White Paper

Cyber Security – Certification and Accreditation

Information security can be a daunting task for most companies – and particularly for those organizations or entities that may lack human and / or financial resources for putting the most effective systems in place. Yet, with cyber threats becoming much more prevalent today (and oftentimes more difficult to detect), this is an area that no business or entity can afford to overlook.

IT security was for many years deemed as a service that was best provided in-house for most organizations. However, over time, this consensus has changed as independent specialists and companies have become more highly adept at providing needed services, oftentimes in a more cost-efficient manner.

In its most basic sense, certification and accreditation – which is also often referred to simply as C&A – is defined as, “A procedure for implementing any formal process. It is a systematic procedure for evaluating, describing, testing, and authorizing systems or activities prior to or after a system is in operation.”

Therefore, going through the formal process of C&A can typically help to better ensure that a clearly established set of security requirements will be both developed and implemented, in turn, minimizing risk. The C&A process is typically used with regard to government initiatives whereby a network device or software program is being reviewed for security issues.

At times, however, obtaining the needed approval for any new programs and / or devices can be a slow and costly process.  In addition, in various instances, the critical pieces of an entity’s security coverage may not necessarily always be implemented.

In other cases, security policies may be established, but not followed. The C&A process, however, forces the establishment of security configurations, controls, policies, and procedures, while at the same time verifying their correct implementation.

A Brief Overview of C&A Tasks

A brief overview of the ten most critical and essential C&A tasks can be outlined as follows:

1) First, a list of guidance documents is compiled from all applicable directives and policy guidelines in order to define the rules that the C&A process will follow. This task is also undertaken for the purpose of helping to define a set of Security Requirements for the system.

2) Next, the persons and / or the organizations are chosen to fill the various roles that have been defined by the above-referenced C&A guidance documents.

3) Afterwards, the scope of the system that is being certified will be determined.

4) A list is then created which outlines the Security Requirements that are most relevant to the system.

5) An SSAA (System Security Authorization Agreement) document is then created, which contains all of the pertinent details regarding the system.

6) Once that is complete, a set of test procedures is developed from the security requirements.

7) Next, an ST&E (System Test and Evaluation) will be performed by the certifiers, after which a report that outlines the security findings will be generated.

8) After all security findings have been both verified and addressed, a risk assessment will be performed in order to ascertain the severity of the residual risk to the organization or entity.

9) A recommendation will then be made by the certifiers.

10) Finally, the evaluated system is then either a) accredited; b) granted an interim authority to operate; or c) denied accreditation.

When going through the process of C&A, a minimum set of roles is defined by the National Information Assurance Certification and Accreditation Process (NIACAP). NIACAP is derived from the Department of Defense Certification and Accreditation Process, or DITSCAP, and it plays a primary role in the National Information Assurance Partnership.

These roles, for instance, will typically include the following:

  • Program Manager – The Program Manager is the person who is responsible for the project as a whole.
  • Certifier / Certification Team – This team should minimally consist of a separate chain of command from the project so as to eliminate any conflict of interest. In this area, a third-party contractor is typically preferred in order to achieve the best result.
  • User Representative – This role is ultimately responsible for ensuring that the implementing of the security does not impede unnecessarily on the functionality of a system from the user’s perspective.
  • Designated Approving Authority – The Designated Approving Authority should ideally be an individual who has the power to fund any of the additional security implementation that is needed and / or recommended by the certifiers.
  • Information Systems Security Officer (ISSO) – The Information System Security Officer can be a key player in both the development and the maintenance of the various security features and / or policies of the system.

After the set of security requirements have been developed, an RTM (Requirements Traceability Matrix) will be created. This lists each of the requirements, as well as the guidance document that the requirement has been developed from, and the security feature or policy that will satisfy each of these requirements.

Once the RTM has been established, there will be a direct mapping between each of the intended security directives, as well as a security feature and /or policy that is in place for the purpose of satisfying such directives.

