Provided by: Security University

QCA Qualified Certification Accreditation

Training, Instruction and Documentation

This 5-day session meets the objectives stated by DoD 8500.1 and 8500.2, where government agencies are being held accountable to ensure the protection of their information & information systems. In order to meet the requirements of these important laws & mandates, agencies must take necessary steps to implement key information security standards. Attend this program to gain the management skills & standards necessary to meet the requirements of these mandates.

This course is designed for individuals who are responsible for meeting the Federal Information Security Management Act (FISMA) requirements for their agency.

Upon successful completion of the Qualified Certification & Accreditation training class, each attendee will be able to:

  • Understand the guidelines presented in and documentation required by the DIACAP, NIACAP, FISMA & NIST C&A.
  • Describe the process of identifying/defining an information system for the purpose of C&A.
  • Appreciate how compliance with the government's C&A process standards is beneficial to an organization's short- and long-term information assurance strategy.
  • Complete a certification and accreditation effort.

This is primarily ILT training.
Contact Security University for more information
Course Level: basic through advanced
Duration: 5 days
Training Presented in: English

QCA Qualified Certification Accreditation

The outcome of the C&A process is a collection of documents that describe the security posture of the systems, an evaluation of the risks, and recommendations for correcting deficiencies. This collection is known as a Certification Package.

A typical Certification Package usually consists of a minimum of half a dozen documents, though more documentation may be required if the systems contain classified information or highly sensitive data. Each agency is responsible for defining its own C&A process, which must be well documented in the form of a C&A Handbook. The C&A Handbook is based on one of the three well-known methodologies (NIST, DITSCAP, or NIACAP) with various customizations that are unique to each particular agency. Preparing the C&A package is sometimes referred to as a C&A Review.

Once a Certification Package has been prepared, Mission Assurance auditors review the package and then decide whether or not the systems should be accredited according to the proposed recommendation. All federal agencies must obtain an Authority to Operate (ATO) before their systems can be legitimately and legally used for production purposes.

If the Certification Package does not appear to contain the right information, or if the information reported in the package is considered unacceptable (for example, if there are unacceptable risks cited with inappropriate safeguards to mitigate the risks), the agency may be given an Interim Authority to Operate (IATO), which allows it to operate its systems, usually for three months, while it corrects its deficiencies.

In preparing a C&A package, the documents that are typically required (according to the NIST methodology) include the following:

  • System Categorization Statement
  • System Description with System Boundaries Noted
  • Network Diagram and Data Flows
  • Software and Hardware Inventory
  • Business Risk Assessment
  • System Risk Assessment
  • Contingency Plan
  • Self-Assessment
  • System Security Plan

Depending on the requirements of the particular agency, other documents or variations of these particular documents may also be required. NIST publishes an excellent collection of documents that provide guidance for the C&A review and explain what sort of information should be reported in each of the required documents.

About The Training Provider: Security University
Security University is the leading provider of Q/ISP Qualified Information Security Professional - the only Tactical Hands-on Security Skills Certifications for IT Security Professionals in the world. Get 8570 & CND certified to validate your tactical security testing, analyst & penetration tester, and forensics skills. All classes CPE & GI BILL approved. SU is a Microsoft SDL Pro Partner. ...