What is Certification and Accreditation?
GGrill
I was interested in exploring more into the world of compliance since my company is about to start the process of going through a FISMA-based C&A. My management decided to follow the government and take security more seriously, which is a good thing. I've read the definitions from Wikipedia and other sources on what entails a C&A, but it is still hard for me to explain to others when asked about the process.
Would somebody be able to break down the process of C&A from the categorization of the system to the process of getting an Authorization to Operate? Is the process too much to explain?
Comments
Cyberscum
Well, prob not the response you wanted... But it's all here
http://csrc.nist.gov/publications/secpubs/otherpubs/CA_Handbook.pdf
...Alongside that are NIST SP 800-379 and NIST SP 800-30 r1
...And for feds
https://www.fismacenter.com/SP800-37-final.pdf
dou2ble
Which C&A framework will you be using? NIST uses RMF in SP800-37. Certification is certifying (through assessing in step 4 the security controls SP800-53) that it was built correctly to all the security requirements. These security controls should be identified early (Step 2) in the engineering process. Accreditation is getting these results accredited by the authorizing official. The AO decides (step 5) if the residual risk is acceptable or not. Here's more detailed info on the 6 steps -
http://csrc.nist.gov/groups/SMA/fisma/Risk-Management-Framework/
CyberSecurity
The easiest way I can explain it is you have to assess the risk of an entity via cybersecurity methods. Once a program reaches an acceptable level of risk it becomes accredited.
If you need more info just ask, I was going for a one-liner here. I work directly for an Authorizing Official (AO) as a Cyber Security Analyst in C&A, so I'll try my best to answer.
GGrill
Thanks for the explanations. Our company is going to use the NIST framework for compliance and I want/needed more information to understand what the process is, for my own understanding and to explain it to my manager. I'm hoping that this could be an opportunity for me to move into a new security position as well, so I was looking for sort of a breakdown or at least a steer in the right direction on what I should brush up on.
Originally I downloaded a few NIST 800-XX PDFs and while I understood what the documents were discussing, I guess I'd like to know how they all tie together. For example, to start the C&A process, do you initially categorize a system using FIPS 199? From there do you move onto security controls with NIST 800-53?
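An added illustration (not from any poster in this thread) of the FIPS 199 step GGrill asks about: each information type is rated Low/Moderate/High per security objective, the system takes the per-objective maximum across its information types, and the overall impact level (the "high water mark" of FIPS 200) is what selects the SP 800-53 Low/Moderate/High control baseline. The information types and ratings below are constructed sample data, not from the page.

```python
from dataclasses import dataclass

# Ordered so that index() gives a comparable rank: LOW < MODERATE < HIGH.
LEVELS = ("LOW", "MODERATE", "HIGH")


@dataclass(frozen=True)
class InfoType:
    """One information type handled by the system, rated per FIPS 199 objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _max_level(levels):
    # Highest impact level among the given ratings.
    return max(levels, key=LEVELS.index)


def categorize_system(info_types):
    """FIPS 199 system categorization.

    Returns the per-objective impact (max across information types) plus the
    overall system level, which is the high water mark across C, I and A.
    That overall level names the SP 800-53 baseline to start tailoring from.
    """
    if not info_types:
        raise ValueError("at least one information type is required")
    for t in info_types:
        for level in (t.confidentiality, t.integrity, t.availability):
            if level not in LEVELS:
                raise ValueError(f"unknown impact level {level!r} for {t.name}")
    c = _max_level(t.confidentiality for t in info_types)
    i = _max_level(t.integrity for t in info_types)
    a = _max_level(t.availability for t in info_types)
    return {"confidentiality": c, "integrity": i, "availability": a,
            "system": _max_level((c, i, a))}


# Constructed sample: a payroll application holding two kinds of information.
SAMPLE_SYSTEM = [
    InfoType("employee PII", "MODERATE", "MODERATE", "LOW"),
    InfoType("public benefits guide", "LOW", "MODERATE", "LOW"),
]

if __name__ == "__main__":
    print(categorize_system(SAMPLE_SYSTEM))
```

A single HIGH rating in any one objective of any one information type raises the whole system to the HIGH baseline, which is why the categorization is done before control selection and not after.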