FISMA Certification and Accreditation Handbook

A bad beginning makes a bad ending.
Euripides
If your agency or bureau doesn't already have an information security program established, chances are that it hasn't scored well on the annual Federal Computer Security Report Card. Since FISMA isn't going to go away, and senior executives will be held accountable for obtaining acceptable Federal Computer Security Report Card scores, now is the time to start putting an information security program into place. The C&A program is just a piece of the greater information security program, albeit a big piece. The information security program includes the whole ball of wax: security policies, procedures, requirements, C&A guidelines, and all the documentation that goes with them. The C&A program is a well-thought-out process with documentation to support it. It explains how C&A will be done within the agency.
If your agency already has information security and C&A programs in place, now might be a good time to start thinking about how you can improve them. Once a C&A program has been developed, an astute agency will find that it needs to update and revise the program each year. The more your C&A program is used, the better it will become.
The C&A program developers are often the same folks who are part of the agency evaluation team; however, they don't have to be. There are no federal restrictions on which people within the agency can participate in developing the C&A program. The agency itself, however, may set its own policies on who is responsible...