ABSTRACT

In the first years following the enactment of the Federal Information Security Management Act, government agencies placed great emphasis on certifying and accrediting their information systems reportable to the Office of Management and Budget (OMB) and expended large sums in ensuring the agency had achieved the OMB goals of 100% certification and accreditation of all systems in its information systems inventory. Unfortunately, in many organizations at that time certification and accreditation constituted the entire information security program. Although system authorization is important, obtaining authorization to operate is clearly not the end of the process. It must be remembered that system authorization consists of more than the initiation, certification, and accreditation phases. The continuous monitoring phase provides assurance that an information system remains secure following authorization to operate. Information included in this chapter maps to Risk Management Framework (RMF) Tasks 6-1 through 6-7, also highlighted in the chapter.