It is during the Security Plan Analysis, Update, and Acceptance sub-phase that the plan should be validated against current NIST guidance, as outlined in NIST SP 800-18.[35] SP 800-18 describes in detail how to create and maintain a system security plan. Conformity with this guide is the first thing the security plan will be judged against in C&A; noncompliance will flag the entire system as potentially uncertifiable. If deficiencies are identified in the plan, it should of course be corrected before the Certification process is started.
Certification and Accreditation
For information on the Certification and Accreditation phases, please refer to the GSEC practical “Government System Certification: A Guide to Government Security Mandates” by Christian Enloe. In brief, Enloe identifies and describes what it takes to pass a system review. He identifies six basic requirements:[36]
Defining System Boundaries;
System Security Plans;
Contingency Plans; and
Plan of Action and Milestones (POA&M).
In addition to what Enloe describes in his paper, it should be noted that at this point in the C&A process most supporting documentation should already exist and should only need to be evaluated by the certifying authority. Corrective action plans are created at the completion of the Certification phase, and they usually require the supporting documentation to be updated before the system enters the Accreditation phase.
Continuous Monitoring Phase
Per FISMA, individual agencies must report on the security of their systems annually.[37] Additionally, as part of an agency's security program, they must make “periodic assessments of the risk”[38] to their systems. Yearly or periodic checks of system security are important, but security should be an ongoing process. C&A supporting documents, such as the security plan, risk assessment, business continuity plan, and disaster recovery plans, are vitally important to security; they are living documents that should be regularly updated. It is not enough to wait until the next C&A to update and amend security documentation. As living documents they can be compared to regular checkups with the doctor: skip a few visits and you could find yourself in serious trouble down the road. In order to maintain checks and
© SANS Institute 2004, Author retains full rights.
[35] See NIST Special Publication 800-18, http://www.csrc.nist.gov/sec-cert/ca-library.html
[36] GSEC Practical “Government System Certification: A Guide to Government Security Mandates” by Christian Enloe, December 2002, pg. 5.
[37] E-Government Act of 2002: Title III, Information Security, Section 3544(c)(1).
[38] Ibid.
As part of the Information Security Reading Room