
Information Security Certification & Accreditation

Security Certification and Accreditation (SC&A) is a formally defined process designed to "certify" that an information system meets documented security requirements before the information system is "accredited" into operations (e.g., goes live). It incorporates mechanisms to ensure that the information system continues to maintain the accredited security posture throughout the system life cycle. Responsibility and accountability are core principles that characterize security accreditation, as the "accreditor" accepts responsibility for the security of the system and for any adverse impacts to the entity if a breach of security occurs.

In support of this accountability, it is essential that "accreditors" have the most complete, accurate and trustworthy information possible on the security status of their information systems in order to make timely, credible, risk-based decisions on whether to authorize operation of those systems. The information and supporting evidence needed for security accreditation is developed during a detailed security review of an information system, typically referred to as security certification. Security certification is a comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. The results of a security certification are used to reassess the risks and update the system security plan, thus providing the factual basis for an authorizing official to render a security accreditation decision.

Although SC&A was originally the domain of the federal government, its application has spread widely over the last few years into non-federal government and the private sector. These entities generally use an appropriate subset of NIST 800-37.

If we can be of assistance in determining the best way to "certify" business-critical systems and achieve security objectives, please call 888-PivotPoint and ask to speak with our Practice Area Manager, or send us an email.