Systems Certification and Accreditation

September 30, 2016

Definition: Certification is the comprehensive evaluation and validation of a[n] ... information system (IS) to establish the degree to which it complies with assigned information assurance (IA) controls based on standardized procedures. An accreditation decision is a formal statement by a designated accrediting authority (DAA) regarding acceptance of the risk associated with operating a[n] ... IS and [is] expressed as an authorization to operate (ATO), interim ATO (IATO), interim authorization to test (IATT), or denial of ATO (DATO) [1].

Keywords: accreditation, certification, DIACAP

MITRE SE Roles & Expectations: MITRE systems engineers (SEs) are expected to understand the principles of certification and accreditation (C&A), how a government development organization initiates the C&A process, and how the government sponsor maintains accreditation status following product delivery. They are also expected to understand information assurance (IA) and C&A requirements and processes so they can advise when the government or the contractor is not complying with the letter or intent of department or agency policies and processes. MITRE systems engineers are expected to understand how systems engineering decisions may impact the IA posture of a system.


This article is intended to provide general guidance on C&A of all government systems. It follows the Department of Defense (DoD) C&A process and is directly applicable to DoD systems. C&A processes for other U.S. government systems are similar in their essentials but otherwise may vary. In the latter case, the guidance presented here should serve as a general reference for the conduct of C&A activities. Non-DoD department or agency guidance should always take precedence for C&A of their systems.

Certification and Accreditation Process Overview

C&A processes applied to federal and DoD systems are similar. These similarities include use of a common set of functional roles as follows:



Information Owner

An official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal.

Information System Owner

Individual, group, or organization responsible for ensuring the system is deployed and operated according to the agreed-on security requirements.

Certifying Authority/Agent (CA)

Individual, group, or organization responsible for conducting a security certification, or comprehensive assessment of the management, operational, and technical security controls in an information system.

Designated Accrediting Authority (DAA) or Authorizing Official

An official with the authority to formally assume responsibility for operating a system at an acceptable level of risk.

The following generic C&A process overview is based on the functional roles described above.

  1. The information owner establishes data sensitivity and security protection requirements.
  2. The information system owner implements technical, administrative, and operational security controls in accordance with security protection requirements provided by the information owner.
  3. The CA evaluates the security controls incorporated by the system and makes a recommendation to the DAA on whether the system satisfies its security requirements.
  4. The DAA assesses the residual security risk, based on the CA's recommendation, and makes an accreditation decision.
  5. The information system owner operates the accredited system, which must undergo periodic review and/or re-accreditation.

DoD Information Assurance Certification and Accreditation Process (DIACAP) [2, 3]

DIACAP is the C&A process applied to systems that store or process DoD information. It is defined in DoD Instruction 8510.01 as the "process to manage the implementation of IA capabilities and services and provide visibility of accreditation decisions regarding the operation of DoD information systems (IS), including core enterprise services and Web services–based software systems and applications." [1]

In supporting C&A of a system, MITRE should help the program manager (PM) assemble the DIACAP team, identify requirements, design solutions, implement the system, and integrate testing. The entire DIACAP team should be assembled at program inception to determine the IA strategy, agree on the mission assurance category (MAC) and confidentiality level, negotiate a baseline set of IA controls, and assign responsibilities. If there is no team review of system design for compliance with IA requirements, then testing of IA and functional requirements, which sometimes can conflict, will likely not be integrated. It is important that the DIACAP team be assembled to resolve discrepancies throughout the acquisition life cycle; without that cooperation, it is more likely the PM or engineers will make unilateral decisions the DAA may not be able to accept. To help ensure a successful C&A outcome, MITRE, often acting as "lead integrator" for the activity, should at the outset reach back to staff members who support the CA and DAA to ensure coordination and agreement regarding the scope of the C&A process.

Process Artifacts

Execution of the DIACAP produces a number of engineering artifacts that are summarized in the table below.



System Information Profile (SIP)

Information to register about the system being developed.

DIACAP Implementation Plan (DIP)

Enumerates, assigns, and tracks the status of IA controls being implemented.

DIACAP Scorecard

Records the results of test procedures/protocols used to validate implemented IA controls.

Plan of Action & Milestones (POA&M)

Identifies tasks or workarounds to remediate identified vulnerabilities.

Supporting Certification Documents

A compilation of IA controls validation artifacts provided to the CA.

Interim Approval to Test (IATT)

An accreditation decision that is a special case, authorizing testing in an operational information environment or with live data for a specified time period.

Interim Approval to Operate (IATO)

An accreditation decision intended to manage IA security weaknesses while allowing system operation for up to 180 days, with consecutive IATOs totaling no more than 360 days.

Denial of Approval to Operate (DATO)

An accreditation decision that the system should not operate because the IA design, IA controls implementation, or other security is inadequate and there are no compelling reasons to allow system operation.

Approval to Operate (ATO)

An accreditation decision for a system to process, store, or transmit information for up to three years; indicates a system has adequately implemented all assigned IA controls and residual risk is acceptable.

These artifact documents, together with all other documents resulting from the DIACAP process, are typically produced by the program office and/or the acquisition team. When a contractor produces a DIACAP document, it is reviewed and approved by the program office, often with a MITRE systems engineer involved.
