[This is mirrored on Intelink-U]
In a previous post, I traced through the various policy documents that describe the certification and accreditation processes for the Department of Defense, ultimately tracing back to OMB Circular A-130. In summary, “systems” need accreditation, while “applications” do not, and the distinction (per A-130) turns on the highly subjective decision of whether it is a “major” application.
In tracing this definitional tangle, I unwittingly provided a roadmap for how to get your
system “application” on a DoD network without a full-blown Approval To Operate (ATO). I was not trying to provide an easy-out for getting operational without being accredited … although the method is a well-trodden path with a lot of history. I’m was trying to show that our C&A policy is at-least-slightly broken, and we generally don’t even understand it ourselves.
Again, to summarize, this is what not to do: Continue reading