The Accreditation Phase

Overview

After the Certification Phase is complete, the Accreditation Phase begins. The purpose of this phase is to make the final determination of the inherent risk in operating the system. Once that level of risk has been determined, the Designated Approving Authority (DAA) makes the decision to either authorize the system, allow the system to operate in a modified form, or deny authorization of the system to operate.

According to NIST 800-37, the Security Accreditation Phase consists of two tasks:

  1. Security Accreditation Decision
  2. Security Accreditation Documentation

The purpose of the Security Accreditation Phase is to determine whether the remaining known vulnerabilities in the information system pose an acceptable level of risk to agency operations, agency assets, or individuals.

Upon successful completion of this phase, the information system owner will have either:

  1. Authorization to operate the information system
  2. An interim authorization to operate the information system under specific terms and conditions
  3. Denial of authorization to operate the information system

Security Accreditation Decision

The objective of the Security Accreditation Decision task is to determine the risk to agency operations, agency assets, or individuals and to determine whether that agency-level risk is acceptable.

The DAA, working with information from the information system owner, information system security officer, and certification agent produced during the Certification Phase, will have identified vulnerabilities in the information system and a list of planned or completed corrective actions to reduce or eliminate those vulnerabilities. Using that information, the acceptability of the risk to the agency is determined.

Final Risk Assessment

The vulnerabilities in the information system should be assessed to determine how those particular vulnerabilities translate into risk to operations, assets, or individuals. This risk is characterized by conducting a final risk assessment involving:

The DAA should judge which information system vulnerabilities are of greatest concern to the agency and which vulnerabilities can be tolerated without creating unreasonable risk. The DAA may consult the information system owner, certification agent, or other agency officials before making the final risk determination.

The plan of action and milestones (i.e., actions taken or planned to correct deficiencies in the security controls and reduce or eliminate vulnerabilities) submitted by the information system owner should also be considered in determining the risk to the agency.

LOW-IMPACT SYSTEMS

For low-impact systems, a simplified process for risk determination is recommended by NIST. The level of effort by the DAA in determining risk should be minimal, since the potential impact on agency operations, agency assets, and/or individuals has already been determined to be low. An independent certification agent may not be required to participate in the process in this case.

Accreditation Decision

After the final risk assessment, the DAA receives the final security accreditation package from the information system owner. The DAA then determines the risk to agency operations, agency assets, or individuals based on the vulnerabilities in the information system and any planned or completed corrective actions to reduce or eliminate those vulnerabilities. The DAA must consider many factors when deciding whether the risk is acceptable, such as balancing security considerations with mission and operational needs.

The DAA then issues one of three determinations: Authorization to Operate (ATO), Interim Authorization to Operate (IATO), or Not Authorized (NA). The DAA renders this accreditation decision after reviewing all the relevant information and consulting with key agency officials.

Authorization to Operate (ATO)

If the DAA deems that the agency-level risk is acceptable, an Authorization to Operate (ATO) is issued. The information system is accredited without any restrictions or limitations on its operation.

Interim Authorization to Operate (IATO)

If the DAA deems that the agency-level risk is unacceptable, but there is an important mission-related need to place the information system into operation, an Interim Authorization to Operate (IATO) may be issued. The IATO is a limited authorization under specific terms and conditions, which include corrective actions to be taken by the information system owner and a required timeframe for completion of those actions.

A detailed plan of action and milestones should be submitted by the information system owner and approved by the DAA before the IATO takes effect.

Not Authorized (NA)

If the DAA deems that the agency-level risk is unacceptable, the information system is not authorized for operation and is not accredited.

IATO TIME FRAME

It’s important to remember that the information system is not actually accredited during the IATO. The information system owner is responsible for completing the corrective actions identified in the plan of action and milestones and resubmitting an updated security accreditation package upon completion of those actions. A clearly defined time limit must be set as part of the IATO.

The Security Accreditation Decision Letter

The DAA’s designated representative or administrative staff prepares the final security accreditation decision letter. The security accreditation letter is included in the final accreditation package. The letter includes:

The accreditation decision letter indicates to the information system owner whether the system is authorized to operate (ATO), authorized to operate on an interim basis under strict terms and conditions (IATO), or not authorized to operate (NA).

