Joint Strategic Initiative Certification Accreditation Policy Education Essay

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

This document establishes the JSI Security procedure for the security Certification and Accreditation of any IT technology, product, system or application that is to be implemented within JSI which may or may not impact the security of the JSI network, information or assets. To include the conducting of a Security Risk Assessment (SRA) in order to determine if an interim or full security accreditation should be granted through the issuing of Interim Authority to Operate (IATO) or an Authority to Operate (ATO).

This procedure shall be used for certification and accreditation of IT technologies, products, systems or applications. This procedure applies to all tasks related to certification and accreditation conducted by JSI that may result in an IATO or ATO being issued.

2.0 Objective

    This JSI security procedure is published in order to:

  • Define the requirements, processes and procedures as to how security certification and accreditation is to be obtained for the JSI Program.

  • Define the requirements, processes and procedures as to how an SRA is to be conducted by the Information Systems Security Officer (ISSO) or Information System Security Engineer (ISSE).

  • Define the requirements, processes and procedures whereby an IATO or ATO may be issued.

  • Identify roles and responsibilities with respect to applying for security certification and accreditation, generating and evaluating SAQ's SRA's, SNR's, and the issuing of interim or full security accreditation through the use of IATO's and ATO's.

  • Establish consistency whereby a Certification, Accreditation activities and the performance of an SRA by the ISSO or ISSE shall be considered acceptable or implementable across JSI.

3.0 Requirements

Whenever a program involving an IT technology, product, system or application that is to be implemented within JSI which may impact the security of the JSI network, information or assets or proposes a change to the current usage a IT technology, product, system or application within JSI which may impact the security of the JSI network, information or assets, is brought to the attention of a Information System Security Manager (ISSM), this procedure shall be followed. The JSI ISSM shall set priorities and standards as to which programs will receive an SRA, and which programs will receive an SNR.

It is the responsibility of the ISSM/ISSO/ISSE to protect JSI network assets. In order to do so, the Chief Information Officer (CIO) requires all IT technologies, products, systems and applications to be specifically authorized to operate on the JSI network and in compliance with JSI security policies. It is the responsibility of CIO to provide security certification and accreditation of systems in support of this goal.

This procedure is established to provide a mechanism whereby the responsibility for certification and accreditation can be executed uniformly across the JSI Program. It is the task of CIO to certify projects that may impact JSI network assets as to their compliance or non-compliance with JSI security policies and standards. The procedure used for that purpose is the SRA as described in this document. The procedure on the following pages describes the minimum requirements for all SRA's performed by JSI personnel:

Security Risk Assessment Procedures


Responsible Person(s)



Project Owner

Generate summary of requested Project and deliver to CIO.



Receive and review requested architecture change, and determine if a security review is necessary.

If YES, continue

If NO, notify the Project Owner, prepare an SNR and forward to the CIO, copy to the ISSR.



Assign an ISSR to the request.



Assist the Project Owner in determining a suitable security model to meet compliance with JIS security policies. Provide assistance in describing this security model in the C & documentation as applicable.



Conduct an SAQ interview.  Support the Project Owner in completing the SAQ and verify, where practicable, the accuracy and consistency of the information presented.  Additional information requirements (if any) should be defined at this point.


Project Owner

Complete the SAQ & sign.  No alterations to the SAQ may be made after this point.


Project Owner

Email the completed & signed SAQ to the ISSM for signature, with a copy to the ISSR.



ISSR Completes any portions of the SAQ that pertains to them, sign and return directly to the ISSM.



Is the SAQ complete? 

If yes, proceed.

If no, return to Project Owner with comments.



Evaluate information presented.  Prepare the draft IATO or ATO documentation.



Email the completed draft IATO or ATO documents together with the SAQ and any other supporting documents to the ISSM for review and concurrence. 



Evaluate SRA completeness:  Is the information collected sufficient to fully describe the system's policy compliance status and support the conclusion of the CIO? 

If yes, proceed. 

If no, return documents to ISSR for Corrections.



Email draft IATO or ATO together with the SAQ to the CIO for final review.



Approve SAQ:  Is the information presented sufficient to support the conclusions and recommendations of the IATO or ATO?  Has JSI Policy been followed?

If yes, proceed. 

If no, return all documents to ISSM. 


Designated Approval Authority (DAA)

Review IATO or ATO:  Does the IATO or ATO fully describe the relevant policy and risk issues?  Are the conclusions of the CIO supported by the IATO or ATO discussion and operational conditions? 

If yes, proceed. 

If no, return to CIO.



Sign off on IATO or ATO.



Provide signed copies to CIO and ISSM.



Process is concluded.

4.0 Enforcement

This procedure shall be enforced by all JSI Managers and Security Staff responsible for conducting Certification, Accreditation, SRA and, SNR functions.

5.0 Definitions

Cetification and Accreditation:The purpose of Certification and Accreditation (C&A) is to ensure that systems have adequate security commensurate with level of risk. To this end, C&A is the formalized process used to assess the risks and security requirements of the system and determine whether the system's security needs are being met. Specifically, Certification is an assessment of the security controls of the system and Accreditation is a risk-based decision made base on the certification. Security Testing & Evaluation (ST&E) is the process of testing security measures during the Certification process.

