NOTE:
The accreditation document contains information of value to an unauthorized intruder. At
a minimum, it will be safeguarded as FOR OFFICIAL USE ONLY.
Part E: Accreditation
Our next topic of discussion is a very important part of computer security. The term "accreditation"
is synonymous with "approval to operate." In the Army we must have this approval to operate before
we can use a computer to process any classified or unclassified-sensitive information. This lesson
will introduce you to accreditation, to the Army's accreditation requirements, and the accreditation
process.
Why accreditation? Accreditation is the key to security. Accreditation can be thought of as "an
application for a license to operate," like getting a driver's license to operate a motor vehicle, and the
reason for requiring approval to operate a computer is the same reason you have to have a driver's
license.
Before you can drive a car you have to have a license. To get a license you have to show the
licensing authority (like the Department of Motor Vehicles) that you can operate a car in compliance
with the rules of the road. If you didn't need a driver's license, and anybody could just buy a car and
hit the road, the number of accidents would skyrocket!
Before you can operate an Army computer you have to have an accreditation. To get an
accreditation you have to show the accreditation authority that you can operate that computer in
compliance with the rules of computer security, as specified in AR 380-19. If you didn't need an
accreditation and any unit could just get a computer and start processing classified information, the
number of compromises would skyrocket!
Accreditation is a formal declaration by the DAA that a computer is authorized for operation.
Accreditation is approval for it to process information at one of the sensitivity levels, using a
prescribed set of security safeguards. Basically, accreditation requires that a unit develop security
safeguards, submit them for approval, and begin processing after approval is granted.
Part F: Initial Accreditation
Before we can use a new computer to process any classified or unclassified-sensitive information, it
must be accredited. That's initial accreditation, and that's what Paragraph 2-3a(10), AR 380-19,
means when it states, "Before operation, each computer (except those computers which are
designated as Nonsensitive) will be accredited under a set of security safeguards approved by the
DAA." The term "before operation" means that the computer cannot be used to process any classified
information or any unclassified-sensitive information until the DAA has formally authorized this
processing in writing.
Part G: Accreditation Level
Each computer is designated based on the highest classification or sensitivity of information which is
processed by that computer. Accreditation is authorization to process information at one of the
sensitivity levels. A sensitivity designation, like CS3 or US1, is also referred to as a "sensitivity level."