Information systems need to be evaluated, and they may also need to be certified against a defined set of parameters. Many certification and accreditation standards exist for security assurance; the following topics describe a few important ones.
The Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP) is the standardized approach designed to guide DoD agencies through the certification and accreditation of a single information technology (IT) entity.
There are four phases to the DITSCAP process:
The System Security Authorization Agreement (SSAA) is the document that records the system's specifications, such as its mission, target environment, target architecture, security requirements, and applicable data access policies. The SSAA is the baseline agreement against which all certification and accreditation actions take place.
The National Information Assurance Certification and Accreditation Process (NIACAP) is a process for the certification and accreditation of computer systems that handle US national security information. It is derived from DITSCAP.
The DoD Information Assurance Certification and Accreditation Process (DIACAP) is the standard that superseded DITSCAP; it was published in 2006. DIACAP has itself since been replaced by the DoD Risk Management Framework (RMF), issued as DoDI 8510.01 in 2014.
The Systems Security Engineering Capability Maturity Model (SSE-CMM) is a process maturity model that focuses on how security is engineered into a system or group of systems, specifically within the IT security domain. It is a National Security Agency (NSA) sponsored effort and was later standardized as ISO/IEC 21827.
SSE-CMM defines 11 security engineering process areas. They are as follows:
It defines 11 more process areas covering project and organizational practices. They are as follows: