ABSTRACT
The implementation of a certification and accreditation (C&A) process within industry for
information technology systems will support cost-effective, risk-based management of those
systems and provide a level of security assurance that can be known (proven). The C&A process
addresses both technical and nontechnical security safeguards of a system to establish the extent to
which a particular system meets the security requirements for its business function (mission) and
operational environment.