Certification and Accreditation (C&A) is a risk management process intended to:
- Promote a better understanding of organizational risks resulting from the operation and use of information systems;
- Ensure authorizing officials are appropriately engaged throughout the risk management process; and
- Support consistent, informed security authorization decisions.

C&A provides management with an assessment of the extent to which management, operational, and technical security controls for an information system are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements of the system. Management uses this assessment to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals.

KOMPSYS helps agencies perform C&A of their systems while maintaining an auditor’s perspective. This audit perspective helps ensure:
- The C&A methodology follows guidance in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37;
- System security plans are developed and documented in accordance with NIST SP 800-18 and 800-53;
- Risk assessments are conducted and documented in accordance with NIST SP 800-30;
- Testing is conducted in accordance with NIST SP 800-53A and test results are fully supported with detailed testing documentation;
- Management’s acceptance of risks is appropriate and clearly documented; and
- Management designs and implements effective continuous monitoring controls over C&A systems.