DoD Certification and Accreditation

DoD Certification and Accreditation. The standard DoD approach for identifying information security requirements, providing security solutions, and managing the security of DoD information systems.

— DoDI 8500.2, Information Assurance (IA) Implementation http://www.dtic.mil/whs/directives/corres/pdf/850002p.pdf

 

If you have an important system (an asset) that is producing, processing, storing or distributing important data then you need to make sure that it is protected.  You need a high level of confidence that your asset and its data is secure, not tampered with stolen or corrupted.  

If you go through IT Security training, we are talking about confidentiality, integrity, and availability (aka CIA).  You want to make sure your data has confidentiality (trade secrets are protected), available to users and that the data has integrity (not corrupted).  

The process of ensuring assets are secure is known as certification and accreditation (aka C&A).  The C&A process consists of evaluating the system for security and then having someone in charge take responsibility for the remaining risks to that system.

Certification – a comprehensive evaluation and validation of a DoD IS to establish the degree to which it complies with assigned IA controls based on standardized procedure (8510.01, E2.10)

Accreditation Decision – a formal statement by a designated accrediting authority (DAA) regarding acceptance of the risk associated with operating a DoD information system (IS) and expressed as an authorization to operate (ATO), interim ATO (IATO), interim authorization to test (IATT), or denial of ATO (DATO) (8510.01, E2.2).

The C&A process has been done by most major companies and organizations in the private sector and governments.  They may have different names for it and slightly different methods, but they are are essentially doing the same thing.  They have to do it because their enterprise gets so big that its impossible to stop every threat and quickly remove everyone weakness.  The best they can do is create a process to manage the risk.  That is what C&A is supposed to do.  

The problem with certification and accreditation is that it is inefficient often taking months to do thousands of hours and millions of dollars.  Since there is so much documentation involved and coordination its often ignored or not done thoroughly.  

The certification and accreditation process has been automated (somewhat) with online databases and there has been a move to do away with C&A all together and move to a risk management framework.