Strategic Security Intelligence

NSTSSI Security Education Standards


Copyright(c), 1995 - Management Analytics and Others - All Rights Reserved

SECTION IV - PREFACE

7. The System Certifier is an individual or a member of a team who performs the
comprehensive multidisciplined assessment of the technical and non-technical security
features and other safeguards of an information system in an operational configuration,
made in support of the accreditation process. The Certifier identifies the assurance levels
achieved in meeting all applicable security policies, standards, and requirements for the
Designated Approving Authority (DAA), who in turn determines whether or not an
information system and/or network is operating within the bounds of specified
requirements and at an acceptable level of risk. For the purposes of this document, we
have defined "System Certifier" to avoid any confusion between it and the Department of
Defense definition of "certification authority," as well as the NSTISSC definition of
"certification agent." In this document, the term "System Certifier" is used as defined

8. The designated Certification Authority (sometimes referred to as "certification
agent," as defined in NSTISSI No. 4009) is ultimately responsible for determining the
correct skill sets required to adequately certify the system, and for identifying personnel to
accomplish the comprehensive evaluation of the technical and non-technical security
features of the system. The scope and the complexity of the information system determine
whether the Certifier will be an individual or a member of a team performing the
certification. The Certifiers' responsibilities evolve as the system progresses through the
life-cycle process. Because an in-depth understanding and application of the certification
and accreditation (C&A) process is required of the System Certifiers, these professionals
operate at the highest level of the Information Technology Security Learning Continuum
model referenced in the National Institute of Standards and Technology (NIST) Special
Publication No. 800-16. According to this model, learning starts with awareness, builds to
training, and evolves into education, the highest level. Overall, the performance items
contained in this training standard are at that advanced level.
9. To be a qualified System Certifier, one must first be formally trained in the
fundamentals of INFOSEC, and have field experience. It is recommended that System
Certifiers have system administrator and/or basic information system security officer
(ISSO) experience, and be familiar with the knowledge, skills and abilities (KSAs) required of
the DAA. Throughout the complex information systems certification process, the Certifiers
exercise a considerable amount of INFOSEC-specific as well as non-INFOSEC-specific
KSAs. ANNEX A lists the actual performance items under each of the System Certifier
KSAs, which in turn are outlined under each of the major job functions. Concomitant
capabilities, provided in ANNEX B, are those capabilities which are exercised while
performing a specified Certifier job function.

10. While this Instruction was developed using the National Information Assurance
Certification and Accreditation Process (NIACAP) as a framework, this training standard
employs common knowledge, skill, and attribute requirements that can be extended to
develop courseware for any certification and accreditation process.