At the time of this writing, a group of industry experts is working on transforming much of NIST's guidance on information security management, including certification and accreditation, into documentation that fits private industry better. NIST publishes excellent guidance on information security management, though it is directed at federal agencies. Although the C&A methodologies it describes can be adopted by anyone, private industry will more readily familiarize itself with that guidance once the term "federal agency" has been replaced by "enterprise." Any organization that processes sensitive information should have a methodology for evaluating and accrediting the security of its systems.

To protect individuals from having their medical information exposed, Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996. Sarbanes-Oxley became law in July 2002 to regulate the accounting practices and standards of publicly traded companies. Although accounting may seem like a purely financial matter, keep in mind that the integrity of information can be ensured only by strict security controls. Therefore, Sarbanes-Oxley has become an information technology problem. Sarbanes-Oxley and HIPAA were passed to hold certain covered entities accountable for the security of their systems, but what these regulations lack are standardized methodologies. A law is one thing; a standardized process or methodology for complying with the law is quite another. FISMA, HIPAA, and Sarbanes-Oxley are merely laws. What has evolved out of FISMA, and has not yet evolved out of HIPAA and Sarbanes-Oxley, is a set of standardized certification and accreditation processes that enable FISMA compliance.
HIPAA and Sarbanes-Oxley both need standardized certification and accreditation processes. How HIPAA and Sarbanes-Oxley are complied with today depends on who you ask: organizations are attempting to comply with them in whatever way they know how. While attempting to comply with these laws is meritorious, applying oversight to the compliance process will be difficult until standardized C&A processes unique to each law evolve.

Chapter 2 • Types of Certification and Accreditation (www.syngress.com, 409_Cert_Accred_02.qxd, 11/2/06)

Summary

Certification and Accreditation processes formally evaluate the security of an information system, determine the risk of operating it, and then either accept that risk or decline to accept it. There are generally four different methodologies for performing C&A: NIACAP, NIST, DITSCAP, and DCID 6/3. They were developed for four different audiences within the federal community: national security systems, non-national-security information systems, defense agency information systems, and information systems operated by the intelligence community. Despite their nuances, all four have the goal of certifying and accrediting information systems, so there are many similarities among them. Although none of these models was developed for the private sector, laws such as Sarbanes-Oxley, HIPAA, and others hold certain private sector enterprises responsible for maintaining basic levels of information security. Therefore, drawing from these four models to develop private sector C&A processes can help businesses achieve compliance with these laws.

Notes

1. National Information Assurance Certification and Accreditation Process (NIACAP). NSTISSI No. 1000.
National Security Telecommunications and Information Systems Security Committee (www.cnss.gov/Assets/pdf/nstissi_1000.pdf).
2. R. Ross, M. Swanson, G. Stoneburner, S. Katzke, and A. Johnson. Guide for the Security Certification and Accreditation of Federal Information Systems. NIST Special Publication 800-37. National Institute of Standards and Technology, May 2004 (http://csrc.nist.gov/publications/nistpubs/800-37/SP800-37-final.pdf).
3. Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP) Application Manual. DoD 8510.1-M. United States Department of Defense, July 31, 2000 (www.dtic.mil/whs/directives/corres/pdf/85101m_0700/p85101m.pdf).
4. Executive Order 12958. The White House Office of the Press Secretary, April 17, 1995 (www.fas.org/sgp/clinton/eo12958.html).
5. DCIDs: Director of Central Intelligence Directives. Federation of American Scientists Intelligence Resource Program, updated August 28, 2006 (www.fas.org/irp/offdocs/dcid.htm).
6. According to its Web site, “The Federation of American Scientists is a nonprofit, tax-exempt, 501c3 organization founded in 1945 as the Federation of Atomic Scientists.
FAS is the oldest organization dedicated to ending the worldwide arms race and avoiding the use of nuclear weapons for any purpose.”