Security Accreditation Documentation

The completion of security accreditation documentation task concludes the Security Accreditation Phase of the security certification and accreditation process. The objective of this task is to:

Accreditation Package Transmission

The DAA provides copies of the final security accreditation package, including the accreditation decision letter (in either paper or electronic form), to the information system owner and to any other agency officials who have a “need to know” about the security of the information system.

Upon receipt, the information system owner must accept the terms and conditions of the authorization and keep the original package on file. The DAA and ISSO also retain copies of the letter and the accreditation package.

ACCREDITATION PACKAGE SECURITY

The accreditation package, including all supporting documents, should be retained in accordance with the agency’s document retention policy. The accreditation package contains important documents and should be appropriately safeguarded and stored. Also, the package must be accessible, and it should be readily available to auditors and oversight agencies upon request.

System Security Plan Update

After the accreditation has been delivered, the Information System Owner should update the system security plan based on the final risk determination and any changes in the information system resulting from the Security Accreditation Phase. Also noted in the plan should be any conditions set forth in the accreditation decision, such as IATO conditions. However, any changes to the system security plan at this phase in the security certification and accreditation process should be minimal.

DITSCAP Accreditation Phases

Using DITSCAP as our example as we did in Chapter 13, let’s examine Phase 3 and Phase 4, which will finalize the accreditation. Although DITSCAP Phase 4 contains tasks that would fit better in the next chapter, “Continuous Monitoring Process,” we feel it makes sense to discuss both phases together here.

Phase 3 Validation

This phase consists of activities that culminate in the accreditation of the IS (for systems in development, this phase occurs after system integration). Phase 3 activities validate that the preceding work has produced an IS that operates in a specified computing environment with an acceptable level of residual risk.

As shown in Figure 14-1, Phase 3 activities include:

  1. Continue to review and refine the SSAA
  2. Perform certification evaluation of the integrated system
  3. Develop recommendation to the DAA
  4. Certification and accreditation decision

Figure 14-1: DITSCAP Phase 3 Validation.

Refine the SSAA

Phase 3 begins with a review of the SSAA to ensure that its requirements and agreements still apply. That review continues throughout Phase 3. At each stage of the validation process, details are added to the document, reflecting the current state of the system and refining the SSAA. Required changes must be submitted to the DAA, certifier, program manager, and user representative so that the revised agreement may be approved and implemented.

Certification Evaluation of the Integrated System

This activity certifies that the fully integrated and operational system complies with the requirements stated in the SSAA and that the system operates with an acceptable level of residual risk. During this activity, certification tasks are performed to ensure that the IS is functionally ready for operational deployment. The certification tasks and their extent will depend on the level of certification analysis in the SSAA.

NIACAP LEVELS OF CERTIFICATION

NIACAP has four levels of certification to ensure that the appropriate C&A is performed for varying schedule and budget limitations. To determine the appropriate level of certification, the certifier must analyze the system’s business functions; national, departmental, and agency security requirements; criticality of the system to the organizational mission; software products; computer infrastructure; types of data processed; and types of users. After analyzing this information, the certifier determines the degree of confidentiality, integrity, availability, and accountability required for the system. Based on this analysis, the certifier recommends one of the following certification levels:

  • Level 1 - Basic Security Review
  • Level 2 - Minimum Analysis
  • Level 3 - Detailed Analysis
  • Level 4 - Comprehensive Analysis

Phase 3 certification tasks must include certification of the software, firmware, and hardware and inspections of operational sites to ensure their compliance with the physical security, procedural security, TEMPEST, and COMSEC requirements. Phase 3 includes tasks to certify the compatibility of the computing environment with the description provided in the SSAA. DITSCAP flexibility permits the certification actions to be scaled to the type of IS being evaluated and tailored to the program strategy used in the development or modification of the system.

Phase 3 certification tasks include:

Develop Recommendation to the DAA

This begins after completion of all certification tasks. Its purpose is to consolidate the findings developed during certification of the integrated system and submit the certifier’s report to the DAA.

