EXECUTIVE SUMMARY

The purpose of this publication is to provide guidelines for the security certification and accreditation of information systems supporting the executive agencies of the federal government. The guidelines have been developed to help achieve more secure information systems within the federal government by:

• Enabling more consistent, comparable, and repeatable assessments of security controls in federal information systems;
• Promoting a better understanding of agency-related mission risks resulting from the operation of information systems; and
• Creating more complete, reliable, and trustworthy information for Authorizing Officials-to facilitate more informed security accreditation decisions.

Security certification and accreditation are important activities that support a risk management process and are an integral part of an agency's information security program.

Security accreditation is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations, agency assets, or individuals based on the implementation of an agreed-upon set of security controls. Required by OMB Circular A-130, Appendix III, security accreditation provides a form of quality control and challenges managers and technical staffs at all levels to implement the most effective security controls possible in an information system, given mission requirements, technical constraints, operational constraints, and cost/schedule constraints. By accrediting an information system, an agency official accepts responsibility for the security of the system and is fully accountable for any adverse impacts to the agency if a breach of security occurs. Thus, responsibility and accountability are core principles that characterize security accreditation.

It is essential that agency officials have the most complete, accurate, and trustworthy information possible on the security status of their information systems in order to make timely, credible, risk- based decisions on whether to authorize operation of those systems. The information and supporting evidence needed for security accreditation is developed during a detailed security review of an information system, typically referred to as security certification. Security certification is a comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. The results of a security certification are used to reassess the risks and update the system security plan, thus providing the factual basis for an Authorizing Official to render a security accreditation decision.

The security certification and accreditation process consists of four distinct phases:

• Initiation Phase;
• Security Certification Phase;
• Security Accreditation Phase; and
• Continuous Monitoring Phase.

Each phase in the security certification and accreditation process consists of a set of well-defined tasks and subtasks that are to be carried out, as indicated, by responsible individuals (e.g., the Chief Information Officer, Authorizing Official, Authorizing Official's designated representative, Senior Agency Information Security Officer, Information System Owner, Information Owner, Information System Security Officer Certification Agent, and User Representatives). The Initiation Phase consists of three tasks: (i) preparation; (ii) notification and resource identification; and (iii) system security plan analysis, update, and acceptance. The purpose of this phase is to ensure that the Authorizing Official and Senior Agency Information Security Officer are in agreement with the contents of the system security plan, including the system's documented security requirements, before the Certification Agent begins the assessment of the security controls in the information system.

The Security Certification Phase consists of two tasks: (i) security control assessment; and (ii) security certification documentation. The purpose of this phase is to determine the extent to which the security controls in the information system are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. This phase also addresses specific actions taken or planned to correct deficiencies in the security controls and to reduce or eliminate known vulnerabilities in the information system. Upon successful completion of this phase, the Authorizing Official will have the information needed from the security certification to determine the risk to agency operations, agency assets, or individuals-and thus, will be able to render an appropriate security accreditation decision for the information system.

The Security Accreditation Phase consists of two tasks: (i) security accreditation decision; and (ii) security accreditation documentation. The purpose of this phase is to determine if the remaining known vulnerabilities in the information system (after the implementation of an agreed-upon set of security controls) pose an acceptable level of risk to agency operations, agency assets, or individuals. Upon successful completion of this phase, the Information System Owner will have: (i) authorization to operate the information system; (ii) an interim authorization to operate the information system under specific terms and conditions; or (iii) denial of authorization to operate the information system.

The Continuous Monitoring Phase consists of three tasks: (i) configuration management and control; (ii) security control monitoring; and (iii) status reporting and documentation. The purpose of this phase is to provide oversight and monitoring of the security controls in the information system on an ongoing basis and to inform the Authorizing Official when changes occur that may impact on the security of the system. The activities in this phase are performed continuously throughout the life cycle of the information system.

Completing a security accreditation ensures that an information system will be operated with appropriate management review, that there is ongoing monitoring of security controls, and that reaccreditation occurs periodically in accordance with federal or agency policy and whenever there is a significant change to the system or its operational environment.