GUIDE FOR THE
SECURITY CERTIFICATION AND ACCREDITATION OF FEDERAL INFORMATION SYSTEMS
Elizabeth B. Lennon,
Editor
Information Technology
Laboratory
National Institute of
Standards and Technology
In response to the requirements of the E-Government Act (Public Law 107-347), Title III, Federal Information Security Management Act (FISMA) of December 2002, ITL recently published NIST Special Publication (SP) 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems. Developed through an extensive public review process, the document represents a significant contribution to federal agency security management by providing specific recommendations on how to certify and accredit information systems. State, local, and tribal governments, as well as private sector organizations, are encouraged to use the guidelines, as appropriate. This ITL Bulletin summarizes the document, which is available at http://csrc.nist.gov/sec-cert/.
NIST SP 800-37 provides guidelines for
the security certification and accreditation of information systems supporting
the executive agencies of the federal government. The guidelines have been
developed to help achieve more secure information
systems within the federal government by:
·
Enabling more consistent, comparable,
and repeatable assessments of security controls in federal information systems;
·
Promoting a better understanding of
agency-related mission risks resulting from the operation of information
systems; and
·
Creating more complete, reliable, and trustworthy
information for authorizing officials—to facilitate more informed security
accreditation decisions.
Security
Certification and Accreditation
Security certification and accreditation are important
activities that support a risk management process and an integral part of an
agency’s information security program.
Security
accreditation is the official management decision given by a senior agency
official to authorize operation of an information system and to explicitly
accept the risk to agency operations, agency assets, or individuals based on
the implementation of an agreed-upon set of security controls. Required by OMB
Circular A-130, Appendix III, security accreditation provides a form of quality
control and challenges managers and technical staffs at all levels to implement
the most effective security controls possible in an information system, given
mission requirements, technical constraints, operational constraints, and
cost/schedule constraints. By accrediting an information system, an agency
official accepts responsibility for the security of the system and is fully accountable
for any adverse impacts to the agency if a breach of security occurs. Thus,
responsibility and accountability are core principles that characterize
security accreditation.
It
is essential that agency officials have the most complete, accurate, and
trustworthy information possible on the security status of their information
systems in order to make timely, credible, risk-based decisions on whether to
authorize operation of those systems. The information and supporting evidence
needed for security accreditation is often developed during a detailed security
review of an information system, typically referred to as security certification.
Security certification is a comprehensive assessment of the
management, operational, and technical security controls in
an information system, made in support of security accreditation, to determine
the extent to which the controls are implemented correctly, operating as
intended, and producing the desired outcome with respect to meeting the
security requirements for the system. The results of a security certification
are used to reassess the risks and update the system security plan, thus
providing the factual basis for an authorizing official to render a security
accreditation decision.
Roles
and Responsibilities
NIST
SP 800-37 describes the roles and
responsibilities of key participants, summarized below, involved in an agency’s
security certification and accreditation process:
·
The Chief Information
Officer is the
agency official responsible for: (i) designating a senior agency information
security officer; (ii) developing and maintaining information security
policies, procedures, and control techniques to address all applicable requirements;
(iii) training and overseeing personnel with significant responsibilities for
information security; (iv) assisting senior agency officials concerning their
security responsibilities; and (v) in coordination with other senior agency
officials, reporting annually to the agency head on the effectiveness of the
agency information security program, including progress of remedial
actions.
·
The authorizing
official (or designated approving/accrediting authority as referred to by
some agencies) is a senior management official or executive with the authority
to formally assume responsibility for operating an information system at an acceptable level of
risk to agency operations, agency assets, or individuals.
·
The authorizing official’s
designated representative is an
individual acting on the authorizing official’s behalf in coordinating and
carrying out the necessary activities required during the security certification
and accreditation of an information system.
·
The senior agency
information security officer is the agency official responsible for: (i)
carrying out the Chief Information Officer responsibilities under FISMA;
(ii) possessing professional qualifications, including training and experience,
required to administer the information security program functions; (iii) having
information security duties as that official’s primary duty; and (iv) heading
an office with the mission and resources to assist in ensuring agency compliance
with FISMA.
·
The information system owner is an agency official responsible for the overall
procurement, development, integration, modification, or operation and
maintenance of an information system.
·
The information owner
is an agency official with statutory or operational
authority for specified information and responsibility for establishing the
controls for its generation, collection, processing, dissemination, and disposal.
·
The information
system security officer is the individual responsible to the authorizing
official, information system owner, or the senior agency information security
officer for ensuring the appropriate operational security posture is maintained
for an information system or program.
