Policies Section

Certification, accreditation, and security assessments (from NIST)

This list describes the certification, accreditation, and security assessment controls and ties each one to an activity or behavior. For NIST's own descriptions, see NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems.

  • Certification, accreditation, and security assessment policies and procedures - Provides formal policies and procedures covering security assessments, system certification, and system accreditation. The scope, purpose, roles, and responsibilities are covered in the policy and procedure documents. (low)
  • Security assessments - Provides a method for keeping information technology (IT) security at a standard and reasonable level relative to the business requirements. The security assessment gives an overview of a specific system's security requirements and documents the controls in place or planned for meeting them. The assessment ensures that the responsibilities and expected behavior of those accessing the system are defined. The assessment report provides the sponsors and stakeholders with a summary of security-related problems and security recommendations. (moderate)
  • Information system connections - Provides appropriate controls and authorization for connections to other systems that are required to support the organization. The other systems may or may not be accredited, and the information passed between the systems should be monitored. (low)
  • Security certification - Ensures that security controls are effectively implemented through established verification techniques and procedures, and provides confidence that appropriate safeguards and countermeasures are in place to protect the organization's information system. The security certification discovers and describes known vulnerabilities in the information system. (low)
  • Plan of action and milestones - Provides a plan of action and milestones for correcting any system shortcomings. These shortcomings may be found by the security assessment, by monitoring activities, or through security incidents. (low)
  • Security accreditation - Provides the necessary security authorization for an information system to process, store, or transmit the information that is required. This authorization is granted by a senior organization official and is based on the verified effectiveness of security controls to some agreed-upon level of assurance and an identified residual risk to agency assets or operations. (low)
  • Continuous monitoring - Includes periodic monitoring of the system for problems by checking logs and performing preventive maintenance, along with configuration management and security assessments performed when system changes are made. (low)