Tools Commonly Used for Certification and Accreditation

As with any type of system, there are specific tools that are utilized and relied upon in order to ensure proper certification and accreditation. For example, the C&A process can involve the creation of a number of documents that relate to the security of the IT system.

For example – depending on the particular situation – these would establish policies for the management of the system, as well as define the actual security requirements. There may also be questionnaires that can help with determining the present state of security controls and policy for the system.

A set of security requirements would be developed, based on the various guidance documents that apply. These would also establish the more formal requirements that are needed for securing the system. This is typically considered to be the baseline on which the entire certification effort takes place.

Once the security requirements have been established, an RTM (Requirements Traceability Matrix) is then created, which will list each requirement, as well as list the guidance document that the requirement is developed from, and the security feature or policy that will satisfy that particular requirement. At that point, there will be a direct mapping between each security directive from the various guidance documents and a security feature or policy that will satisfy that directive via the security requirement.

Test procedures are then developed direction from the security requirements. In order to ensure a successful certification effort, every security requirement must have a test procedure created, so that each of the requirements’ implementation has been verified.

While C&A can be conducted using manual tools, over time, the transition to automated C&A approaches has reduced the associated labor costs, and it can also provide opportunities for flexibility in reacting to uncertainty.

C&A Manual vs. Automated Tools

Manual Tools / Processes Automated Tools / Processes
Information Gathering Manually enter HA / SW information Use detect functionality to automatically map HW / SW information
Managing Security Regulations Hard copy security library highlighting applicable regulations Built-in content libraries, automated identification of applicable regulations
Testing Manual development of test procedures and checklists Automated checklists and recommended test procedures
Document Formatting Multiple word processing applications, managing fonts, tabs, formats, etc. One-button publishing, automated formatting, consistent output across systems

Source: Enabling Efficient, Consistent Certification and Accreditation Enterprise-Wide. XACTA. (https://www.acsac.org/2001/case/Thurs_C_1530_Berman_Xacta.pdf)

How the Proper C&A Could Benefit…or Backfire

More than ever before, both private industry and the government rely upon increasingly complex technology in order to operate and maintain processes, while at the same time to achieve their strategic objectives.

In fact, there are a number of common issues that can be faced while going through the formal process of C&A in order to ensure that a clearly defined set of security requirements has been developed and implemented, as well as the make sure that any residual risk has been minimized. Just some of the ways in which challenges may be faced include the following:

  • The existing C&A process is too lengthy
  • The existing C&A process is too resource-intensive
  • The results are not consistent
  • Meaningful management information is not available

With that in mind, a well-executed cyber security plan can help to increase such security and in turn, minimize substantial risks. Therefore, partnering with the right security provider is critical. This includes choosing a provider that is well versed in the latest technology and strategies, and that can provide a wide array of related services in order to best meet the specific needs of the entity or organization.

Security-as-a-Service, or Saas (not to be confused with Software-as-a-Service), is a type of outsourcing model for security management. Generally, Security-as-a-Service “involves applications such as anti-virus software that is delivered over the Internet.” However, this term can also refer to security management that is provided in-house to a company or entity by an external organization.

There are numerous benefits that can be offered via Security-as-a-Service. These may include the following:

  • Constant virus definition updates that are not reliant on user compliance;
  • Greater security expertise that is typically available within an organization;
  • Faster user provisioning;
  • Outsourcing of administrative tasks, such as log management, in order to save time and money, as well as to allow an organization to devote more of its time and energy to its core competencies;
  • A Web interface that allows in-house administration of some tasks, as well as a view of the security environment and ongoing activities.

Ensuring that Certification(s) and Accreditation(s) Match Cyber Security Objectives

Attaining and maintaining ample data security is an essential component in safeguarding information – and cyber security certification and accreditation (C&A) can play in integral role in the overall security measures that are undertaken by an organization.

However, it is crucial to ensure that the certification and accreditation services aptly match up with the entity’s short- and long-term security goals – and that the process is being conducted by a specialist organization that is well-versed in such security issues and that has its goals aligned with the overall mission.