Based on the certifier’s findings, one of three activities will occur:

  1. If the certifier concludes that the integrated IS satisfies the SSAA security requirements, the certifier issues a system certification statement. This certifies that the IS has complied with the documented security requirements. Supplemental recommendations also may be made to improve the system’s security posture. Such recommendations should provide input to future system enhancements and change management decisions.
  2. In some cases, the certifier may uncover security deficiencies but continue to believe that the short-term system operation is within the bounds of acceptable risk. The certifier may recommend an IATO, with the understanding that deficiencies will be corrected in a time period specified by the DAA.
  3. If the certifier determines that the system does not satisfy the security requirements and that short-term risks place the system operation or information in jeopardy, the certifier must recommend that the IS not be accredited.

The Certification and Accreditation Decision

After receipt of the certifier’s recommendation, the DAA reviews the SSAA and makes an accreditation determination. The final SSAA accreditation package includes the certifier’s recommendation, the DAA authorization to operate, and supporting documentation.

If the decision is to accredit, the decision must include the security parameters under which the information system is authorized to operate. When a decision is made to accredit the system, the DITSCAP begins Phase 4.

If the system does not meet the requirements stated in the SSAA but mission criticality mandates that the system become operational, an IATO may be issued. The DAA, certifier, program manager, and user representative must agree to the proposed solutions, schedule, security actions, milestones, and maximum length of time for the IATO validity.

If the decision is made to not authorize the system to operate, the DITSCAP process reverts to Phase 1 and the DAA, certifier, program manager, and user representative must agree to the proposed solutions necessary to meet an acceptable level of risk. The decision must state the specific reasons for denial and, if possible, provide suggested solutions.

Phase 4 Post Accreditation

Phase 4 begins after the system has been accredited in Phase 3. This phase contains the activities required to continue to operate and manage the system, ensuring that it will maintain an acceptable level of residual risk.

The primary post-accreditation activities (see Figure 14-2) include:

  1. System operations and security operations
  2. Maintenance of the SSAA
  3. Change management
  4. Compliance validation

Figure 14-2: DITSCAP Phase 4 Post Accreditation.

Phase 4 continues until either:

System and Security Operations

The system operation activity concerns the secure operation of the IS and the associated computing environment. System maintenance tasks ensure that the IS continues to operate within the stated parameters of the accreditation. Site operations staff and the ISSO are responsible for maintaining an acceptable level of residual risk.

Secure System Management

Secure system management is an ongoing process that manages risk against the IS, the computing environment, and its resources. Effective management of the risk continuously evaluates the threats that the system is exposed to, evaluates the capabilities of the system and environment to minimize the risk, and balances the security measures against cost and system performance. Secure system management preserves an acceptable level of residual risk based on the relationship of the mission, the environment, and the architecture of the information system and its computing environment. Secure system management is a continuous review and approval process that involves the users, ISSOs, acquisition or maintenance organizations, configuration management officials, and the DAA.

SSAA Maintenance

Phase 4 involves ongoing review of the SSAA to ensure that it remains current. The user representative, DAA, certifier, and program manager must approve revisions to the SSAA. On approval, the necessary changes to the mission, environment, and architecture are documented in the SSAA.

Change Management

After an IS is approved for operation, changes to the IS must be controlled. Change management is required to maintain an acceptable level of residual risk, because changes may adversely affect the overall security posture of the infrastructure and the IS.

The ISSO and system users must support the system configuration management process. They must be involved in the change management process to ensure that changes do not have an adverse effect on the security posture of the system and its associated IS.

During Phase 4, the ISSO is responsible for:

  • Determining the extent that a change affects the security posture of either the information system or the computing environment
  • Obtaining approval of security-relevant changes
  • Documenting the implementation of that change in the SSAA and site operating procedures
  • Forwarding changes that significantly affect the system security posture to the DAA, certifier, user representative, and program manager

Users are responsible for operating the system under the security guidelines established in the SSAA.