Chapter 3 • Understanding the Certification and Accreditation Process (www.syngress.com, 409_Cert_Accred_03.qxd, 11/2/06)

“You say it as you understand it.” —Johann Friedrich von Schiller, German dramatist and poet

Topics in this chapter:
■ Recognizing the Need for C&A
■ Roles and Responsibilities
■ Stepping through the Process

Introduction

The Certification and Accreditation (C&A) process begins when an information system owner recognizes that an application, system, group of systems, or site requires Accreditation. The information system owner might be an IT operations director, an IT operations manager, a security officer, or an application development manager. Once the need for C&A is recognized, it is time to put in motion a plan to carry out and oversee the C&A process.

Recognizing the Need for C&A

All general support systems and major applications are required by FISMA and Office of Management and Budget (OMB) Circular A-130, Appendix III (see Appendix B) to be fully certified and accredited before they are put into production. Production systems and major applications must be reaccredited at least every three years. Going forward, systems that require C&A (general support systems and major applications) are referred to simply as information systems. One of the primary objectives of C&A is to force the authorizing official to understand the risks an information system poses to agency operations. Only after understanding those risks can an authorizing official ensure that the information system has received adequate attention to mitigate unacceptable risks.
Evaluating risk and documenting the results should be incorporated throughout a system or application's development lifecycle. NIST defines the system development lifecycle as consisting of five phases:
1. System initiation
2. Development and acquisition
3. Implementation
4. Operation and maintenance
5. Disposal

FISMA mandates that new systems and applications be fully certified and accredited before they can be put into production. The best time to begin the C&A of new systems and applications is while they are still in development. It is easiest to design security into a system that has not yet been built. When new information systems are being proposed and designed, part of the development should include the discussion, “What do we need to do to ensure that this information system can be certified and accredited?” After a new application is built and ready to be implemented is not the time to find out whether it will withstand a comprehensive certification review.

Legacy systems that are already in their operational phase are harder to certify and accredit because they may well have been put into production with little or no security taken into consideration. In putting together the Certification Package for a legacy system, it may be discovered that adequate security controls have not been put into place. If that becomes clear, the C&A project leader may decide to put development of the Certification Package on hold while adequate security controls are developed and implemented. It makes little sense to spend the resources to develop a Certification Package that recommends that an information system not be accredited.
However, coming to an understanding that an information system has not been properly prepared for accreditation is precisely one reason C&A exists: it is a process that enables authorizing officials to discover the security truths about their infrastructure so that informed decisions can be made.

Roles and Responsibilities

C&A involves many different people working together on different tasks: the people who develop the C&A program, the people who prepare Certification Packages, the people who are held accountable for the Certification Packages, the agency auditors who evaluate the Certification Packages prior to accreditation, and the federal inspectors who audit the agency to make sure it is doing C&A the right way.

Chief Information Officer

The agency Chief Information Officer (CIO) is the most obvious person held accountable for a successful information security program and C&A program. It is the CIO's responsibility to make sure that an information security program, including a C&A program, exists and is implemented. However, most agency CIOs do not play a hands-on role in developing these programs. Usually the CIO delegates their development to the Senior Agency Information Security Officer. Delegating program development does not mean the CIO need not understand the process. If the CIO does not understand all the elements of a successful C&A program, there is little chance the CIO will be able to hold the Senior Agency Information Security Officer responsible for developing a complete one. Without understanding what a program should include, the CIO will not know whether the Senior Agency Information Security Officer has left anything out.
A piece of C&A that cannot be overlooked is the need for the CIO to develop a budget for it. C&A is very time intensive; a typical C&A takes on average six months to do a thorough job, replete with all the required information. The CIO works together with the authorizing official to ensure there is enough budget to staff the resources necessary to put together the certification program. If CIOs do not budget for C&A, C&A may not get done. The CIO enables C&A to take place by fully understanding the federal budgetary process as documented in a White House publication known as Circular No. A-11, Part 7, Planning, Budgeting, Acquisition, and Management of Capital Assets, currently available at www.whitehouse.gov/omb/circulars/a11/2002/part7.pdf. A-11 Part 7 references other budgetary guidelines that the CIO should also become familiar with, including OMB Exhibit 300, currently available at www.cio.gov/archive/S300_05_draft_0430.pdf.

