C&A
Overview
Certification and Accreditation Methodology
Integral Business Solutions uses a methodology framework to assess infrastructure and application environments, based on a blend of standards including ISO 17799, FISMA and NIST. The areas Integral Business Solutions reviews depend on the confidentiality level of the data being handled, the applicable regulatory requirements, and the exposure of the applications to their users.
Integral Business Solutions takes care to align governmental regulations with implementation of security best practices through our assessment methodology, which blends applicable elements of NIST, COBIT, FISMA, and ISO 17799.
The following diagram explains Integral's approach and methodology for a C&A process. Integral uses the methodology to:
- Successfully deploy DoD DITSCAP/DIACAP assessments and programs
- Create certification packages and prepare for accreditation
- Deploy FISMA certification frameworks
- Provide customized and repeatable processes
- Provide automation tools
- Integral has developed, and continues to develop, various automation tools to reduce repetitive effort, turnaround times, and recurring costs.

DITSCAP / DIACAP
Integral Business Solutions has extensive experience working with DoD customers to generate DITSCAP C&A packages and to run DIACAP processes in support of Authority to Operate certification for their systems.
Our DIACAP Capabilities
1. Assist in registering the system in EITDR.
2. Through interviews with system stakeholders, determine the confidentiality level and Mission Assurance Level (MAC).
3. Determine which IA controls apply to the system.
4. Assist in identifying the DIACAP team members.
5. Create and manage the DIACAP implementation plan for the assigned IA controls.
- Determine the implementation status of controls.
- Help identify the responsible parties for the control subject areas.
- Help define the resources needed to implement controls.
- Help determine realistic completion dates for implementation of the controls.
6. Conduct validation (testing) of assigned IA controls with the direct assistance of team members (System administrator, configuration manager, information system owner, etc.).
7. Assist in refining documentation that will serve as C&A artifacts (see documentation list below in Questions for Client, number 5).
8. Create Plan of Action and Milestones (POA&M).
9. Compile DIACAP scorecard.
10. Assist in the submission of the C&A package for certification and accreditation decisions.
11. Assist in the maintenance of C&A:
- Conduct annual reviews of IA controls
- Create POA&M when required
- Guide the creation of the Annual Security Review Meeting