C & A

The Policy on Government Security (PGS) mandates that departments certify and accredit all IT systems prior to operation.  The certification process involves the actual verification of security functionality, while accreditation is the management decision to accept any remaining risks.

The following is a sample list of documents that must be completed for an IT system to obtain certification and accreditation:

  • Statement of Acceptable Risk
  • Concept of Operation (ConOps)
  • Statement of Sensitivity (SoS)
  • Threat and Risk Assessment
  • Business Impact Assessment (BIA)
  • Privacy Impact Assessment (PIA)
  • Certification Plan (Project Plan & Schedule)
  • Security Requirements Traceability Matrix
  • Security Architecture – Conceptual, Logical, Physical and Verification
  • Detailed Security Safeguard Design
  • Design or Safeguards Verification / Design Certifiability Statement
  • Security Testing and Evaluation (ST&E)
  • Vulnerability Assessment / Independent V&V
  • Statement of Compliance
  • Statement of Residual Risks
  • Safeguard Implementation Plan (SIP)
  • Certification Evidence Report
  • Certification Report
  • Letter of Accreditation
