NSTSSI Security Education Standards
SECTION IV - PREFACE

7. The System Certifier is an individual or a member of a team who performs the comprehensive multidisciplined assessment of the technical and non-technical security features and other safeguards of an information system in an operational configuration, made in support of the accreditation process. The Certifier identifies the assurance levels achieved in meeting all applicable security policies, standards, and requirements for the Designated Approving Authority (DAA), who in turn determines whether or not an information system and/or network is operating within the bounds of specified requirements and at an acceptable level of risk. For the purposes of this document, we have defined "System Certifier" to avoid any confusion between it and the Department of Defense definition of "certification authority," as well as the NSTISSC definition of "certification agent." In this document, the term "System Certifier" is used as defined above.

8. The designated Certification Authority (sometimes referred to as "certification agent," as defined in NSTISSI No. 4009) is ultimately responsible for determining the correct skill sets required to adequately certify the system, and for identifying personnel to accomplish the comprehensive evaluation of the technical and non-technical security features of the system. The scope and the complexity of the information system determine whether the Certifier will be an individual or a member of a team performing the certification. The Certifiers' responsibilities evolve as the system progresses through the life-cycle process. Because an in-depth understanding and application of the certification and accreditation (C&A) process is required of System Certifiers, these professionals operate at the highest level of the Information Technology Security Learning Continuum model referenced in the National Institute of Standards and Technology (NIST) Special Publication No. 800-16. According to this model, learning starts with awareness, builds to training, and evolves into education, the highest level. Overall, the performance items contained in this training standard are at that advanced level.

9. To be a qualified System Certifier, one must first be formally trained in the fundamentals of INFOSEC and have field experience. It is recommended that System Certifiers have system administrator and/or basic information system security officer (ISSO) experience, and be familiar with the knowledge, skills, and abilities (KSAs) required of the DAA. Throughout the complex information systems certification process, the Certifiers exercise a considerable amount of INFOSEC-specific as well as non-INFOSEC-specific KSAs. ANNEX A lists the actual performance items under each of the System Certifier KSAs, which in turn are outlined under each of the major job functions. Concomitant capabilities, provided in ANNEX B, are those capabilities which are exercised while performing a specified Certifier job function.

10. While this Instruction was developed using the National Information Assurance Certification and Accreditation Process (NIACAP) as a framework, this training standard employs common knowledge, skill, and attribute requirements that can be extended to develop courseware for any certification and accreditation process.