[This is mirrored on Intelink-U]
In a previous post, I traced through the various policy documents that describe the certification and accreditation processes for the Department of Defense, ultimately tracing back to OMB Circular A-130. In summary, “systems” need accreditation, while “applications” do not, and the distinction (per A-130) turns on the highly subjective decision of whether it is a “major” application.
In tracing this definitional tangle, I unwittingly provided a roadmap for how to get your system “application” on a DoD network without a full-blown Approval To Operate (ATO). I was not trying to provide an easy out for getting operational without being accredited … although the method is a well-trodden path with a lot of history. I was trying to show that our C&A policy is at least slightly broken, and we generally don’t even understand it ourselves.
Again, to summarize, this is what not to do: