accreditation document/security plan with guidance on what must be done to improve security.
The accreditation document/security plan contains information of value to an intruder. It
describes the security safeguards used to protect the computer and will give the intruder
information which he can use to defeat those safeguards. Sometime an accreditation
document/security plan will be classified. If unclassified, it will be safeguarded as FOR
OFFICIAL USE ONLY.
Part P: Reaccreditation
A computer is accredited to operate using a prescribed set of security safeguards which are
described in the accreditation document/security plan. The safeguards which will work for a
computer in one location probably won't work for that same computer in another location. Moving a
computer changes the security situation.
If there are any changes which will affect security, the ISSO must initiate a reaccreditation. The
purpose of the reaccreditation is to determine how the change will affect security, and what
additional or different security safeguards must be developed to maintain adequate security of the
system. Then, the accreditation document/security plan is redone and submitted to the DAA for
approval for continued accreditation. There are three situations which may affect security and may
Equipment change: The first situation is an equipment change. An equipment change is when an
accredited computer is replaced with a different computer, or if any computer equipment is added to
the computer. A different computer will probably mean some change in security procedures, and the
ISSO must consider what must be done. If the replacement computer is the same exact model, there
is probably no security impact, but the DAA must still be notified.
Physical change: A physical change is a change to the building or a change in the location of the
computer. If the engineers remove walls or add windows to the building, that's going to affect
security. And, a different location means different physical security. Just moving the computer from
one desk to another in the same office probably doesn't require reaccreditation, but again the DAA
must be notified.
Increase in sensitivity level: Accreditation is authorization to process at a certain sensitivity level. An
increase in sensitivity level will require reaccreditation, in most cases. An increase from US2 to US1
won't require reaccreditation, in most cases. An increase from US2 to US1 won't require much more
security, but an increase from US1 to CS2 is a different story. Any time a computer which is
accredited to process at a particular sensitivity level will be used to process information "in a higher
level, reaccreditation must be considered and the DAA notified.
Reaccreditation: Reaccreditation is required after three years. This is not a "maybe," like for the
other situations; this must be done. There is a need for periodic formal review of a computer
system's security safeguards and procedures, and reaccreditation is also required on a scheduled
basis; three years after accreditation.