IT Governance Launches Guide to C&A Transformation

Press Releases - 16th November 2009

Allentown, PA, November 16, 2009 – IT Governance, the one-stop shop for information security compliance, is now publishing a comprehensive guide to the new Federal, Department of Defense and Intelligence Community ‘Certification and Accreditation’ (C&A) process.

C&A (also sometimes known as ‘Authorization’) stretches across the Department of Defense (DoD), the Office of the Director of National Intelligence (DNI), the Committee on National Security Systems (CNSS), the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB). The new C&A practices will reduce redundant activity and unnecessary documentation, and will shorten the overall process that has historically affected DoD procurement. The new procedures will also ensure system certifications and accreditations accomplished by one agency are valid for all agencies. This C&A transformation will therefore drive decision-making based on sound risk management principles, will incorporate security into common lifecycles that are approved and used by all DoD/Intelligence Community (IC) enterprises, and will eliminate wasteful and redundant processes and paperwork.

The goals of the C&A transformation include:

  • the definition of a common set of trust levels for the IC and DoD to jointly apply to systems;
  • the adoption of reciprocity to facilitate system re-use;
  • the definition of common security controls and a common lexicon;
  • looking beyond individual systems or events in risk assessments;
  • the design and operation of information security as a coherent whole across the enterprise environment; and
  • the institution of a common process for the IC and DoD to incorporate security within lifecycle processes.

It is essential for information security professionals to understand this huge and complex body of work. ‘The Definitive Guide to the C&A Transformation’ is the first comprehensive manual that sets out to explain the current standards and best practices. The book provides all the information needed to recognise, implement and manage the relevant authorization requirements, and therefore to achieve compliance with federal, local and agency laws and policies.

Alan Calder, Chief Executive of IT Governance, says: “The tools and tactics used to fight the information war have evolved with advances in technology. The defense of critical information systems must therefore evolve as well. The ‘Certification and Accreditation’ transformation will revolutionise how information security is carried out across the DoD/IC. No other book provides such authoritative guidance on these emerging requirements.”

Dr. Julie Mehan and Mr. Waylon Krush, the authors of the book, together offer more than 35 years of experience in developing C&A policies and providing direct help to organizations.

Dr. Mehan says: “At its best, C&A can be extremely effective in protecting the information network. At its worst, it can be cumbersome, laborious and costly, without providing any real security value. The challenges of executing ‘Certification and Accreditation’ within an agency or large enterprise have been staggering and often cost-prohibitive, primarily because traditionally the implementation of C&A has varied not only from site to site or agency to agency, but even within a single agency or organization.”

Mr. Krush adds: “We recognise that a dynamic threat environment necessitates a transformation to more efficient and integrated processes, to ensure C&A represents a truly relevant part of an information systems security program. It is critical that organizations integrate a process that allows them to develop and maintain more resilient systems. This book helps organizations to take that journey. There are hundreds of documents, amounting to thousands of pages, of laws, regulations, policies and guidance that state the requirements for the C&A or the Federal ‘Authorization’ process. Our book compresses and translates those requirements into a usable step-by-step guide.”

Each chapter not only provides a list of related references but also offers recommendations for additional reading. Furthermore, each section refers to relevant templates and references that are included in a usable format on an accompanying CD.

‘The Definitive Guide to the C&A Transformation’ is ideal for security practitioners, system administrators, managers, standards developers, evaluators, testers and, indeed, anybody seeking to learn more about establishing and maintaining a secure information environment.

Details of how to buy ‘The Definitive Guide to the C&A Transformation’, priced at $69.95 (ISBN: 9781849280068), as well as the CD that accompanies the book, priced at $19.95, (ISBN: 9781849280228), can be found at: