When you begin your C&A project, don’t expect everyone who has played a role in developing and administering the application or systems you are certifying to start volunteering information for you to use. You will need to take the initiative to go out and collect as much documentation as you can, and conduct interviews with the appropriate staff. If you are a consultant, you will first need to figure out who the appropriate staff are that you need to talk to.
You are going to have to ask a lot of questions. The sponsoring manager who signed you up for completing the C&A is the best person to start with. The sponsoring manager may be the system owner, the ISSO, the contracting officer, or an application development manager.
Put Together a Contact List
You first need to figure out who will have knowledge of all the security particularities of the information system. You should start by identifying the people involved. The sponsoring manager should be able to answer a lot of your questions. To find the appropriate people who understand the security of the information system or systems that require accreditation, you’ll need to ask the following questions:
■ Was the application developed in-house or purchased from a vendor?
■ If the application was purchased from a vendor, was any customization done to it?
■ Who did the customization?
■ If the application was developed in-house, who designed it?
■ Are there design specifications and documents? Who has them?
■ Is the application hosted on-site or at a remote site?
■ If the application is hosted remotely, who is responsible for its operations?
These questions are the “Who?” questions. From the answers to your questions, you should be able to start putting together a contact list of the people who have been a part of the design and implementation of the information system. Include their phone numbers and e-mail addresses because you’ll need to contact them often.
Some federal agencies are quite large, and due to the size of the operations, sometimes impersonal. When you contact the various people on your contact list, you’ll need to explain to them who you are and why you are contacting them. Don’t expect them to know that a C&A project is underway or even to know what C&A is about. If you contact them and say that you need to meet with them to discuss a C&A project, be prepared to tell them what C&A means, since there is a good chance they may not have a clue what you are talking about.
Finding out all the information you will need to create a Certification Package is much like going on a treasure hunt. If you are an outside consultant, at the start of the project it is altogether possible that no one except the sponsoring manager will know why you are on-site at the agency. It’s very unlikely that someone will come up to you and say, “I hear that you are on-site to put together a Certification Package for our information system. Here are all the security policies, design documents, and the security configuration of the system that you will need.” In large federal agencies, my experience has been that no one readily and quickly volunteers information about system security.
Hold a Kick-Off Meeting
Once you have found out who the key players are (the people who have been part of designing, developing, coding, and implementing the information system), you should schedule a Kick-off Meeting and invite them all. Do your best to form good relationships with these folks because you will become reliant on them for information. During the Kick-off Meeting, introduce them to the C&A team, and explain to them briefly what C&A is all about.
During this first meeting, you should tell them that you will need as much documentation as you can get on the particular information system that is slated for accreditation. Ask them if they can e-mail you documentation as soon as possible; otherwise they may take weeks to get it to you. You will need information on the design, development, implementation, configuration, network topology, and testing of the information system. You will need to review all this documentation to find the right bits of information to put into the Certification Package.
Obtain Any Existing Agency Guidelines
It is key to find out if the agency you are working for has a C&A Handbook.
Agencies that have in the past scored well on their Federal Computer Security Report Cards probably have one. Agencies that have scored poorly on their report card may not have one. If a handbook exists, you must follow all the guidelines written in it when preparing your Certification Package—even if they are poor guidelines. If the evaluation team does its job properly, they will be evaluating the Certification Package for how well it follows the agency C&A Handbook and requirements.
If a handbook exists, and you think parts of it are so wrong that you shouldn’t follow it, you need to take this up with the ISSO and package evaluation team before making any decisions. When you are preparing a Certification Package is not necessarily the best time to try to get the agency to change their regulations and policies. If you think that some parts of it are incorrect, before you go ahead and decide to go your own way and create a more “correct” Certification Package, bring the issues to the attention of the ISSO and offer justification as to why you would like to proceed differently.
Some agencies will fail your Certification Package if you don’t follow their handbook—even if the handbook is wrong.
All agencies are supposed to have a handbook and templates to standardize the C&A process. However, some agencies are less prepared than others, and if you embark on a C&A project and find out that no handbook or templates exist, you’ll have to do without. You can still put together a solid Certification Package without a handbook or templates, and if you do a good job, perhaps you will be enlisted as a future contributor to develop the much-needed handbook and templates. If a C&A handbook is not present, then see if the parent agency has one. For example, a bureau or agency department may not have its own handbook, but the parent agency might. If no C&A handbook at all exists, figure out which methodology your agency should be using (NIST, DITSCAP, NIACAP, DCID 6/3) and look to that for guidance.