CA-06 Security Accreditation
Security Assessment and Authorization
Description
The organization authorizes (i.e., accredits) the information system for processing before operations and updates the authorization [Assignment: organization-defined frequency, at least every three years] or when there is a significant change to the system. A senior organizational official signs and approves the security accreditation.\n
Supplemental Guidance
OMB Circular A-130, Appendix III, establishes policy for security accreditations of federal information systems. The organization assesses the security controls employed within the information system before and in support of the security accreditation. Security assessments conducted in support of security accreditations are called security certifications. The security accreditation of an information system is not a static process. Through the employment of a comprehensive continuous monitoring process (the fourth and final phase of the certification and accreditation process), the critical information contained in the accreditation package (i.e., the system security plan, the security assessment report, and the plan of action and milestones) is updated on an ongoing basis providing the authorizing official and the information system owner with an up-to-date status of the security state of the information system. To reduce the administrative burden of the three-year reaccreditation process, the authorizing official uses the results of the ongoing continuous monitoring process to the maximum extent possible as the basis for rendering a reaccreditation decision. NIST Special Publication 800-37 provides guidance on the security certification and accreditation of information systems. Related security controls: CA-2, CA-4, CA-7.\n
Changes from Rev 4
Title changed from 'Security Authorization' Adds assigning a senior official as the authorizing official for common controls available for inheritance by organizational systems Amplifies what the authorizing official for the system must ensure before commencing operations, accepting the use of common controls inherited by the system; and authorizing the system to operate Adds the authorizing official for common controls must authorize use of those controls for inheritance by organizational systems
Enhancements
(0) None.\n