Certification and Accreditation: Difference between revisions
No edit summary
Line 1:
{{Orphan|date=February 2009}} |
{{Orphan|date=February 2009}} |
'''Certification and Accreditation (C&A)''' is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing and authorizing systems prior to or after a system is in operation. The C&A process is used extensively in the U.S. Federal Government. Some C&A processes include [[FISMA]], [[NIACAP]], [[DIACAP]] and [[DCID 6/3]]. |
'''Certification and Accreditation (C&A)''' is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing and authorizing systems prior to or after a system is in operation. The C&A process is used extensively in the U.S. Federal Government. Some C&A processes include [[FISMA]], [[NIACAP]], [[DIACAP]], [[IACET]], [[NICCM]] and [[DCID 6/3]]. In addition the '''Certification and Accreditation (C&A)''' process is used by independent associations and entities to establish an agreed upon standard for assessing and maintaining these standards. In the United States, and many other countries, the '''Certification and Accreditation (C&A)''' process is used by colleges and universities to adhere to agreed upon standards with which to establish uniformity in concepts of degrees and recognition. |
By in large states and government entities will "certify" agencies, while independent institutions fufill the activity of "accreditation" of agencies. This is to provide non competitive and unbiased oversight and to avoid any appearance of a violation of federal antitrust laws. |
Likewise, non-accredited institutions typically award "credentials" to individuals, while colleges award "degrees" and states award "certification". |
[[Certification]] is a comprehensive assessment of the management, operational, and technical [[security controls]] in an information system, made in support of [[security accreditation]], to determine the extent to which the [[controls]] are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the [[security requirements]] for the system. |
[[Certification]] is a comprehensive assessment of the management, operational, and technical [[security controls]] in an information system, made in support of [[security accreditation]], to determine the extent to which the [[controls]] are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the [[security requirements]] for the system. |
[[Accreditation]] is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the [[risk]] to agency operations (including mission, functions, [[image]], or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of [[security controls]]. |
[[Accreditation]] is the official management decision given by a senior agency or institution official to authorize operation of an information system and to explicitly accept the [[risk]] to agency operations (including mission, functions, [[image]], or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of [[security controls]]. By in large the term [[Accreditation]] is in public domain and accessable to any who choose to use the term. |
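Review bot: the new revision adds unsourced material in three places and should either cite a source or be tagged as needing one. In the lead paragraph, [[IACET]] and [[NICCM]] are added to the list of C&A processes alongside FISMA, NIACAP, DIACAP and DCID 6/3 with no reference, and the two new sentences about independent associations and about colleges and universities cite nothing; the new paragraph about states "certifying" while independent institutions "accredit", and the claim that this avoids "any appearance of a violation of federal antitrust laws", is likewise unsupported; and the sentence appended to the accreditation paragraph ("the term [[Accreditation]] is in public domain and accessable to any who choose to use the term") is an unsourced assertion that sits oddly next to the NIST-style definition preceding it. Spelling in the added text: "By in large" should be "By and large", "fufill" should be "fulfill", "accessable" should be "accessible", and "agreed upon" as a modifier should be hyphenated.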
Revision as of 17:38, 23 March 2010
Certification and Accreditation (C&A) is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing and authorizing systems before or after a system enters operation. The C&A process is used extensively in the U.S. Federal Government. Some C&A processes include FISMA, NIACAP, DIACAP, IACET, NICCM and DCID 6/3. In addition, the Certification and Accreditation (C&A) process is used by independent associations and entities to establish an agreed-upon standard for assessing and maintaining these standards. In the United States, and in many other countries, the Certification and Accreditation (C&A) process is used by colleges and universities to adhere to agreed-upon standards that establish uniformity in the concepts of degrees and recognition.
By and large, states and government entities will "certify" agencies, while independent institutions fulfill the activity of "accreditation" of agencies. This is to provide noncompetitive and unbiased oversight and to avoid any appearance of a violation of federal antitrust laws.
Likewise, non-accredited institutions typically award "credentials" to individuals, while colleges award "degrees" and states award "certification".
Certification is a comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
Accreditation is the official management decision given by a senior agency or institution official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls. By and large, the term Accreditation is in the public domain and accessible to any who choose to use the term.
References
- NIST Special Publication 800-37 rev.2 (DRAFT) Guide for Security Authorization of Federal Information Systems: A Security Lifecycle Approach
- NIST Special Publication 800-66 An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
- FISMApedia Certification and Accreditation Terms