Handbook AS-805-A-Information Resource Certification and Accreditation (C&A) Process
June 2015

Transmittal Letter 1 Introduction 1-1 About This Handbook 1-2 Purpose of Certification and Accreditation 1-3 Importance of Certification and Accreditation 1-4 Supporting Documentation 2 Roles and Responsibilities 2-1 Chief Inspector 2-2 Executive Vice President and Chief Information Officer 2-3 Vice President, Information Technology 2-4 Manager, Computer Operations 2-5 Manager, Corporate Information Security Office 2-6 Vice Presidents of Functional Business Areas 2-7 Executive Sponsors 2-8 Business Relationship Management Portfolio Managers 2-9 Project Managers 2-10 Chief Privacy Officer 2-11 Certifier 2-12 Accreditor 2-13 Information Systems Security Officers 2-14 Information Systems Security Representatives 2-15 Contracting Officers and Contracting Officer Representatives 2-16 Business Partners 2-17 Disaster Recovery Services 2-18 Functional System Coordinators 2-19 Functional System Gatekeepers 3 Information Designation and Control 3-1 Elements of the Certification and Accreditation Process 3-2 What the Certification and Accreditation Process Applies To 3-3 Frequency of Certification and Accreditation 3-4 Funding 3-5 Certification and Accreditation Core Team

4 Certification and Accreditation Process 4-1 Phase 1 — Initiate and Plan 4-2 Phase 2 — Requirements 4-3 Phase 3 — Design 4-4 Phase 4 — Build 4-5 Phase 5 – System Integration Testing 4-6 Phase 6 – Customer Acceptance Testing 4-7 Phase 7 — Governance Compliance 4-8 Phase 8 — Release and Production 4-9 Phase 9 — Retire 5 Independent Reviews 5-1 Independent Security Code Reviews 5-2 Independent Information Security Risk Assessments 5-3 Independent Vulnerability Scans 5-4 Independent Penetration Testing 5-5 Independent Security Test Validation 6 Re-Initiating the Certification and Accreditation 6-1 Purpose 6-2 Criteria Forcing Security Recertification 6-3 Process 7 Assessment of Offsite Hosted Solutions 7-1 Purpose 7-2 Process