Sign up for free at http://convocourses.com for deeper dives.
Many more videos on https://www.youtube.com/convocourses
short videos at https://www.tiktok.com/@convocourses?lang=en
Podcast version of the content:
Over the years I have noticed that not many people in IT know what Certification & Accreditation is. IT professionals specializing in some aspect of system, network or software security usually know of it by one of its many names. Some call it as assessments. A generic name would be a security check, but the new name the government will use will be Assessment & Authorization. Those of use who have had a chance to do it call it a pain in the ass!
I cannot complain too much about it because the work has paid my bills for years. I am doing mostly technical work right now, but I still keep a close eye on C&A.
For those of you who want to know more, here is a brief history of C&A:
In 1985 by the National Computer Security Center (NCSC) (now known as the National Security Agency) published the Trusted Computer Systems Evaluation Criteria (TCSEC), the “Orange Book.” It was apart of a series of computer security standards known as the Rainbow series. These books covered everything from cryptography, to authenticate to verification systems.
Information Technology Security Evaluation and Certification (ITSEC) in 1991, came later from Europe. These standards evolved into international standards known today as common criteria.
The Orange Book became DoDD 5200.28-STD, DoD Directive 5200.28, “Security Requirements for Automated Information Systems (AISs),” March 21, 1988, which is the basis of DoD 5200.40, DoD Information Technology Security Certification and Accreditation Process (DITSCAP). In 2002, DITSCAP was replaced with DoDD 8500.1. 8500 begat 8510, DIACAP … and Boaz begat Abraham and Abraham begat Choazz.. (ok.. a little KJV humor there).
But seriously, Department of Defense Instruction (DODI) 8510.01, DoD IA C&A Process, (DIACAP) comes from the Orange Book in the old Rainbow Series.
Now it has evolved again to become the Defense Information Assurance Risk Management Framework.
Defense Information Assurance Risk Management Framework Assessment & Authorization is similar to what certification and accreditation (C&A).
With DIACAP transition comes some new terms but essentially the same kinds of work. Risk management framework still does the comprehensive evaluation of security features but calls it assessment instead of ceritification. Where DIACAP had the Designating Authorizing Authority (DAA) to formally accredit a system, DIARMF has an Authorizing Official (AO) to authorize a system.
So essentially, the terms “C&A” certification and accreditation is superseded by “A&A” assessment and authorization. Another term that has changed with the transition from DIACAP to DIARMF is “information assurance (IA) controls” which is now called “security controls”. The security controls mark one of the biggest differences between DIACAP and DIARMF since there are so many more security controls in NIST SP 800-53 than there are in DIACAP’s DOD 8500.2.
Certification (NIST Assessment) – Comprehensive evaluation of an information system assessment of IA Controls/Security Controls to determine the extent to which the controls are implemented correctly and operating as intended. That means when evaluated, they produce the desired outcome. An assessment is about gathering information to providing the factual basis for an authorizing official (Designated Accrediting Authority) to render a security accreditation decision
Accreditation (NIST Authorization) – Security accreditation is the official management decision to operate (DAA – Formal approval of the system). Authorization is given by a senior agency official (upper-management/higher head quarters/combat commander). The official should have the authority to oversee the budget and business operations of the information system explicitly accept the risk to operations, assets, individuals. They accept responsibility for the security of the system and are fully accountable for the security of the system.
“The official management decision given by a senior organization“The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.” – NIST SP 800-37 rev 1
DoD Certification and Accreditation. The standard DoD approach for identifying information security requirements, providing security solutions, and managing the security of DoD information systems.
— DoDI 8500.2, Information Assurance (IA) Implementation http://www.dtic.mil/whs/directives/corres/pdf/850002p.pdf
If you have an important system (an asset) that is producing, processing, storing or distributing important data then you need to make sure that it is protected. You need a high level of confidence that your asset and its data is secure, not tampered with stolen or corrupted.
If you go through IT Security training, we are talking about confidentiality, integrity, and availability (aka CIA). You want to make sure your data has confidentiality (trade secrets are protected), available to users and that the data has integrity (not corrupted).
The process of ensuring assets are secure is known as certification and accreditation (aka C&A). The C&A process consists of evaluating the system for security and then having someone in charge take responsibility for the remaining risks to that system.
Certification – a comprehensive evaluation and validation of a DoD IS to establish the degree to which it complies with assigned IA controls based on standardized procedure (8510.01, E2.10)
Accreditation Decision – a formal statement by a designated accrediting authority (DAA) regarding acceptance of the risk associated with operating a DoD information system (IS) and expressed as an authorization to operate (ATO), interim ATO (IATO), interim authorization to test (IATT), or denial of ATO (DATO) (8510.01, E2.2).
The C&A process has been done by most major companies and organizations in the private sector and governments. They may have different names for it and slightly different methods, but they are are essentially doing the same thing. They have to do it because their enterprise gets so big that its impossible to stop every threat and quickly remove everyone weakness. The best they can do is create a process to manage the risk. That is what C&A is supposed to do.
The problem with certification and accreditation is that it is inefficient often taking months to do thousands of hours and millions of dollars. Since there is so much documentation involved and coordination its often ignored or not done thoroughly.
The certification and accreditation process has been automated (somewhat) with online databases and there has been a move to do away with C&A all together and move to a risk management framework.