Compliance Validation

Compliance validation consists of a periodic review of the operational system and its computing environment occurring at predefined intervals. This ensures the continued compliance with the security requirements, current threat assessment, and concept of operations as stated and documented in the SSAA. During compliance validation the following minimum tasks should be completed:

DIACAP Accreditation Phases

Since we discussed the DIACAP certification phases in the last chapter, let’s look at the DIACAP accreditation phases here. The phase of DIACAP that addresses accreditation is the DIACAP Phase 3: Make C&A Decisions. This phase consists of three primary elements:

  1. Analyze Residual Risk
  2. Issue Certification Determination
  3. Make Accreditation Decision

These tasks correspond roughly to the NIST and DITSCAP accreditation tasks. Similar to the final risk assessment in DITSCAP, the CA, also referred to as the Information Assurance Manager (IAM), assesses residual risk to the DoD Component information environment, to the information exposed to the DoD information system, and to the mission being supported by the DoD information system.

DIACAP RESIDUAL RISK

DIACAP describes residual risk as the risk remaining after risk mitigation has occurred (i.e., application of countermeasures, security controls, or the implementation of corrective actions).

The IAM/CA then makes certification accreditation recommendations to the DAA, and the DAA issues one of four accreditation determinations:

  • Approval to Operate (ATO)
  • Interim Approval to Operate (IATO)
  • Interim Approval to Test (IATT)
  • Denial of Approval to Operate (DATO)

The contents of the DIACAP documentation package that the DAA uses to make the case for the determination typically include:

End of the Accreditation Phase

At the end of the Accreditation Phase, and before proceeding to the Continuous Monitoring Phase, NIST says two important questions need to be answered: How do the known vulnerabilities in the information system translate into agency-level risk (risk to agency operations, agency assets, or individuals)? Is this agency-level risk acceptable?

Assessment Questions

You can find the answers to the following questions in Appendix A.

1. What happens to the SSAA after the DITSCAP accreditation?

  1. The SSAA becomes the baseline security configuration document.
  2. The SSAA is discarded as the project is finished.
  3. The SSAA cannot be reviewed or changed.
  4. The ISSO can revise the SSAA independently.

2. Which choice best describes DITSCAP Phase 3, Accreditation?

  1. The objective of Phase 3 is to ensure that the fully integrated system will be ready for certification testing.
  2. The objective of Phase 3 is to agree on the security requirements, C&A boundary, schedule, level of effort, and resources required.
  3. The objective of Phase 3 is to ensure secure system management, operation, and maintenance to preserve an acceptable level of residual risk.
  4. The objective of Phase 3 is to produce the required evidence to support the DAA in making an informed decision to grant approval to operate the system (accreditation or Interim Approval to Operate [IATO]).

3. During which DITSCAP phase does the Security Test and Evaluation (ST&E) occur?

  1. Phase 1
  2. Phase 2
  3. Phase 3
  4. Phase 4

4. What does DATO refer to?

  1. The information system is accredited without any restrictions or limitations.
  2. A determination that a DoD information system cannot operate.
  3. A limited authorization under specific terms and conditions.
  4. A temporary approval to conduct system testing.

5. Which of the following choices is the best description of IATO?

  1. A determination that a DoD information system cannot operate.
  2. The agency-level risk is unacceptably high for accreditation.
  3. The information system is accredited without any restrictions or limitations on its operation.
  4. A limited authorization under specific terms and conditions, which include corrective actions to be taken and a required timeframe for completion of those actions.

6. Which choice is the best description of the objective of the Security Accreditation Decision task?

  1. To accredit the information system without any restrictions or limitations on its operation
  2. To indicate the DAA’s accreditation decision
  3. To determine whether the agency-level risk is acceptable
  4. To approve revisions to the SSAA

7. Which choice is not a responsibility of the ISSO during DITSCAP Phase 4?

  1. Obtaining approval of security-relevant changes
  2. Documenting the implementation of security-relevant changes in the SSAA
  3. Approving revisions to the SSAA
  4. Determining the extent that a change affects the security posture of the information system

8. Which choice best describes the final security accreditation decision letter?

  1. The accreditation decision letter documents the implementation of security-relevant changes in the SSAA.
  2. The accreditation decision letter deems that the agency-level risk is unacceptably high.
  3. The accreditation decision letter indicates to the information system owner the DAA’s accreditation decision.
  4. The accreditation decision letter determines whether the remaining known vulnerabilities in the information system pose an acceptable level of risk.

