ABSTRACT

The Certification & Accreditation (C&A) process requires a systemic perspective that is attentive to the dependencies among related processes, business activities, and interconnected information systems. Federal information systems are complex in nature: they are often distributed, run on heterogeneous operating systems and hardware, and exchange data with many external sources and destinations. The C&A challenge for agencies is to determine whether their systems meet a standard, consistent, and measurable level of security. The C&A process leads to the delivery of two documents: a certification package and an accreditation package. The certification package contains the findings of the certification team that evaluated the system. These findings include the results of the system test and evaluation, the vulnerabilities identified, the security controls that mitigate the associated risks, and the residual risk that remains once those controls are implemented. Management and operational controls that every agency needs at a minimum baseline level can be designated as common security controls.