Certification is a requirement for all sensitive and classified DOC general support and application systems. New IT systems or those not fully operational shall complete all certification requirements and be accredited prior to full implementation.
Prior to accreditation, each IT system is to undergo appropriate technical certification evaluations to ensure that it meets all federal and DOC policies, regulations and standards and that all installed security safeguards appear to be adequate and appropriate for the protection requirements of the system. Certification of the system is based on the documented results of the design reviews, system tests, and the recommendations of the testing teams. All systems must include security controls that reflect the true importance of the information processed on the system and/or the government investment embodied in the components of the IT system. Section 3 of the "DOC IT Security Manual," identifies the required actions in the certification process.
Systems will be recertified when substantial changes are made to the system, when changes in requirements result in the need to process data of a higher sensitivity, after the occurrence of a serious security violation which raises questions about the validity of an earlier certification, and in any case no less frequent than three years after the previous certification. Examples of major changes are contained in Sections 3 and 4 of the "DOC IT Security Manual."