Certification and Accreditation
Situation
The Computer Security Act of 1987 requires that all Federal IT systems have risk-based security plans for the information they contain, process, and transmit. The Federal Information Security Management Act (FISMA) of 2002 strengthens NIST's role in this process by requiring that all systems undergo Certification and Accreditation (C&A) in accordance with NIST's published guidelines. Complete C&A guidance necessitates a joint working relationship between NIST, the Government, and the independent companies currently performing C&A.
Analysis
The National Science Foundation (NSF), like most Federal agencies, was faced with the daunting task of meeting the certification and accreditation mandates for all of its general support systems (GSS) and major applications (MA). System 1, as part of the prime contractor's team, worked with NSF personnel to develop a methodology consistent with NIST draft guidance that allowed the C&A team to understand and test the NSF systems. We realized we would need to work with the Designated Approving Authority (DAA) to create the necessary documentation (system boundaries, security test and evaluation (ST&E) results, confidentiality/integrity/availability (CIA) analysis, etc.) to meet the requirements for accrediting the operation of each GSS and MA.
Solution
The above activities were completed using the appropriate NIST SP 800 series and FIPS documents, along with best-practices documentation available through industry sources. Through all steps of the process, System 1 personnel worked closely with the respective system owners to ensure that the activities and recommendations were in keeping with industry and NSF best practices. System 1 also provided a plan of action to improve the documents going forward and recommended additional actions that would enhance the level of security for all NSF systems. One of these was the development and implementation of a configuration management function within NSF. The team also recommended including security personnel in the early stages of systems acquisition so they could provide input into the functional requirements and ensure that future systems included the required security controls. The results of this effort were impressive: NSF's OMB score went from a D in 2002 to an A- in 2003.