It is ultimately the CIO who is likely to be held responsible and accountable if the agency receives a poor grade on the annual Federal Computer Security Report Card, so one of the CIO's responsibilities is to care about that grade. If an agency receives a failing grade, then clearly something is wrong with either the C&A program itself or how the program is implemented. If an agency receives a top score, then as far as C&A goes, the process is being worked the right way. As the Federal Computer Security Report Cards get more public attention each year, a poor score can be a career-limiting experience for any agency CIO.
I will discuss the Federal Computer Security Report Cards more in Chapter 23.

Authorizing Official

Authorizing official is a generic term for a senior management official within an agency who authorizes operation of an information system, declaring that the risks associated with it are acceptable. It is unlikely that anyone holds the title “authorizing official,” hence it is not capitalized here. There may be multiple authorizing officials within an agency, each responsible for a designated area. In many agencies, the authorizing official is referred to as the Designated Accrediting Authority (DAA).

The authorizing official usually has budgetary responsibility for ensuring that a certain amount of resources is set aside for overseeing the C&A process. Usually the agency CIO reports to the authorizing official. However, in large agencies, where bureau CIOs report to the agency CIO, a CIO can be the authorizing official. In other cases the authorizing official may be the Commissioner or an Assistant Commissioner. If the authorizing official and the CIO are two different people, they must work together to make sure an adequate budget has been set aside for C&A.

According to NIST Special Publication 800-37 (May 2004), the authorizing official must be an employee of the U.S. government and cannot be a contractor or consultant. The authorizing official may designate a representative to carry out the various tasks related to C&A, and that designated representative can be a contractor or consultant. However, the final security accreditation decision and its accompanying accreditation decision letter must be owned and signed by the U.S. government employee who is the authorizing official.
Senior Agency Information Security Officer

The Senior Agency Information Security Officer (SAISO) is the person the CIO holds accountable for overseeing all of the agency's information security initiatives. The SAISO is akin to a Chief Information Security Officer in private industry. It is possible that a CIO performs this role personally, in which case there is no separate individual holding these responsibilities.

The SAISO works with the agency authorizing officials to ensure that they agree on the security requirements of the information system as well as the key documents contained in the Certification Package, such as the risk assessments and the Security Plan. In working together, the SAISO and the authorizing officials should take into consideration the mission and business requirements of the agency.

The SAISO provides management oversight to the Certification Agent and works with him or her to ensure that the C&A process is well thought out and includes all the necessary documentation and guidance. The SAISO appoints the Certification Agent and holds them accountable for performing their duties. It is very important for the SAISO to choose Certification Agents carefully, because the SAISO will need to rely on their accreditation recommendations. The SAISO may wish to review all the Certification Packages processed within the agency; as a practical matter, however, that is next to impossible. In most agencies, there are far too many Certification Packages for one individual to review and validate.
For this very reason, the SAISO employs a Certification Agent (or agents) to read packages, perform evaluations, write recommendations, and produce a document called a Security Assessment Report. The Security Assessment Report is essentially an evaluation summary and should justify and support the recommendation on whether or not to accredit the package. It should contain all the information the SAISO needs to justify signing the accreditation letter and to escalate the recommendation to the authorizing official as to whether or not they should sign it.

Senior Agency Privacy Official

Each agency is supposed to have a Senior Agency Privacy Official. For a large agency, this might be a full-time job. For a small agency, the responsibilities of this official may be performed by the CIO, the CIO's staff, or the SAISO. The person in this role could hold the title of Chief Privacy Officer; he or she does not necessarily have to be called the Senior Agency Privacy Official. What matters most is that someone is designated to perform the duties of safeguarding confidential and private information.

