If your agency does not have a standardized C&A program, you can expect the C&A process to become extremely confusing and overly complicated.
C&A preparers will not know what should be included in each package, and evaluators will not know if anything is missing.
Missing Information
Without a C&A program, different Certification Packages will include dif- ferent types of information. For example, without a prescribed and standard- ized C&A program, one Certification Package might have an Information Technology Contingency Plan (ITCP) and others might not. One
Certification Package might include a network topology map, and others might not. When it comes time to evaluate the entire Certification Package, it is hard to fail a package for not having an information technology
Contingency Plan if no policy or organizational process ever required one to exist in the first place. It is very hard to hold the information system owners
and the ISSOs accountable for putting together adequate Certification Packages if your agency has not yet defined what exactly constitutes an ade- quate Certification Package.
Lack of Organization
Though specifying the right information to include in a Certification Package is of primary importance, the format of the package should not be overlooked. A Certification Package can be 500 pages long. Unless each one is organized the same way, it will be very cumbersome for the evaluators to wade through the voluminous information and check to see if all the right material has been included. It’s best to make things easiest for the evaluators.
Evaluators who can’t make heads or tails out of the information presented to them, and can’t find key pieces of information, are going to be reluctant to recommend that a package be accredited.
Inconsistencies in the Evaluation Process
You want each Certification Package to be evaluated the same way. One agency may have many different evaluators. Without any sort of standard for Certification Package content or format, you are leaving the entire evaluation up to the subjective opinion of one (or a small group) of people. Different evaluators may put emphasis on different areas. If each package has the same organizational format, it improves the chances that different evaluators will evaluate the packages in the same way because they will look for, and expect the same type of information.
Unknown Security
Architecture and Configuration
Without a Certification Package, it may be the case that the security archi- tecture and configuration of your information infrastructure is not known.
By working through the C&A process, you will become aware of whether this is the case or not. If the security architecture is well documented, C&A serves as an opportunity to make sure the architecture diagrams and net- work maps are correct. If it’s not well documented, or not documented at all, this is something you’ll want to research and diagram. The same holds
true for the security configuration. All software requires configurations.
When operating systems and applications are installed, even if they are installed securely, are the security settings documented? If the security set- tings are not documented, they are basically unknown. Even expert and sea- soned systems administrators cannot usually remember every little thing they have done to a system when configuring it because today’s operating systems and applications are so feature rich. That is why security architec- ture and configuration documentation is critical. The C&A process is designed to find the unknowns of the security architecture and configura- tion settings and then resolve the unknowns by creating the necessary docu- mentation along the way.
Unknown Risks
Federal laws aside, the primary reason for understanding the security posture of your information systems is to identify risks, understand them, and take mitigating actions. With C&A left undefined, you are leaving the risks that you want your agency to look for open to speculation. Maybe the agency ISSOs will identify all the key risks, but maybe they won’t. One ISSO may put emphasis on disaster recovery planning, and another might put emphasis on system risks. It is unlikely that they all will put the same emphasis on all aspects of information security. When it comes to identifying risks, there are numerous items to take into consideration.There are business risks, system risks, training risks, policy risks, inventory risks, and so on. A well-defined C&A program ensures that all the relevant types of risks are taken into con- sideration.
Laws and Report Cards
You may be surprised to find out that the words “certification” and “accredi- tation” are not used in the Federal Information Security Act of 2002. However, the law very clearly states the requirement of an information security pro- gram, and also names the required elements of that program. Many of the required elements of the mandated information security program are those that have evolved to be now known as “Certification and Accreditation.”
Even if the agency-wide program were called something else—say “The
Security Validation Program”—all the same elements of the program would be required.You should not get hung up on the fact that you don’t see the terms “certification” or “accreditation” in the written law.The named ele- ments of the program are required by law no matter how you entitle them.
Without these elements, and without an information security program, agen- cies are breaking the law. What’s more, agencies that don’t have the right ele- ments included in their information security program will obtain poor Federal Computer Security Report Card grades. I’ll discuss this more in Chapter 23, but it’s almost a sure bet that if you don’t have a well-defined C&A program, you won’t get a good grade on the Federal Computer Security Report card.
Summary
There is no task that can be effectively accomplished using a repeatable pro- cess without having adequate documentation in place.Therefore, the first step in implementing a C&A program in an organization is developing a C&A handbook. Once the handbook is finalized it should be clear that there is a set of documents that will be created or used during the execution of each C&A task.Templates for each of these tasks should be developed to standardize the output and to reduce the work required to create them. Once these items are in place, C&A packages can effectively and efficiently be generated, but the C&A program should include mechanisms by which the process itself can be evaluated and improved. Cars are not manufactured the same way today as they were 20 years ago. Process improvements are discovered and incorpo- rated into the process, and the same should be true of any C&A program. If an organization’s C&A program is constantly evolving and improving, then by extension, the organization’s security posture should be evolving and
improving as well.
Developing