Security Certification and Accreditation | Security and Information Assurance Services| Security Management

Home

About Us

Services

Products

Clients

Careers

Security Certification and Accreditation

Capricorn Systems, Inc. offers Security and Information Assurance Services to its customers. Though spearheaded by standards and processes defined by the U.S. Government and implemented by military, federal and state agencies, several commercial organizations have also embraced these security safeguards and the processes to ensure that they are kept up-to-date.

All federal agencies in the United States must have their IT systems and infrastructure certified and accredited (C&A) once every three years. It is a detailed and extensive process where certified security experts inspect reams of policy and operational documentation on an agency's IT systems and infrastructure, and either pass them or fail them.

Title III of the E-Government Act (Public Law 107-347) entitled Federal Information Security Management Act (FISMA) is specific in its requirements and stipulates that an agency's information security program must include documentation and reports that clearly describe the following:

	Information security policies and procedures
	Periodic risk assessments
	Assessment of threats, including their likelihood and impact
	Policies and procedures for detecting security vulnerabilities
	Evaluation and periodic testing of how well security policies are working
	An inventory of software and hardware assets
	Security awareness training and expected rules of behavior for end-users
	Evaluation of the technical, management, and operational security controls
	Procedures for reporting and responding to security incidents
	Process for addressing any deficiencies reported
	Contingency plans to ensure continuity of operations in the face of a disaster

Methodologies
Following are the two methodologies used for C & A initiatives:

	DIACAP
	NIST

[ Top ]

Contact Sales
Ed Guillory, V.P. Government Solutions
EdGuillorySales@capricornsys.com
(678) 514-1080 ext 2507

DIACAP Process
DIACAP is an acronym for Department of Defense Information Assurance Certification and Accreditation Process. It is based on a publication known as Defense Information Assurance Certification and Accreditation regulation Department of Defense (DoD) 8510.01. DIACAP is typically used for defense agencies, although civilian agencies may opt to apply DIACAP principles to their own customized C&A process.

NIST Risk Management Framework
NIST is the National Institute of Standards and Technology, and its C&A methodology is described in a document known as Special Publication 800-37. While many civilian agencies have traditionally used either the DIACAP or NIST methodologies, the current trend is that most agencies are moving away from DIACAP to embrace the new NIST Risk Management Framework methodology.

Both methodologies take into consideration the entire system, network, and application lifecycle from a security standpoint.

Capricorn Services
Capricorn reviews, advises, recommends, and implements security controls and assessments for all types of controls: Program, Management, Operational, and Technical. Our analysts develop and assess the full scale and scope of the security activities for the systems under assessment.

Our analysts are experienced with applicable statutes such as the Federal Information Security Management Act (FISMA), the Computer Security Act, (Office of Management and Budget) OMB Circulars, and the Clinger-Cohen Act. Our security analysts are often called upon to support IT security policy and implementation in compliance with technical standards from agencies such as the NIST.

Security Services

Certification & Accreditation of systems, programs, technologies (Indications, Analysis and Warnings systems) IAW NIST SP800-37 rev1 (new) and SP 800-53
DIACAP support for DoD C&A Activities
Training of C&A and DIACAP processes
Procedures, policies and guidelines for security personnel
Incident Response & Contingency Planning activities

Certification and Accreditation Services

C&A reviews, audits, and support for FISMA/NIST-based systems for Federal Civilian Agencies utilizing Security Authorization standards from NIST SP 800-37 rev 1 (new)
"Gap" analysis process and procedures for C&A Status reviews and audits which reduces total project time by half
C&A support for Systems to obtain "Authority to Operate" (ATO)
FISMA-based Audits for systems with resultant "return-to-green" status

DoD IA Certification & Accreditation Program (DIACAP)

DIACAP-related C&A activities
"Gap" analysis process and procedures for DIACAP & Risk Assessment Status reviews and audits
DIACAP support for medium and small systems to obtain "Authority to Operate" (ATO) on DoD networks

C&A - DIACAP Training

Proven & Certified (CISSP, CISA, CISM) Technical Instructors
Classes provided include Federal C&A Process, DIACAP process, and FISMA compliance
Additional classes with C&A focus include Business Continuity & Disaster Recovery, Incident Response, Team Management, IA Security Engineering and IA Project Management

Security Policies, Procedures & Guidelines

Documentation reviews for security policies and correlated procedures IAW NIST standards
Develop and provide customers with procedures and policies, IAW NIST and FISMA guidelines systems for Federal Civilian Agencies, such as DOL, OPM and NASA
"Gap" analysis process and procedures for C&A Status reviews of documentation, policies, procedures, guidelines and corporate standards
C&A package development and delivery for Systems which obtained "Authority to Operate" (ATO)

Incident Response & Contingency Planning

Incident Response and Continuity Planning activities for private organizations
Certified Business Continuity practitioner on staff
Forensics Team Management and Incident Response

[ Top ]

DIACAP Process

Closer View

NIST Risk Management Framework

Closer View