Certification & Accreditation


Certification and Accreditation (C&A) is a formal process for evaluating, describing, testing, and authorizing systems or activities, either before or after a system goes into operation.

Certification is a comprehensive evaluation of a process, system, product, event, or skill, typically measured against some existing norm or standard. Industry and/or trade associations will often create certification programs to test and evaluate the skills of those performing services within the interest area of that association. Testing laboratories may also certify that certain products meet pre-established standards, or governmental agencies may certify that a company is meeting existing regulations (e.g., emission limits).

Accreditation is the formal declaration by a neutral third party that the certification program is administered in a way that meets the relevant norms or standards of the certification program (e.g., NIST 800-37 or ISO/IEC).

VSI can provide a Certification and Accreditation Package for any of the following methodologies, but we prefer using the NIST Risk Management Framework. Note: Certifications other than these are available, but these are the dominant ones.

Europe & Asia

Most of the world uses the ISO 27000 series of documents for a cyber security controls standard.

The International Standards Organization (ISO) is an international body of 161 members, and its standards are the framework of choice for companies that do business internationally. ISO 27001 was developed to allow managers to monitor and control their systems. While many people look to it for cybersecurity, it is important to note that it is a management system first.

ISO 27002 has 114 controls in 14 control groups. In order to be certified, a company must go through an audit by a certified registrar. These audits require the verification of records to prove that the management system is effective, in use, and known to all.

United States

There is no single "approved" accreditation body within the United States. As a result, over the years multiple accreditation bodies have become established to address the accreditation needs of government and of specific industries or market segments. Some of these accreditation services are for-profit entities; however, the majority are not-for-profit bodies that provide accreditation services as part of their mission.

The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive framework to protect government information, operations, and assets against natural or man-made threats. FISMA was signed into law as part of the Electronic Government Act of 2002. FISMA authorized NIST, the National Institute of Standards and Technology, to create a series of documents addressing cyber security. This resulted in the 800 series of documents, which describe United States federal government computer security policies, procedures, and guidelines.

NIST stands for the National Institute of Standards and Technology. NIST was founded in 1901 as a non-regulatory body within the U.S. Department of Commerce.

NIST publishes special publications (SPs) that direct federal agencies on how to securely manage their IT infrastructure. Of special note are the following:

SP 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations) is an exhaustive set of controls, organized into 18 families, that govern IT. It is written specifically for federal government agencies, but the principles can be applied to private organizations.

SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations) is a new standard for private companies with which the government shares information. It is not as exhaustive as SP 800-53, but it cross-references SP 800-53 in many places. It goes into effect Dec 31, 2017, and has 14 families of controls.

SP 800-66 (An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule), as the name states, is the framework for organizations that fall under HIPAA. It covers only the Security Rule, not the Privacy Rule. The Security Rule relates only to electronic information and operationalizes the protections contained in the Privacy Rule.

There are other SPs that go into detail on specific topics such as firewalls and incident response. NIST SPs are available for free download.

NIST - Risk Management Framework (RMF)

1. Categorize information system (NIST SP 800-60)

2. Select security controls (NIST SP 800-53) Focus Area

3. Implement security controls (NIST SP 800-160)

4. Assess security controls (NIST SP 800-53A)

5. Authorize information system (NIST SP 800-37)

6. Monitor security controls (NIST SP 800-137)

NIST – CSF (Cybersecurity Framework) is a collaboration between government and the private sector to promote the protection of critical infrastructure. CSF was created in 2013 under President Obama's Executive Order 13636, Improving Critical Infrastructure Cybersecurity. It consists of 5 logical categories and 97 subcategories.

The CSF works alongside existing risk management programs and supports multiple of them, including:

  • ISO/IEC 27005, Information Security Risk Management

  • ISO/IEC 31000, Risk Management

  • NIST SP 800-39, Managing Information Security Risk

  • Electricity Subsector Cybersecurity Risk Management Process (RMP)

The NIST Special Publications (SP) 800 series are required by Office of Management and Budget (OMB) policies for almost all federal agencies. They are not required for private business. Nevertheless, they form part of the NIST Risk Management Framework (RMF), which is used by many U.S. organizations as the base framework for their own security policy. NIST recently cited a Gartner report stating that the framework is used by 30 percent of U.S. organizations, with projected use of 50 percent by 2020.

The Defense Information Systems Agency (DISA), the cyber security authority for the U.S. Department of Defense, originally developed its own set of cyber security controls and C&A methodology (DITSCAP and DIACAP). In 2014 it instead embraced a combination of more heavily risk-management-focused approaches developed over many years by NIST, including standards for assessment and authorization, risk assessment, risk management, and dynamic continuous monitoring practices.

Control Objectives for Information and Related Technology (COBIT) was created by the Information Systems Audit and Control Association (ISACA) as a framework and supporting tool set that allows managers to bridge the gap between control requirements, technical issues, and business risks.

COBIT is currently at version 5 and can be purchased from the ISACA web site. Previous versions can also be downloaded free of charge after registration. COBIT is one of the most commonly used frameworks for demonstrating compliance with Sarbanes-Oxley.