
Security Certification and Accreditation

Capricorn Systems, Inc. offers Security and Information Assurance Services to its customers. Though spearheaded by standards and processes defined by the U.S. Government and implemented by military, federal and state agencies, several commercial organizations have also embraced these security safeguards and the processes to ensure that they are kept up-to-date.

All federal agencies in the United States must have their IT systems and infrastructure certified and accredited (C&A) at least once every three years, or sooner when a system undergoes a significant change. It is a detailed and extensive process in which qualified security assessors review the policy and operational documentation for an agency's IT systems and infrastructure, test the security controls in place, and determine whether the residual risk is acceptable for the system to be authorized to operate.

Title III of the E-Government Act of 2002 (Public Law 107-347), the Federal Information Security Management Act (FISMA), is specific in its requirements and stipulates that an agency's information security program must include documentation and reports that clearly describe the following:

Information security policies and procedures
Periodic risk assessments
Assessment of threats, including their likelihood and impact
Policies and procedures for detecting security vulnerabilities
Evaluation and periodic testing of how well security policies are working
An inventory of software and hardware assets
Security awareness training and expected rules of behavior for end-users
Evaluation of the technical, management, and operational security controls
Procedures for reporting and responding to security incidents
Process for addressing any deficiencies reported
Contingency plans to ensure continuity of operations in the face of a disaster

The two methodologies used for C&A initiatives are described below.

Contact Sales
Ed Guillory, V.P. Government Solutions
(678) 514-1080 ext 2507

DIACAP Process
DIACAP is an acronym for the Department of Defense Information Assurance Certification and Accreditation Process. It is defined in Department of Defense Instruction (DoDI) 8510.01, "DoD Information Assurance Certification and Accreditation Process (DIACAP)." DIACAP is used by DoD components and systems connecting to DoD networks, although civilian agencies may opt to apply DIACAP principles to their own customized C&A process.

NIST Risk Management Framework
NIST is the National Institute of Standards and Technology, and its C&A methodology is described in Special Publication 800-37, which in Revision 1 recasts certification and accreditation as "security authorization" within a six-step Risk Management Framework (categorize, select, implement, assess, authorize, monitor). While civilian agencies have used the NIST methodology and DoD has used DIACAP, the current trend is that agencies are moving away from DIACAP to embrace the NIST Risk Management Framework methodology.

Both methodologies take into consideration the entire system, network, and application lifecycle from a security standpoint.

Capricorn Services
Capricorn reviews, advises, recommends, and implements security controls and assessments for all types of controls: Program, Management, Operational, and Technical. Our analysts develop and assess the full scale and scope of the security activities for the systems under assessment.

Our analysts are experienced with applicable statutes and directives such as the Federal Information Security Management Act (FISMA), the Computer Security Act of 1987, Office of Management and Budget (OMB) circulars, and the Clinger-Cohen Act. Our security analysts are often called upon to support IT security policy and implementation in compliance with technical standards from agencies such as NIST.

Security Services
  • Certification & Accreditation of systems, programs, and technologies (including Indications, Analysis and Warnings systems) IAW NIST SP 800-37 Rev. 1 and SP 800-53
  • DIACAP support for DoD C&A Activities
  • Training of C&A and DIACAP processes
  • Procedures, policies and guidelines for security personnel
  • Incident Response & Contingency Planning activities
Certification and Accreditation Services
  • C&A reviews, audits, and support for FISMA/NIST-based systems for Federal Civilian Agencies utilizing the Security Authorization standards from NIST SP 800-37 Rev. 1
  • "Gap" analysis process and procedures for C&A Status reviews and audits which reduces total project time by half
  • C&A support for Systems to obtain "Authority to Operate" (ATO)
  • FISMA-based Audits for systems with resultant "return-to-green" status
DoD IA Certification & Accreditation Program (DIACAP)
  • DIACAP-related C&A activities
  • "Gap" analysis process and procedures for DIACAP & Risk Assessment Status reviews and audits
  • DIACAP support for medium and small systems to obtain "Authority to Operate" (ATO) on DoD networks
C&A - DIACAP Training
  • Proven & Certified (CISSP, CISA, CISM) Technical Instructors
  • Classes provided include Federal C&A Process, DIACAP process, and FISMA compliance
  • Additional classes with C&A focus include Business Continuity & Disaster Recovery, Incident Response, Team Management, IA Security Engineering and IA Project Management
Security Policies, Procedures & Guidelines
  • Documentation reviews for security policies and correlated procedures IAW NIST standards
  • Develop and provide customers with procedures and policies, IAW NIST and FISMA guidelines, for Federal Civilian Agency systems such as those of DOL, OPM and NASA
  • "Gap" analysis process and procedures for C&A Status reviews of documentation, policies, procedures, guidelines and corporate standards
  • C&A package development and delivery for Systems which obtained "Authority to Operate" (ATO)
Incident Response & Contingency Planning
  • Incident Response and Continuity Planning activities for private organizations
  • Certified Business Continuity practitioner on staff
  • Forensics Team Management and Incident Response
[Figure: DIACAP Process diagram]

[Figure: NIST Risk Management Framework diagram]