information (e.g., privacy information, medical information, proprietary information, financial information, contractor sensitive information, system security information), each of which is subject to security categorization. The security category of an information system that processes, stores, or transmits multiple types of information should be at least the highest impact level that has been determined for each type of information for each security objective of confidentiality, integrity, and availability. The FIPS 199 security category should be considered during the risk assessment to help guide the Information System Owner's selection of security controls for the information system. Security categorization information is typically documented in the system identification section of the system security plan or included as an attachment to the plan.
Supplemental Guidance for Low-Impact Systems: None.
REFERENCES: FIPS 199; NIST Special Publications 800-18, 800-30, 800-59, 800-60, or equivalents.
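The high-water-mark rule in Subtask 1.2 (each security objective takes the highest impact level assigned to any information type the system handles) and the low-impact tailoring described in the Scalability section (no independent Certification Agent, self-assessment, reduced documentation) are mechanical enough to express as code. The following is an added example, not text or code from NIST SP 800-37 or FISMApedia; the information types and impact levels in `SAMPLE_SYSTEM` are constructed for illustration, and the `national_security_system` flag stands in for the NIST SP 800-59 determination the guidance says must be made first.

```python
# Added example (not from NIST SP 800-37 or FISMApedia): the FIPS 199
# high-water-mark rule of Subtask 1.2 and the low-impact process tailoring
# from the Scalability section. SAMPLE_SYSTEM is constructed sample data.
from enum import IntEnum
from typing import Dict, Mapping


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() picks the highest."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed sample: each information type carries its own C/I/A impact levels.
SAMPLE_SYSTEM: Dict[str, Dict[str, Impact]] = {
    "privacy information": {
        "confidentiality": Impact.MODERATE,
        "integrity": Impact.MODERATE,
        "availability": Impact.LOW,
    },
    "public program information": {
        "confidentiality": Impact.LOW,
        "integrity": Impact.MODERATE,
        "availability": Impact.LOW,
    },
}


def categorize_system(info_types: Mapping[str, Mapping[str, Impact]],
                      national_security_system: bool = False) -> Dict[str, Impact]:
    """Return the system security category: for each objective, the highest
    impact level assigned to any information type (the FIPS 199 high-water mark).
    National security systems (per the NIST SP 800-59 check) are outside FIPS 199
    scope, so they are refused rather than categorized; the flag is an assumption."""
    if national_security_system:
        raise ValueError("national security systems are outside FIPS 199 scope")
    if not info_types:
        raise ValueError("at least one information type is required")
    category: Dict[str, Impact] = {}
    for objective in OBJECTIVES:
        category[objective] = max(levels[objective] for levels in info_types.values())
    return category


def overall_impact(category: Mapping[str, Impact]) -> Impact:
    """A system is low-impact only if all three objectives are low; otherwise the
    overall level is the highest level among the objectives."""
    return max(category.values())


def format_category(category: Mapping[str, Impact]) -> str:
    """Render the category in FIPS 199 notation:
    SC = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    parts = ", ".join(f"({o}, {category[o].name})" for o in OBJECTIVES)
    return "SC = {" + parts + "}"


def certification_tailoring(overall: Impact) -> Dict[str, object]:
    """Process tailoring the chapter describes: low-impact systems drop the
    independent Certification Agent, use self-assessment, and carry reduced
    supporting documentation; moderate and high systems keep the full process."""
    low = overall == Impact.LOW
    return {
        "overall_impact": overall.name,
        "independent_certification_agent_required": not low,
        "self_assessment_permitted": low,
        "supporting_documentation": "reduced" if low else "full",
    }


if __name__ == "__main__":
    category = categorize_system(SAMPLE_SYSTEM)
    print(format_category(category))
    print(certification_tailoring(overall_impact(category)))
```

Note that a single moderate rating on any objective of any information type is enough to take the system out of the low-impact track, which is why the per-type ratings must be complete before the tailoring decision is made.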

THREAT IDENTIFICATION

SUBTASK 1.3: Confirm that potential threats that could exploit information system flaws or weaknesses have been identified and documented in the system security plan, risk assessment, or an equivalent document.

RESPONSIBILITY: Information System Owner.
GUIDANCE: It is important to consider all potential threats that could cause harm to an information system, ultimately affecting the confidentiality, integrity, or availability of the system. Threats can be natural (floods, earthquakes, tornadoes, landslides, avalanches, electrical storms), human (events that are either enabled by or caused by human beings), or environmental (long-term power failures, pollution, chemicals, liquid leakage). It should be noted that all possible threats that might be encountered in the environment need not be listed; only those that are relevant to the security of the information system. Threat information (including capabilities, intentions, and resources of potential adversaries) for a specific information system is generally nonspecific or incomplete at best. Recognizing the highly networked nature of the current federal computing environment, there exists an acknowledged set of baseline threats to all information systems. In other words, in today's interconnected and interdependent information systems environment, which encompasses many common platforms and technologies, there is a high likelihood of a variety of threats (both intentional and unintentional) acting to compromise the security of agency information systems. In addition to this generalized assumption about threats, specific threat information, if available, should be used during the risk assessment to help guide the selection of security controls for the information system. Threat information should be coordinated with the Senior Agency Information Security Officer and Authorizing Official to facilitate reuse and sharing with other Information System Owners, agency-wide. The level of effort (i.e., degree of rigor and formality) applied to the threat identification process should be commensurate with the FIPS 199 security category of the information system (i.e., the level of effort increases as the potential impact on agency operations, agency assets, or individuals increases). Threat identification information is typically documented in the risk assessment, which should be included in the system security plan either by reference or as an attachment.
Supplemental Guidance for Low-Impact Systems: None.
REFERENCES: NIST Special Publications 800-18, 800-30, or equivalents.

VULNERABILITY IDENTIFICATION

SUBTASK 1.4: Confirm that flaws or weaknesses in the information system that could be exploited by potential threat sources have been identified and documented in the system security plan, risk assessment, or an equivalent document.

RESPONSIBILITY: Information System Owner.
GUIDANCE: Flaws or weaknesses in an information system that could be exploited by potential threats determine the potential vulnerabilities in that system. Vulnerability identification can be conducted at any phase in the system development life cycle. If the system is under development, the search for vulnerabilities focuses on the organization's security policies, planned security procedures, system requirement definitions, and developer security product analyses. If the system is being implemented, the identification of vulnerabilities is expanded to include more specific information, such as the planned security features described in the security design documentation and the results of the developmental security test and evaluation. If the system is operational, the process of identifying vulnerabilities includes an analysis of the system security controls employed to protect the system. The identification of vulnerabilities can be accomplished in a variety of ways using questionnaires, on-site interviews, document reviews, and automated scanning tools. Vulnerability sources include, for example: (i) previous risk assessment documentation; (ii) audit reports; (iii) system anomaly reports; (iv) security reviews; (v) self-assessments; (vi) results of vulnerability scans and penetration tests; (vii) security test and evaluation reports; (viii) previous assessment reports from security certifications; (ix) vulnerability lists; (x) security advisories; (xi) vendor advisories; (xii) commercial computer incident/emergency response teams and post lists; (xiii) information security vulnerability alerts and bulletins; and (xiv) hardware, software, or firmware security analyses. Vulnerability information associated with system-specific and common security controls should be coordinated with the Senior Agency Information Security Officer and Authorizing Officials to facilitate reuse and sharing with other Information System Owners agency-wide. The level of effort (i.e., degree of rigor and formality) applied to the vulnerability identification process should be commensurate with the FIPS 199 security category of the information system (i.e., the level of effort increases as the potential impact on agency operations, agency assets, or individuals increases). Vulnerability identification information is typically documented in the risk assessment report, which should be included in the system security plan either by reference or as an attachment.
Supplemental Guidance for Low-Impact Systems: None.
REFERENCES: NIST Special Publications 800-18, 800-30, or equivalents.

SECURITY CONTROL IDENTIFICATION

SUBTASK 1.5: Confirm that the security controls (either planned or implemented) for the information system have been identified and documented in the system security plan or an equivalent document.

RESPONSIBILITY: Information System Owner.
GUIDANCE: Security controls for information systems are listed in NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems. These predefined sets of security controls (targeted to the security categories defined in FIPS 199) provide a baseline or starting point for agencies in addressing the necessary safeguards and countermeasures required for their information systems. Common security controls should be identified during a collaborative agency-wide process with the involvement of the Senior Agency Information Security Officer, Authorizing Officials, Information System Owners, and information system security officers (or by the developmental program manager in the case of common security controls for common hardware, software, and/or firmware). Agencies should perform additional analyses to determine if adjustments to the baseline set of security controls are needed. These adjustments to the baseline set of security controls should be based on specific threat and vulnerability information generated during the risk assessment for the information system and the agency's determination of acceptable risk. Adjustments to the baseline set of security controls should be reasonable, appropriate, and fully documented in the system security plan with supporting rationale. Upon completion of the security control identification process, the agreed-upon set of controls should adequately protect the confidentiality, integrity, and availability of the system and its information. The level of effort (i.e., degree of rigor and formality) applied to the security control selection process should be commensurate with the FIPS 199 security category of the information system (i.e., the level of effort increases as the potential impact on agency operations, agency assets, or individuals increases). Security controls are typically documented in the system security plan.
Supplemental Guidance for Low-Impact Systems: None.
REFERENCES: NIST Special Publications 800-18, 800-30, 800-53, or equivalents.

INITIAL RISK DETERMINATION

SUBTASK 1.6: Confirm that the risk to agency operations, agency assets, or individuals has been determined and documented in the system security plan, risk assessment, or an equivalent document.

RESPONSIBILITY: Information System Owner.
GUIDANCE: FISMA and OMB Circular A-130, Appendix III, require risk assessments as part of a risk-based approach to determining adequate, cost-effective security for an information system. The methods used to assess risk should include consideration of the major factors in risk management, including: (i) threats to and vulnerabilities in the information system; (ii) potential impact and magnitude of harm to agency operations, agency assets, or individuals that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and the information system; and (iii) the effectiveness of current or proposed security controls. It is impractical, in most cases, to plan for or implement security controls that address all potential vulnerabilities. Vulnerabilities resulting from the absence of security controls or the ineffectiveness of controls (i.e., controls not implemented correctly, not operating as intended, or not producing the desired outcome with respect to meeting system security requirements) provide the basis for determining the agency-level risk posed by the operation of the information system. The level of effort (i.e., degree of rigor and formality) applied to the risk assessment should be commensurate with the FIPS 199 security category of the information system (i.e., the level of effort increases as the potential impact on agency operations, agency assets, or individuals increases). Assessing agency-level risk should be an ongoing activity to ensure that as new threats and vulnerabilities are identified, adequate security controls are implemented. Agency-level risk is typically documented in the risk assessment, which should be included in the system security plan either by reference or as an attachment.
Supplemental Guidance for Low-Impact Systems: None.
REFERENCES: FISMA; OMB Circular A-130, Appendix III; NIST Special Publication 800-30, or equivalent.

TASK 2: NOTIFICATION AND RESOURCE IDENTIFICATION

The objective of the notification and resource identification task is to: (i) provide notification to all concerned agency officials as to the impending security certification and accreditation of the information system; (ii) determine the resources needed to carry out the effort; and (iii) prepare a plan of execution for the certification and accreditation activities indicating the proposed schedule and key milestones.

NOTIFICATION

SUBTASK 2.1: Inform the Senior Agency Information Security Officer, Authorizing Official, Certification Agent, User Representatives, and other interested agency officials that the information system requires security certification and accreditation support.

RESPONSIBILITY: Information System Owner.
GUIDANCE: The initial notification of key agency officials is an important activity to establish the security certification and accreditation process as an integral part of the system development life cycle. The notification also serves as an early warning to help prepare potential participants for the upcoming tasks that will be necessary to plan, organize, and conduct the security certification and accreditation. In some instances, the Authorizing Official or Senior Agency Information Security Officer provides the initial notification to the Information System Owner and other key agency officials. This typically occurs when a specified time period has elapsed and the information system must undergo reaccreditation in accordance with federal or agency policy.
Supplemental Guidance for Low-Impact Systems: For low-impact systems, a simplified notification procedure is recommended. The Information System Owner notifies the Authorizing Official and Senior Agency Information Security Officer that a self-assessment of the information system security controls is planned and provides an estimated completion date.
REFERENCE: OMB Circular A-130, Appendix III.

PLANNING AND RESOURCES

SUBTASK 2.2: Determine the level of effort and resources required for the security certification and accreditation of the information system (including organizations involved) and prepare a plan of execution.

RESPONSIBILITY: Authorizing Official; Senior Agency Information Security Officer; Information System Owner; Certification Agent.
GUIDANCE: The level of effort required for security certification depends on: (i) the size and complexity of the information system; (ii) the FIPS 199 security category of the system; (iii) the security controls employed to protect the system; and (iv) the specific methods and procedures used to assess the security controls in the system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Identifying appropriate resources (e.g., supporting organizations, funding, and individuals with critical skills) needed for the security certification effort is an essential aspect of the initial preparation activities and is typically integrated within the system development life cycle and capital planning and budgeting processes. Once a Certification Agent is selected (or certification services procured), an execution plan for conducting the security certification and accreditation is prepared by the Certification Agent and approved by the Information System Owner, Authorizing Official, and Senior Agency Information Security Officer. The execution plan contains specific tasks, milestones, and delivery schedule. This information can be included in a system development/change plan during the initiation phase of the system development life cycle and need not be repeated in a separate plan of execution.
Supplemental Guidance for Low-Impact Systems: For low-impact systems, a simplified planning procedure is recommended. The Information System Owner estimates the level of effort required for a self-assessment of the information system security controls. The Authorizing Official, Senior Agency Information Security Officer, and independent Certification Agent are not required to participate in the process.
REFERENCE: OMB Circular A-130, Appendix III.

TASK 3: SYSTEM SECURITY PLAN ANALYSIS, UPDATE, AND ACCEPTANCE

The objective of the system security plan analysis, update, and acceptance task is to: (i) perform an independent review of the FIPS 199 security categorization; (ii) obtain an independent analysis of the system security plan; (iii) update the system security plan as needed based on the results of the independent analysis; and (iv) obtain acceptance of the system security plan by the Authorizing Official and Senior Agency Information Security Officer prior to conducting an assessment of the security controls in the information system. The completion of this task concludes the Initiation Phase of the security certification and accreditation process.

SECURITY CATEGORIZATION REVIEW

SUBTASK 3.1: Review the FIPS 199 security categorization described in the system security plan to determine if the assigned impact values with respect to the potential loss of confidentiality, integrity, and availability are consistent with the agency's actual mission requirements.

RESPONSIBILITY: Authorizing Official; Senior Agency Information Security Officer; Certification Agent.
GUIDANCE: FIPS 199 is used as part of an agency's risk management program to help ensure that appropriate security controls are applied to each information system and that the controls are adequately assessed to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the system security requirements. The review of the security categorization ensures that the Information System Owner has adequately reflected the importance (including criticality and sensitivity) of the information system in supporting the operations and assets of the agency. Independent review of the security categorization by the Certification Agent, Authorizing Official, and Senior Agency Information Security Officer is performed as needed to ensure appropriate categorization.
Supplemental Guidance for Low-Impact Systems: For low-impact systems, an independent Certification Agent is not required to participate in the process.
REFERENCES: FIPS 199; NIST Special Publication 800-60, or equivalent.

SYSTEM SECURITY PLAN ANALYSIS

SUBTASK 3.2: Analyze the system security plan to determine if the vulnerabilities in the information system and the resulting risk to agency operations, agency assets, or individuals are actually what the plan would produce, if implemented.

RESPONSIBILITY: Authorizing Official; Senior Agency Information Security Officer; Certification Agent.
GUIDANCE: The system security plan provides an overview of the information system security requirements and describes the security controls in place or planned for meeting those requirements. The independent review of the system security plan by the Certification Agent, Authorizing Official, and Senior Agency Information Security Officer determines if the plan is complete and consistent with the requirements document for the information system. The Certification Agent, Authorizing Official, and Senior Agency Information Security Officer also determine, at the level of analysis possible with only the available planning or operational documents and information from the risk assessment, if the vulnerabilities in the information system and resulting agency-level risk appear to be correct and reasonable. Based on the results of this independent review and analysis, the Certification Agent, Authorizing Official, and Senior Agency Information Security Officer may recommend changes to the system security plan. Whenever possible, these changes should be reflected in the requirements document for the information system.
Supplemental Guidance for Low-Impact Systems: For low-impact systems, a simplified review process is recommended. The Authorizing Official and Senior Agency Information Security Officer conduct a limited review of the system security plan to determine the validity of the plan. Minimal analysis is required. An independent Certification Agent is not required to participate in the process.
REFERENCE: NIST Special Publication 800-18, or equivalent.

SYSTEM SECURITY PLAN UPDATE

SUBTASK 3.3: Update the system security plan based on the results of the independent analysis and recommendations of the Certification Agent, Authorizing Official, and Senior Agency Information Security Officer.

RESPONSIBILITY: Information System Owner.
GUIDANCE: The Information System Owner reviews the changes recommended by the Certification Agent, Authorizing Official, and Senior Agency Information Security Officer and consults with other agency representatives (e.g., information owner, Information System Security Officer, or User Representatives) prior to making any final modifications to the system security plan. The modifications to the system security plan may include any of the areas described in Task 1 (e.g., adjusting security controls, changing vulnerabilities, or modifying the agency-level risk).
Supplemental Guidance for Low-Impact Systems: For low-impact systems, an independent Certification Agent is not required to participate in the process.
REFERENCE: NIST Special Publication 800-18, or equivalent.

SYSTEM SECURITY PLAN ACCEPTANCE

SUBTASK 3.4: Review the system security plan to determine if the risk to agency operations, agency assets, or individuals is acceptable.

RESPONSIBILITY: Authorizing Official; Senior Agency Information Security Officer.
GUIDANCE: If the agency-level risk described in the system security plan (or risk assessment) is deemed unacceptable, the Authorizing Official and Senior Agency Information Security Officer send the plan back to the Information System Owner for appropriate action. If the agency-level risk described in the system security plan (or risk assessment) is deemed acceptable, the Authorizing Official and Senior Agency Information Security Officer accept the plan. The acceptance of the system security plan and agency-level risk assessment represents an important milestone in the security certification and accreditation of the information system. The Authorizing Official and Senior Agency Information Security Officer, by accepting the system security plan, are agreeing to the set of security controls proposed to meet the security requirements for the information system. This agency-level agreement allows the security certification and accreditation process to advance to the next phase (i.e., the actual assessment of the security controls). The acceptance of the system security plan also approves the level of effort and resources required to successfully complete the associated security certification and accreditation activities.
Supplemental Guidance for Low-Impact Systems: For low-impact systems, a simplified review process is recommended. The Authorizing Official and Senior Agency Information Security Officer conduct a limited review of the system security plan to determine the acceptability of agency-level risk. Minimal analysis is required.
REFERENCE: NIST Special Publication 800-30, or equivalent.

Key Milestone

The following questions should be answered before proceeding to the Security Certification Phase:

3.2 SECURITY CERTIFICATION PHASE

The Security Certification Phase consists of two tasks: (i) security control assessment; and (ii) security certification documentation. The purpose of this phase is to determine the extent to which the security controls in the information system are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. This phase also addresses specific actions taken or planned to correct deficiencies in the security controls and to reduce or eliminate known vulnerabilities in the information system. Upon successful completion of this phase, the Authorizing Official will have the information needed from the security certification to determine the risk to agency operations, agency assets, or individuals, and thus will be able to render an appropriate security accreditation decision for the information system.

TASK 4: SECURITY CONTROL ASSESSMENT

The objective of the security control assessment task is to: (i) prepare for the assessment of the security controls in the information system; (ii) conduct the assessment of the security controls; and (iii) document the results of the assessment. Preparation for security assessment involves gathering appropriate planning and supporting materials, system requirements and design documentation, security control implementation evidence, and results from previous security assessments, security reviews, or audits. Preparation also involves developing specific methods and procedures to assess the security controls in the information system. The Certification Agent, at the completion of this task, will be able to determine the extent to which the security controls in the information system are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the information system. The Certification Agent will also be in a position to make recommendations on corrective actions for security control deficiencies and offer advice to the Information System Owner and Authorizing Official on how the known vulnerabilities in the system translate into agency-level risk.

DOCUMENTATION AND SUPPORTING MATERIALS

SUBTASK 4.1: Assemble any documentation and supporting materials necessary for the assessment of the security controls in the information system; if these documents include previous assessments of security controls, review the findings, results, and evidence.

RESPONSIBILITY: Information System Owner; Certification Agent.
GUIDANCE: The Information System Owner should assist the Certification Agent in gathering all relevant documents and supporting materials from the agency that will be required during the assessment of the security controls. Descriptive information about the information system is typically documented in the system identification section of the system security plan or, in some cases, included by reference or as attachments to the plan. Supporting materials such as procedures, reports, logs, and records showing evidence of security control implementation should be identified as well. Assessing the security controls in an information system can be a very costly and time-consuming process. In order to make the security certification and accreditation process as timely and cost-effective as possible, the reuse of previous evaluation results, when reasonable and appropriate, is strongly recommended. For example, a recent audit of an information system may have produced important information about the effectiveness of selected security controls. Another opportunity, as appropriate, to reuse previous assessment results comes from programs that test and evaluate the security features of commercial information technology products. And finally, if prior assessment results from the system developer are available, the Certification Agent, under appropriate circumstances, may incorporate those results into the security certification. Certification agents should maximize the use of previous assessment results in determining the extent to which the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
Supplemental Guidance for Low-Impact Systems: For low-impact systems, the Information System Owner may employ the services of the Information System Security Officer or other designated individuals (including contractors) to assist in: (i) the assembly of documentation and supporting materials necessary for a self-assessment of the information system security controls; and (ii) the review of findings, results, and evidence from previous assessments of the security controls. An independent Certification Agent is not required to participate in the process.
REFERENCES: Documents and supporting materials included or referenced in the system security plan; NIST Special Publication 800-53A, or equivalent; audits; security certifications; security reviews; self-assessments; security test and evaluation reports; privacy impact assessments; ISO/IEC 15408 (Common Criteria) validations; FIPS 140-2 validations.

METHODS AND PROCEDURES

SUBTASK 4.2: Select, or develop when needed, appropriate methods and procedures to assess the management, operational, and technical security controls in the information system.

RESPONSIBILITY: Certification Agent.
GUIDANCE: In lieu of developing unique or specialized methods and procedures to assess the security controls in the information system, certification agents should consult NIST Special Publication 800-53A, which provides standardized methods and procedures for assessing the security controls listed in NIST Special Publication 800-53. The Certification Agent, if so directed by the Information System Owner, Authorizing Official, or Senior Agency Information Security Officer, can supplement these assessment methods and procedures. Assessment methods and procedures may need to be created for those security controls employed by the agency that are not contained in NIST Special Publication 800-53. Additionally, assessment methods and procedures may need to be tailored for specific system implementations.
Supplemental Guidance for Low-Impact Systems: For low-impact systems, the Information System Owner may employ the services of the Information System Security Officer or other designated individuals (including contractors) to select or develop, when needed, the appropriate methods and procedures necessary to conduct a self-assessment of the information system security controls. An independent Certification Agent is not required to participate in the process.
REFERENCE: NIST Special Publication 800-53A, or equivalent.

SECURITY ASSESSMENT

SUBTASK 4.3: Assess the management, operational, and technical security controls in the information system using methods and procedures selected or developed.

RESPONSIBILITY: Certification Agent.
GUIDANCE: Security assessment determines the extent to which the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. The results of the security assessment, including recommendations for correcting any deficiencies in the security controls, are documented in the security assessment report.
Supplemental Guidance for Low-Impact Systems: For low-impact systems, the Information System Owner may employ the services of the Information System Security Officer or other designated individuals (including contractors) to conduct a self-assessment of the information system security controls. An independent Certification Agent is not required to participate in the process.
REFERENCE: NIST Special Publication 800-53A, or equivalent.

SECURITY ASSESSMENT REPORT

SUBTASK 4.4: Prepare the final security assessment report.

RESPONSIBILITY: Certification Agent.
GUIDANCE: The security assessment report contains: (i) the results of the security assessment (i.e., the determination of the extent to which the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system); and (ii) recommendations for correcting deficiencies in the security controls and reducing or eliminating identified vulnerabilities. The security assessment report is part of the final accreditation package along with the updated system security plan and plan of action and milestones. The security assessment report is the certification agent's statement regarding the security status of the information system.
Supplemental Guidance for Low-Impact Systems: For low-impact systems, the Information System Owner may employ the services of the Information System Security Officer or other designated individuals (including contractors) to prepare the security assessment report containing the results of the self-assessment of the information system security controls. The security assessment report can be a short and concise document synopsizing the self-assessment results and highlighting those areas that need further attention. An independent Certification Agent is not required to participate in the process.
REFERENCE: NIST Special Publication 800-53A, or equivalent.

TASK 5: SECURITY CERTIFICATION DOCUMENTATION

The objective of the security certification documentation task is to: (i) provide the certification findings and recommendations to the Information System Owner; (ii) update the system security plan as needed; (iii) prepare the plan of action and milestones; and (iv) assemble the accreditation package. The Information System Owner has an opportunity to reduce or eliminate vulnerabilities in the information system prior to the assembly and compilation of the accreditation package and submission to the Authorizing Official. This is accomplished by implementing corrective actions recommended by the Certification Agent. The Certification Agent should assess any security controls modified, enhanced, or added during this process. The completion of this task concludes the Security Certification Phase.

FINDINGS AND RECOMMENDATIONS

SUBTASK 5.1: Provide the Information System Owner with the security assessment report.

RESPONSIBILITY: Certification Agent.
GUIDANCE: The Information System Owner relies on the security expertise and the technical judgment of the Certification Agent to: (i) assess the security controls in the information system; and (ii) provide specific recommendations on how to correct deficiencies in the controls and reduce or eliminate identified vulnerabilities. The Information System Owner may choose to act on selected recommendations of the Certification Agent before the accreditation package is finalized if there are specific opportunities to correct deficiencies in security controls and reduce or eliminate vulnerabilities in the information system. To ensure effective allocation of resources agency-wide, any actions taken by the Information System Owner prior to the final accreditation decision should be coordinated with the Authorizing Official and Senior Agency Information Security Officer. The Certification Agent assesses any changes made to the security controls in response to corrective actions by the Information System Owner and updates the assessment report, as appropriate.
Supplemental Guidance for Low-Impact Systems: For low-impact systems, the Information System Security Officer or other designated individuals (including contractors) provide the Information System Owner with the security assessment report containing the summarized results of the self-assessment of the information system security controls. An independent Certification Agent is not required to participate in the process.
REFERENCE: NIST Special Publication 800-30, or equivalent.

SYSTEM SECURITY PLAN UPDATE

SUBTASK 5.2: Update the system security plan (and risk assessment) based on the results of the security assessment and any modifications to the security controls in the information system.

RESPONSIBILITY: Information System Owner.
GUIDANCE: The system security plan should reflect the actual state of the security controls after the security assessment and any modifications by the Information System Owner in addressing the recommendations for corrective actions from the Certification Agent. At the completion of the Security Certification Phase, the security plan and risk assessment should contain an accurate list and description of the security controls implemented and a list of identified vulnerabilities (i.e., controls not implemented).
Supplemental Guidance for Low-Impact Systems: For low-impact systems, an independent Certification Agent is not required to participate in the process.
REFERENCE: NIST Special Publication 800-18, or equivalent.

PLAN OF ACTION AND MILESTONES PREPARATION

SUBTASK 5.3: Prepare the plan of action and milestones based on the results of the security assessment.

RESPONSIBILITY: Information System Owner.
GUIDANCE: The plan of action and milestones document, one of the three key documents in the security accreditation package, describes actions taken or planned by the Information System Owner to correct deficiencies in the security controls and to address remaining vulnerabilities in the information system (i.e., reduce, eliminate, or accept the vulnerabilities). The plan of action and milestones document identifies: (i) the tasks needing to be accomplished; (ii) the resources required to accomplish the elements of the plan; (iii) any milestones in meeting the tasks; and (iv) scheduled completion dates for the milestones.
Supplemental Guidance for Low-Impact Systems: None.
REFERENCE: OMB Memorandum 02-01.

ACCREDITATION PACKAGE ASSEMBLY

SUBTASK 5.4: Assemble the final security accreditation package and submit to Authorizing Official.

RESPONSIBILITY: Information System Owner.
GUIDANCE: The Information System Owner is responsible for the assembly and compilation of the final security accreditation package with inputs from the Information System Security Officer and the Certification Agent. The accreditation package contains: (i) the security assessment report from the Certification Agent providing the results of the independent assessment of the security controls and recommendations for corrective actions; (ii) the plan of action and milestones from the Information System Owner indicating actions taken or planned to correct deficiencies in the controls and to reduce or eliminate vulnerabilities in the information system; and (iii) the updated system security plan with the latest copy of the risk assessment. Certification Agent input to the final accreditation package provides an unbiased and independent view of the extent to which the security controls in the information system are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the system security requirements. The Information System Owner may also wish to consult with other key agency participants (e.g., the User Representatives) prior to submitting the final accreditation package to the Authorizing Official. The Authorizing Official will use this information during the Security Accreditation Phase to determine the risk to agency operations, agency assets, or individuals. The accreditation package can be submitted in either paper or electronic form. The contents of the accreditation package should be protected appropriately in accordance with agency policy.
Supplemental Guidance for Low-Impact Systems: For low-impact systems, the security accreditation package consists of: (i) the updated system security plan; (ii) an abbreviated security assessment report (i.e., a brief summary of the self-assessment results); and (iii) a plan of action and milestones.
REFERENCE: OMB Circular A-130, Appendix III.

Key Milestone

3.3 SECURITY ACCREDITATION PHASE

The Security Accreditation Phase consists of two tasks: (i) security accreditation decision; and (ii) security accreditation documentation. The purpose of this phase is to determine if the remaining known vulnerabilities in the information system (after the implementation of an agreed-upon set of security controls) pose an acceptable level of risk to agency operations, agency assets, or individuals. Upon successful completion of this phase, the Information System Owner will have: (i) authorization to operate the information system; (ii) an interim authorization to operate the information system under specific terms and conditions; or (iii) denial of authorization to operate the information system.

TASK 6: SECURITY ACCREDITATION DECISION

The objective of the security accreditation decision task is to: (i) determine the risk to agency operations, agency assets, or individuals; and (ii) determine if the agency-level risk is acceptable. The Authorizing Official, working with information from the Information System Owner, Information System Security Officer, and Certification Agent produced during the previous phase, has independent confirmation of the identified vulnerabilities in the information system and a list of planned or completed corrective actions to reduce or eliminate those vulnerabilities. It is this information that is used to determine the final risk to the agency and the acceptability of that risk.

FINAL RISK DETERMINATION

SUBTASK 6.1: Determine the risk to agency operations, agency assets, or individuals based on the vulnerabilities in the information system and any planned or completed corrective actions to reduce or eliminate those vulnerabilities.

RESPONSIBILITY: Authorizing Official.
GUIDANCE: The Authorizing Official receives the final security accreditation package from the Information System Owner. The vulnerabilities in the information system confirmed by the Certification Agent should be assessed to determine how those particular vulnerabilities translate into risk to agency operations, agency assets, or individuals. The Authorizing Official or designated representative should judge which information system vulnerabilities are of greatest concern to the agency and which vulnerabilities can be tolerated without creating unreasonable agency-level risk. The plan of action and milestones (i.e., actions taken or planned to correct deficiencies in the security controls and reduce or eliminate vulnerabilities) submitted by the Information System Owner should also be considered in determining the risk to the agency. The Authorizing Official may consult the Information System Owner, Certification Agent, or other agency officials before making the final risk determination.
Supplemental Guidance for Low-Impact Systems: For low-impact systems, a simplified process for risk determination is recommended. The level of effort by the Authorizing Official in determining risk should be minimal since the potential impact on agency operations, agency assets, and/or individuals has already been determined to be low. An independent Certification Agent is not required to participate in the process.
REFERENCE: NIST Special Publication 800-30, or equivalent.

RISK ACCEPTABILITY

SUBTASK 6.2: Determine if the risk to agency operations, agency assets, or individuals is acceptable and prepare the final security accreditation decision letter.

RESPONSIBILITY: Authorizing Official.
GUIDANCE: The Authorizing Official should consider many factors when deciding if the risk to agency operations, agency assets, or individuals is acceptable. Balancing security considerations with mission and operational needs is paramount to achieving an acceptable accreditation decision. The Authorizing Official renders an accreditation decision for the information system after reviewing all of the relevant information and, where appropriate, consulting with key agency officials.
If, after assessing the results of the security certification, the Authorizing Official deems that the agency-level risk is acceptable, an authorization to operate is issued. The information system is accredited without any restrictions or limitations on its operation.
If, after assessing the results of the security certification, the Authorizing Official deems that the agency-level risk is unacceptable, but there is an important mission-related need to place the information system into operation, an interim authorization to operate may be issued. The interim authorization to operate is a limited authorization under specific terms and conditions including corrective actions to be taken by the Information System Owner and a required timeframe for completion of those actions. A detailed plan of action and milestones should be submitted by the Information System Owner and approved by the Authorizing Official prior to the interim authorization to operate taking effect. The information system is not accredited during the period of limited authorization to operate. The Information System Owner is responsible for completing the corrective actions identified in the plan of action and milestones and resubmitting an updated security accreditation package upon completion of those actions.
If, after assessing the results of the security certification, the Authorizing Official deems that the agency-level risk is unacceptable, the information system is not authorized for operation and thus is not accredited.
The Authorizing Official's designated representative or administrative staff prepares the final security accreditation decision letter. The letter includes the accreditation decision, the rationale for the decision, the terms and conditions for information system operation, and required corrective actions, if appropriate. The accreditation decision letter indicates to the Information System Owner whether the system is: (i) authorized to operate; (ii) authorized to operate on an interim basis under strict terms and conditions; or (iii) not authorized to operate. The supporting rationale provides the Information System Owner with the justification for the Authorizing Official's decision. The terms and conditions for the authorization provide a description of any limitations or restrictions placed on the operation of the information system that must be adhered to by the Information System Owner. The security accreditation letter is included in the final accreditation package. The contents of the accreditation package should be protected appropriately in accordance with agency policy.
Supplemental Guidance for Low-Impact Systems: For low-impact systems, a simplified process for the determination of risk acceptability is recommended. The level of effort by the Authorizing Official in determining risk acceptability should be minimal since the potential impact on agency operations, agency assets, and/or individuals has already been determined to be low.
REFERENCE: OMB Circular A-130, Appendix III.

TASK 7: SECURITY ACCREDITATION DOCUMENTATION

The objective of the security accreditation documentation task is to: (i) transmit the final security accreditation package to the appropriate individuals and organizations; and (ii) update the system security plan with the latest information from the accreditation decision. The completion of this task concludes the Security Accreditation Phase of the security certification and accreditation process.

SECURITY ACCREDITATION PACKAGE TRANSMISSION

SUBTASK 7.1: Provide copies of the final security accreditation package, including the accreditation decision letter (in either paper or electronic form), to the Information System Owner and any other agency officials having an interest (i.e., need to know) in the security of the information system.

RESPONSIBILITY: Authorizing Official.
GUIDANCE: The security accreditation package, including the accreditation decision letter, is returned to the Information System Owner. Upon receipt of the security accreditation decision letter and accreditation package, the Information System Owner accepts the terms and conditions of the authorization. The original accreditation package is kept on file by the Information System Owner. The Authorizing Official and Senior Agency Information Security Officer also retain copies of the decision letter and accreditation package. The accreditation package contains important documents and, as such, should be appropriately safeguarded and stored, whenever possible, in a centralized agency filing system to ensure accessibility. The accreditation package should also be readily available to auditors and oversight agencies upon request. The accreditation package, including all supporting documents, should be retained in accordance with the agency's records retention policy.
Supplemental Guidance for Low-Impact Systems: None.
REFERENCE: OMB Circular A-130, Appendix III.

SYSTEM SECURITY PLAN UPDATE

SUBTASK 7.2: Update the system security plan based on the final determination of risk to agency operations, agency assets, or individuals.

RESPONSIBILITY: Information System Owner.
GUIDANCE: The system security plan should be updated to reflect any changes in the information system resulting from the Security Accreditation Phase. Any conditions set forth in the accreditation decision should also be noted in the plan. It is expected that the changes to the system security plan at this phase in the security certification and accreditation process would be minimal.
Supplemental Guidance for Low-Impact Systems: None.
REFERENCE: NIST Special Publication 800-18, or equivalent.

Key Milestone

The following questions should be answered before proceeding to the Continuous Monitoring Phase:

  • How do the known vulnerabilities in the information system translate into agency-level risk, that is, risk to agency operations, agency assets, or individuals?
  • Is this agency-level risk acceptable?

3.4 CONTINUOUS MONITORING PHASE

The Continuous Monitoring Phase consists of three tasks: (i) configuration management and control; (ii) security control monitoring; and (iii) status reporting and documentation. The purpose of this phase is to provide oversight and monitoring of the security controls in the information system on an ongoing basis and to inform the Authorizing Official when changes occur that may affect the security of the system. The activities in this phase are performed continuously throughout the life cycle of the information system. Reaccreditation may be required because of specific changes to the information system or because federal or agency policies require periodic reaccreditation of the information system.

TASK 8: CONFIGURATION MANAGEMENT AND CONTROL

The objective of the configuration management and control task is to: (i) document the proposed or actual changes to the information system; and (ii) determine the impact of proposed or actual changes on the security of the system. An information system will typically be in a constant state of migration with upgrades to hardware, software, or firmware and possible modifications to the system environment. Documenting information system changes and assessing the potential impact on the security of the system on an ongoing basis is an essential aspect of maintaining the security accreditation.

DOCUMENTATION OF INFORMATION SYSTEM CHANGES

SUBTASK 8.1: Using established agency configuration management and control procedures, document proposed or actual changes to the information system (including hardware, software, firmware, and surrounding environment).

RESPONSIBILITY: Information System Owner.
GUIDANCE: An orderly and disciplined approach to managing, controlling, and documenting changes to an information system is critical to the continuous assessment of the security controls that protect the system. It is important to record any relevant information about the specific proposed or actual changes to the hardware, firmware, or software such as version or release numbers, descriptions of new or modified features or capabilities, and security implementation guidance. It is also important to record any changes to the information system environment such as modifications to the physical plant. The Information System Owner and Information System Security Officer should use this information in assessing the potential security impact of the proposed or actual changes to the information system. Significant changes to the information system should not be undertaken prior to assessing the security impact of such changes.
Supplemental Guidance for Low-Impact Systems: None.
REFERENCES: Agency policies/procedures on configuration management and control.

SECURITY IMPACT ANALYSIS

SUBTASK 8.2: Analyze the proposed or actual changes to the information system (including hardware, software, firmware, and surrounding environment) to determine the security impact of such changes.

RESPONSIBILITY: Information System Owner.
GUIDANCE: Changes to the information system may affect the security controls currently in place, produce new vulnerabilities in the system, or generate requirements for new security controls that were not needed previously. If the results of the security impact analysis indicate that the proposed or actual changes to the information system will affect or have affected the security of the information system, corrective actions should be initiated and the plan of action and milestones revised. The Information System Owner or Information System Security Officer may wish to consult with the User Representatives or other agency officials prior to implementing any security-related changes to the information system. Conducting a security impact analysis is part of the ongoing assessment of risk within the agency. The level of effort (i.e., degree of rigor and formality) applied to the security impact analysis should be commensurate with the FIPS 199 security category of the information system (i.e., the level of effort increases as the potential impact on agency operations, agency assets, or individuals increases).
Supplemental Guidance for Low-Impact Systems: None.
REFERENCE: NIST Special Publication 800-30, or equivalent.

TASK 9: SECURITY CONTROL MONITORING

The objective of the security control monitoring task is to: (i) select an appropriate set of security controls in the information system to be monitored; and (ii) assess the designated controls using methods and procedures selected by the Information System Owner. The continuous monitoring of security controls helps to identify potential security-related problems in the information system that are not identified during the security impact analysis conducted as part of the configuration management and control process.

SECURITY CONTROL SELECTION

SUBTASK 9.1: Select the security controls in the information system to be monitored on a continuous basis.

RESPONSIBILITY: Information System Owner.
GUIDANCE: The criteria established by the Information System Owner for selecting which security controls will be monitored should reflect the agency's priorities and importance of the information system to the agency. For example, certain security controls may be considered more critical than other controls because of the potential impact on the information system if those controls were subverted or found to be ineffective. The security controls being monitored should be reviewed over time to ensure that a representative sample of controls is included in the ongoing security assessments. The Authorizing Official and Information System Owner should agree on the subset of security controls in the information system that should be monitored as well as the frequency of such monitoring activity. The level of effort (i.e., degree of rigor and formality) applied to the security control selection process should be commensurate with the FIPS 199 security category of the information system (i.e., the level of effort increases as the potential impact on agency operations, agency assets, or individuals increases).
Supplemental Guidance for Low-Impact Systems: None.
REFERENCES: FISMA; OMB Circular A-130, Appendix III; NIST Special Publication 800-53.

SELECTED SECURITY CONTROL ASSESSMENT

SUBTASK 9.2: Assess an agreed-upon set of security controls in the information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

RESPONSIBILITY: Information System Owner.
GUIDANCE: The continuous monitoring of security controls can be accomplished in a variety of ways including security reviews, self-assessments, security testing and evaluation, or audits. The methods and procedures employed to assess the security controls during the monitoring process are at the discretion of the Information System Owner. In lieu of developing unique or specialized methods and procedures to assess the security controls in the information system, Information System Owners should consult NIST Special Publication 800-53A, which provides standardized assessment methods and procedures for the security controls listed in NIST Special Publication 800-53. The monitoring process should be documented and available for review by the Authorizing Official or Senior Agency Information Security Officer, upon request. If the results of the security assessment indicate that selected controls are less than effective in their application and are affecting the security of the information system, corrective actions should be initiated and the plan of action and milestones updated. The level of effort (i.e., degree of rigor and formality) applied to the assessment of security controls should be commensurate with the FIPS 199 security category of the information system (i.e., the level of effort increases as the potential impact on agency operations, agency assets, or individuals increases).
Supplemental Guidance for Low-Impact Systems: None.
REFERENCES: FISMA; OMB Circular A-130, Appendix III; NIST Special Publication 800-53A.

TASK 10: STATUS REPORTING AND DOCUMENTATION

The objective of the status reporting and documentation task is to: (i) update the system security plan to reflect the proposed or actual changes to the information system; (ii) update the plan of action and milestones based on the activities carried out during the continuous monitoring phase; and (iii) report the security status of the information system to the Authorizing Official and Senior Agency Information Security Officer. The information in the security status reports (typically conveyed through updated plans of action and milestones) should be used to determine the need for security reaccreditation and to satisfy FISMA reporting requirements.

SYSTEM SECURITY PLAN UPDATE

SUBTASK 10.1: Update the system security plan based on the documented changes to the information system (including hardware, software, firmware, and surrounding environment) and the results of the continuous monitoring process.

RESPONSIBILITY: Information System Owner.
GUIDANCE: The system security plan should contain the most up-to-date information about the information system. Changes to the information system should be reflected in the system security plan. The frequency of system security plan updates is at the discretion of the Information System Owner. The updates should occur at appropriate intervals to capture significant changes to the information system, but not so frequently as to generate unnecessary paperwork. The Chief Information Officer, Senior Agency Information Security Officer, Authorizing Official, Information System Owner, Information System Security Officer, and Certification Agent will be using the system security plan to guide any future security certification and accreditation activities, when required.
Supplemental Guidance for Low-Impact Systems: None.
REFERENCE: NIST Special Publication 800-18, or equivalent.

PLAN OF ACTION AND MILESTONES UPDATE

SUBTASK 10.2: Update the plan of action and milestones based on the documented changes to the information system (including hardware, software, firmware, and surrounding environment) and the results of the continuous monitoring process.

RESPONSIBILITY: Information System Owner.
GUIDANCE: The plan of action and milestones is used by the Authorizing Official to monitor the progress in correcting deficiencies noted during the security certification. The plan of action and milestones should: (i) report progress made on the current outstanding items listed in the plan; (ii) address vulnerabilities in the information system discovered during the security impact analysis or security control monitoring; and (iii) describe how the Information System Owner intends to address those vulnerabilities (i.e., reduce, eliminate, or accept the identified vulnerabilities). The frequency of the plan of action and milestones updates is at the discretion of the Information System Owner. The updates should occur at appropriate intervals to capture significant changes to the information system, but not so frequently as to generate unnecessary paperwork. The Chief Information Officer, Senior Agency Information Security Officer, Authorizing Official, Information System Owner, Information System Security Officer, and Certification Agent will be using the plan of action and milestones to guide any future security certification and accreditation activities, when required.
Supplemental Guidance for Low-Impact Systems: None.
REFERENCE: OMB Memorandum 02-01.

STATUS REPORTING

SUBTASK 10.3: Report the security status of the information system to the Authorizing Official and Senior Agency Information Security Officer.

RESPONSIBILITY: Information System Owner.
GUIDANCE: The security status report (which can be submitted in the form of an updated plan of action and milestones) should describe the continuous monitoring activities employed by the Information System Owner. The security status report addresses vulnerabilities in the information system discovered during the security certification, security impact analysis, and security control monitoring and how the Information System Owner intends to address those vulnerabilities (i.e., reduce, eliminate, or accept the vulnerabilities). The frequency of security status reports is at the discretion of the agency. The status reports should occur at appropriate intervals to transmit significant security-related information about the system, but not so frequently as to generate unnecessary paperwork. The Authorizing Official and the Senior Agency Information Security Officer should use the security status reports to determine if a security reaccreditation is necessary. The Authorizing Official should notify the Information System Owner if there is a decision to require a reaccreditation of the information system. A decision to reaccredit the information system should begin, as in the original security accreditation, with the Initiation Phase. The security status report should be marked and handled in accordance with agency policy. At the discretion of the agency, the security status reports on agency information systems can be used to help satisfy the FISMA reporting requirement for documenting remedial actions for any security-related deficiencies.
Supplemental Guidance for Low-Impact Systems: None.
REFERENCES: FISMA; OMB Circular A-130, Appendix III.

Key Milestone