Certification & Accreditation (C&A) – the process changes but the end game remains the same…
C&A Process: Determination of the risk profile of the system (Certification) and then acceptance of the operational risk by an approving authority (Accreditation).
It is important to remember that since these C&A processes are designed to be tailorable processes, each DoD Service or Government agency will develop its own customized implementation of its C&A process. So, for example, the USMC does not do C&A the same way that the USN does C&A.
Here are the various tailorable C&A processes:
DITSCAP – DISA-developed process for DoD C&A which has been replaced by DIACAP.
DIACAP – DITSCAP replacement in various stages of rollout by the armed services.
DCID 6/3 – Utilized for SCIF systems in the TS and above realm.
NIACAP – used for the certification and accreditation (C&A) of national security systems outside of the DoD.
DIACAP & DCID 6/3 replacement – announced at Air Force ISR Agency & DCGS Information Assurance Conference in late 2007 and to be revealed at the DODIIS Conference in San Diego the week of March 16th 2008. This replacement is supposed to be based on NIST standards being developed in conjunction with NII.
What is driving the recent push to perform/update C&A over the last several years?
Congress has tied IA Readiness to Funding Requirements and is using the Federal Information Security Management Act (FISMA), E-Government Act of 2002, Public Law 107-347, to measure IA Readiness. Passing grades by Agencies have been less than stellar (sometimes almost non-existent) and enforcement of the law has increased, providing a market for C&A engineers.