Assessment & Authorization

U.S. federal agencies are mandated by the Federal Information Security Management Act (FISMA) to understand the security risks posed to their infrastructure and to take appropriate actions to mitigate those risks. Security Assessment and Authorization (SA&A), formerly Certification and Accreditation (C&A), is the process by which federal agencies evaluate their information technology infrastructure and document the evidence necessary for security assurance accreditation. Working through the SA&A process can be a heavy lift, and many agencies require additional resources to meet their SA&A needs.

Assessment is the process of evaluating, testing, and examining security controls that have been pre-determined based on the data type in an information system. The evaluation process compares the current system’s security posture with specific standards. The assessment process ensures that security weaknesses are identified and plans for mitigation strategies are in place.

Authorization, on the other hand, is the process of accepting the residual risks associated with the continued operation of a system and granting approval to operate for a specified period of time.

We have developed SA&A packages for over 30 General Support Systems and Major Applications in accordance with NIST 800-53 R4 and the Risk Management Framework (RMF).