Understanding the Certification and Accreditation Process
Marianne Swanson, Computer Security Division, National Institute of Standards and Technology

Topics
• Background
• Approach
• Process
• Timetable for document

Research Phase
• Review FIPS 102
• Review NIST SP 800-12 and 800-18
• Review NIACAP (DITSCAP)
• Agency Practices
• IATF Meeting (January 2001)

NIST Approach on New Document
• FIPS 102 update will be a NIST Special Publication
• Small working group guiding document development
• Use the best of all current C&A documents

Roles & Responsibilities
• Program Manager
• Accrediting Official
• System Security Officer
• Certifier/Reviewer
• User Representative
C&A Program Structure
• Centralized
  • All certification resources at the headquarters level
  • Accrediting Officials throughout organization
  • Advantages:
    • Better visibility and influence
    • Uniformity
    • Efficiency and economy of scale
  • Disadvantages:
    • Reduced awareness by Program Managers of certification requirements in the SDLC
    • Backlog of certification support
• De-Centralized
  • Resources are located within each organization
  • Accrediting Officials throughout organization
  • Advantages:
    • Quicker response to support requests
    • Better awareness of C&A requirements
  • Disadvantages:
    • Lower organizational visibility
    • Reduced uniformity
    • Loss of economies of scale
• Hybrid
  • Variation of Centralized and De-Centralized
  • Small CIO team with in-depth knowledge
  • Each organization performs its own certification
  • Compliance function at headquarters
Accreditation Process
• Pre-accreditation
• Accreditation
• Post accreditation

Three Certification Levels
• Basic Certification
  • Low risk and sensitivity
  • Completion of self-assessment
  • Qualified in-house staff or external evaluators
• Extended Certification
  • Higher degree of assurance – most mission critical systems
  • Test effectiveness of security controls
  • Detailed analysis
• Advanced Certification
  • Highest degree of assurance – critical infrastructure
  • Comprehensive analysis of system level information
  • Independent evaluation of all security controls
  • All interfaces with other systems identified & evaluated
Information Gathering - Preparation
• Identify key individuals
• Determine certification level – sensitivity/risk assessment
• Determine type of certification – system/site/type
• Obtain documentation on the system
  • Security Plan
  • Risk Assessment
  • Contingency Plan
  • System Specifications
  • Architecture and Design
  • User Manuals
  • Operating Procedures
  • Network Diagrams
  • Configuration Mgmt. Documentation
Perform Certification Review
• Review security plan
• Perform security review
  • Self assessments
  • Independent audits
  • Penetration testing
• Security test and evaluation
  • System security infrastructure
  • Physical, personnel and procedural security controls
  • Site evaluations
  • NIAP Evaluated products
• Contingency plan review and test
• Review risk assessment
Summarize Activities and Results
• Major findings
• Mitigations
• Compilation of all documents

Three Choices
• Accredit the system
• Conditional accreditation
• Do not accredit the system

Post Accreditation
• Review and maintain C&A documents
• Conduct periodic security reviews
• Re-accreditation
Timetable
• March 2002 - Annotated Outline
• June 2002 - First Draft
• August 2002 - Workshop (if needed)
• September 2002 - Final Document
• Follow-on projects?
  • Best practices
  • Training
  • NIAP evaluated C&A laboratories/auditors

URLs for Documents
• FIPS 102, NIST SP 800-12 and 800-18: http://csrc.nist.gov
• NIACAP: http://www.nstissc.gov/html/library.html

Contact Information
• Marianne Swanson
• marianne.swanson@nist.gov
• 301-975-3293