
DOI Security Assessment & Authorization

Updated: May 18, 2023

Federal government agencies handle sensitive information and assets, and it is critical to ensure that their systems and applications are secure from potential cyber threats. The Federal Information Security Modernization Act (FISMA) of 2014 requires federal agencies to provide cybersecurity for their operations and assets. All systems and applications that support Federal government agencies must follow the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF), Special Publication (SP) 800-37, which sets the standard for the Assessment and Authorization (A&A) process that must be completed before any system or application can be put into production.

The A&A process is a thorough evaluation of an information system's policies, technical and non-technical security components, documentation, supplemental safeguards, and vulnerabilities. It establishes the extent to which a system's design and implementation meet a set of specified security requirements defined by the organization, government guidelines, and federal mandates, and records the results in a formal authorization package. The authorization package is reviewed by the Authorizing Official (AO), who either grants an Authorization to Operate (ATO), grants an ATO with conditions, or denies authorization. With an ATO, the information system can operate in a particular security mode using a prescribed set of safeguards and function at a level of risk acceptable to the agency. Every five years, the A&A process is repeated to maintain the system's security.

The Department of the Interior (DOI) Office of the Chief Information Officer (OCIO) provides A&A accreditation services using a proven methodology that ensures customer readiness and efficient delivery while minimizing the impact on technology support teams. The Information Systems Security Line of Business Center of Excellence (ISSLOB COE) within OCIO develops, updates, and reviews all required security documentation, provides A&A consultation services to information system personnel, and performs an independent assessment to ensure that all required system security controls are in place, implemented correctly, and operating as intended.

OCIO's A&A services consist of three phases: Initiation, Assessment, and Authorization. The Initiation Phase includes a review of the system security categorization, privacy impact assessment, system security plan, contingency/disaster recovery plan, and risk assessment. In the Assessment Phase, security controls are comprehensively analyzed to determine whether they are implemented correctly, operating as intended, and producing the desired outcome described in the System Security Plan. Security Testing and Evaluation Planning, the Security Assessment Report, and the Plan of Action and Milestones are included in this phase. Finally, the Authorization Phase involves reviewing the A&A package, providing an AO briefing, submitting the authorization package, and making an authorization decision.

OCIO also offers customized A&A services, including System Development Lifecycle A&A Services Integration, Pre-Deployment Certification and Accreditation, System Reauthorization, In-flight Annual Reviews, CP/DR Test, Compliance Verification, and optional services like A&A documentation preparation, security policies, security procedures, security technical guidelines, security awareness and training plan, configuration management plan, patch management plan, rules of behavior, contingency/disaster recovery plan, incident response plan, and continuous monitoring plan.

In conclusion, the A&A process is an essential step in ensuring the security of information systems and assets managed by federal agencies. The DOI OCIO provides A&A accreditation services to support the compliance of federal agencies with the FISMA requirements. By following the NIST RMF SP 800-37 standard and OCIO's proven methodology, agencies can ensure the security of their information systems and assets.


This blog was written by the Activated Solutions team. If you are a business owner or an individual concerned about your cybersecurity, it's time to take action. Activated Solutions can help you to protect your business and personal data from potential cyber threats.


Contact Activated Solutions today to learn more about how they can help you protect your business. With our expertise and commitment to cybersecurity, you can have peace of mind knowing that you are taking proactive steps to protect yourself and your business from potential data breaches.


For more information, please visit: activatedsolutions.ca.


Sources

Office of the Chief Information Officer. "DOI Security Assessment & Authorization." U.S. Department of the Interior, 16 May 2018, www.doi.gov/ocio/customers/assessment.


