FISMA Certification and Accreditation Handbook

The law cannot be enforced when everyone is an offender.
Chinese Proverb
Certification and Accreditation is a process that ensures that systems and major applications adhere to formal and established security requirements that are well documented and authorized. Informally known as C&A, Certification and Accreditation is required by the Federal Information Security Management Act (FISMA) of 2002. All systems and applications that reside on U.S. government networks must go through a formal C&A before being put into production, and every three years thereafter. Since accreditation is the ultimate output of a C&A initiative, and a system or application cannot be accredited unless it meets specific security guidelines, the goal of C&A is clearly to force federal agencies to put into production only systems and applications that are secure.
FISMA, also known as Title III of the E-Government Act (Public Law 107-347), mandates that all U.S. federal agencies develop and implement an agency-wide information security program that explains the agency's security requirements, security policies, security controls, and risks. The requirements, policies, controls, and risks are explained formally in a collection of documents known as a Certification Package. The Certification Package consists of a review and analysis of applications, systems, or a site, basically whatever it is that the agency wants accredited. New applications and systems require accreditation before they can be put into production, and existing applications and systems require accreditation every three years.
Each agency shall develop, document, and implement an agency-wide information security program to...