9. Change management is initiated under which phase?

  1. Phase 1
  2. Phase 2
  3. Phase 3
  4. Phase 4

10. Why would the DAA issue an accreditation determination of Not Authorized (NA)?

  1. If the system requires more testing to determine the level of risk.
  2. If the DAA deems that the agency-level risk is unacceptably high.
  3. If the system is mission-critical and requires an interim authority to operate.
  4. The information system is always accredited without any restrictions or limitations on its operation.

11. Which choice is the best definition of the DIACAP Interim Approval to Test (IATT) accreditation determination?

  1. It’s a temporary approval to conduct system testing.
  2. It’s a temporary approval to operate.
  3. It’s a denial of approval to operate.
  4. No such accreditation determination exists.

12. Which of the following best describes the objective of the Security Test and Evaluation (ST&E)?

  1. The objective of the ST&E is to update the SSAA to include changes made during system development and the results of the certification analysis.
  2. The objective of the ST&E is to evaluate the integration of COTS software, hardware, and firmware.
  3. The objective of the ST&E is to verify that change control and configuration management practices are in place.
  4. The objective of the ST&E is to assess the technical implementation of the security design.

13. Who makes the final accreditation decision?

  1. ISSO
  2. CA
  3. Information System Owner
  4. DAA

14. Penetration Testing is part of which DITSCAP phase?

  1. Phase 1
  2. Phase 2
  3. Phase 3
  4. Phase 4

15. Which choice is the best description of the purpose of the Security Accreditation Phase?

  1. To assess the system’s ability to withstand intentional attempts to circumvent system security features by exploiting technical security vulnerabilities
  2. To determine whether the remaining known vulnerabilities in the information system pose an acceptable level of risk
  3. To conduct a final risk assessment by the Information System Owner
  4. To help prepare the final security accreditation decision letter

16. SSAA maintenance continues under which phase?

  1. Phase 1
  2. Phase 2
  3. Phase 3
  4. Phase 4

17. How many determination options does the authorizing official have in a DIACAP process?

  1. 2
  2. 3
  3. 4
  4. 5

18. How many levels of certification does NIACAP specify to ensure that the appropriate C&A is performed for varying schedule and budget limitations?

  1. Two
  2. Three
  3. Four
  4. Five

19. Which choice is the best description of DIACAP residual risk?

  1. The remaining risk to the information system after risk mitigation has occurred.
  2. To assess the technical implementation of the security design.
  3. The information system is not authorized for operation and is not accredited.
  4. Authorization to operate the information system.

20. Which choice is not an accreditation decision the DITSCAP DAA can make?

  1. ATO
  2. IATO
  3. NCO
  4. NA

21. When does the DAA make the accreditation determination?

  1. After reviewing all the relevant information and consulting with key agency officials
  2. Before determining the acceptability of the risk to the agency
  3. After preparing the final security accreditation decision letter
  4. After the Information System Owner updates the system security plan

Answers

1. Answer: a

After accreditation, the SSAA becomes the baseline security configuration document. Phase 4 involves ongoing review of the SSAA to ensure it remains current. The user representative, DAA, certifier, and program manager must approve revisions to the SSAA. On approval, the necessary changes to the mission, environment, and architecture are documented in the SSAA.

2. Answer: d

Phase 3, Validation, validates compliance of the fully integrated system with the security policy and requirements stated in the SSAA. The objective of Phase 3 is to produce the required evidence to support the DAA in making an informed decision to grant approval to operate the system. Answer a describes the objectives of Phase 2. Answer b describes the objectives of Phase 1. Answer c describes the objectives of Phase 4.

3. Answer: c

The Security Test and Evaluation (ST&E) is a major activity in Phase 3.

4. Answer: b

DIACAP’s Denial of Approval to Operate (DATO) is a determination that a DoD information system cannot operate because of an inadequate IA design or failure to implement assigned IA controls.

5. Answer: d

If the DAA deems that the agency-level risk is unacceptable, but there is an important mission-related need to place the information system into operation, an Interim Authorization to Operate (IATO) may be issued.

The IATO is a limited authorization under specific terms and conditions, which include corrective actions to be taken by the information system owner and a required time frame for completion of those actions.

