
By: Professor Sam Musa 2/10/2014

Certification and Accreditation
(AKA: Assessment and Authorization)

Certification and Accreditation is a two-step process that ensures the security of information systems.
Certification is the process of evaluating, testing, and examining security controls that have been
pre-determined based on the data type in an information system. The evaluation compares the
current system's security posture with specific standards. The certification process ensures that
security weaknesses are identified and plans for mitigation strategies are in place. On the other
hand, accreditation is the process of accepting the residual risks associated with the continued
operation of a system and granting approval to operate for a specified period of time.

C&A is a six-step risk management process. It provides closely controlled and structured
processes that integrate information security and risk management activities. The six steps are
System Categorization, Security Controls, Implementation of the Security Controls, Controls
Assessment, Authorization to Operate (ATO), and Continuous Monitoring.

Organizations are highly encouraged to complete and deliver the following artifacts as part of the
C&A process.

1. Privacy Impact Assessment (PIA)

2. Security Test and Evaluation (ST&E) Results

3. System Security Plan (SSP)

4. Risk Assessment Report (RAR)

5. System Contingency Plan (CP)

6. Plan of Action and Milestones (POA&M)

7. Continuous Monitoring Plan (CMP)

8. Penetration Testing and Vulnerability Assessment Reports

9. List of System Inventory (Hardware/Software)

10. Interconnection Security Agreements (ISA) / Service Level Agreement (SLA)

11. System Diagram

12. Benchmark Scoring Reports

13. System Policies and Procedures

14. Approval to Operate Letter