·
The certification agent is an individual, group, or organization responsible for conducting a security
certification, or comprehensive assessment of the
management, operational, and technical security controls in an information
system to determine the extent to which the controls are implemented correctly,
operating as intended, and producing the desired outcome with respect to
meeting the security requirements for the system.
·
User representatives are
individuals that represent the operational interests of the user community and
serve as liaisons for that community throughout the system development life
cycle of the information system.
At the discretion of senior
agency officials, certain security certification and accreditation roles may be
delegated, and if so, appropriately documented. Individuals serving in delegated
roles are able to operate with the authority of agency officials within the limits
defined for the specific certification and accreditation activities. Agency
officials retain ultimate responsibility, however, for the results of actions
performed by individuals serving in delegated roles.
The
Process
The security certification and
accreditation process consists of four distinct phases:
·
Initiation Phase;
·
Security Certification Phase;
·
Security Accreditation Phase; and
·
Continuous Monitoring Phase.
Each phase in the security
certification and accreditation process consists of a set of well-defined tasks
and subtasks that are to be carried out, as indicated, by responsible
individuals (e.g., the Chief Information Officer, authorizing official,
authorizing official’s designated representative, senior agency information
security officer, information system owner, information owner, information
system security officer, certification agent, and user representatives).
The
Initiation Phase consists of three tasks: (i) preparation; (ii)
notification and resource identification; and (iii) system security plan
review, analysis, and acceptance. The purpose of this phase is to ensure that
the authorizing official and senior agency information security officer are in
agreement with the contents of the system security plan before the
certification agent begins the assessment of the security controls in the
information system.
The
Security Certification Phase consists of two tasks: (i) security control
assessment; and (ii) security certification documentation. The purpose of this
phase is to determine the extent to which the
security controls in the information system are implemented correctly,
operating as intended, and producing the desired outcome with respect to
meeting the security requirements for the system. This phase also addresses specific
actions taken or planned to correct deficiencies in the security controls and
to reduce or eliminate known vulnerabilities in the information system. Upon
successful completion of this phase, the authorizing official will have the information
needed from the security certification to determine the risk to agency
operations, agency assets, or individuals, and thus will be able to render an
appropriate security accreditation decision for the information system.
The
Security Accreditation Phase consists of two tasks: (i) security
accreditation decision; and (ii) security accreditation documentation. The
purpose of this phase is to determine if the remaining known vulnerabilities in
the information system (after the implementation of an agreed-upon set of
security controls) pose an acceptable level of risk to agency operations,
agency assets, or individuals. Upon successful completion of this phase, the
information system owner will have: (i) authorization to operate the
information system; (ii) an interim authorization to operate the information
system under specific terms and conditions; or (iii) denial of authorization to
operate the information system.
The
Continuous Monitoring Phase consists of three tasks: (i) configuration
management and control; (ii) security control monitoring; and (iii) status
reporting and documentation. The purpose of this phase is to provide oversight
and monitoring of the security controls in the information system on an ongoing
basis and to inform the authorizing official when changes occur that may impact
on the security of the system. The activities in this phase are performed
continuously throughout the life cycle of the information system.
The
security accreditation package documents the results of the security
certification and provides the authorizing official with the essential
information needed to make a credible, risk-based decision on whether to
authorize operation of the information system.
Security accreditation decisions resulting from security certification
and accreditation processes should be conveyed to information system owners. To
ensure the agency’s business and operational needs are fully considered, the
authorizing official should meet with the information system owner prior to
issuing the security accreditation decision to discuss the security
certification findings and the terms and conditions of the authorization. There
are three types of accreditation decisions that can be rendered by authorizing
officials:
·
Authorization to
operate;
·
Interim authorization to
operate; or
·
Denial of authorization
to operate.
Examples
of security accreditation decision letters appear in Appendix E.
A
critical aspect of the security certification and accreditation process is the
post-accreditation period involving the continuous monitoring of security
controls in the information system over time. An effective continuous
monitoring program requires:
·
Configuration management
and configuration control processes;
·
Security impact analyses
on changes to the information system; and
·
Assessment of selected
security controls in the information system and security status reporting to
appropriate agency officials.
Conclusion
Completing a security
accreditation ensures that an information system will be operated with
appropriate management review, that there is ongoing monitoring of security
controls, and that re-accreditation occurs periodically in accordance with
federal or agency policy and whenever there is a significant change to the
system or its operational environment.
Disclaimer: Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by the National Institute of Standards and Technology nor does it imply that the products mentioned are necessarily the best available for the purpose.