Q/C&A Qualified/Certification & Accreditation
This class is CNSS 4011, 4012, 4015 and 4016A approved
ONE class for the above four approved certificates

Need your Navy System Certifier and Validator Certificate? Want the MOST ADVANCED Risk Analyst Certificate available? Get 4016A Certified

If you are looking for GREAT Information Assurance Cybersecurity Training, you have found the right site. 

SU is focused on providing DoD and Federal organizations the training needed to perform in the roles of ISSM (IAM), ISSO (IAO), System Administrator (SA) and Certifier (validator) agent. We base our efforts on satisfying PL 100-235, OMB A-130, DCID 6-3, the NIST 800 series, and the DoD 8500 series, which states that "IA awareness, training and education must be provided to all military and civilian personnel, including contractors, commensurate with their respective responsibilities for developing, using, operating, administering, maintaining, and retiring DoD information systems".

The Information Assurance Courseware Evaluation (IACE) Program, under the auspices of the National IA Education and Training Program, has certified that our courseware meets all of the elements of the Committee on National Security Systems (CNSS) National Training Standards.

The IACE Program provides consistency in training and education for the information assurance skills that are critical to our nation, and SU is pleased to be one of the few companies that can provide this needed training at the 4011, 4012, 4015 and 4016A ("A" for Advanced) level.

Security University has been designated as a "FULLY QUALIFIED NAVY CORPORATE CERTIFICATION AGENT"

Q/C&A: This 5-day session meets the objectives of the CNSS-4012 Senior System Manager (SSM), CNSS-4015 System Certifier and CNSS-4016 Risk Analyst certificate courses and is specifically designed to consolidate all SSM, System Certifier and Risk Analyst knowledge requirements into a single, comprehensive curriculum. This course provides 5 (five) days of intense, highly concentrated, non-technical professional training necessary to achieve the in-depth knowledge, skills, and abilities needed to enforce Information Assurance and Cybersecurity requirements, apply Information System Security (INFOSEC) methodologies and facilitate certification and accreditation (C&A) activities.

Additionally, this course addresses professional and functional requirements necessary for System Managers and System Certifiers and to identify specific assurance levels and evaluate risk impact thresholds in meeting applicable security policies, standards and requirements to ensure that accrediting authorities have the information necessary to make an objective accreditation determination based on an acceptable level of risk. This course focuses on analyzing, evaluating, and assessing, information system security policies, processes and procedures necessary to ensure a comprehensive multi-disciplined assessment of technical and non-technical security features and associated safeguards.

Lastly, this is a fully certified CNSS-4016 Risk Analyst course that provides four days of intense, highly concentrated training necessary to achieve the fundamental knowledge, skills and abilities needed to analyze, assess, control, determine, mitigate and manage risk within a federal management and acquisition framework or within federal interest computer systems that store, process, display or transmit classified or sensitive information (e.g. Personally Identifiable Information (PII), Electronically Protected Health Information (ePHI)/Individually Identifiable Health Information (IIHI), etc.). It addresses the specific knowledge factors and functional requirements established for Entry, Intermediate and ADVANCED Level Risk Analysts. Specific focus is directed on identifying, implementing and integrating management, acquisition and administrative risk methodologies for securing critical and sensitive information infrastructures and establishing standards necessary to help protect the confidentiality, maintain the integrity and ensure the availability of critical organizational computing resources. Download SU's class schedule now!

Note: This class can be easily tailored to meet the certification and accreditation needs of any organization.

Class Fee: $2,995*
Time: 8:30am - 5pm
Location: Click here to view the class schedule
Learning Level: Beginner to experienced
CPE Credits: 40
Prerequisites: Contractors, government and military personnel who work on government information systems, or who have won a contract award to service military information systems.
Download the 2012 SU Roadmap

We're here to help!
CALL NOW 877-357-7744

Who Should Attend

DoD Information Security and IT managers; Information Assurance Officers and Managers; Information Security Analysts, Consultants and Contractors; Security and Certification Officials responsible for developing C&A packages.

This course is designed for individuals who are responsible for meeting the Federal Information Security Management Act (FISMA) requirements for their agency.

What You Will Learn

  • Information System Security Administration, Management, Program Implementation and Documenting Mission Needs.
  • Analyzing, Assessing, Measuring, Managing and Mitigating Information System Threats, Vulnerabilities and Associated Risks.
  • Legal Issues, Intrusion Forensics and Incident Response as well as Intrusion Prevention, Detection, Response, Recovery and Reporting.
  • Physical, System, Data Access Control.
  • Life-Cycle Security and Life-Cycle Management in Defending the Information Environment (Information Operations).
  • Configuration Management, Consequence Management, Contingency and Disaster Recovery Planning (Business Continuity Planning (BCP)).
  • Certification, Evaluation and Network Security Certification and Accreditation (C&A).
  • System Certification Requirements including Policies, Processes, Procedures and Protocols.
  • Fundamentals of Threat/Vulnerability Analysis and Risk Management
  • Countermeasure IS and Assessment
  • Certification and Accreditation of Systems
  • Testing and Evaluation

Preparing for C&A

The outcome of the C&A process is to put together a collection of documents that describe the security posture of the systems, an evaluation of the risks, and recommendations for correcting deficiencies. It is what's known as a Certification Package.

A typical Certification Package usually consists of a minimum of half a dozen documents, though more documentation may be required if the systems contain classified information or highly sensitive data. Each agency is responsible for defining their own C&A process and it must be well-documented in the form of a C&A Handbook. The C&A Handbook is based on one of the three well-known methodologies (NIST, DITSCAP, or NIACAP) with various customizations that are unique for each particular agency. Preparing the C&A package is sometimes referred to as a C&A Review.

Once a Certification Package has been prepared, Mission Assurance auditors review the package and then decide whether or not the systems should be accredited according to the proposed recommendation. All federal agencies must obtain an Authority to Operate (ATO) before their systems can be legitimately and legally used for production purposes.

If the Certification Package does not appear to contain the right information, or if the information reported in the package is considered unacceptable (for example, if unacceptable risks are cited with inappropriate safeguards to mitigate them), the agency may be given an Interim Authority to Operate (IATO), which allows it to operate its systems, usually for three months, while it corrects the deficiencies.

In preparing a C&A package, the documents that are typically required (according to the NIST methodology) include the following:

  • System Categorization Statement
  • System Description with System Boundaries Noted
  • Network Diagram and Data Flows
  • Software and Hardware Inventory
  • Business Risk Assessment
  • System Risk Assessment
  • Contingency Plan
  • Self-Assessment
  • System Security Plan

Depending on the requirements of the particular agency, other documents or variations of these particular documents may also be required. NIST publishes an excellent collection of documents that provide guidance for the C&A review and explain what sort of information should be reported in each of the required documents.

Levels of Certification and Starting the Review

There are typically four levels of accreditation for a system. At the beginning of a C&A project, the C&A review team makes a decision on the appropriate accreditation level that it is going to seek, and drafts a memorandum that justifies this decision. The four levels of accreditation are tightly mapped to the sensitivity of the systems being certified, and the severity of the impact that a disaster would have on the systems or information. How to categorize the software and hardware assets appropriately is described in the following documents:

Business Needs / Course Goals for C&A
Understanding Roles & Responsibilities
Phases 1-4 of C&A
Phases 1-9 of RA
Classification of System
Understanding Legislation
FISMA, SOX 404, HIPAA
Understanding C&A in Lifecycle
Development phase to RA and C&A
Identifying Risk Assessment in C&A
Boundary Accreditation in a system environment
Identifying a system boundary
Accreditation Decision Model
Communicate what transpires in delivering a decision; IATO, Full Accreditation, Do Not Accredit
FISMA Scorecard
Positive and negative impacts
17 Baseline Management, Operational, & Technical Policies
Understanding policy source, relationships, procedures, controls, and testing

Guide for Developing Security Plans (NIST SP800-18)
System Analysis
System Boundaries
Information sensitivity
System Category
Major Applications
General Support System
Plan Development – All Systems
Plan Control
System Identification and sensitivity level
System Operational Status
General Description/Purpose
System Environment
System Interconnection/Information Sharing
Sensitivity of Information Handled
Laws, Regulations, and Policies Affecting the System requirements for confidentiality, integrity, or availability
Management Controls
Operational Controls
Documentation (MA Example)
Vendor-supplied documentation of hardware
Vendor-supplied documentation of software
Application requirements
Application security plan
General support system(s) security plan(s)
Application program documentation and specifications
Testing procedures and results
Standard operating procedures
Emergency procedures
Contingency plans
Memoranda of understanding with interfacing systems
Disaster recovery plans
User rules of behavior
User manuals
Risk assessment
Backup procedures
Authorize processing documents and statement
Technical Controls
Major Application Template
General Support System Template

Standards for Security Categorization (FIPS 199)

Determine National Security System Classification using NIST SP 800-59
Security Category for Confidentiality, Integrity, and Availability for:
Low Impact
Moderate Impact
High Impact

Selection and Specification of Security Controls (NIST 800-53) -> (FIPS 200)
Management Controls
PL-1: Security Planning Policy and Procedures (82)
RA-1: Risk Assessment Policy and Procedures (87)
SA-1: System and Services Acquisition Policy and Procedures (89)
CA-1: Certification, Accreditation, and Security Assessments Policy and Procedures (54)
Operational Controls
AT-1: Security Awareness and Training Policy and Procedures (48)
CM-1: Configuration Management Policy and Procedures (57)
CP-1: Contingency Planning Policy and Procedures (60)
MP-1: Media Protection Policy and Procedures (73)
PE-1: Physical and Environmental Protection Policy and Procedures (76)
SI-1: System and Information Integrity Policy and Procedures (100)
IR-1: Incident Response Policy and Procedures (68)
MA-1: System Maintenance Policy and Procedures (70)
PS-1: Personnel Security Policy and Procedures (84)
Technical Controls
AC-1: Access Control Policy and Procedures (40)
AU-1: Auditing and Accountability Policy and Procedures (50)
IA-1: Identification and Authentication Policy and Procedures (65)
SC-1: System and Communications Protection Policy and Procedures (93)

Risk Assessment and Management Process (NIST SP800-30)
Risk Assessment Program and Methodology
Key Roles
Senior Management.
Chief Information Officer (CIO).
System and Information Owners.
Business and Functional Managers.
ISSO. IT security program managers
IT Security Practitioners.
Security Awareness Trainers (Security/Subject Matter Professionals)
Assessment Tools
Vulnerability Scanning
Scanning & Enumeration
War Dialing
Wireless
Privilege Escalation and Back Door
Network Analyzers (sniffers)
File Integrity Checkers
Password Crackers
Risk Analysis & Reporting Tools
C&A Reporting Tools
Risk Assessment
Step 1 System Characterization – Operational and Processing Environment
Step 2 Vulnerability Identification
Step 3 Threat Identification
Step 4 Operational, Technical, and Management Control Analysis
Step 5 Threat Likelihood Determination
Step 6 Impact and Loss of Confidentiality, Integrity, and Availability Analysis
Step 7 Risk Determination
Step 8 Control Recommendations
Step 9 Results Documentation – Report recommendations and documentation
Risk Mitigation
Evaluation and Assessment

Guide for Mapping Types of Information and Information Systems to Security Objectives and Risk Levels (NIST SP 800-60)
Security Categorization of Information and Information Systems
Security Categories and Objectives (Contents from FIPS 199)
Impact Assessment (Contents from FIPS 199)
Assignment of Impact Levels and Security Categorization
Mapping Information Types to Security Controls and Impact Levels
Information Type Identification
Selection of Provisional Impact Levels
Review and Adjustment and Finalization of Information Impact Levels
Guidelines for System Security Categorization
Guidelines for Assignment of Impact Levels to Mission-based Information
Impact levels by type for the management and support information
Management and Support Information and Information System Impact Levels
Rationale and Factors for Services Delivery Support Information
Rationale and Factors for Government Resource Management Information
Impact Determination for Mission-based Information and Information Systems
Legislative and Executive Sources establishing Sensitivity/criticality
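The FIPS 199 and SP 800-60 steps outlined above (provisional impact levels per information type, documented adjustment, then the system-level high-water mark that FIPS 200 uses to pick the SP 800-53 baseline), worked as code. This is an added example, not course material from Security University; the `InfoType` class, the information types and their impact levels are constructed sample values.

```python
"""FIPS 199 / SP 800-60 security categorization as code (added example)."""
from dataclasses import dataclass, field

# FIPS 199 impact values, ordered so the high-water mark is a max().
# "NA" is permitted only for the confidentiality of public information.
LEVELS = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass
class InfoType:
    """One information type with its SP 800-60 provisional impact levels."""
    name: str
    provisional: dict                                 # objective -> level
    adjustments: dict = field(default_factory=dict)   # objective -> (level, rationale)

    def final_levels(self) -> dict:
        """SP 800-60: review/adjust the provisional levels; each change needs a rationale."""
        levels = dict(self.provisional)
        for obj, (level, rationale) in self.adjustments.items():
            if obj not in OBJECTIVES or level not in LEVELS:
                raise ValueError(f"bad adjustment {obj}={level} on {self.name}")
            if level == "NA" and obj != "confidentiality":
                raise ValueError("NA is only allowed for confidentiality (FIPS 199)")
            if not rationale:
                raise ValueError("every adjustment must be documented")
            levels[obj] = level
        return levels


def system_security_category(info_types) -> dict:
    """FIPS 199 high-water mark: per objective, the max over all information types."""
    if not info_types:
        raise ValueError("a system with no information types cannot be categorized")
    category = {}
    for obj in OBJECTIVES:
        best = max((it.final_levels()[obj] for it in info_types), key=LEVELS.__getitem__)
        # NA applies to information, never to a system: the system floor is LOW.
        category[obj] = "LOW" if best == "NA" else best
    return category


def overall_impact_level(category: dict) -> str:
    """FIPS 200: the highest of the three objectives selects the SP 800-53 baseline."""
    return max(category.values(), key=LEVELS.__getitem__)


# Constructed sample: public web content plus personnel records on one system.
SAMPLE_TYPES = [
    InfoType("public web content",
             {"confidentiality": "NA", "integrity": "LOW", "availability": "LOW"}),
    InfoType("personnel records (PII)",
             {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
             adjustments={"availability": ("MODERATE", "payroll deadlines make it time-critical")}),
]
```

For the sample system `system_security_category(SAMPLE_TYPES)` returns MODERATE for all three objectives, so the overall impact level is MODERATE even though the public content alone would categorize as LOW.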

NIST Certification and Accreditation Process (NIST SP800-37)
NIST SP800-37 C&A Process Overview
Defining the Accreditation Package
C&A Process Phases
Initiation Phase
Security Certification Phase
Security Accreditation Phase
Continuous Monitoring Phase
Security Certification Package
Updated System Security Plan
Completed Security Risk Assessment
Updated Configuration Management Plan
Contingency Management Plans
Security Test & Evaluation Report
User Manual w/ SFUG
Interconnection Security Agreements
Memorandums of Agreement
Completed Privacy Impact Assessment
Federal Register System of Record Notice
Plan of Action and Milestones (POAM)
Security Accreditation Package
Security Assessment Report
Security Accreditation Decision Letter
System Security Plan
Plan of Action & Milestones (POAM)
Initiation Phase
Preparation
1-1 System Description (ISO, ISSO)
1-2 Security Categorization Verification (ISO, ISSO)
1-3 Risk Assessment Review (ISO, ISSO)
Notification & Resource Identification
2-1 Notification of C&A Support (ISO, ISSO)
2-2 Planning & Resource Identification (CA)
Security Program Documentation Analysis, Update & Acceptance
3-1 Security Categorization Validation (CA)
3-2 Security Program Documentation Analysis (CA)
3-3 Security Program Documentation Update (ISO, ISSO)
3-4 Acceptance of Security Program Documentation (ISO, ISSO)
Security Certification Phase

Security Control Verification & Validation
4-1 Documentation & Supporting Materials
4-2 Reuse of Assessment Results
4-3 C&A Methods & Procedures
4-4 C&A Security Assessment
4-5 Prepare Final Assessment Report
Security Certification Documentation
5-1 Certification Findings & Recommendations
5-2 Security Documentation Update
5-3 Plan of Action & Milestone Preparation
5-4 Security Accreditation Package
Security Accreditation Phase
Security Accreditation Decision
6-1 Final Risk Determination
6-2 Residual Risk Acceptance
Security Accreditation Documentation
7-1 Security Accreditation Package Transmission
7-2 C&A Documents and Plans Update
Continuous Monitoring Phase
Configuration & Change Management Control
8-1 Documentation of Information System Changes
8-2 Security Impact Analysis
Ongoing Security Control Monitoring
9-1 Security Control Selection
9-2 Security Control Monitoring
Status Reporting and Updating Security Program Documentation
10-1 Security Program Documentation Update
Status Reporting
NIST SP800-37 C&A Process Summary

The most sensitive systems, those that have lives depending on them, typically seek accreditation at the highest level, Level 4. Systems that are not sensitive seek accreditation at the lowest level, Level 1. Moderately sensitive systems typically undergo a Level 2 or Level 3 C&A review.

It is important to understand the appropriate level of accreditation required for the systems undergoing the C&A review, as the auditors will not accredit a system that has been incorrectly categorized. However, it is up to the system owners to understand the levels of certification and their implications. Differing amounts of information are required in the documentation that must be provided to the Mission Assurance auditors, depending on the level of accreditation that is sought. Determining the appropriate level of certification and accreditation to seek is the first step in getting your C&A project off the ground.


Prerequisites
Basic computer literacy.

*Class fees are subject to change

Copyright © 2012 Security University, Inc. All rights reserved.