FISMA Certification and Accreditation Handbook

Chapter 12: Performing the Security Tests and Evaluation

No law or ordinance is mightier than understanding.

Plato

Introduction

A Security Test & Evaluation, known among security experts as an ST&E, is a document that demonstrates that an agency has performed due diligence in testing its security requirements and evaluating the outcome of those tests. The ST&E is a C&A document that tends to give agencies a lot of trouble. It is not clear to many agencies what tests they should be doing, who should be doing them, and what the analysis of the tests should consist of. The ST&E is supposed to convince the C&A package evaluators that the agency understands the security requirements well enough to create tests that verify the security controls actually uphold those requirements.

It is the responsibility of the information system owner to ensure that the testing actually takes place. However, the information system owner may choose to delegate this responsibility to the ISSO. The federal guidance on what to include in your ST&E is somewhat vague, and though this leaves lots of room for flexibility, it leaves many information system owners, C&A package preparers, and C&A package evaluators wondering what a good ST&E should include.

Types of Security Tests

Keep in mind that you are trying to certify and accredit an information technology implementation, not a product. That being said, any implementation likely uses many products. Figuring out where to draw the line in the sand on where a product ends and where an implementation begins is...
