PRISM Certification and Accreditation
Does your organization have a comprehensive program that ensures security controls are in place and verified for systems and applications before they go into production? If so, great. If not, we can help.
The Certification and Accreditation process is commonly referred to as "C&A". Federal agencies in the United States must have their IT systems and infrastructure certified and accredited before "live" or production data is introduced. Existing systems must go through the C&A process at the next applicable modification or upgrade.
Background and Purpose
Although mandated only for Federal agencies, the C&A process (or a reasonable substitute) is also useful for private and publicly held companies that want assurance of the security and sustainability of their systems and applications.
The Federal Information Security Management Act (FISMA) requires the development and implementation of an information security program to safeguard information assets, including data. FISMA is specific in its requirements and stipulates that the information security program must include documentation and reports that clearly describe the following:
- Periodic risk assessment
- Information security policies, standards and procedures
- An assessment of threats, including their likelihood and impact
- Policies, standards and procedures for detecting security vulnerabilities
- Evaluation and periodic testing of how well security policies are working
- An inventory of hardware and software assets
- Security awareness training and expected rules of behavior for end users
- An evaluation of technical, management and operational security controls
- Procedures for reporting and responding to security incidents
- A process for planning, tracking and remediating every identified deficiency
- Contingency plans to ensure continuity of operations in the face of disaster
C&A Methodology
Generally, three methodologies are used for C&A initiatives: DIACAP (DoD information systems), NIACAP (national security systems, NSTISSI No. 1000) and NIST (SP 800-37, for federal civilian systems). PRISM Professionals supports all three, and the choice should be driven by your organization's needs and the regime it answers to. If you want to use the C&A process for internal security reviews and certifications, a methodology can be tailored to suit you, using a single methodology or a combination of the three. Note that NIST has since folded C&A into its Risk Management Framework and DoD has replaced DIACAP with the RMF under DoDI 8510.01; the phases below still map directly onto that framework.
The Process
The C&A process generally consists of four distinct phases (the structure below follows NIST SP 800-37). The phases and recommended sub-tasks are:
- Phase I - Initiation
  - Preparation
  - Notification and resource identification
  - System security plan analysis, update and acceptance
- Phase II - Security Certification
  - Security control assessment
  - Security certification documentation
- Phase III - Security Accreditation
  - Security accreditation decision
  - Security accreditation documentation
- Phase IV - Continuous Monitoring
  - Configuration management and control
  - Security control monitoring
  - Status reporting and documentation
Please contact us for more information regarding how our C&A products and services can support your organization.