authorization. The security accreditation decision communicates the accreditation authority's decision and provides the information system owner with the:

• Security accreditation decision – official decision by the authorizing official on whether to accredit the system, accredit the system with conditions, or deny system accreditation;

73 See NIST 800-18, Guide for Developing Security Plans for Federal Information Systems, Revision 1, and Chapter 8, Security Planning, of this guide for additional guidance on system security planning.

102

Chapter 11 Certification, Accreditation, and Security Assessments

• Supporting rationale for the decision – justification for the authorizing official's decision; and

• Terms and conditions for the authorization – limitations or restrictions placed on the operation of the system to which the system owner is bound.

The contents of security certification and accreditation-related documentation, especially information dealing with information system vulnerabilities, should be marked and protected appropriately in accordance with agency policy, and retained in accordance with the agency's record retention policy.

11.6 Continuous Monitoring

The Continuous Monitoring phase is an essential component in any security program. During this phase, the status of the security controls in the information system is checked on an ongoing basis. An effective continuous monitoring program can be used to support the annual FISMA requirement for assessing the security controls in information systems. At a minimum, an effective monitoring program requires the following:

• Configuration management and configuration control processes for the information system;

• Security impact analyses on changes to the information system; and

• Assessment of selected security controls in the information system and reporting of information system security status to appropriate agency officials.

To determine which security controls to select for review, agencies should first prioritize testing on POA&M items that have been closed; these newly implemented controls should be validated. Next, agencies should test controls affected by system-related security control changes that occurred but did not constitute a major change necessitating a new C&A. Agencies should then identify all security controls that are continuously monitored and count that monitoring as annual testing and evaluation activity. Examples of this include (but are not limited to) ongoing security training, Denial of Service and Malicious Code protection activities, Intrusion Detection monitoring, Log File reviews, etc. Once this is completed, agencies should look at the remaining controls that have not been tested for that year and make a decision on further annual testing based on risk, importance of control, and date of last test.
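The control-selection procedure described above (closed POA&M items first, then controls changed without a new C&A, then controls already covered by continuous-monitoring activities, then the remainder ranked by risk, control importance, and date of last test) can be implemented as a simple planning script. The following is an added example, not code from NIST SP 800-100; the three-level risk scale, the numeric importance scale, the 365-day staleness threshold, and all control records are constructed assumptions for illustration.

```python
"""Prioritise security controls for annual assessment during Continuous Monitoring.

Added example (not from NIST SP 800-100). The tiers follow the ordering the
chapter describes; the scales and sample records below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed three-level risk scale; the guide does not prescribe one.
RISK_RANK = {"high": 0, "moderate": 1, "low": 2}


@dataclass
class Control:
    control_id: str
    description: str
    risk: str                              # "high" | "moderate" | "low" (assumed scale)
    importance: int = 2                    # assumed scale: 1 = most important, 3 = least
    poam_closed: bool = False              # a POA&M item for this control was closed this cycle
    changed: bool = False                  # changed, but not a major change needing a new C&A
    continuously_monitored: bool = False   # ongoing activity (IDS, log review, training, ...)
    last_tested: Optional[date] = None     # None = never tested


def days_since_test(control: Control, today: date) -> Optional[int]:
    """Days since the last assessment, or None if the control was never tested."""
    if control.last_tested is None:
        return None
    return (today - control.last_tested).days


def plan_annual_testing(controls: List[Control], today: date,
                        max_age_days: int = 365) -> Dict[str, List[str]]:
    """Sort controls into the review tiers the chapter describes.

    newly_closed_poam     - validate controls whose POA&M items were closed
    changed_no_new_ca     - test controls changed without a new C&A
    covered_by_monitoring - continuous-monitoring activity counts as annual testing
    remaining_due         - not tested within max_age_days (or never), ordered by
                            risk, importance, then staleness
    remaining_deferrable  - tested recently; further testing is a risk decision
    A control matching several tiers lands in the first one that applies.
    """
    plan: Dict[str, List[str]] = {
        "newly_closed_poam": [], "changed_no_new_ca": [], "covered_by_monitoring": [],
        "remaining_due": [], "remaining_deferrable": [],
    }
    leftovers: List[Control] = []
    for c in controls:
        if c.poam_closed:
            plan["newly_closed_poam"].append(c.control_id)
        elif c.changed:
            plan["changed_no_new_ca"].append(c.control_id)
        elif c.continuously_monitored:
            plan["covered_by_monitoring"].append(c.control_id)
        else:
            leftovers.append(c)

    def rank(c: Control):
        age = days_since_test(c, today)
        # Never-tested controls are treated as infinitely stale, so they sort ahead
        # of any tested control with the same risk and importance.
        staleness = float("inf") if age is None else age
        return (RISK_RANK[c.risk], c.importance, -staleness)

    for c in sorted(leftovers, key=rank):
        age = days_since_test(c, today)
        tier = "remaining_due" if age is None or age > max_age_days else "remaining_deferrable"
        plan[tier].append(c.control_id)
    return plan


def sample_controls() -> List[Control]:
    """Constructed sample records; identifiers are illustrative only."""
    return [
        Control("AC-2", "Account management", "high", 1, poam_closed=True),
        Control("CM-6", "Configuration settings", "moderate", changed=True),
        Control("SI-4", "Intrusion detection monitoring", "high", continuously_monitored=True),
        Control("AU-6", "Log file review", "moderate", continuously_monitored=True),
        Control("AT-2", "Ongoing security training", "low", continuously_monitored=True),
        Control("IA-5", "Authenticator management", "high", 1, last_tested=date(2022, 6, 1)),
        Control("PE-3", "Physical access control", "moderate", 2),            # never tested
        Control("MP-2", "Media access", "low", 3, last_tested=date(2024, 3, 1)),
        Control("CP-9", "System backup", "high", 2, last_tested=date(2024, 1, 1)),
    ]


if __name__ == "__main__":
    for tier, ids in plan_annual_testing(sample_controls(), date(2024, 6, 1)).items():
        print(f"{tier:22s} {', '.join(ids) or '-'}")
```

Run as-is to see the tiers for the sample records; in practice the control list would be read from the system security plan and POA&M rather than constructed inline. The ordering within `remaining_due` is what an assessor would use to decide which of the untested controls get attention first when the year's testing budget is limited.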