This Guideline is intended for use by ADP managers and technical staff in establishing and carrying out a program and a technical process for computer security certification and accreditation of sensitive computer applications. It identifies and describes the steps involved in performing computer security certification and accreditation; identifies and discusses important issues in managing a computer security certification and accreditation program; identifies and describes the principal functional roles needed within an organization to carry out such a program; and contains sample outlines of an Application Certification Plan and a Security Evaluation Report as well as a sample Accreditation Statement and sensitivity classification scheme. A discussion of recertification and re-accreditation and their relation to change control is also included. The Guideline also relates certification and accreditation to risk analysis, EDP audit, validation, verification and testing (VV&T), and the system life cycle. A comprehensive list of references is included.
FIPS PUB 102