The CDC Certification and Accreditation (C&A) Process

All information systems developed by CDC’s National Program of Cancer Registries (NPCR) adhere to the standards defined by the National Institute of Standards and Technology (NIST) in Special Publication 800-37 revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach [PDF-485KB]. This publication provides guidelines for the security certification and accreditation (C&A) of information systems supporting the executive agencies of the federal government, and these guidelines apply to all federal information systems except national security systems.

CDC’s C&A process ensures that all information systems made available by CDC to implement the NPCR meet or exceed the C&A accreditation standards when operated with appropriate management review. It requires ongoing security control monitoring and reaccreditations periodically or when there is a significant change to an information system or its environment.

• Security certification is a comprehensive evaluation of CDC’s management, operational, and technical security controls for an information system. It documents the effectiveness of the security controls in a particular operational environment and includes recommendations for new controls to mitigate system vulnerabilities. Security certification results are used to assess risks to the system and update the system’s security plan.
• Security accreditation is CDC management’s official decision to authorize an information system to operate. By accrediting an information system, a CDC official explicitly accepts responsibility for adverse impacts to CDC resulting from the documented risk levels for the system. The certification documents provide the factual basis for a security accreditation decision. CDC officials must have the most complete, accurate, and trustworthy information possible to make credible, risk-based decisions on whether to authorize system operation. A system can be accredited for as long as three years.

Sample CDC C&A Checklist

A generic version of NIST’s checklist is available upon request. This spreadsheet is recommended for state central cancer registries that are using applications that are considered a moderate threat and need security details on the NIST security controls.

Web Plus Security Features and Recommendations

Web Plus is a highly secure application that can be used to transmit confidential patient data between reporting locations and a central registry safely over the Internet. See Security Features in Web Plus for basic information and Maximizing Data Security in Web Plus for technical information.