Information systems need to be evaluated and they may also need to be certified based on a set of defined parameters. There are many security certification and accreditation standards for security assurance. The following topics describe a few important ones.
Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP) is the standardized approach designed to guide DoD agencies through the certification and accreditation process for a single information technology (IT) entity.
There are four phases to the DITSCAP process:
- Definition: All the system requirements and capabilities are documented to include mission, function, and interfaces.
- Verification: recommended changes to a system are performed and the resulting deliverable is a refined System Security Authorization Agreement (SSAA).
- Validation: This proceeds with a review of the SSAA.
- Post accreditation: Here, system changes are managed, system operations are reviewed, acceptable risk is maintained, and the SSAA is updated.
Note
System Security Authorization Agreement (SSAA) is a document that details system specifications, such as the system mission, target environment, target architecture, security requirements, and applicable data access policies. SSAA is a basis on which certification and accreditation actions take place.
National Information Assurance Certification and Accreditation Process (NIACAP) is a process for the certification and accreditation of the computer systems that handle the US National Security information. It is derived from DITSCAP.
The DoD Information Assurance Certification and Accreditation Process (DIACAP) is a standard that supersedes DITSCAP. This standard was published in 2006.
System Security Engineering Capability Maturity Model (SSE-CMM) is a system security process maturity model that focuses on requirements pertaining to the implementation of security in a system or a group of systems specifically in the Information Technology security domain. It is a National Security Agency (NSA) sponsored effort.
There are 11 security engineering practices that are defined in SSE-CMM. They are as follows:
- PA01: Administer Security Controls
- PA02: Assess Impact
- PA03: Assess Security Risk
- PA04: Assess Threat
- PA05: Assess Vulnerability
- PA06: Build Assurance Argument
- PA07: Coordinate Security
- PA08: Monitor Security Posture
- PA09: Provide Security Input
- PA10: Specify Security Needs
- PA11: Verify and Validate Security
There are 11 more process areas and related project and organizational practices. They are as follows:
- PA12: Ensure Quality
- PA13: Manage Configuration
- PA14: Manage Project Risk
- PA15: Monitor and Control Technical Effort
- PA16: Plan Technical Effort
- PA17: Define Organization's Systems Engineering Process
- PA18: Improve Organization's Systems Engineering Process
- PA19: Manage Product Line Evolution
- PA20: Manage Systems Engineering Support Environment
- PA21: Provide Ongoing Skills and Knowledge
- PA22: Coordinate with Suppliers