
A Guide to Government Security Mandates

To reverse a trend of weak security in government computer systems, Congress has passed legislation that requires federal agencies to manage the security of their IT systems more effectively. A fundamental component of this improved security management is System Certification. System Certification provides a holistic view of the state of security for each system by identifying the risks associated with the system, identifying the countermeasures implemented to mitigate those risks, explaining how security is implemented, planning for system downtimes and emergencies, and providing a formal plan to improve the security in any one of these areas. This document identifies each major component of the System Certification process and provides an overview of each. It endeavors to give the reader a solid understanding of the certification process, the order in which the steps should be completed, and some lessons learned from actual experience.

1000 (PDF, 2.05MB)

8 May 2003
By Christian Enloe
All papers are copyrighted

No re-posting of papers is permitted
