Where did it go wrong?

The whole idea of the Certification & Accreditation (C&A for short) process within the government started out as a fundamentally sound plan. Unfortunately, as everything began to unfold over time, it quickly turned into a convoluted and burdensome process for any Information System Security Officer (ISSO). Each agency is required to meet the controls that are drawn from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53. The issue is not necessarily in the controls that are required to be met but in the interpretations that are handed down to sub-agencies from their parent agency. Not every sub-agency operates in the same manner, but many times each parent agency treats all sub-agencies the same regardless of the function of the sub-agency.

Luckily, there is a solution, although it is easier said than implemented. That solution is to allow the sub-agencies to adapt the NIST SP 800-53 controls to their specific environments and then get approval for their adaptations from their parent agency. Even though this solution is obviously neither definitive nor fool-proof, it allows the already existing C&A infrastructure to be used as seen fit while also allowing the modifications the sub-agencies need. I'm not saying this would be an easy task, but in the end the C&A process that started out so promising could once again be a good plan.

NOTE: This is not the only thing about the C&A process that needs work, but keep checking back with us to find out what else could be done to better improve the process.