Current federal regulations require all general support systems (GSSs) and major applications (MAs) to be certified as being compliant with information technology (IT) security requirements so that information resources and data are adequately protected. Based on this certification, agency heads issue authorizations to operate (ATOs – accreditations) to systems that are compliant. This highly structured and regulated process serves two purposes: it documents various aspects of the system’s security posture, and it allows the system owner to understand and accept the residual risk associated with the system’s operation. This provides the basis for the Government-mandated, risk-based management of IT resources. An indirect result of the certification and accreditation (C&A) process is the ability to better justify budget requests and to plan more efficient capital expenditures. Both the Department of Defense (DOD) and Office of Management and Budget (OMB) require every system to be recertified once every three years after initial accreditation, or whenever major changes are implemented.
SeNet will perform initial system assessments for all of your systems undergoing a C&A and deliver results in concise packages that provide a snapshot of your current security posture. Packages will address all relevant issues and will include a list of recommendations.
SeNet will begin by completing a thorough review of all available system documents. We will gather additional information through face-to-face or telephone interviews with appropriate personnel, including system owners, managers, Information System Security Officers (ISSOs), and administrators. In order to maximize efficiency and minimize the amount of time required from your staff, SeNet will provide an appropriate list of topics and questions in advance. Questions will be tailored to individual systems and will vary based upon system and Government requirements.
SeNet will review and provide a technical edit for each C&A package to determine the:
- Presence or absence of each required document
- Adequacy of each document’s contents
- Completeness and accuracy of presented information
- Appropriateness of references to documents not included in the package.
Final deliverables will be in a format suitable for use in obtaining Authorizations to Operate (ATOs).
In addition to the document reviews and interviews, SeNet will utilize Government-approved vulnerability assessment tools (such as IBM Internet Security Systems [ISS] and Nessus) and our own vulnerability assessment tools to gather additional information and to complete a comprehensive technical vulnerability assessment.
SeNet will complete Security Test and Evaluations (ST&Es) for each assigned system in accordance with Department of Defense (DoD) or National Institute of Standards and Technology (NIST) guidelines. When automated tools are used, they will be adjusted for the specific system and Government-issued requirements, and the final product will undergo a manual review process. We will not simply assume that the tools interpreted all the results correctly.
The DIACAP and Certificate of Networthiness plans establish standard processes to certify and accredit an information system so that when it is connected to the NIPRNET, it will maintain the information assurance and security posture of the Defense Information Infrastructure (DII). In addition, military installations require a Certificate of Networthiness to install an application on base. These processes support a risk-based approach to security, with a focus on a system’s mission, environment, and cost factors. Let SeNet’s experienced professionals guide you through these processes and ensure that your system is secure and has the proper ATOs.