What Is System Certification and Accreditation? - dummies

By Lawrence C. Miller, Peter H. Gregory

System certification is a formal methodology for comprehensively testing and documenting the security safeguards of an information system, both technical and nontechnical, in a given environment, using established evaluation criteria (the TCSEC, the Trusted Computer System Evaluation Criteria).

Accreditation is an official, written approval to operate a specific system in a specific environment, as documented in the certification report. Accreditation is normally granted by a senior executive or a Designated Approving Authority (DAA). The term DAA is used in the U.S. military and government; a DAA is normally a senior official, such as a commanding officer.

System certification and accreditation must be updated when any changes are made to the system or environment, and they must also be periodically revalidated, which typically happens every three years.

The certification and accreditation process has been formally implemented in U.S. military and government organizations as the Defense Information Technology Security Certification and Accreditation Process (DITSCAP) and the National Information Assurance Certification and Accreditation Process (NIACAP), respectively. U.S. government agencies using cloud-based systems and services are required to undergo the FedRAMP certification and accreditation process. These processes are used to make sure that a new (or changed) system has the proper design and operational characteristics, and that it’s suitable for a specific task.