NIST 800-37 Certification & Accreditation Process

NIST 800-37 Risk Management & Certification and Accreditation Tasks

The diagram lays the ten NIST 800-37 tasks out in three Primary Responsibility columns (System Owner, Authorizing Official, Certification Agent), with the SDLC phase in which each task is performed and the NIST 800-37 phase (Initiation, Certification, Accreditation, Monitoring) to which it belongs. The tasks, in NIST 800-37 phase and task order:

Phase 1 – Task 1: Prepare Documentation
SDLC phase: Initiation (Phase 1)
NIST 800-37 phase: Initiation
1. Describe the System
2. Categorize its C.I.A.
3. Identify Threats to it
4. Identify its Vulnerabilities
5. Identify In-Place and Planned Security Controls
6. Determine its Initial Risks

Phase 1 – Task 2: Notify Officials & Identify Resources
SDLC phase: Planning (Phase 3)
NIST 800-37 phase: Initiation
1. Notify Program Officials
2. Identify Resources Needed and Plan Execution of Activities

Phase 1 – Task 3: Analyze, Update & Accept System Security Plan
SDLC phase: Multiple Phases (Phases 4-6)
NIST 800-37 phase: Initiation
1. Review Security C.I.A. Categorizations
2. Analyze Security Plan
3. Update Security Plan
4. Obtain Authorizing Official Acceptance of Security Plan

Phase 2 – Task 4: Assess & Evaluate Security Controls
SDLC phase: Integration & Test (Phase 7)
NIST 800-37 phase: Certification
1. Prepare Documentation & Supporting Materials
2. Review Methods and Test Procedures
3. Assess & Evaluate In-Place Security Controls
4. Report Security Assessment Results

Phase 2 – Task 5: Document Security Certification
SDLC phase: Integration & Test (Phase 7)
NIST 800-37 phase: Certification
1. Provide Findings and Recommendations
2. Update Security Plan
3. Prepare Plan of Action & Milestones
4. Assemble Accreditation Package

Phase 3 – Task 6: Make Security Accreditation Decision
SDLC phase: Integration & Test (Phase 7)
NIST 800-37 phase: Accreditation
1. Determine Final Risk Levels
2. Accept Residual Risk

Phase 3 – Task 7: Document Security Accreditation
SDLC phase: Integration & Test (Phase 7)
NIST 800-37 phase: Accreditation
1. Transmit Security Accreditation Package
2. Update Security Plan

Phase 4 – Task 8: Manage & Control Configuration
SDLC phase: O&M (Phase 9)
NIST 800-37 phase: Monitoring
1. Document System Changes
2. Analyze Security Impacts

Phase 4 – Task 9: Monitor Security Controls
SDLC phase: O&M (Phase 9)
NIST 800-37 phase: Monitoring
1. Select In-Place Security Controls
2. Assess Selected Security Controls

Phase 4 – Task 10: Report & Document Status
SDLC phase: O&M (Phase 9)
NIST 800-37 phase: Monitoring
1. Update Security Plan
2. Update Plan of Action & Milestones
3. Report Status

Presented By Dr. Tim McGuinness www.RegulatoryPro.us
