ABSTRACT

Certification and accreditation is more than an exercise in documenting security controls and assessing security weaknesses. The purpose of an effective certification and accreditation program is to ensure that sensitive information resources are protected and to expose the shortfalls when they are not. As stated earlier, certification is an assessment activity rather than a mitigation activity. Certification does not stand alone, however: mitigating the risks it identifies is essential to the success of the entire certification and accreditation process. What is needed after the assessment is a plan for mitigating those risks. A risk remediation plan provides a consolidated, easy-to-use road map for correcting security weaknesses. Also known as a plan of action and milestones (POA&M), risk mitigation plan, remediation plan, or system risk management plan, the risk remediation plan is the source document for tracking the correction of deficiencies and the improvement of a system's security. Developing a risk remediation plan presumes that an assessment has been completed, at least provisionally, and that the deficiencies found in security controls have been adequately documented.