The Joint Automated Booking System

Audit Report 05-22
May 2005
Office of the Inspector General


Appendix IV

Certification And Accreditation


Certification and Accreditation is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations, agency assets, or individuals based on the implementation of an agreed-upon set of security controls.

Security Certification consists of two tasks: i) security control assessment; and ii) security certification documentation. The purpose of this phase is to determine the extent to which the security controls in the information system are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. This phase also addresses specific actions taken or planned to correct deficiencies in the security controls and to reduce or eliminate known vulnerabilities in the information system. Upon successful completion of this phase, the authorizing official will have the information needed from the security certification to determine the risk to agency operations, agency assets, or individuals, and thus will be able to render an appropriate security accreditation decision for the information system.

Security Accreditation consists of two tasks: i) security accreditation decision; and ii) security accreditation documentation. The purpose of this phase is to determine if the remaining known vulnerabilities in the information system (after the implementation of an agreed-upon set of security controls) pose an acceptable level of risk to agency operations, agency assets, or individuals. Upon successful completion of this phase, the information system owner will have: i) authorization to operate the information system; ii) an interim authorization to operate the information system under specific terms and conditions; or iii) denial of authorization to operate the information system.


