Certifications and Accreditations (C&A)
We developed certification and accreditation documentation for over 25 systems in the last 4 years. The systems included office automation, data processing centers, network control centers, WANs, LANs, financial systems, and numerous special-purpose systems and applications. We performed all types of certification and accreditation using the following:
- DoD Information Technology Security Certification and Accreditation Process (DITSCAP)
- National Information Assurance C&A Process (NIACAP)
- Certification and Accreditation Process Handbook for Certifiers, NCSC-TG-031, and Accreditor's Guide, NCSC-TG-032
There are three types of accreditations that can be obtained by federal agencies: (1) system accreditation, (2) type accreditation, and (3) site accreditation. The accreditation category is an important concept that plays a central role in the subsequent tasks and subtasks undertaken during the C&A process. The accreditation category describes how the IT system will be viewed during C&A, that is, as a one-of-a-kind major application or general support system; as a more generic type of application or system that will be replicated in many different locations; or as a group of applications and/or systems under a common DAA at a specific, self-contained location or proximate geographic area. Each accreditation category addresses a different accreditation need and is closely related to the C&A packages for all three types.
A system accreditation is the most common type of accreditation. It authorizes the operation of a major application or a general support system at a particular location with specified environmental constraints. A system accreditation for a major application or a general support system is warranted when information resources require special security considerations because of the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information or information resources involved. The certification process will assess all of the relevant security controls (i.e., management, operational, and technical controls) for the major application or general support system, with the resulting accreditation authorizing operation at an agreed-upon level of residual risk.
In some situations, a major application or general support system is intended for installation at multiple locations. The application or system usually consists of a common set of hardware, software, and firmware. Since it is difficult to accredit a common application or system at all possible locations, the DAA may issue a type accreditation for typical operating environments. Type accreditations are a form of interim accreditation used to certify and accredit multiple instances of a major application or general support system for operation at approved locations with the same type of computing environment.