This chapter covers System Certification and Accreditation (C&A), a critical governance process that ensures information systems meet security requirements before and during operation. For SY0-701, this maps to Objective 5.1: Summarize elements of effective security governance, specifically the components of third-party governance and system authorization. Understanding C&A is essential for security professionals because it formalizes risk acceptance and accountability. This chapter explains the C&A lifecycle, key roles, documentation, and how it integrates with other governance frameworks.
Imagine a city government that must approve new buildings before construction begins. The building permit process requires architects to submit detailed blueprints, engineers to certify structural integrity, and inspectors to verify compliance with fire codes, electrical standards, and zoning laws. After construction, a final inspection grants a certificate of occupancy—the official permission to operate. This mirrors system certification and accreditation (C&A). The system owner (architect) designs the system with security controls (blueprints). A certifier (engineer) evaluates the system against a baseline (building code) and produces a certification report (structural analysis). The authorizing official (city inspector) reviews the report and residual risks, then issues an accreditation decision (certificate of occupancy). Just as a building can be denied occupancy if it fails inspection, a system can be denied accreditation if risks are too high. And like a building that must be re-inspected after major renovations, systems must undergo re-accreditation after significant changes. The analogy is mechanistic: each role, document, and decision mirrors a specific C&A component, making the abstract process concrete.
What is System Certification and Accreditation?
System Certification and Accreditation (C&A) is a formal, systematic process used to evaluate, authorize, and maintain the security posture of an information system. The goal is to ensure that a system operates with an acceptable level of risk, as determined by a senior official (the Authorizing Official or AO). C&A is a cornerstone of the Risk Management Framework (RMF) and is mandated for U.S. federal systems by FISMA (the Federal Information Security Management Act of 2002, updated by the Federal Information Security Modernization Act of 2014) and implemented through NIST SP 800-37 (Risk Management Framework for Information Systems and Organizations). Current NIST and DoD guidance calls the same activities "assessment and authorization" (A&A); this chapter keeps the older C&A term because it is the one the exam objective uses. Although primarily associated with government systems, many private-sector organizations adopt C&A principles to support compliance with regulations like HIPAA, PCI DSS, or SOX.
The threat C&A addresses is the deployment and operation of systems with unknown or unmanaged security risks. Without C&A, organizations might deploy systems with vulnerabilities, weak configurations, or inadequate controls, leading to data breaches, compliance failures, and operational disruptions. C&A forces stakeholders to identify, assess, and accept risks before the system goes live and periodically thereafter.
How the C&A Process Works Mechanically
The C&A process follows a structured lifecycle. While specific steps vary by framework (e.g., NIST RMF, DoD DIACAP, or CNSS Instruction 1253), the core stages are:
Initiation and Planning: The system owner defines the system's boundaries, identifies applicable security requirements, and develops a System Security Plan (SSP). The SSP documents the system's architecture, security controls, and planned implementation.
Security Control Selection and Implementation: Based on the system's security categorization (low, moderate, high) per FIPS 199, the organization selects baseline controls from NIST SP 800-53. Controls are implemented (e.g., access control, encryption, audit logging).
Security Control Assessment: An independent certifier (or assessment team) evaluates the effectiveness of implemented controls. This involves testing, interviews, and documentation review. The output is a Security Assessment Report (SAR) listing findings (deficiencies) and recommendations.
Risk Analysis and Determination: The system owner and certifier analyze residual risks (risks remaining after controls are applied). They may recommend mitigation actions or accept risks.
Accreditation Decision: The Authorizing Official reviews the SSP, SAR, and risk analysis and makes one of three decisions:
- Authorization to Operate (ATO): The system is approved for operation, often with conditions (e.g., remediate critical findings within 30 days).
- Interim Authorization to Test (IATT): Temporary approval for testing in a production-like environment; it does not permit live operation with production data.
- Denial of Authorization: The system is not approved because the residual risk is unacceptable.
Continuous Monitoring: After ATO, the system enters a continuous monitoring phase. Periodic assessments, vulnerability scans, and incident reports are used to maintain authorization. If significant changes occur (e.g., major upgrade, new data types), a re-accreditation may be triggered.
Key Components, Variants, and Standards
Roles:
- Authorizing Official (AO): Senior executive with authority to accept risk on behalf of the organization. The AO is ultimately accountable for the system's security posture.
- System Owner: Person responsible for the system's development, operation, and maintenance. They implement controls and provide documentation.
- Certifier (or Security Control Assessor): Independent evaluator who tests controls and produces the SAR. Independence ensures objectivity.
- Common Control Provider: Entity that manages controls inherited by multiple systems (e.g., enterprise firewalls, identity management).
Documentation:
- System Security Plan (SSP): Describes the system, its environment, and how security controls are implemented.
- Security Assessment Report (SAR): Documents assessment results, findings, and recommendations.
- Plan of Action and Milestones (POA&M): Lists planned remediation actions for identified weaknesses, with timelines and responsible parties.
Frameworks:
- NIST Risk Management Framework (RMF): The current standard for U.S. federal agencies. Steps: Prepare (added in SP 800-37 Rev. 2), Categorize, Select, Implement, Assess, Authorize, Monitor.
- DoD DIACAP (Department of Defense Information Assurance Certification and Accreditation Process): Replaced by RMF for DoD in 2014, but still referenced as a legacy process.
- CNSS Instruction 1253: Provides categorization and control selection for national security systems.
Security Categorization (FIPS 199): Systems are categorized as low, moderate, or high impact based on the potential impact of a security breach on confidentiality, integrity, and availability. This determines the baseline controls.
How Attackers Exploit or Defenders Deploy
Attackers may target systems that bypassed C&A or have expired ATOs. For example, a developer deploys a shadow IT application without authorization. Attackers discover this unvetted system and exploit its weak controls (e.g., default credentials, unpatched vulnerabilities). Defenders use C&A to prevent such scenarios: by requiring formal authorization, they ensure that all systems are properly configured, monitored, and patched.
Defenders also use continuous monitoring to detect configuration drift. For instance, if a system's firewall rules change without approval, the monitoring process can flag the deviation and trigger a review, potentially leading to revocation of ATO if risks become unacceptable.
Real Command/Tool Examples
While C&A is a process, tools support it. For example, using nmap to scan for unauthorized services (-p 1-65535 is equivalent to -p-, and -sV probes each open port for the service and version):
nmap -sV -p 1-65535 target_ip
This might reveal an unauthorized web server on port 8080, which could indicate a shadow IT system that hasn't been through C&A. The defender would then investigate and ensure the system is either removed or formally accredited.
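A scan is only evidence of shadow IT once it is compared against what the SSP says belongs inside the boundary. The following is an added example (not code from the original page): it parses constructed nmap grepable (-oG) output and reconciles it against a hypothetical SSP component inventory, reporting both hosts that are not in the boundary at all and unauthorized services on hosts that are. The inventory, hosts and service banners are all assumptions made up for the example.

```python
"""
Added example (not from the original page): reconcile an nmap service scan
against the SSP's authorized-component inventory to spot hosts or services
that never went through C&A.

Assumptions (mine): NMAP_GREPABLE is constructed -oG output, not a real scan,
and SSP_INVENTORY is a hypothetical SSP "system components" table.
"""
import re

# Hypothetical SSP inventory: host -> set of (port, service) pairs authorized in the boundary.
SSP_INVENTORY = {
    "10.10.50.10": {(22, "ssh"), (443, "https")},
    "10.10.50.11": {(22, "ssh"), (5432, "postgresql")},
}

# Constructed `nmap -sV -p- -oG -` output for the boundary subnet (not real scan data).
# Grepable port fields are port/state/protocol/owner/service/rpcinfo/version/.
NMAP_GREPABLE = """\
# Nmap 7.94 scan initiated as: nmap -sV -p- -oG - 10.10.50.0/28
Host: 10.10.50.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.2/, 443/open/tcp//https//nginx/
Host: 10.10.50.11 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.2/, 5432/open/tcp//postgresql//PostgreSQL 15/, 8080/open/tcp//http-proxy//Jetty/
Host: 10.10.50.12 ()\tPorts: 8080/open/tcp//http//Apache Tomcat/
# Nmap done
"""

# Matches "<port>/open/tcp//<service>//" inside the Ports: field.
PORT_RE = re.compile(r"(\d+)/open/tcp//([^/]*)//")


def parse_grepable(text: str) -> dict:
    """Return {host: {(port, service), ...}} for open TCP ports in nmap -oG output."""
    observed = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments, "Status:" lines and hosts with no open ports
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        observed[host] = {(int(p), svc) for p, svc in PORT_RE.findall(ports_field)}
    return observed


def reconcile(observed: dict, inventory: dict):
    """Split findings into (a) hosts outside the SSP boundary and (b) services
    on in-boundary hosts that the SSP does not authorize."""
    unknown_hosts = {h: sorted(s) for h, s in observed.items() if h not in inventory}
    extra_services = {}
    for host, services in observed.items():
        if host in inventory:
            extra = services - inventory[host]
            if extra:
                extra_services[host] = sorted(extra)
    return unknown_hosts, extra_services


if __name__ == "__main__":
    unknown, extra = reconcile(parse_grepable(NMAP_GREPABLE), SSP_INVENTORY)
    for host, services in unknown.items():
        print(f"NOT IN SSP BOUNDARY: {host} -> {services}")
    for host, services in extra.items():
        print(f"UNAUTHORIZED SERVICE on in-boundary host {host} -> {services}")
```

Both result sets feed the same C&A decision: an unknown host is a candidate shadow IT system that must be decommissioned or brought into the boundary and assessed, while an unauthorized service on an accredited host is a configuration change that should have triggered the change-control and re-accreditation review.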
Vulnerability scanners like Nessus or OpenVAS produce reports that feed into the SAR. An example scan result:
Plugin ID: 12345
Vulnerability: Apache Struts2 Remote Code Execution (CVE-2017-5638)
Risk: Critical
Solution: Upgrade to Apache Struts 2.3.32 or 2.5.10.1
This finding would be documented in the SAR and a POA&M item created with a remediation date.
For continuous monitoring, Security Information and Event Management (SIEM) tools like Splunk can be used to monitor compliance with ATO conditions. A sample query:
index=main sourcetype=access_combined status=403 | stats count by src_ip
This counts HTTP 403 responses per source address, surfacing repeated access attempts to restricted areas, which might indicate a control failure that needs to be reported to the AO.
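The scanner-to-SAR-to-POA&M hand-off above is where most C&A programs lose accountability, because findings are copied by hand and due dates drift. As an added example (not code from the original page), the following script derives the FIPS 199 category from the three impact levels using the high-water mark, turns a constructed Nessus-style CSV export into POA&M items whose due dates depend on finding severity and system category, and checks them against a hypothetical ATO condition. The remediation-window table, the sample findings and the dates are assumptions, not values from NIST or the page.

```python
"""
Added example (not from the original page): scanner findings -> POA&M items
-> ATO-condition check.

Assumptions (mine, not the page's): SAMPLE_SCAN is a constructed, Nessus-style
CSV export; REMEDIATION_DAYS is a hypothetical organizational policy, not a
NIST-mandated table; the ATO condition checked is "critical findings must be
closed within their remediation window".
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# FIPS 199 impact levels, ranked so that max() yields the high-water mark.
IMPACT_RANK = {"low": 1, "moderate": 2, "high": 3}


def categorize(confidentiality: str, integrity: str, availability: str) -> str:
    """FIPS 199 high-water mark: the system category is the highest impact
    level among the three security objectives."""
    levels = (confidentiality.lower(), integrity.lower(), availability.lower())
    return max(levels, key=IMPACT_RANK.__getitem__)


# Hypothetical policy: days allowed to remediate, by finding risk and system category.
REMEDIATION_DAYS = {
    "critical": {"low": 30, "moderate": 30, "high": 15},
    "high":     {"low": 90, "moderate": 60, "high": 30},
    "medium":   {"low": 180, "moderate": 120, "high": 90},
    "low":      {"low": 365, "moderate": 365, "high": 180},
}


@dataclass
class PoamItem:
    weakness_id: str
    description: str
    risk: str
    owner: str
    identified: date
    due: date

    def is_overdue(self, as_of: date) -> bool:
        return as_of > self.due


def build_poam(scan_csv: str, system_category: str, owner: str, identified: date) -> list:
    """Create one POA&M item per scanner finding, with a due date derived from
    the finding's risk rating and the system's FIPS 199 category."""
    items = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        risk = row["Risk"].strip().lower()
        if risk == "none":  # informational plugins are not weaknesses
            continue
        days = REMEDIATION_DAYS[risk][system_category]
        items.append(PoamItem(
            weakness_id=f"POAM-{row['Plugin ID']}",
            description=f"{row['Name']} on {row['Host']} ({row['CVE'] or 'no CVE'})",
            risk=risk,
            owner=owner,
            identified=identified,
            due=identified + timedelta(days=days),
        ))
    return items


def ato_condition_violations(items: list, as_of: date) -> list:
    """IDs of critical POA&M items still open past their due date, i.e. breaches
    of the (hypothetical) ATO condition the AO attached to the authorization."""
    return [i.weakness_id for i in items if i.risk == "critical" and i.is_overdue(as_of)]


# Constructed scanner export (not real scan data); columns mimic a Nessus CSV.
SAMPLE_SCAN = """Plugin ID,CVE,Risk,Host,Name
12345,CVE-2017-5638,Critical,10.10.50.20,Apache Struts 2 Remote Code Execution
22222,,High,10.10.50.20,SSL Certificate Expiry
33333,,Medium,10.10.50.21,SSH Weak MAC Algorithms Enabled
44444,,None,10.10.50.21,Nessus SYN scanner
"""
SAMPLE_IDENTIFIED = date(2024, 1, 10)   # assessment date (assumed)
SAMPLE_AS_OF = date(2024, 2, 15)        # date of the monitoring check (assumed)

if __name__ == "__main__":
    category = categorize("moderate", "high", "low")  # high-water mark -> "high"
    poam = build_poam(SAMPLE_SCAN, category, "EHR system owner", SAMPLE_IDENTIFIED)
    for item in poam:
        print(item.weakness_id, item.risk, item.due, item.description)
    print("ATO condition violations:", ato_condition_violations(poam, SAMPLE_AS_OF))
```

With the assumed dates, the Struts finding on a high-impact system is due 15 days after identification and is therefore overdue at the check date, which is exactly the kind of fact the system owner must report to the AO rather than leave in the POA&M to age.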
Initiate C&A Process
The system owner identifies the need for a new system or a major change to an existing system. They draft a System Security Plan (SSP) that defines the system boundary, purpose, and data flow. The SSP also references the security categorization (FIPS 199) and the baseline controls selected from NIST SP 800-53. This step is crucial because it sets the scope for all subsequent activities. A common mistake is defining the system boundary too narrowly, omitting connected systems or data stores, which leads to incomplete risk assessment. The SSP is submitted to the certifier for review.
Select and Implement Controls
Based on the security categorization (low, moderate, high), the system owner selects the matching baseline set of controls (defined in NIST SP 800-53B for the Rev. 5 catalog). For example, a moderate impact system's baseline includes, among many others, AC-3 (Access Enforcement), AU-2 (Event Logging), and SC-8 (Transmission Confidentiality and Integrity). The system owner then implements these controls, often by configuring operating systems, applications, and network devices. Documentation of implementation is critical—each control must have evidence (e.g., screenshots, configuration files) that it is in place. The system owner also identifies any common controls inherited from enterprise services (e.g., physical security from the data center).
Assess Security Controls
An independent certifier (or assessment team) evaluates the implemented controls against the SSP and NIST SP 800-53A assessment procedures. The assessment includes: (1) examining documentation, (2) interviewing personnel, (3) testing controls technically (e.g., vulnerability scanning, penetration testing). The certifier produces a Security Assessment Report (SAR) that lists each control's effectiveness (satisfied, partially satisfied, or not satisfied). For each deficient control, the SAR includes findings and recommendations. For example, a test might reveal that audit logs are not being reviewed weekly as required. The SAR is submitted to the Authorizing Official.
Analyze and Accept Risk
The system owner and certifier analyze the residual risks after controls are applied. They create a Plan of Action and Milestones (POA&M) for any deficiencies that cannot be immediately remediated. The POA&M assigns responsibility and target dates for each action. The system owner formally requests authorization by submitting the SSP, SAR, and POA&M to the Authorizing Official. The AO reviews the risk posture and decides whether the residual risk is acceptable. If the AO determines that risks are too high, they may deny authorization, require additional controls before granting an ATO, or, where the system is not yet ready for live operation, limit it to an Interim Authorization to Test (IATT).
Authorize and Monitor Continuously
The Authorizing Official makes an accreditation decision: (1) Authorization to Operate (ATO) – typically valid for 1-3 years, (2) Interim Authorization to Test (IATT) – for testing only, or (3) Denial. The ATO document specifies conditions, such as remediating critical findings within 30 days. After ATO, the system enters continuous monitoring. The system owner must perform regular vulnerability scans, review audit logs, and report any security incidents. If a significant change occurs (e.g., new software, change in data sensitivity), the system owner must notify the AO, who may require re-accreditation. Continuous monitoring ensures that the system remains within acceptable risk levels throughout its lifecycle.
Scenario 1: Shadow IT Discovery
At a mid-sized financial services firm, an analyst in the marketing department deploys a cloud-based collaboration tool (e.g., Slack) without IT approval. The security team discovers it through egress monitoring rather than a vulnerability scan: a scanner such as Tenable Nessus enumerates hosts and services but does not see outbound traffic, so the lead comes from firewall and proxy logs feeding the SIEM. The analyst sees an alert: 'Unauthorized external communication detected from host 10.10.50.100 to 34.120.0.1:443.' The security engineer investigates and finds the shadow IT system. The correct response is to immediately block the traffic at the firewall, then engage the system owner to either integrate the tool into the formal C&A process or decommission it. A common mistake is to allow the tool to continue operating while 'working on approval,' which exposes the organization to unmanaged risk. The engineer should also document the incident and report it to the Authorizing Official as a potential violation of the ATO conditions for the marketing department's network segment.
Scenario 2: ATO Renewal with Critical Findings
A large healthcare organization is renewing the ATO for its electronic health records (EHR) system. During the security assessment, the certifier discovers that the system is running an unsupported, end-of-life version of Oracle Database (11g), for which no further security patches are issued. The vulnerability scanner (Qualys) also reports multiple critical findings across the EHR stack (e.g., CVE-2020-14750, an unauthenticated remote code execution flaw in the Oracle WebLogic Server application tier rather than in the database itself). The SAR lists the end-of-life database and the unpatched critical findings as critical. The system owner argues that upgrading is not possible due to application compatibility issues. The correct response is to create a POA&M with a detailed remediation plan, including interim compensating controls (e.g., network segmentation, strict access controls, enhanced monitoring). The Authorizing Official may issue an ATO with conditions and a 30-day deadline to either upgrade or implement the compensating controls. A common mistake is to ignore the finding and hope it goes unnoticed, which could lead to a data breach and regulatory penalties under HIPAA.
Scenario 3: Continuous Monitoring Alerts
A government agency operates a classified network. The continuous monitoring system (e.g., Splunk with custom alerts) detects that a server's host-based firewall has been disabled for 15 minutes. The SIEM alert reads: 'Critical: Host firewall disabled on server SEC-SRV-001 for >10 minutes.' The security analyst investigates and finds that an administrator disabled the firewall to troubleshoot a connectivity issue, but forgot to re-enable it. The correct response is to re-enable the firewall immediately, then report the incident to the AO as a potential violation of ATO conditions (since the firewall is a required control). The analyst should also check logs for any unauthorized access during the window. A common mistake is to simply re-enable the firewall without reporting, which bypasses the accountability required by the C&A process. The incident should be documented in the POA&M as a training issue.
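The drift detection described earlier and the alert in Scenario 3 share one mechanism: pair each "control disabled" event with its matching "re-enabled" event per host and raise an alert when the gap exceeds the ATO condition, while treating a disable with no matching enable as an open gap that is still growing. The following is an added example (not code from the original page or from any SIEM vendor) that runs that logic over constructed, syslog-like lines; the log format, host names, administrator names and the 10-minute threshold are assumptions taken from the scenario, not real data.

```python
"""
Added example (not from the original page): continuous-monitoring check for a
required control (host firewall) being disabled longer than an ATO condition
allows.

Assumptions (mine): SAMPLE_LOG is a constructed, syslog-like event stream; the
10-minute threshold is the hypothetical ATO condition from the scenario.
"""
import re
from datetime import datetime, timedelta

# Constructed log lines (not from a real system). One non-firewall line is
# included to show that unrelated events are ignored.
SAMPLE_LOG = """\
2024-03-04T09:00:00Z host=SEC-SRV-001 event=firewall_disabled user=admin1
2024-03-04T09:02:00Z host=SEC-SRV-002 event=firewall_disabled user=admin2
2024-03-04T09:05:00Z host=SEC-SRV-002 event=firewall_enabled user=admin2
2024-03-04T09:15:00Z host=SEC-SRV-001 event=firewall_enabled user=admin1
2024-03-04T09:20:00Z host=SEC-SRV-003 event=firewall_disabled user=admin3
2024-03-04T09:21:00Z host=SEC-SRV-003 event=login user=admin3
"""
SAMPLE_NOW = datetime(2024, 3, 4, 9, 40)  # time the check runs (assumed)
THRESHOLD = timedelta(minutes=10)          # hypothetical ATO condition

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z host=(?P<host>\S+) "
    r"event=firewall_(?P<state>disabled|enabled) user=(?P<user>\S+)$"
)


def parse(lines):
    """Return (timestamp, host, state, user) tuples for firewall state changes,
    sorted by time because log lines may arrive out of order."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a firewall state change
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append((ts, m["host"], m["state"], m["user"]))
    return sorted(events)


def disabled_windows(events, now):
    """Return (host, user, start, duration) for every period a host's firewall
    was disabled. A disable with no matching enable is still open, so its
    duration is measured up to `now`."""
    open_since = {}  # host -> (start, user)
    windows = []
    for ts, host, state, user in events:
        if state == "disabled":
            open_since.setdefault(host, (ts, user))  # keep the earliest disable
        elif host in open_since:
            start, who = open_since.pop(host)
            windows.append((host, who, start, ts - start))
    for host, (start, who) in open_since.items():
        windows.append((host, who, start, now - start))
    return windows


def alerts(lines, now, threshold=THRESHOLD):
    """Alert strings for windows longer than the threshold, in window order."""
    out = []
    for host, user, start, dur in disabled_windows(parse(lines), now):
        if dur > threshold:
            minutes = int(dur.total_seconds() // 60)
            out.append(f"Critical: Host firewall disabled on {host} for {minutes} min "
                       f"(by {user}, since {start:%Y-%m-%dT%H:%M}Z)")
    return out


if __name__ == "__main__":
    for line in alerts(SAMPLE_LOG.splitlines(), SAMPLE_NOW):
        print(line)
```

With the sample data, SEC-SRV-002 was re-enabled after three minutes and produces nothing, SEC-SRV-001 produces the 15-minute alert from the scenario, and SEC-SRV-003 is still disabled at check time and is reported as an open 20-minute gap. Recording who disabled the control gives the analyst the accountability trail the AO report and the POA&M entry require; the gap window also bounds the log review for unauthorized access that the scenario calls for.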
What SY0-701 Tests
SY0-701 Objective 5.1 expects you to understand the elements of third-party governance and system authorization. Specifically, the exam tests: (1) The purpose of system certification and accreditation (C&A) – to ensure systems meet security requirements before operation. (2) The key roles: Authorizing Official (AO), system owner, and certifier. (3) The difference between certification (technical evaluation) and accreditation (management decision). (4) The outputs: SSP, SAR, POA&M, ATO. (5) The concept of continuous monitoring and re-accreditation. (6) How C&A fits into the Risk Management Framework (RMF).
Common Wrong Answers and Why
Confusing certification with accreditation: Many candidates think certification is the final approval. Wrong. Certification is the technical assessment; accreditation is the management decision to accept risk. On the exam, if a question asks 'who makes the final decision to allow a system to operate?', the answer is the Authorizing Official (accreditation), not the certifier.
Choosing 'System Owner' as the risk acceptor: The system owner implements controls but does not have the authority to accept organizational risk. That is the AO's role.
Selecting 'DIACAP' as the current framework: DIACAP is outdated for most contexts; NIST RMF is the current standard for federal agencies. However, the exam may still reference DIACAP as a legacy process, so know that RMF replaced it.
Mixing up ATO and IATT: An IATT is temporary for testing, not full operation. ATO is full authorization. If a question mentions 'testing in a production environment,' the answer is IATT.
Specific Terms and Values
FIPS 199: Security categorization (low, moderate, high) based on impact to confidentiality, integrity, availability.
NIST SP 800-37: Guide for Applying the Risk Management Framework.
NIST SP 800-53: Security and Privacy Controls for Information Systems and Organizations.
POA&M: Plan of Action and Milestones – remediation tracking.
ATO: Authorization to Operate – typically valid 1-3 years.
Common Trick Questions
A question may describe a 'certification' process and ask who is responsible. Trap: They might list 'Authorizing Official' as an option, but the correct answer is 'certifier' or 'security control assessor.'
Another trick: 'Which document lists the security controls and how they are implemented?' Answer: SSP, not SAR. SAR is the assessment results.
'Which document identifies weaknesses and remediation plans?' Answer: POA&M.
Decision Rule
For scenario questions: First identify the phase of the C&A lifecycle (initiation, assessment, authorization, monitoring). Then map the action to the correct role and document. For example, if the scenario involves testing controls, it's certification; if it involves a decision to operate, it's accreditation. Eliminate answers that mix up roles or documents.
C&A ensures systems meet security requirements before operation and throughout their lifecycle.
FIPS 199 defines security categories (low, moderate, high) based on impact to confidentiality, integrity, and availability.
NIST SP 800-37 (RMF) is the current standard for federal C&A, replacing DIACAP.
Key roles: Authorizing Official (risk acceptor), System Owner (implementer), Certifier (evaluator).
Key documents: SSP (system description), SAR (assessment results), POA&M (remediation plan), ATO (authorization).
Continuous monitoring is required after ATO to maintain acceptable risk levels.
Re-accreditation is triggered by significant changes to the system or environment.
C&A is a governance process that integrates with other risk management activities.
These come up on the exam all the time. Here's how to tell them apart.
Certification
Technical evaluation of security controls
Performed by independent certifier or assessor
Output is Security Assessment Report (SAR)
Determines if controls are implemented correctly
Focuses on technical compliance
Accreditation
Management decision to accept risk
Performed by Authorizing Official (AO)
Output is Authorization to Operate (ATO) or denial
Determines if residual risk is acceptable
Focuses on business risk acceptance
Mistake
Certification and accreditation are the same thing.
Correct
Certification is the technical evaluation of security controls; accreditation is the management decision to accept residual risk and authorize operation. They are distinct steps in the C&A process.
Mistake
Once a system receives ATO, it never needs to be reassessed.
Correct
ATO is time-limited (typically 1-3 years) and requires continuous monitoring. Significant changes or new threats may trigger re-accreditation before expiration.
Mistake
Only government systems use C&A.
Correct
While rooted in federal standards (FISMA, NIST RMF), many private organizations adopt C&A principles for compliance with HIPAA, PCI DSS, SOX, or internal risk management.
Mistake
The system owner is the one who accepts risk.
Correct
The system owner implements controls and provides documentation, but the Authorizing Official (AO) is the senior executive who formally accepts residual risk on behalf of the organization.
Mistake
C&A is a one-time event before system deployment.
Correct
C&A is a lifecycle that includes continuous monitoring, periodic reassessments, and re-accreditation. It does not end when the system goes live.
Certification is the technical evaluation of security controls by an independent assessor to determine if they are implemented correctly and effectively. Accreditation is the management decision by the Authorizing Official to accept residual risk and formally authorize system operation. Think of certification as the inspection and accreditation as the permit to operate.
An ATO is typically valid for 1 to 3 years, depending on organizational policy and risk posture. It requires continuous monitoring during that period. Before expiration, the system must undergo re-accreditation (reassessment and new ATO).
Significant changes to the system, such as major software upgrades, changes in data sensitivity, new interconnections, or after a security incident. Also, if continuous monitoring reveals a significant increase in risk, the AO may require re-accreditation.
The Authorizing Official is a senior executive (e.g., CIO, CISO) with the authority to accept risk on behalf of the organization. They review the certification results and make the accreditation decision. They are ultimately accountable for the system's security posture.
The Plan of Action and Milestones (POA&M) documents identified weaknesses (from the SAR) and the planned remediation actions, including responsible parties and target completion dates. It tracks progress and ensures accountability for fixing security deficiencies.
No, while C&A originated from federal requirements (FISMA, NIST RMF), many private organizations adopt similar processes to comply with regulations like HIPAA, PCI DSS, SOX, or to manage internal risk. The principles of risk assessment, control implementation, and formal authorization are universal.
Continuous monitoring ensures that the security posture of an authorized system remains acceptable over time. It involves ongoing vulnerability scanning, log review, incident detection, and compliance checks. If monitoring reveals new risks, the AO may require remediation or re-accreditation.