System Authorization Case Study

At the end of fiscal year 2002, the department had received a failing score in its level of compliance with Federal Information Security Management Act (FISMA) standards. The FISMA scorecard indicated that the department’s information technology security program had performed very poorly, particularly...

Bibliographic details
Main author: Howard, Patrick D.
Format: Book chapter
Language: eng
Online access: Full text
Description
Summary: At the end of fiscal year 2002, the department had received a failing score in its level of compliance with Federal Information Security Management Act (FISMA) standards. The FISMA scorecard indicated that the department’s information technology security program had performed very poorly, particularly in the area of system authorization, then referred to as certification and accreditation. Although department management had published system authorization guidance and had documented a certification and accreditation policy, neither had been effectively enforced, and less than 10% of the department’s mission-critical systems and practically none of its noncritical systems were accredited. To that point, most of the department’s certification and accreditation efforts had wisely been focused on life safety systems, which were being effectively managed; high standards for certification testing were being maintained; and effective tracking of risk mitigation was being accomplished.
DOI:10.1201/b12357-12