Justice explains C&A approach

Agencies are close to consensus on standards for security certification and accreditation

New standards for C&A

The Office of the Director of National Intelligence, working with the Defense Department, National Institute of Standards and Technology, and Office of Management and Budget, has established goals for transforming security certification and accreditation procedures in the intelligence community. The agencies want to:

  • Define a standard way of viewing information.

  • Accept one another’s certifications.

  • Define, document and adopt common security controls.

  • Agree on a common language and understanding of terms.

  • Create a senior executive position that will take an enterprisewide view of risks.

— Mary Mosquera

The Justice Department’s pitch to help agencies improve their security reporting is all about automation — leaving more time to do real-time monitoring.

Justice officials said they are taking information security to a new level by offering a security control application that automatically documents many of the processes necessary for certifying and accrediting federal information systems.

Certification and accreditation is one of the mandatory procedures agencies must complete and document under the Federal Information Security Management Act.

But in addition to providing documentation, Justice offers tools that monitor an information system’s security controls, so C&A becomes more than just a snapshot of security at a point in time that has already passed.

The purpose of C&A procedures is to demonstrate that information systems are trustworthy so agencies can establish system-to-system exchanges.

But “what happens usually has been a check-off, and you can’t get a trust relationship with that,” said Dennis Heretick, Justice’s chief information security officer.

Justice offers a security reporting service under the Office of Management and Budget’s Information Systems Security Line of Business (ISS LOB) consolidation initiative. Fifteen departments and agencies have signed up to use its shared-services center.

The Environmental Protection Agency also is an ISS LOB center for FISMA reporting. OMB has directed agencies to move to a shared-services provider for FISMA reporting by September 2008.

Agencies typically use a checklist to document that their information systems meet federal security requirements, but checklists tend to be paper exercises.

Justice is trying to make the C&A process more effective with a service that is sensitive to real-time risks.

The department is testing the security control authoring toolkit in the Office of the Director of National Intelligence as part of a larger effort to establish a unified federal approach to C&A.

Justice’s security shared-services center uses the department’s Cyber Security Assessment and Management database of security requirements, controls, systems inventory and security categories.

“You can generate the controls that apply, determine which ones can be inherited from other projects or systems, and which ones may be out of scope because, say, your system is a financial system, which would bump up the controls,” Heretick said.

The service also incorporates the Risk Management Framework developed by the National Institute of Standards and Technology. “We break those down into specific risk-control requirements, and within those controls, the expected results,” Heretick said.

ODNI is using the toolkit to document, assess and monitor its security controls. ODNI charts threats and vulnerabilities and assigns them risk values.
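The control-generation, inheritance, scoping and risk-value workflow Heretick describes above, modelled as an added example (constructed for this article, not Justice's CSAM code or ODNI's toolkit; control IDs, expected results, impact levels and the risk weighting are all assumptions):

```python
from dataclasses import dataclass, field
# Constructed catalogue standing in for a requirements database; IDs and values are illustrative.
@dataclass
class Control:
    cid: str
    expected: str          # expected result an assessor looks for
    min_impact: int = 1    # lowest impact level where it applies (1 low, 2 moderate, 3 high)
    financial_only: bool = False

CATALOG = [
    Control("ACCESS-01", "accounts reviewed within 90 days"),
    Control("AUDIT-01", "audit logs retained for 1 year", min_impact=2),
    Control("FIN-01", "separation of duties enforced", financial_only=True),
    Control("PHYS-01", "badge access to server room"),
]

@dataclass
class System:
    impact: int                                    # security category of the system
    financial: bool = False
    inherits: dict = field(default_factory=dict)   # cid -> name of providing system
    observed: dict = field(default_factory=dict)   # cid -> latest monitored result

def select_controls(system):
    """Generate applicable controls, marking inherited and out-of-scope ones."""
    status = {}
    for c in CATALOG:
        if c.min_impact > system.impact or (c.financial_only and not system.financial):
            status[c.cid] = "out of scope"
        elif c.cid in system.inherits:
            status[c.cid] = "inherited from " + system.inherits[c.cid]
        else:
            status[c.cid] = "system-specific"
    return status

def assess(system, providers):
    """Compare observed with expected results; an unmet control adds a risk value equal to impact."""
    findings, risk, scope = {}, 0, select_controls(system)
    for c in CATALOG:
        if scope[c.cid] == "out of scope":
            continue
        owner = providers[system.inherits[c.cid]] if c.cid in system.inherits else system
        met = owner.observed.get(c.cid) == c.expected
        findings[c.cid] = "met" if met else "unmet"
        risk += 0 if met else system.impact
    return findings, risk

# Constructed example: a moderate-impact financial system inheriting physical controls from a host.
HOST = System(3, observed={"PHYS-01": "badge access to server room"})
PAYROLL = System(2, financial=True, inherits={"PHYS-01": "HOST"}, observed={
    "ACCESS-01": "accounts reviewed within 90 days", "AUDIT-01": "audit logs retained for 6 months",
    "FIN-01": "separation of duties enforced"})
```

Inherited controls are checked against the providing system's monitored state, so a lapse at the host shows up in every system that relies on it.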

That testing is occurring as ODNI and Defense Department officials work to reach consensus on C&A security standards for the intelligence community.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.