Security Assessment Questionnaire (SAQ): Questionnaire filled out by the project Owner to provide information necessary to conduct a Security Risk Assessment (SRA). Information submitted in the SAQ is used to review whether or not a specific project is in compliance with JSI security policies and identify potential security risks in relation to confidentiality, availability, integrity, reliability and personal data protection issues.

Security Risk Assessment (SRA): An analysis of information, test results and research tasks conducted to determine the security risks associated with a project, and the likelihood and potential impact of those risks to the project and the JSI network, information or assets.

Interim Authority to Operate (IATO): An enforceable document issued by the DAA that grants short-term approval for the operation of a specific program. An IATO may be issued after the SRA is completed and a finding of non-compliance and or identification of risk has been made. The IATO identifies the risk mitigation required, whereby it is deemed that the identified risks are remediated to an acceptable level for interim operation of the project. The IATO also identifies the requirements to be implemented by the project in order to achieve satisfactory compliance for the issuance of an ATO. An IATO may be valid for a period of up to six months from the date of issuance. The IATO is normally not renewable.

Authority to Operate (ATO): An enforceable document issued by the JSI DAA that grants security approval for operation of a program. An ATO is issued only after a project has completed the SRA procedure described in this document. An ATO is issued when a project demonstrates satisfactory compliance with JSI Security policies or does not pose an unacceptable risk to JSI when operating within the parameters and conditions described in the ATO. An ATO is issued for no more than three (3) years and is renewable by default. Any alteration to the program within this three (3) year period may invalidate the ATO and may require a review by the ISSM for compliance to policy or exposure to risk.

Statement of No-Review (SNR): A formal statement outlining the justification of the decision by the JSI ISSM not to perform an SRA. An SNR must be approved by the Chief Information Officer (CIO).

6.0 Roles and Responsibilities

This section delineates the roles and responsibilities relating to this procedure.

6.1 Project Owner (PO)

  • Role:

    • Any individual delegated to represent an engineering initiative using or proposing to use IT assets on the JSI Network.

    • Any JSI group for security review or approval, or proposes to use a leveraged service where certification and accreditation is required, or where a technology change requires a firewall change.

  • Responsibility:

    • Provide all information required to complete the Security Assessment Questionnaire (SAQ) in a manner that is accurate, complete and consistent with IT engineering industry best practices.

    • Provide additional information as requested to support the decision to certify a Project in compliance with JSI security policy.

    • Maintain compliance with all requirements described in the ATO or IATO.

6.2 Information Systems Security Representative (ISSR)

  • Role:
    • The individual appointed by the ISSM to conduct the SRA.

  • Responsibility:

    • Conduct the Security Risk Assessment by completing an accurate and complete assessment of a Project's security policy compliance and risk posture.

    • Collect sufficient information to meet the requirements for completing SRA's.

  • Verify, where possible, that the information submitted by the Project Owner is true, complete and consistent.

  • Support the Project Owner in understanding security engineering methodologies, techniques, and technologies to meet the requirements of JSI security policy and provide security engineering expertise and guidance.

  • Propose conditions under which the project may achieve compliance with JSI security policy and/or suggest mitigating/compensating controls to reduce the overall risk.

  • Certify the project as meeting JSI security policy and/or define where the project does not meet JSI security policy.

  • The ISSR does not have any authority to approve or deny approval to operate the project.

  • Process and track the completion of the SRA process as described in this document.

  • Track compliance with the conditions and requirements of the IATO/ATO approval or denial.

6.3 Information Systems Security Manager (ISSM)

  • Role:

    • The individual identified by the CIO as having primary responsibility for managing risk over a particular physical or virtual area of JSI network assets.

  • Responsibility:

    • Ensure that JSI policies and standards in the evaluation of risk and policy compliance are followed uniformly and without exception.

    • Assign ISSR to Projects.

    • Evaluate the IATO or ATO and supporting documentation to ensure that sufficient evidence exists to support the conclusions of the ISSR.

    • Ensure that the operating conditions of an IATO or ATO are tracked and enforced

    • Draft SNR's in accordance with criteria set by the CIO.

6.4 Chief Information Officer (CIO)

  • Role:

    • The individual appointed as the primary technology and architectural lead for JSI.

  • Responsibility:

    • Reviews all SAQ's and IATO or ATO for compliance with the procedural requirements contained in this document.

    • Under direction of the DAA, promulgates criteria for the designation of Projects that are required to undergo the SRA procedure described in this document.

    • Ensures that the procedure described in this document is followed in compliance with JSI security policy, under the direction of the DAA.

    • Enforces compliance with the procedural requirements outlined in this document.

6.5 Designated Approval Authority (DAA)

  • Role:
    • DAA refers to the Senior CIO within DoS that is responsible for the security posture of JSI Networks, Information and Assets.

  • Responsibility:

    • Issues all IATO's and ATO's for operation of a Project on a JSI network asset.