Accreditation is required for all sensitive and classified DOC general support and application systems. New IT systems or those not fully operational shall complete all requirements and be accredited prior to full implementation.
All sensitive and classified DOC IT general support or application systems will be accredited. The term accreditation describes the process whereby information pertaining to the security of a system is developed, analyzed and submitted for approval to the appropriate senior management official identified in this document as the Designated Approving Authority (DAA). Section 4 of the "DOC IT Security Manual," identifies the required steps in the accreditation process. The DAA will review the accreditation support documentation and either concur, thereby declaring that a satisfactory level of operational security is present or not concur, indicating that the level of risk either has not been adequately defined or reduced to an acceptable level for operational requirements. The DAA will sign a formal accreditation statement declaring that the system appears to be operating at an acceptable level of risk, or defining any conditions or constraints that are required for appropriate system protection. Sample accreditation statements are contained in Section 4 of the "DOC IT Security Manual."
Security of classified IT systems operated by, or in support of DOC programs is the responsibility of the Department and these systems must be accredited in accordance with the requirements defined in this policy. Approvals granted by external agencies, i.e., Department of State, Department of Defense, Central Intelligence Agency, etc., are not valid authority to operate classified IT systems within the Department. Approvals granted to these systems by DOC, prior to this policy, are no longer in effect and new approval to operate must be granted through the DOC accreditation process.
Interim authority to operate can be granted for a fixed period of time, not to exceed one year. This authority is based on an approved security plan and is contingent on certain conditions being met. The interim authority to operate, while continuing the accreditation process, permits the IT system to meet its operational mission requirements while improving its IT security posture. If the DAA is not satisfied that the IT system is protected at an acceptable level of risk, an interim accreditation can be granted to allow time for implementation of additional controls. Recommendation or request for an interim accreditation may be made by the IT system owner, the operating unit IT Security Officer (ITSO) or the DAA. Interim authority to operate is not a waiver of the requirement for accreditation. The IT system must meet all requirements and be fully accredited by the interim accreditation expiration date. No extensions of interim accreditation can be granted except by the DOC Director for Information Resources Management.
Systems will be reaccredited when major changes occur to the system or every three years, whichever occurs first. Examples of major changes are contained in Section 4 of the "DOC IT Security Manual."
Prior to reaccreditation, an on-site IT security verification review must be conducted by an evaluation team under the direction of the DOC IT Security Manager, the operating unit ITSO or the ITSO of a subordinate organizational unit (i.e., Line Office, Regional Office, Laboratory, etc.). Procedures for conducting IT security verification reviews are contained in Section 5 of the "DOC IT Security Manual."