The Four Phases of Authorization and Accreditation (A&A)
Phase I: Initiation and Planning
The ﬁrst phase of the A&A process is initiation and planning. In this phase, the information system owner and the designated Information System Security Ofﬁcer (ISSO1 will formally initiate the A&A process by acknowledging that an A&A is required, establishing a A&A team, developing a project plan with milestones, determining a formal security classiﬁcation for the system and deciding what resources are required to perform a A&A process. In most cases, for commercially-hosted federal systems, the system owner will outsource the A&A process to the systems integrator or Managed Service Provider (MSP1. This is important because the A&A process is a large undertaking and requires substantial resources, including experienced and knowledgeable InfoSec and compliance professionals to complete the A&A package properly. Attempting to tackle the A&A process without the proper knowledge or resources can lead to costly delays and potentially a denial of accreditation.
The A&A package preparer will be responsible for compiling all of the required A&A package documentation, such as the System Security Plan (SSP1, and performing a risk assessment. Based on the outcome of the risk assessment, any risk that cannot be remediated will be added to the Plan of Actions and Milestones (POAM1 for review by the Certifying Authority (CA1. The preliminary A&A package must be completed and reviewed by the CA before moving onto phase two – Certiﬁcation.
Phase II: Certiﬁcation
In the Certiﬁcation phase, a team of independent auditors will perform a review of the preliminary C&A package and audit the information system utilizing a checklist to certify that the proper controls – based on NIST special publication 800.53 – have been implemented. The independent audit will consist of onsite interviews, vulnerability scans, and visual inspections and testing. Once the independent audit is complete, the auditors will assemble a formal C&A package with the results of their evaluation and make a recommendation to the CA on the certiﬁcation worthiness of the system.
Phase III: Accreditation
In the Accreditation phase, the Certifying Authority will review the completed C&A package to validate that all of the required information is contained within the package before making an accreditation decision. Once the Certifying Authority has reviewed the final C&A package and auditor’s recommendations, he/she will make a determination to accept any non-remediated risk before granting an accreditation. If the CA concludes that the C&A package contains all of the required documentation and there are no unacceptable risks, a formal letter of accreditation will be issued to the system owner, granting the system owner the Authority to Operate (ATO1. ATO’s are valid for three years and must be renewed at the end of the three-year cycle in order for the federal system to continue to operate. Failure to renew a system ATO may result in a denial of authority to operation.
In order to maintain the system’s compliant baseline and to detect any new threats to the system, a process of continuous monitoring must be implemented. ISSO’s utilize intrusion detection tools, sys logs and change management procedures to monitor and prevent any unauthorized changes to the compliance baseline. By establishing a process to continuously monitor the information system, the ISSO can detect any conﬁguration changes or compromises that may adversely impact the system. In addition to ISSO continuous monitoring, Federal Agencies may perform onsite annual audits to ensure the information system has maintained its compliance baseline.
Achieving FISMA compliance and accreditation for a federal information system can be a difficult undertaking, as it requires a strict adherence to federally-mandated laws and guidelines. Federal agency CIO’s are tasked with establishing an agency-wide compliance program from the top down to certify that all information systems under agency control are federally compliant.