Page 530 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Certification and accreditation do seem similar, and thus it is often a challenge to understand them. One perspective you might consider is that certification is often an internal verification of security and the results of that verification are trusted only by your organization. Accreditation is often performed by a third-party testing service, and the results are trusted by everyone in the world who trusts the specific testing group involved.



The process of certification and accreditation is often iterative. In the accreditation phase, it is not uncommon to request changes to the configuration or additional controls to address security concerns. Remember that whenever you change the configuration, you must recertify the new configuration. Likewise, you need to recertify the system when a specific time period elapses or when you make any configuration changes. Your security policy should specify what conditions require recertification. A sound policy would list the amount of time a certification is valid along with any changes that would require you to restart the certification and accreditation process.


               Certification and Accreditation Systems


Two government standards are currently in place for the certification and accreditation of computing systems. The current DoD standard is Risk Management Framework (RMF) (http://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/855101p.pdf), which recently replaced DoD Information Assurance Certification and Accreditation Process (DIACAP), which itself replaced the Defense Information Technology Security Certification and Accreditation Process (DITSCAP). The standard for all other U.S. government executive branch departments, agencies, and their contractors and consultants is the Committee on National Security Systems (CNSS) Policy (CNSSP) (https://www.cnss.gov/CNSS/issuances/Policies.cfm; scroll down to the CNSSP 22 link), which replaced National Information Assurance Certification and Accreditation Process (NIACAP). However, the CISSP may refer to