Certification & Accreditation

Assessment & Authorization (A&A)
Certification & Accreditation (C&A)
Information Assurance (IA)
Security Test & Evaluation (ST&E)


To help secure information systems within the Federal government, including the critical infrastructure of the United States, TrustedQA uses established standardized assessment methods and procedures to assess the security controls in federal information systems.

Our A&A / C&A processes will determine if security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements of the agency.

TrustedQA assessments take into consideration the entire system, network, and application lifecycle from a security standpoint. In short, the A&A / C&A process is a manual audit of policies, procedures, controls, and contingency planning.

The employment of standard assessment methods and procedures promotes more consistent, comparable, and repeatable security assessments. TrustedQA will also develop specific security test and evaluation procedures and methods for unique and non-standard environments. For those systems that exhibit security vulnerabilities, TrustedQA will produce recommendations for bringing the appropriate security controls into compliance.

The outcome of the A&A / C&A process is a collection of documents that describes the security posture of the systems, an evaluation of the risks, and recommendations for correcting deficiencies. This collection is known as a Certification Package.

DIACAP to Risk Management Framework (RMF) Transition

The Defense Information Assurance Certification and Accreditation Program (DIACAP) is currently being replaced across DoD with a new process named Risk Management Framework (RMF). RMF’s goal is to develop and maintain the same Certification & Accreditation (C&A) process and control throughout the entire Federal Enterprise (DoD and civilian), allowing for greater inter-connectivity between agencies.

The words “Certification & Accreditation” are actually misnomers. When security professionals evaluate a particular system, they are not actually certifying anything; they “assess” it and provide recommendations. In DIACAP this recommendation was incorrectly called a “certification”, leaving many wondering why they still couldn’t go live after their system was “certified”. To avoid confusion, RMF will call this step an “assessment”.

The second part of the process is similarly confusing. After “certification”, the recommendation was sent to a Designated Accrediting Authority (DAA). The DAA’s signature actually completed the “accreditation” portion and allowed the system to go live or remain in operation, when in reality the DAA’s role is to “authorize” the assessment instead of “accredit” it. To clarify the entire process, RMF will change Certification & Accreditation (C&A) to Assessment & Authorization (A&A).

TrustedQA’s Information Assurance Analysts are knowledgeable on RMF’s six-step system life cycle process and can help guide your program’s transformation from traditional C&A to RMF’s A&A.

Our skilled and experienced C&A Assessment Teams can help in many areas, including:

  • Regulatory Compliance (FISMA, OMB Circular A-130 III, FIPS 199)
  • Risk Management Framework / Assessment & Authorization (NIST SP 800-37)
  • Certification and Accreditation (NIST SP 800-37, DIACAP, DCID 6/3, ISO 27002 – ISO 17799)
  • Risk Assessments, System Security Plans (NIST SP 800-53, SP 800-26, SP 800-18)
  • DIACAP DoD IA C&A Process, DCID 6/3
  • Business Continuity and IT Systems Contingency Plans (NIST SP 800-34)
  • Security Control Assessments (SCA) and Security Test & Evaluation (ST&E)
  • Physical Security Assessments, Disaster Recovery Plans and Testing, COOP Plans and Testing…