
US Department of Defense Information Assurance: Achieving Successful DITSCAP with eZ publish as a Platform

Sunday 19 November 2006 8:23:00 am


Risk analysis and assessment

The information from the certifier interview, the SSAA, and the results of the vulnerability scan are used to conduct a security risk analysis on the system. The outcome of the analysis is a risk assessment report. These items become part of the certification and accreditation package.

The certification and accreditation package is forwarded to the designated approving authority and is used to decide whether or not the system operates with a low enough security risk to be granted an Authority to Operate.

To manage security risks, it is advisable to have a risk management plan that includes strategies and techniques that you can use to mitigate any security risks that are discovered during the risk assessment.

Certification package

A certification package typically consists of at least six documents; more may be required if the system contains classified information or highly sensitive data. The package is a collection of documents that describes the security posture of the system, evaluates the risks, and recommends corrections for any deficiencies.

Once a certification package has been prepared, appropriate auditors review the package and then make decisions on whether or not the system should be accredited according to the proposed recommendation. All DOD agencies must obtain an Authority to Operate (ATO) before their system can be used for production purposes.

If the certification package does not contain the right information, or if the information it reports is considered unacceptable (for example, if it cites unacceptable risks with insufficient safeguards to mitigate them), the agency may instead be granted an Interim Authority to Operate (IATO), which allows it to operate the system for a limited period (usually three months) while the deficiencies are corrected.

DASN (ACQ) One Source received their ATO on August 14, 2006.
