What Is a System Security Authorization Agreement (SSAA)?
FIPS 102 (the 1983 NIST guideline for computer security certification and accreditation) describes certifying a system through a six-step technical security evaluation. In the certification and accreditation (C&A) process that grew out of it, configuration management and control is performed by the people responsible for day-to-day operation of the system: the Information System Owner (ISO), the Information System Security Officer (ISSO) and the Configuration Control Board (CCB).

The CCB exists to track and control changes to the system. While it is possible to have a separate CCB for each system, most organizations find it more efficient to have one or more CCBs that oversee many different but related systems. The board evaluates and approves proposed changes to the system; these approvals must be granted before the changes are actually applied, not after. The ISO and ISSO monitor the approved changes and determine their security implications. The ISSO informs the ISM or the authorizing official (AO) about each change so that it can be decided whether it constitutes a significant security-relevant change, which would require the system to re-enter the C&A process and could result in a reduced or terminated authorization decision.

The certifier determines whether a system is ready for certification and performs the certification itself: a comprehensive assessment of the technical and non-technical security features of the system. At the end of the certification effort, the certifier reports the certification status and recommends to the Designated Approving Authority (DAA) whether to accredit the system on the basis of the documented residual risk.

In 1999, the Common Criteria were revised to align with ISO/IEC 15408, the international standard for IT security evaluation criteria.
The DoD instruction that defines DITSCAP and gives an overview of the SSAA document is DoDI 5200.40, issued in December 1997. The DITSCAP Application Manual (DoD 8510.1-M), published in July 2000, provides further detail. Many roles are involved in the C&A process; several of them, for example System Owner, System Manager, Configuration Manager, System Administrator and Risk Analyst, are defined in other chapters of this book.

The British standard BS 7799 Part 1 became, in 2000, the ISO/IEC Code of Practice for Information Security Management, ISO/IEC 17799. ISO/IEC 17799 organizes information security into ten main control areas.

DITSCAP Phase 4 (post-accreditation) continues until the information system is removed from service, a major revision is made, or periodic compliance validation is required.