SeNet Services

Certification and Accreditation (C&A) Services

Current federal regulations require all major applications and general support systems to be certified as compliant with information technology (IT) security requirements so that information resources and data are adequately protected.  Based on this certification, agency heads issue authorizations to operate (accreditations) to systems that are compliant.  This highly structured and regulated process serves two purposes: it documents the various aspects of the system’s security posture, and it allows the system owner to understand and accept the residual risk associated with the system’s operation.  This provides the basis for the Government-mandated, risk-based management of IT resources.  An indirect result of the C&A process is the ability to better justify budget requests and to plan capital expenditures more efficiently.  Both DoD and OMB require every system to be recertified once every three years after initial accreditation, or whenever major changes are implemented.

SeNet will perform initial system assessments for all of your systems undergoing a C&A and deliver the results in concise packages that provide a snapshot of your current security posture.  Each package will address all relevant issues and will include a list of recommendations.

SeNet will begin by completing a thorough review of all available system documents.  We will gather additional information through face-to-face or telephone interviews with the appropriate personnel, including system owners, managers, Information System Security Officers and administrators.  To maximize efficiency and minimize the time required from your personnel, SeNet will provide a list of topics and questions in advance.  Questions will be tailored to individual systems and will vary based upon system and Government requirements.

SeNet will review and provide a technical edit for each C&A packet to determine:

  • The presence or absence of each required document

  • The adequacy of each document’s contents

  • The completeness and accuracy of presented information

  • The appropriateness of references to documents not included in the package

Final deliverables will be in a format suitable for use in obtaining an Approval to Operate (ATO).

In addition to the document reviews and interviews, SeNet will use Government-approved vulnerability assessment tools (such as ISS and Nessus) and our own vulnerability assessment tools to gather additional information and to complete a comprehensive technical vulnerability assessment.

SeNet will complete a Security Test and Evaluation (ST&E) for each assigned system in accordance with DoD or NIST guidelines.  When automated tools are used, they will be adjusted for the specific system and the Government-issued requirements, and the final product will undergo a manual review process.  We will not simply assume that the tools interpreted all of the results correctly.

The specific steps of an ST&E will vary by system; however, we employ a series of common steps, shown in the following figure.

SeNet Generic Certification and Accreditation (C&A) Process


The DIACAP and Certificate of Networthiness

The DIACAP (DoD Information Assurance Certification and Accreditation Process) and Certificate of Networthiness plans establish standard processes to certify and accredit an information system (IS) so that, when it is connected to the NIPRNET, it will maintain the information assurance (IA) and security postures of the Defense Information Infrastructure (DII).  In addition, military installations require a Certificate of Networthiness before an application may be installed on base.  These processes support a risk-based approach to security, with a focus on a system’s mission, environment, and cost factors.  Let SeNet’s experienced professionals guide you through these processes and ensure your system is secure and has the proper authorizations to operate.