6. Answer: c

The objective of the Security Accreditation Decision task is to determine the risk to agency operations, agency assets, or individuals and determine whether the agency-level risk is acceptable.

7. Answer: c

The user representative, DAA, certifier, and program manager must approve revisions to the SSAA. The ISSO is responsible for:

  • Determining the extent that a change affects the security posture of either the information system or the computing environment
  • Obtaining approval of security-relevant changes
  • Documenting the implementation of that change in the SSAA and site operating procedures
  • Forwarding changes that significantly affect the system security posture to the DAA, certifier, user representative, and program manager

8. Answer: c

The accreditation decision letter indicates to the information system owner whether the system is authorized to operate (ATO), authorized to operate on an interim basis under strict terms and conditions (IATO), or not authorized to operate (NA).

9. Answer: d

After an IS is approved for operation in a specific computing environment, changes to the IS and the computing environment must be controlled. Although changes may adversely affect the overall security posture of the infrastructure and the IS, change is ongoing as it responds to the needs of the user and new technology developments. As the threats become more sophisticated or focused on a particular asset, countermeasures must be strengthened or added to provide adequate protection. Therefore, change management is required to maintain an acceptable level of residual risk.

10. Answer: b

If the DAA deems that the agency-level risk is unacceptable, the information system is not authorized for operation and is not accredited.

The DAA must consider many factors when deciding whether the risk is acceptable, such as balancing security considerations with mission and operational needs.

11. Answer: a

In DIACAP, the Interim Approval to Test (IATT) accreditation determination is temporary approval to conduct system testing based on an assessment of the implementation status of the assigned IA controls. Choice b describes IATO, and choice c describes DATO.

12. Answer: d

The objective of the ST&E is to assess the technical implementation of the security design; to ascertain that security software, hardware, and firmware features affecting confidentiality, integrity, availability, and accountability have been implemented as documented in the SSAA; and that the features perform properly. ST&E validates the correct implementation of identification and authentication, audit capabilities, access controls, object reuse, trusted recovery, and network connection rule compliance. The other answers are distracters.

13. Answer: d

The DAA renders his or her accreditation decision after reviewing all the relevant information and consulting with key agency officials.

14. Answer: c

Penetration testing assesses the system’s ability to withstand intentional attempts to circumvent system security features by exploiting technical security vulnerabilities. Penetration testing may include insider and outsider penetration attempts based on common vulnerabilities for the technology being used.

15. Answer: b

The purpose of the Security Accreditation Phase is to determine whether the remaining known vulnerabilities in the information system pose an acceptable level of risk to agency operations, agency assets, or individuals.

16. Answer: d

Phase 4 involves ongoing review of the SSAA to ensure that it remains current. The user representative, DAA, certifier, and program manager must approve revisions to the SSAA. On approval, the necessary changes to the mission, environment, and architecture are documented in the SSAA.

17. Answer: c

In DIACAP, the DAA or other authorizing official issues one of four accreditation determinations:

  • Approval to Operate (ATO)
  • Interim Approval to Operate (IATO)
  • Interim Approval to Test (IATT)
  • Denial of Approval to Operate (DATO)

18. Answer: c

NIACAP has four levels of certification to ensure that the appropriate C&A is performed for varying schedule and budget limitations. To determine the appropriate level of certification, the certifier must analyze the system’s business functions; national, departmental, and agency security requirements; criticality of the system to the organizational mission; software products; computer infrastructure; the types of data processed by the system, and types of users. The levels are as follows:

  • Level 1 - Basic Security Review
  • Level 2 - Minimum Analysis
  • Level 3 - Detailed Analysis
  • Level 4 - Comprehensive Analysis

19. Answer: a

DIACAP describes residual risk as the risk remaining after risk mitigation has occurred (i.e., application of countermeasures, security controls, or the implementation of corrective actions).

20. Answer: c

The DITSCAP DAA issues one of three accreditation determinations: Authorization to Operate (ATO), Interim Authorization to Operate (IATO), or Not Authorized (NA).

21. Answer: a

The DAA renders the accreditation decision after reviewing all the relevant information and consulting with key agency officials.
