What is Certification and Accreditation?
GGrill
Member Posts: 16 ■□□□□□□□□□
I was interested in exploring more into the world of compliance since my company is about to start the process of going through a FISMA-based C&A. My management decided to follow the government and take security more seriously, which is a good thing. I've read the definitions from Wikipedia and other sources on what a C&A entails, but it is still hard for me to explain to others when asked about the process.
Would somebody be able to break down the process of C&A from the categorization of the system to the process of getting an Authorization to Operate? Is the process too much to explain?
Comments
Cyberscum
Member Posts: 795 ■■■■■□□□□□
Well, prob not the response you wanted..... But it's all here:
http://csrc.nist.gov/publications/secpubs/otherpubs/CA_Handbook.pdf
...Alongside that are NIST SP 800-379 and NIST SP 800-30 r1
...And for feds: https://www.fismacenter.com/SP800-37-final.pdf
dou2ble
Member Posts: 160
Which C&A framework will you be using? NIST uses the RMF in SP 800-37. Certification is certifying (through assessing, in step 4, the security controls from SP 800-53) that it was built correctly to all the security requirements. These security controls should be identified early (step 2) in the engineering process. Accreditation is getting these results accredited by the authorizing official. The AO decides (step 5) if the residual risk is acceptable or not. Here's more detailed info on the 6 steps: http://csrc.nist.gov/groups/SMA/fisma/Risk-Management-Framework/
2015 Goals: Masters in Cyber Security
CyberSecurity
Member Posts: 85 ■■■□□□□□□□
The easiest way I can explain it is that you have to assess the risk of an entity via cybersecurity methods. Once a program reaches an acceptable level of risk it becomes accredited.
If you need more info just ask; I was going for a one-liner here. I work directly for an Authorizing Official (AO) as a Cyber Security Analyst in C&A, so I'll try my best to answer.
Ph.D. IT [UC] - 50% complete
M.S.C.I.A. [WGU] - Completed 6/2018
B.S.I.T.M. [WGU] - Completed 4/2017
GGrill
Member Posts: 16 ■□□□□□□□□□
Thanks for the explanations. Our company is going to use the NIST framework for compliance, and I wanted/needed more information to understand what the process is, for my own understanding and to explain it to my manager. I'm hoping that this could be an opportunity for me to move into a new security position as well, so I was looking for a breakdown, or at least a steer in the right direction on what I should brush up on.
Originally I downloaded a few NIST 800-XX PDFs, and while I understood what the documents were discussing, I guess I'd like to know how they all tie together. For example, to start the C&A process, do you initially categorize a system using FIPS 199? From there do you move on to security controls with NIST 800-53?
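The FIPS 199 categorization step asked about in the last post is the one part of this process that is an actual algorithm rather than paperwork: each information type on the system gets an impact level (low/moderate/high) for confidentiality, integrity and availability, the system's level per objective is the high-water mark across its information types, and the highest of the three picks the SP 800-53 baseline (low, moderate or high). The code below is an added example written for this thread, not code from NIST or from any poster. The information types and impact levels in SAMPLE_TYPES are constructed for illustration. It also handles the one edge case FIPS 199 calls out: "not applicable" is allowed only for the confidentiality of public information, and a system never categorizes below low.

```python
"""FIPS 199 high-water-mark categorization and the resulting SP 800-53 baseline.

Added example for this thread; the information types below are constructed, not
taken from any real system.
"""
from dataclasses import dataclass
from typing import Dict, Iterable

LEVELS = {"low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its FIPS 199 provisional impact levels."""
    name: str
    confidentiality: str  # "low", "moderate", "high", or "n/a" (public info only)
    integrity: str
    availability: str


def _validated(level: str, objective: str, type_name: str):
    """Return the level, None for a legitimate 'n/a', or raise on bad input."""
    level = level.strip().lower()
    if level == "n/a":
        # FIPS 199: 'not applicable' only ever applies to confidentiality.
        if objective != "confidentiality":
            raise ValueError(f"{type_name}: 'n/a' is not allowed for {objective}")
        return None
    if level not in LEVELS:
        raise ValueError(f"{type_name}: unknown impact level {level!r} for {objective}")
    return level


def categorize_system(info_types: Iterable[InfoType]) -> Dict[str, str]:
    """High-water mark per security objective across all information types.

    Returns e.g. {"confidentiality": "high", "integrity": "moderate", ...}.
    """
    info_types = list(info_types)
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    category = {}
    for objective in OBJECTIVES:
        # FIPS 199: a system's minimum impact for any objective is low, even
        # when every information type is 'n/a' for confidentiality.
        mark = "low"
        for it in info_types:
            level = _validated(getattr(it, objective), objective, it.name)
            if level is not None and LEVELS[level] > LEVELS[mark]:
                mark = level
        category[objective] = mark
    return category


def overall_impact(category: Dict[str, str]) -> str:
    """Highest of the three objectives; this picks the SP 800-53 baseline."""
    return max(category.values(), key=LEVELS.__getitem__)


def format_sc(name: str, category: Dict[str, str]) -> str:
    """Render in the FIPS 199 'SC = {(objective, impact), ...}' notation."""
    pairs = ", ".join(f"({obj}, {category[obj].upper()})" for obj in OBJECTIVES)
    return f"SC {name} = {{{pairs}}}"


# Constructed sample: three information types on one hypothetical system.
SAMPLE_TYPES = [
    InfoType("public web content", "n/a", "moderate", "low"),
    InfoType("internal HR records", "moderate", "moderate", "low"),
    InfoType("incident case files", "high", "moderate", "moderate"),
]

if __name__ == "__main__":
    cat = categorize_system(SAMPLE_TYPES)
    print(format_sc("example system", cat))
    print("SP 800-53 baseline:", overall_impact(cat))
```

Run it and the sample system categorizes as high for confidentiality (driven by the incident case files), moderate for integrity and availability, so the high baseline applies. Swap in your own information types (NIST SP 800-60 is the catalogue of provisional levels) and the output is the categorization that feeds step 2, control selection from SP 800-53.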