System Security Accreditation Agreement

NIACAP provides instructions on the implementation of NSTISSP No. 6, the policy defining the requirement for federal departments and agencies to implement a C&A process for national security systems. The requirements of NSTISSI 6 apply to all departments, agencies and their contractors and consultants. The user representative represents the operational interests of the system's users. In the C&A process, the user representative is responsible for the availability, access, integrity, functionality, performance and privacy of the system in its mission environment. Accreditation is a formal, written authorization to operate a particular system in a given environment, based on the findings in the certification report. Accreditation is generally granted by a senior official or Designated Approving Authority (DAA). The term DAA is used in the U.S. military and government and normally refers to a senior official such as a commanding officer. Upon receiving the certifier's recommendation, the DAA reviews the SSAA and makes the accreditation decision.

This decision is added to the SSAA. The final SSAA accreditation package includes the certifier's recommendation, the DAA's authorization to operate and the supporting documentation. The SSAA contains all the information necessary to support the decision recommended by the certifier, including security findings, deficiencies, operational risks and corrective actions. FIPS 102 is designed to certify an application by conducting a six-step technical security evaluation. Certification of a security management system allows an organization to maintain controls and policies continuously so that certification requirements stay met, and it also shows partners and customers that the security management system helps keep the business running when network security events occur. Additional roles can be added to improve the integrity and objectivity of C&A decisions. For example, the Information Systems Security Officer (ISSO) generally plays a key role in maintaining post-accreditation security and may also play a key role in the system's C&A. In 2000 this standard became International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 17799, the code of practice for information security management.

ISO/IEC 17799 organizes information security into 10 main sections. The certifier, not the DAA, determines the existing level of residual risk and makes the recommendation for accreditation. The DAA determines what level of risk to a system is acceptable and what is not. The other statements about the DAA are true. The certifier determines whether a system is ready for certification and performs the certification process, a comprehensive assessment of the system's technical and non-technical security features. Once the certification effort is complete, the certifier reports the status of the certification and recommends whether the DAA should accredit the system on the basis of the documented residual risk. The final phase of the C&A process begins once the system has been authorized and enters continuous monitoring. The three tasks of this phase are configuration and change management, control verification and status reporting.