Wednesday, September 05, 2007


I'm going to give a presentation today about C&A efforts to our company's sales staff. I thought I'd start with a description of what a C&A is.

These are my definitions based on other standard definitions like NIST and others. What do you think of them?


Certification: A formal evaluation, in support of an accreditation, of a computer system's safeguards to determine whether it meets a specific set of security requirements.

Accreditation: A formal decision by an approving authority that a computer system is approved to operate at an acceptable level of risk based on a set of specific requirements.

C&A: A process that ensures a system meets a formal set of security requirements.
