1 Available from the National Security Telecommunications And Information Systems Security Committee Secretariat (V503), NSA, 9800 Savage Road STE 6716, Fort Meade MD 20755-6716.

2 Available from the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence, (703) 697-7626.

3 Available from the DISA Information Systems Security Program Management Office, 701 Courthouse Road, Arlington, VA 22204-2199.

4 The term program manager will be used throughout this document to refer to the acquisition organization's program manager during the system acquisition, the system manager during the operation of the system, or the maintenance organization's program manager when a system is undergoing a major change. The DAA is also referred to as the accreditor throughout this document.

5 It is recognized that these managers may choose to designate someone to represent them in the negotiations. (In some cases the DAA may designate the CA to act on his or her behalf.) Unless noted otherwise, the terms will be used interchangeably to mean the principal or their designated representative.

6 Supporting C&A teams may be useful to support the accreditor.

7 An acceptable level of residual risk is based on the relationship of the threat to the system and the information processed, to the information system's mission, environment, and architecture, and to its security objectives (confidentiality, integrity, availability, authenticity, and nonrepudiation).

8 OMB, DoD, Service, and Agency directives have mandatory recertification and reaccreditation requirements. These requirements, which govern the security requisites, shall be included in the SSAA.

9 This description does not attempt to define the management structure within the Department of Defense, Services, or Agencies that may be necessary to oversee the C&A of DoD systems.