Certification Agent/Evaluation Team

The Certification Agent reviews the Certification Packages and makes recommendations as to whether they warrant a positive Accreditation. Essentially, Certification Agents act as auditors. They comb through the unwieldy Certification Packages looking for missing information and information that does not make sense. Their goal is to determine whether the package complies with the agency's documented C&A Handbook, process, security policies, and the information system's security requirements.
In some agencies there are so many packages to evaluate that the Certification Agent is an evaluation team. The team may have a departmental name such as Mission Assurance, Information Assurance, or Compliance; the organizational name is for the most part irrelevant and differs from agency to agency. After reviewing the C&A packages, the Certification Agent or evaluation team recommends to the internal accrediting authorities, the SAISO and the authorizing official, whether or not a package should be accredited. In most cases, the SAISO and authorizing official accept the recommendation of the Certification Agent and sign the accreditation letter based solely on it. Along with the recommendation, the Certification Agent also produces and includes the Security Assessment Report, which should justify the recommendation. I will talk more about the Security Assessment Report in Chapter 21.

[...] with the C&A handbook and process. If you change the handbook, process, and templates every year, they will not become familiar with it. Once you have a handbook and process in place that has been reviewed, edited, and published, it is best not to rewrite the handbook more often than every two years. Of course, if there are egregious errors, those may need to be addressed. Developing a handbook and templates [...]

[...] person might create and update templates, and another person might update the handbook. The Certification Agent is also responsible for developing the internal C&A process and all the documentation that describes this process—the handbook and the templates. The documentation that the Certification Agent develops for evaluating the packages consists of checklists and score cards. The checklists and score cards should [...]
[...] development of the program, however, needs to be organized and endorsed at the level of the CIO, authorizing official, and certifying agent.

Chapter 4 • Establishing a C&A Program (www.syngress.com, 409_Cert_Accred_04.qxd, 11/2/06)

Improve Your C&A Program Each Year

Once a handbook and templates are established, they should be improved upon and refined as necessary. However, updating them every [...]

[...] Certification Package in its entirety, and validates whether the findings are accurate and all the required information is present. A Certification Package can easily be in excess of 500 pages. At least two to four weeks should be allotted for the Accreditation Phase. Most evaluation [...]

[...] packages according to the same standards. Writing the handbook is a big job. A good handbook is likely to be around 200 pages long. The handbook has to include very specific information on what your agency evaluators need to see in every Certification Package. It should instruct the people preparing the Certification Packages on what documents they will be required to submit, and what should be included in each [...]

[...] program and practices of that agency to determine the effectiveness of such program and practices. If an agency decides to use its own staff, it should be sure that there is a clear separation of duties between the evaluators and the organizations that are presenting the C&A packages for evaluation.
[...] they should be fully described and the reasons for the changes should be documented.

It is often the case that not nearly enough time is put into the Continuous Monitoring Phase, since once a positive Accreditation has been made, most ISSOs and information system owners tend [...]

[...] reviewed and approved through the change control process and then archived both locally and at an offsite location.

C&A Best Practices

Continuous Monitoring Milestones
■ Reconciliation of POA&M citations
■ Documentation of changes to the system
■ Ongoing monitoring of security controls

[...] be prepared to evaluate the Certification Package and make a recommendation on whether to issue a positive Accreditation.

C&A Preparers

The C&A preparers, sometimes referred to as the C&A review team, prepare the Certification Packages for submission to the evaluation team [...]

[...] right kind of information is to create templates.

What to Include in Your Handbook

Each agency's handbook will be somewhat different and take on slightly different organizational formats. However, it is highly advisable that all handbooks include sections in the following areas:
■ Background, purpose, scope
■ Regulatory citations (FISMA; FIPS 199; OMB Circular A-130 Appendix III)
■ Reference to associated [...]