Feeds

•  Posts RSS
•  Comments RSS
• Subscribe via Email

Phone-Readable

Recent Comments

• Darren Couch on DHS is Looking for a CISO
• MMO Tag on Training for the Zombie Pandemic
• Sam Bowne on The Rise of the Slow Denial of Service
• jg on Apache Killer Effects on Target
• Apache Killer Effects on Target | The Guerilla CISO on The Rise of the Slow Denial of Service

What’s Hot

Tags

Categories

• Army (24)
• BSOFH (15)
• Cyberwar (7)
• DDoS (7)
• Diary of a Startup (3)
• DISA (9)
• FISMA (148)
• Flyfish (20)
• Hack the Planet (28)
• IKANHAZFIZMA (79)
• ISM-Community (15)
• NIST (93)
• Odds-n-Sods (117)
• Outsourcing (32)
• Public Policy (35)
• Rants (108)
• Risk Management (75)
• Speaking (32)
• Technical (93)
• The Guerilla CISO (80)
• Uncategorized (6)
• What Doesn't Work (87)
• What Works (112)
• Zombies (44)

Blogroll

• Amrit Williams
• Ascension Blog
• BackTrack
• Backwater Angler
• Chateau Blogsville
• Chris Hoff
• Cypher Punk Reading List
• Emergent Chaos
• Gunnar Peterson
• How Is That Assurance Evidence
• InfoSecAlways
• ISM-Community
• ISM-Community Blogs
• ISM-Community Combined Feed
• Jack Whitsitt
• Layer 8
• LOLFED
• Martin McKeay
• My Linux Blog
• NoVa InfoSec Portal
• Rich Smith
• Riskanalys.is
• Rob Newby
• Security Buddha
• Securosis
• Technology Liberation Front
• The New School of Information Security
• The Ninja CISO
• This is Fly
• TSSCI Security

Archives

• October 2012
• May 2012
• December 2011
• November 2011
• September 2011
• August 2011
• April 2011
• February 2011
• January 2011
• December 2010
• November 2010
• October 2010
• September 2010
• August 2010
• July 2010
• June 2010
• May 2010
• April 2010
• March 2010
• February 2010
• January 2010
• December 2009
• November 2009
• October 2009
• September 2009
• August 2009
• July 2009
• June 2009
• May 2009
• April 2009
• March 2009
• February 2009
• January 2009
• December 2008
• November 2008
• October 2008
• September 2008
• August 2008
• July 2008
• June 2008
• May 2008
• April 2008
• March 2008
• February 2008
• January 2008
• December 2007
• November 2007
• October 2007
• September 2007
• August 2007
• July 2007
• June 2007
• May 2007
• April 2007
• March 2007
• February 2007

Blog under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License

The Accreditation Decision and the Authorizing Official

Posted February 10th, 2009 by rybolov

The accreditation decision is one of the most key activities in how the US Government secures its systems. It’s also one of the most misunderstood activities. This slideshow aims to explain the role of the Authorizing Official and to give you some understanding into why and how accreditation decisions are made.

I would like to give a big thanks to Joe Faraone and Graydon McKee who helped out.

The presentation is licensed under Creative Commons, so feel free to download it, email it, and use it in your own training.

The Authorizing Official And The Accreditation Decision

View more presentations from Michael Smith. (tags: c&a certification)

Similar Posts:

• Your Friendly Neighborhood C&A Podcast Panel
• Certification and Accreditation Seminar, March 30th and 31st
• Building A Modern Security Policy For Social Media and Government
• DojoCon 2009 Presentation
• Massively Scaled Security Solutions for Massively Scaled IT

Posted in FISMA, NIST, Risk Management, Speaking | 5 Comments »
Tags: 800-37 • accreditation • C&A • certification • compliance • fisma • government • infosec • management • NIST • omb • risk • security • speaking

5 Responses

1.  Ascension Blog » Attention Government Authorizing Officials Says:
   February 11th, 2009 at 11:11 am

   […] Smith over on the Guerilla CISO blog has just posted a presentation entitled The Accreditation Decision and the Authorizing Official.  This is an update of a slide deck that Mike, Joe Faraone, and I have been using in our Potomac […]

2.  Chris Burton Says:
   February 13th, 2009 at 1:09 pm

   I found the slides to be very good, I especially liked the scenarios.

   I will be making changes to some of the semantics. Where it says that a certifier is finding risks, they in fact don’t. They discover findings. Those findings could be policy violations, evidence of policy violations or general system architecture weaknesses.

   For instance, when I was a certification agent I did not list out all the patches they did not have installed. This is evidence that a patch management program is ineffective (depending on the date that a patch was released and that the SSP says that it is an implemented control).

   The assignment of risk would be left up to the system owner, the certifier (a role that is disappearing in 800-37 Rev 1) or the AO. They would do this by going through an 800-30 exercise. They would start with the security assessment findings and then assign likelihood and impact ratings. This is also presuming that there is even a threat vector.

   Let me know if you had a different interpretation or if I missed something.

3.  rybolov Says:
   February 14th, 2009 at 1:06 pm

   @Chris\ Burton

   I agree with you, but I’m looking through the slides and I can’t figure out where I said or implied that the certifier identifies risk.

   I did use the term “assessment of risk” which is spot-on but can be misunderstood. =)

   So yes, you’re right.

4.  Ascension Blog » Security Catalyst Podcast Says:
   February 17th, 2009 at 11:41 am

   […] and contributor to the Guerilla CISO).  Mike, Joe and I worked on a presentation entitled The Authorizing Official and the Accreditation Decision which addressed these topics as a stage of Certification and Accreditation, a process that the […]

5.  Chris Burton Says:
   February 18th, 2009 at 12:11 pm

   I am going to go through it (again!), and send you the track changes.

Leave a Comment