How Do We Do It?
While all these rules and regulations sound good, they cannot by themselves provide effective security for government information systems. They are all pieces of the security puzzle that agency officials need to understand and manage. To perform any of these tasks successfully, there needs to be an effective security program, focused on continual analysis and review of the information systems and all associated risks. Furthermore, any such program should consist of steps that are consistent and repeatable across all agencies.
Over the years, guidance has been provided to meet this need. This guidance has taken the form of a methodology known as Certification and Accreditation, or C&A. Before we go on, you should understand these terms:
- Security Certification. The comprehensive assessment of the management, operational and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
- Security Accreditation. The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals—based on the implementation of an agreed-upon set of security controls.
These definitions do not describe a methodology; instead they define the goals of the methodology. The goal of a C&A program is to certify and accredit a government system for operation. It should be obvious that one methodology and one set of requirements cannot meet the needs of many disparate agencies. It should also be obvious that agencies and their supporting systems have different missions, use information of various classifications and sensitivities, and therefore have different security requirements. So there are different C&A methodologies for different operating environments. There are four basic classes of C&A frameworks:
- DITSCAP/DIACAP stands for the Defense Information Technology Systems Certification and Accreditation Process. Guidance is provided in a Department of Defense (DoD) publication, DoD 5200.40, known as the Defense Information Systems Certification and Accreditation regulation. DITSCAP is intended for use by defense agencies, and is in the process of transitioning to a new methodology known as the DoD IA C&A Process (DIACAP).
- NIACAP stands for the National Information Assurance Certification and Accreditation Process. It is based on the process published in National Security Telecommunications and Information Systems Security Instruction (NSTISSI) No. 1000, and is intended for use on national security systems.
- NIST is the National Institute of Standards and Technology, and its C&A methodology is described in a document known as Special Publication 800-37. It is used primarily by federal government agencies.
- DCID 6/3 is Director of Central Intelligence Directive (DCID) 6/3, Protecting Sensitive Compartmented Information within Information Systems, intended for classified systems.
Just as there are different operational environments, as identified in the previous section, there are different needs based on the type of information in use, and so different levels of C&A can be performed. There are four levels of accreditation for a system. These levels are tightly mapped to the sensitivity of the systems being certified and to the severity of the impact that an incident would have on the systems or information. NIST has developed standards in this area as well:
- FIPS Publication 199 Standards for Security Categorization of Federal Information and Information Systems
- Special Publication 800-60 Guide for Mapping Types of Information and Information Systems to Security Categories: Volume I and Volume II
Level 4 accreditation would generally be reserved for the most sensitive systems, in which an incident would have the greatest impact (loss of life, for example), whereas Level 1 would be used for systems that do not process, contain, or transmit any sensitive information. It is critical to ensure that a system is properly categorized. Auditors look at this closely, and will not accredit a system that has been categorized incorrectly.
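The categorization step that auditors check is mechanical enough to be worth writing down. The following Python is an added worked example, not code from the original text or from NIST: it applies the FIPS 199 aggregation rule, where each information type a system handles carries a potential-impact value for confidentiality, integrity and availability, the system's category takes the highest value per objective across all of its information types (the "high water mark"), and the overall impact level is the highest of the three. FIPS 199 assigns each objective one of three impact levels (LOW, MODERATE, HIGH); how an agency maps that result onto the accreditation levels described above is outside this example. The information types and impact values in `SAMPLE_SYSTEM` are constructed for illustration and are not taken from SP 800-60.

```python
"""FIPS 199-style security categorization of an information system.

Added worked example; the sample information types and impact values are
constructed for illustration and are not from SP 800-60.
"""
from dataclasses import dataclass

# Ordered so that max() picks the more severe impact.
IMPACT_ORDER = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    """One information type with its provisional impact triple."""
    name: str
    confidentiality: str  # "N/A" is permitted only here (public information)
    integrity: str
    availability: str


def _validate(info_type):
    """Reject unknown impact levels and N/A outside the confidentiality objective."""
    for objective in OBJECTIVES:
        level = getattr(info_type, objective)
        if level not in IMPACT_ORDER:
            raise ValueError(f"{info_type.name}: unknown impact level {level!r}")
        if level == "N/A" and objective != "confidentiality":
            raise ValueError(f"{info_type.name}: N/A is only valid for confidentiality")


def categorize_system(info_types):
    """Per-objective security category of a system (high water mark aggregation).

    FIPS 199 does not allow N/A at the system level: even a system holding only
    public information has a LOW floor, because its own processing functions
    and system-level information still have to be protected.
    """
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    for info_type in info_types:
        _validate(info_type)
    category = {}
    for objective in OBJECTIVES:
        levels = [getattr(info_type, objective) for info_type in info_types]
        highest = max(levels, key=IMPACT_ORDER.__getitem__)
        category[objective] = "LOW" if highest == "N/A" else highest
    return category


def high_water_mark(category):
    """Overall impact level: the highest value among the three objectives."""
    return max(category.values(), key=IMPACT_ORDER.__getitem__)


def format_category(category):
    """Render in the SC = {(objective, impact), ...} notation FIPS 199 uses."""
    parts = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return "SC = {" + parts + "}"


# Constructed sample: an agency system that serves public web content,
# processes payroll, and relays emergency dispatch messages.
SAMPLE_SYSTEM = [
    InformationType("public web content", "N/A", "MODERATE", "MODERATE"),
    InformationType("payroll records", "MODERATE", "MODERATE", "LOW"),
    InformationType("emergency dispatch", "LOW", "HIGH", "HIGH"),
]

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_SYSTEM)
    print(format_category(sc))
    print("overall impact level:", high_water_mark(sc))
```

For the constructed sample the system comes out as SC = {(confidentiality, MODERATE), (integrity, HIGH), (availability, HIGH)} with an overall level of HIGH, driven entirely by the dispatch information: dropping a single high-impact information type from the inventory is exactly the kind of miscategorization an auditor would catch, which is why the inventory of information types, not the system owner's intuition, should drive the result.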
All these methodologies take a life-cycle approach to security. They provide guidance and structure for the development of policies and procedures, security controls, contingency planning, and ongoing audits.