3 Information Designation and Control

3-1 Elements of the Certification and Accreditation Process

The C&A process is integrated in phases that are conducted with the development and deployment of new information resources using the Waterfall Development Methodology (see Exhibit 3-1):

  1. Phase 1 — Initiate and Plan.
  2. Phase 2 — Requirements.
  3. Phase 3 — Analysis and Design.
  4. Phase 4 — Build.
  5. Phase 5 — System Integration Testing (SIT).
  6. Phase 6 — Customer Acceptance Testing (CAT).
  7. Phase 7 — Governance Compliance.
  8. Phase 8 — Release Management.
  9. Phase 9 — Retire.

The C&A process is also integrated in the phases that are conducted concurrently with the development and deployment of new information resources using the Agile Scrum Development Methodology (see Exhibit 3-1):

  1. Phase 1 — Initiate and Plan.
  2. Phase 2 — Sprint 0-N.
  3. Phase 4 — System Integration Testing (SIT).
  4. Phase 5 — Customer Acceptance Testing (CAT).
  5. Phase 6 — Governance Compliance.
  6. Phase 7 — Release Management.
  7. Phase 8 — Retire.

The C&A process does the following:

  1. Determines the sensitivity and criticality of Postal Service information resources.
  2. Defines information security requirements.
  3. Determines appropriate security controls and processes to satisfy the security requirements.
  4. Tests the effectiveness of implemented security controls and processes.
  5. Evaluates the threats and vulnerabilities associated with the information resources and the risks associated with deployment.
  6. Culminates with certification, risk acceptance, accreditation, and approval to deploy the information resource.

During the release and production phase, the C&A process ensures that the information resource is maintained with the appropriate security and that residual risk is appropriately managed. When the information resource is retired, equipment is sanitized, and sensitive-enhanced and sensitive information is appropriately destroyed.
