Certification and Accreditation

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Handprintniccm (talk | contribs) at 17:38, 23 March 2010. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Certification and Accreditation (C&A) is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing and authorizing systems either before or after they go into operation. The C&A process is used extensively in the U.S. Federal Government. Some C&A processes include FISMA, NIACAP, DIACAP, IACET, NICCM and DCID 6/3. In addition, the Certification and Accreditation (C&A) process is used by independent associations and entities to establish agreed-upon standards for assessment and to maintain those standards. In the United States, and in many other countries, the Certification and Accreditation (C&A) process is used by colleges and universities to adhere to agreed-upon standards that establish uniformity in the concepts of degrees and recognition.

By and large, states and government entities "certify" agencies, while independent institutions fulfill the activity of "accrediting" agencies. This provides non-competitive and unbiased oversight and avoids any appearance of a violation of federal antitrust laws.

Likewise, non-accredited institutions typically award "credentials" to individuals, while colleges award "degrees" and states award "certification".

Certification is a comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Accreditation is the official management decision given by a senior agency or institution official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls. By and large, the term "accreditation" is in the public domain and accessible to anyone who chooses to use it.
