FISMA Certification and Accreditation Handbook

Don't try to figure out what other people want to hear from you; figure out what you have to say. It's the one and only thing you have to offer.
Barbara Kingsolver
All Certification Packages get certified and accredited at Level 1, 2, 3, or 4. The C&A review team, information system owner, and ISSO determine the C&A level and justify this level in a document known as the C&A Level of Recommendation. Unless the agency has decided to use some other methodology for determining the level of recommendation, the best guidance that exists for determining the level of accreditation is a document known as FIPS 199 (see Appendix C) written by the National Institute of Standards. Although I don't plan on trying to recreate FIPS 199, I want to help you understand how to use it.
There are four different levels at which information systems can be certified and accredited. The four levels are known simply as Level 1, Level 2, Level 3, and Level 4. The information system owner is supposed to decide at what level to certify the information system, and then obtain buy-in on that level from the authorizing official. The ISSO and C&A preparation team should assist the information system owner in determining the proper level at which to certify and accredit the information system.
Level 1 is for information systems that are not sensitive, and have few security requirements. Level 2 is for information systems...