Problems Confronting Systems Certification and Accreditation
(C&A) of Government Information Systems
By Dr. Daniel Osafo Harrison, D.C.S., Security+.
Systems Certification and Accreditation (C&A), now also known as Assessment and Authorization
(A&A), is the Federal process used to protect government information systems and the sensitive
information stored on them. In the Federal government the process faces many challenges,
including multiple competing standards in the C&A documentation, poor implementation of the
process, failure to treat the C&A process as a project (that is, to apply project management
principles), and frequent, complex changes to the policies that govern it. These challenges create
opportunities for sophisticated attackers to break into government systems and attempt to steal
valuable data. This study was a qualitative case study that analyzed two published cases of
C&A challenges in the federal government, one from the Department of Defense (DoD) and one
from the Department of Veterans Affairs (VA). The results indicate that treating the C&A process
as a managed project is a workable response to the failures behind these breaches.
Keywords: federal government security, information security management, C&A processes,
project management and federal government, Certification and Accreditation.
Introduction
The advent of the Internet makes it possible for attackers in the United States and worldwide to
devise a variety of attack strategies that, when successfully carried out, can bypass the defenses
of enterprise information systems, federal systems included. Part of the reason attackers are able
to find a way into these systems is that federal departments are using flawed Certification and
Accreditation processes (Buszta, 2008). Problems common to C&A programs include multiple
standards for accreditation, poor implementation of the programs, treating the C&A effort as an
isolated information technology activity instead of as a project run under project management
principles, lack of scope definition, lack of foresight, and too many complex changes (Buszta, 2008).
For example, the Department of Veterans Affairs put data on tens of millions of veterans in
jeopardy because of a lack of institutional control over its cyber security evaluation and approval
process (Miller, 2013), and that evaluation and approval step is only one part of the broader C&A
process. To alleviate some of these challenges, running each C&A effort as a full project would be
valuable, because every phase of the process would then have defined steps, owners and
deliverables.
Research Method and Design
The research used a qualitative case study design that examined two federal agencies. The
researcher did not interview individuals but analyzed two case studies found in the literature on
government security. The two cases provided data on how C&A programs failed. The case
studies also provided an understanding of the practices for designing and accrediting secure
systems that may succeed if applied in government programs.
62 Cyber Warnings E-Magazine – September 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide