NIST 800-37 Process Diagram

Census Certification and Accreditation Tasks

Phase 1 – Task 1 (Initiation): Update / Prepare Documentation
1. Categorize system C.I.A. (FIPS-199)
2. Complete/update system Risk Assessment (800-30)
3. Complete/update SSP (800-18)
4. Complete/update system Self Assessment (800-26)
5. Complete/update system Contingency Plan (800-34)

Phase 1 – Task 2 (Initiation): Notify Officials & Identify Resources
1. Notify Authorizing Official, CIO, Certification Agent
2. Identify Resources Needed

Phase 1 – Task 3 (Initiation): Analyze, Update & Accept System Security Plan
1. Review Security C.I.A. Categorizations
2. Analyze Security Plan
3. Update Security Plan
4. Request Certification and Accreditation from Certification Agent

Phase 2 – Task 4 (Certification): Assess & Evaluate Security Controls
1. Acceptance of system C&A package by Certification Agent
2. Prepare Documentation & Supporting Materials
3. Review Methods and Test Procedures
4. Assess & Evaluate In-Place Security Controls
5. Report Security Assessment Results

Phase 2 – Task 5 (Certification): Document Security Certification
1. Provide Findings and Recommendations
2. Certify system
3. Recommend Accreditation

Phase 2 – Task 6 (Certification): Changes, Actions Required?
1. Update package updates
2. Prepare Plan of Action & Milestones
3. Assemble Accreditation Package
4. Submit package for Accreditation




Phase 3 – Task 7 (Accreditation): Make Security Accreditation Decision
1. Determine Final Risk Levels
2. Accept Residual Risk

Phase 3 – Task 8 (Accreditation): Document Security Accreditation
1. Sign and Transmit Security Accreditation Package

Phase 4 – Task 9 (Monitoring): Manage & Control Configuration
1. Update System Security Plan to reflect accreditation status
2. Document System Changes
3. Analyze Security Impacts

Phase 4 – Task 10 (Monitoring): Monitor Security Controls
1. Select In-Place Security Controls
2. Assess Selected Security Controls

Phase 4 – Task 11 (Monitoring): Report & Document Status
1. Update Security Plan
2. Update Plan of Action & Milestones
3. Report Status

Primary Responsibility
System Owner = Information Owner / Hardware Owner (Division Chief)
Certification Agent = Chief, ITSO
Authorizing Official = Associate Director (DAA)