Over the years I have noticed that not many people in IT know what Certification & Accreditation is. IT professionals specializing in some aspect of system, network or software security usually know of it by one of its many names. Some call it assessments. A generic name would be a security check, but the new name the government will use is Assessment & Authorization. Those of us who have had a chance to do it call it a pain in the ass!
I cannot complain too much about it because the work has paid my bills for years. I am doing mostly technical work right now, but I still keep a close eye on C&A.
For those of you who want to know more, here is a brief history of C&A:
In 1985 the National Computer Security Center (NCSC) (now known as the National Security Agency) published the Trusted Computer Systems Evaluation Criteria (TCSEC), the “Orange Book.” It was part of a series of computer security standards known as the Rainbow Series. These books covered everything from cryptography to authentication to verification systems.
Information Technology Security Evaluation and Certification (ITSEC) came later, from Europe, in 1991. These standards evolved into the international standard known today as the Common Criteria.
The Orange Book became DoDD 5200.28-STD, DoD Directive 5200.28, “Security Requirements for Automated Information Systems (AISs),” March 21, 1988, which is the basis of DoD 5200.40, the DoD Information Technology Security Certification and Accreditation Process (DITSCAP). In 2002, DITSCAP was replaced with DoDD 8500.1. 8500 begat 8510, DIACAP... and Boaz begat Abraham and Abraham begat Choazz... (OK, a little KJV humor there).
But seriously, Department of Defense Instruction (DoDI) 8510.01, the DoD IA C&A Process (DIACAP), comes from the Orange Book in the old Rainbow Series.
Now it has evolved again to become the Defense Information Assurance Risk Management Framework.