Certification, Accreditation and Security Assessments

 

CA-1       Certification, Accreditation and Security Assessment Policies and Procedures

The organization's security program includes procedures for the certification, accreditation and security assessment of information systems. The security assessment and certification and accreditation policies and procedures are consistent with applicable federal laws, directives, policies, regulations, standards and guidelines.

Supplemental Guidance: None

Control Enhancements: None

Control Recommendations:
Low: CA-1
Moderate: CA-1
High: CA-1

 

CA-2       Security Assessments

The organization ensures that periodic assessments of the security controls in the information systems are conducted to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting the current security requirements for the system.

Supplemental Guidance: None

Control Enhancements: None

Control Recommendations:
Low: CA-2
Moderate: CA-2
High: CA-2

 

CA-3       Information System Connections

The organization:

Supplemental Guidance: None

Control Enhancements: None

Control Recommendations:
Low: CA-3
Moderate: CA-3
High: CA-3

 

CA-4       Security Certification

The organization integrates security certification across the System Development Life Cycle (SDLC). Security assessments are carried out at each phase to certify that security requirements are met.

Supplemental Guidance: None

Control Enhancements: None

Control Recommendations:
Low: CA-4
Moderate: CA-4
High: CA-4

 

CA-5       Plan of Action and Milestones

The organization develops and updates, at least every 3 years, a plan of action and milestones for the information system. The plan of action and milestones updates are based on the findings from security control assessments, security impact analyses and continuous monitoring activities.

Supplemental Guidance: None

Control Enhancements: None

Control Recommendations:
Low: CA-5
Moderate: CA-5
High: CA-5

 

CA-6       Security Accreditation

The organization authorizes (i.e., accredits) the information system for processing before operations begin and updates the authorization at least every 3 years or after major changes. Security assessments (see CA-2) of the system's security controls are conducted before, and in support of, the security accreditation.

Supplemental Guidance: None

Control Enhancements: None

Control Recommendations:
Low: CA-6
Moderate: CA-6
High: CA-6

 

CA-7       Continuous Monitoring

The organization ensures continuous monitoring of the security controls in the information system, including:

Supplemental Guidance: None

Control Enhancements: None

Control Recommendations:
Low: CA-7
Moderate: CA-7
High: CA-7

 


Content reviewed on July 3, 2006 by Jeff Webster
Page last modified July 17, 2006 by cawalker