SUBTASK 1.1: Confirm that the information system has been fully characterized and documented in the security plan or an equivalent document.
SECURITY CATEGORIZATION
SUBTASK 1.2: Confirm that the security category of the information system has been determined and documented in the security plan or an equivalent document.
THREAT IDENTIFICATION
SUBTASK 1.3: Confirm that potential threats that could exploit information system flaws or weaknesses have been identified and documented in the security plan or an equivalent document.
SECURITY CONTROL IDENTIFICATION
SUBTASK 1.4: Confirm that the security controls (either planned or implemented) for the information system have been identified and documented in the security plan or an equivalent document.
VULNERABILITY IDENTIFICATION
SUBTASK 1.5: Confirm that flaws or weaknesses in the information system that could be exploited by potential threats have been identified and documented in the security plan or an equivalent document.
RESIDUAL RISK DETERMINATION (EXPECTED)
SUBTASK 1.6: Confirm that the expected residual risk to agency operations or agency assets has been determined and documented in the security plan or an equivalent document.
TASK 2: NOTIFICATION AND RESOURCE IDENTIFICATION
NOTIFICATION
SUBTASK 2.1: Inform the authorizing official, certification agent, user representative, and cognizant agency officials that the information system will require security certification and accreditation support.
PLANNING AND RESOURCES
SUBTASK 2.2: Determine the level of effort and resources required for the security certification and accreditation of the information system (including organizations involved) and prepare a plan of execution.
TASK 3: SECURITY PLAN ANALYSIS, UPDATE, AND ACCEPTANCE
SECURITY PLAN ANALYSIS
SUBTASK 3.1: Analyze the security plan to determine if the expected vulnerabilities in the information system and the resulting expected residual risk to agency operations (including mission, functions, image, or reputation) or agency assets are actually what the plan would produce.
SECURITY PLAN UPDATE
SUBTASK 3.2: Update the security plan based on the results of the independent analysis and recommendations of the certification agent and the authorizing official or designated representative.
SECURITY PLAN ACCEPTANCE
SUBTASK 3.3: Review the security plan to determine if the expected residual risk to agency operations (including mission, functions, image, or reputation) or agency assets is acceptable.
KEY MILESTONE QUESTIONS BEFORE PROCEEDING TO SECURITY CERTIFICATION PHASE
Is the FIPS Publication 199 risk level described in the security plan correct?
Does the execution plan properly identify the resources required to successfully complete the security certification and accreditation activities?
Does the expected residual risk described in the security plan appear to be correct?
Having decided that the expected residual risk appears to be correct, would the risk be acceptable?
SECURITY CERTIFICATION PHASE
TASK 4: SECURITY CONTROL VERIFICATION
DOCUMENTATION AND SUPPORTING MATERIALS
SUBTASK 4.1: Assemble any documentation and supporting materials necessary for the evaluation of the security controls in the information system.
REUSE OF EVALUATION RESULTS
SUBTASK 4.2: Assemble and review the findings, results, evidence, and documentation from previous assessments of the security controls in the information system for use during the security certification and accreditation process.
TECHNIQUES AND PROCEDURES
SUBTASK 4.3: Select, or develop when needed, appropriate techniques and procedures to evaluate the management, operational, and technical security controls in the information system.
SECURITY EVALUATION
SUBTASK 4.4: Evaluate the management, operational, and technical security controls in the information system using techniques and procedures selected or developed in Subtask 4.3, to determine the effectiveness of those controls in a particular environment.
SECURITY TEST AND EVALUATION REPORT
SUBTASK 4.5: Prepare the final security test and evaluation report.
TASK 5: SECURITY CERTIFICATION DOCUMENTATION
CERTIFICATION AGENT FINDINGS AND RECOMMENDATIONS
SUBTASK 5.1: Provide the information system owner with a security test and evaluation report.
SECURITY PLAN UPDATE
SUBTASK 5.2: Update the security plan based on the results of the security evaluation and any modifications to the security controls in the information system.
SECURITY CERTIFICATION PACKAGE ASSEMBLY
SUBTASK 5.3: Assemble the final security certification package.
KEY MILESTONE QUESTIONS BEFORE PROCEEDING TO SECURITY ACCREDITATION PHASE
What are the actual vulnerabilities in the information system?
What specific corrective actions have been taken or are planned to reduce or eliminate vulnerabilities in the information system?
SECURITY ACCREDITATION PHASE
TASK 6: SECURITY ACCREDITATION DECISION
RESIDUAL RISK DETERMINATION (ACTUAL)
SUBTASK 6.1: Determine the actual residual risk to agency operations or agency assets based on the confirmed vulnerabilities in the information system and any planned or completed corrective actions to reduce or eliminate those vulnerabilities.
RESIDUAL RISK ACCEPTABILITY
SUBTASK 6.2: Determine if the actual residual risk to agency operations or agency assets is acceptable and prepare the final security accreditation package.
TASK 7: SECURITY ACCREDITATION DOCUMENTATION
SECURITY ACCREDITATION PACKAGE TRANSMISSION
SUBTASK 7.1: Provide copies of the final security accreditation package to the information system owner and any other agency officials having an interest in the security of the information system.
SECURITY PLAN UPDATE
SUBTASK 7.2: Update the security plan based on the final determination of actual residual risk to agency operations or agency assets.
KEY MILESTONE QUESTIONS BEFORE PROCEEDING TO CONTINUOUS MONITORING PHASE
How do the actual vulnerabilities in the information system translate into actual residual risk to agency operations or agency assets?
Is the actual residual risk acceptable?
CONTINUOUS MONITORING PHASE
TASK 8: CONFIGURATION MANAGEMENT AND CONTROL
DOCUMENTATION OF INFORMATION SYSTEM CHANGES
SUBTASK 8.1: Using established agency configuration management and configuration control procedures, document proposed or actual changes to the information system.
SECURITY IMPACT ANALYSIS
SUBTASK 8.2: Analyze the proposed or actual changes to the information system to determine the security impact of such changes.
TASK 9: ONGOING SECURITY CONTROL VERIFICATION
SECURITY CONTROL SELECTION
SUBTASK 9.1: Identify a subset of the security controls in the information system that should be evaluated to determine the continued effectiveness of those controls in providing appropriate protection for the system.
SECURITY CONTROL MONITORING
SUBTASK 9.2: Evaluate the agreed-upon set of security controls in the information system to determine the continued effectiveness of those controls in providing appropriate protection for the system.
TASK 10: STATUS REPORTING AND DOCUMENTATION
SECURITY PLAN UPDATE
SUBTASK 10.1: Update the security plan based on the documented changes to the information system and the results of the ongoing process to monitor the effectiveness of the security controls in the information system.
STATUS REPORTING
SUBTASK 10.2: Report the security status of the information system to the authorizing official or designated representative.
KEY MILESTONE QUESTIONS BEFORE REINITIATING SECURITY CERTIFICATION AND ACCREDITATION PROCESS
Have any changes to the information system affected the current, documented vulnerabilities in the system?
If so, has the actual residual risk to agency operations or assets been affected?
Has a specified time period passed requiring the information system to be reauthorized in accordance with federal or agency policy?