What is Certification and Accreditation (C&A)?

Additional policy in support of FISMA is contained in Office of Management and Budget (OMB) Circular A-130, which requires all federal agencies to:

  • Periodically review the security controls in their information systems
  • Authorize system processing prior to operations and periodically thereafter.

The process of reviewing the management, operational and technical security controls of an information system is called certification. The “authorization to operate,” given by a senior official and based on the results of the certification, is called accreditation.

NOTE: The new Risk Management Framework refers to these processes collectively as Security Authorization.