ABSTRACT

What sort of documentation should be included in the certification package? The answer follows from what information the approving authority needs in order to make an informed decision about the security of the system. The list of major documents required in the certification package varies by methodology. As shown in Table 15.1, several formal certification and accreditation methodologies have lengthy lists that require a multitude of documents to substantiate that security has been adequately implemented. The documentation these methodologies require records the results of the certification process, but it also includes extensive evidence of the implemented controls, if not the actual controls themselves. The logical question that follows is: what form of proof is necessary to convince the approving authority that the controls are adequate? Is an assessment report that documents and provides evidence of the existence of a control sufficient? For example, does the approving authority need to see the system's configuration management plan as part of the certification and accreditation package to be convinced, or is it sufficient for an independent certifier to review the plan and attest that it exists and that it meets requirements? The answer lies in the purpose of certification. Certification is an assessment exercise, not a remediation exercise. It is designed to assess whether the controls implemented to protect a given system meet a set of predefined requirements; it is not intended to assess and then remediate the weaknesses found during the assessment. This is the reason many certification programs fail: they lose sight of what they are intended to do.

Table 15.1 (fragment only): Example of DITSCAP Documentation ■ Mission Need Statement; Example of NIACAP Documentation ■ System Security Authorization