Certification and Accreditation. In the second draft two other phases were identified: Initiation and Continuous Monitoring.
The NIST guidelines undergo detailed review by both government and the public. In response to the comments submitted, NIST introduced the Initiation and Continuous Monitoring phases.
The Initiation Phase of C&A is a very important one. It gives the system authorizing agent the opportunity to assess the system security plan before it goes into the Certification phase. By pre-assessing the system security plan the authorizing agent will have greatly increased the chances of successful certification and accreditation. It is like testing a hot bath with only your toe before throwing your whole body in; it is much better to assess the water before risking a full body burn.
The Initiation Phase consists of three sub-phases:[34]
Preparation;
Notification and Resource Identification; and
Security Plan Analysis, Update, and Acceptance.
The Preparation sub-phase is just as its name suggests: a phase in which the supporting documentation for the C&A is prepared and validated by the system owner; putting your ducks in a row, so to speak. More specifically, in this phase the system security plan as well as the initial risk assessment should be reviewed to confirm that vital system information has been documented. If NIST SP 800-18 was followed during creation of the security plan, then all required information should already be part of the plan. It should be verified that the security category, as established under FIPS PUB 199, is also clearly identified. All potential threats, vulnerabilities, and risks, identified using the guidelines established in NIST SP 800-18 and NIST SP 800-30, Risk Management Guide for Information Technology Systems, should also be clearly stated. And lastly, the security controls selected using the guidelines in NIST SP 800-53 (when it is released) should be validated.
The Notification and Resource Identification sub-phase is a standard phase in program management. It is intended to communicate the need for the project (in this case, the C&A), the resources needed to carry it out, and the schedule of tasks and deliverables. Without this sub-phase, programs could be left without the appropriate resources, such as development or documentation staff, and, in some cases more importantly, without the budget to complete the project. With any project, proper notification must be given to those who provide the resources.
[34] NIST SP 800-37, pg. 21.

© SANS Institute 2004, Author retains full rights.
As part of the Information Security Reading Room