The Accreditation Decision and the Authorizing Official
Posted February 10th, 2009 by rybolov

The accreditation decision is one of the most important activities in how the US Government secures its systems. It is also one of the most misunderstood. This slideshow aims to explain the role of the Authorizing Official and to give you some understanding of why and how accreditation decisions are made.
I would like to give a big thanks to Joe Faraone and Graydon McKee who helped out.
The presentation is licensed under Creative Commons, so feel free to download it, email it, and use it in your own training.
Posted in FISMA, NIST, Risk Management, Speaking | 5 Comments »
Tags: 800-37 • accreditation • C&A • certification • compliance • fisma • government • infosec • management • NIST • omb • risk • security • speaking
February 11th, 2009 at 11:11 am
[…] Smith over on the Guerilla CISO blog has just posted a presentation entitled The Accreditation Decision and the Authorizing Official. This is an update of a slide deck that Mike, Joe Faraone, and I have been using in our Potomac […]
February 13th, 2009 at 1:09 pm
I found the slides to be very good, I especially liked the scenarios.
I will be making changes to some of the semantics. Where it says that a certifier is finding risks, they in fact don’t. They discover findings. Those findings could be policy violations, evidence of policy violations or general system architecture weaknesses.
For instance, when I was a certification agent I did not list out all the patches they did not have installed. This is evidence that a patch management program is ineffective (depending on the date that a patch was released and that the SSP says that it is an implemented control).
The assignment of risk would be left up to the system owner, the certifier (a role that is disappearing in 800-37 Rev 1) or the AO. They would do this by going through an 800-30 exercise. They would start with the security assessment findings and then assign likelihood and impact ratings. This is also presuming that there is even a threat vector.
Let me know if you had a different interpretation or if I missed something.
February 14th, 2009 at 1:06 pm
@Chris Burton
I agree with you, but I’m looking through the slides and I can’t figure out where I said or implied that the certifier identifies risk.
I did use the term “assessment of risk” which is spot-on but can be misunderstood. =)
So yes, you’re right.
February 17th, 2009 at 11:41 am
[…] and contributor to the Guerilla CISO). Mike, Joe and I worked on a presentation entitled The Authorizing Official and the Accreditation Decision which addressed these topics as a stage of Certification and Accreditation, a process that the […]
February 18th, 2009 at 12:11 pm
I am going to go through it (again!), and send you the track changes.