System certification is a formal methodology for comprehensive testing and documentation of information system security safeguards, both technical and nontechnical, in a given environment using established evaluation criteria (TCSEC).
Accreditation is an official, written approval for the operation of a specific system in a specific environment as documented in the certification report. Accreditation is normally granted by a senior executive or Designated Approving Authority (DAA). The term DAA is used in the U.S. military and government and is normally a senior official, such as a commanding officer.
System certification and accreditation must be updated when any changes are made to the system or environment and must also be periodically revalidated, which typically happens every three years.
The certification and accreditation process has been formally implemented in U.S. military and government organizations as the Defense Information Technology Security Certification and Accreditation Process (DITSCAP) and National Information Assurance Certification and Accreditation Process (NIACAP), respectively.
The Defense Information Technology Security Certification and Accreditation Process (DITSCAP) formalizes the certification and accreditation process for U.S. DoD information systems through four distinct phases:
Definition: In this phase, security requirements are determined by defining the organization and system’s mission, environment, and architecture.
Verification: This phase ensures that a system undergoing development or modification remains compliant with the System Security Authorization Agreement (SSAA), which is a baseline security configuration document.
Validation: This phase confirms compliance with the SSAA.
Post-accreditation: This phase represents ongoing activities required to maintain compliance and address new and evolving threats throughout a system’s life cycle.
The National Information Assurance Certification and Accreditation Process (NIACAP) formalizes the certification and accreditation process for U.S. government national security information systems. NIACAP consists of four phases (Definition, Verification, Validation, and Post-accreditation) that generally correspond to the DITSCAP phases. Additionally, NIACAP defines three types of accreditation:
Site accreditation: In this phase, all applications and systems at a specific location are evaluated.
Type accreditation: In this phase, a specific application or system for multiple locations is evaluated.
System accreditation: In this phase, a specific application or system at a specific location is evaluated.