C&A is still a nascent science, and although excellent guidance exists on how to evaluate the risk exposure of federal information systems, agencies are still working on improving their C&A programs. C&A is, however, a large endeavor. Although the process has been proven to reduce risk to federal information systems, many folks new to C&A don't know where to start or how to get going on their C&A projects. Seasoned C&A experts continue to look for new ideas on how to improve their existing processes. This book is the first publication with numerous practical examples than can help you step through the C&A process from beginning to end. I wish this book had existed while I was the Security Staff Director of the FDIC so that I could have provided copies to my staff. - from the Foreword by Sunil J. Porter, Former Security Staff Director of the FDICIn This Book You Will Find:# What Is Certification and Accreditation?# Types of Certification and Accreditation# Understanding the Certification and Accreditation Process# Establishing a Certification and Accreditation Program# Developing a Certification Package# Preparing the Hardware and Software Inventory# Determining the Certification Level# Performing and Preparing the Self-Assessment# Addressing Security Awareness and Training Requirements# Addressing End-User Rules of Behavior# Addressing Incident Response# Performing the Security Tests and Evaluation# Conducting a Privacy Impact Assessment# Performing the Business Risk Assessment Preparing the Business Impact Assessment Developing the Contingency Plan Performing a System Risk Assessment Developing a Configuration Management Plan Preparing the System Security Plan Submitting the C&A Package Evaluating the Certification Package for Accreditation Addressing C&A Findings Improving Your Federal Computer Security Report Card Scores