RMF Roles and Responsibilities (Part 1)

Posted on 15-Jul-2015

“The Chief Information Officer, with the support of the senior agency information security officer, works closely with authorizing officials and their designated representatives to ensure that an agency-wide security program is effectively implemented, that the certifications and accreditations required across the agency are accomplished in a timely and cost-effective manner, and that there is centralized reporting of all security-related activities.” - NIST SP 800-37

“A senior management official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations, agency assets, or individuals.” - NIST SP 800-37

“Official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system.” - NIST SP 800-37

“Individual responsible for the installation and maintenance of an information system, providing effective information system utilization, adequate security parameters, and sound implementation of established Information Assurance policy and procedures.” - CNSS Instruction No. 4009

“The information system security officer often plays an active role in developing and updating the system security plan as well as in managing and controlling changes to the system and assessing the security impact of those changes.” - NIST SP 800-37

The certification agent is an individual, group, or organization responsible for conducting a security certification, or comprehensive assessment of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. - NIST SP 800-37

“At the discretion of senior agency officials, certain security certification and accreditation roles may be delegated and if so, appropriately documented. Agency officials may appoint appropriately qualified individuals, to include contractors, to perform the activities associated with any security certification and accreditation role with the exception of the Chief Information Officer and authorizing official. The Chief Information Officer and authorizing official have inherent United States Government authority, and those roles should be assigned to government personnel only. Individuals serving in delegated roles are able to operate with the authority of agency officials within the limits defined for the specific certification and accreditation activities. Agency officials retain ultimate responsibility, however, for the results of actions performed by individuals serving in delegated roles.” - NIST SP 800-37

[Diagram: RMF roles arranged by organizational tier. Top tier: Head of Agency (CEO), Risk Executive Function, AO. Middle tier, split into Program Level and System Level, with columns for Mission, Business Unit, IT, Security, Audit, and IG, and an Independence axis. Roles shown: IA, SCA, SISO, ISSM, ISSO, CIO, SO, SA, BUM, IO, EU, SOD.]

Role mapping, DoDI 8510.01 & 8500.2 to SP 800-37 Rev 1:

DoDI 8510.01 & 8500.2                          SP 800-37 Rev 1
Head of DoD Components                         Head of Agency (CEO)
Principal Accrediting Authority (PAA)          Risk Executive Function and/or Approving Authority (AA)
Senior Information Assurance Officer (SIAO)    Senior Information Security Officer (SISO)
Designated Accrediting Authority (DAA)         Approving Authority (AA)
Systems Manager                                Common Control Provider and/or Systems Owner
Program Manager                                Common Control Provider and/or System Owner
Information Assurance Manager (IAM)            ISSO and/or SISO
Information Assurance Officer (IAO)            Information Systems Security Officer (ISSO)
Certification Agent                            Security Control Assessor

[Slide: certification matrix by specialty area (Management / Risk, Audit, Software Dev, Network / Communications). Certifications listed: CISSP, CISM, CISSP-ISSMP, CAP, CISA, GSNA, SSCP, CASP, Security+, CISSP-ISSEP/ISSAP, CSSLP.]

Level                         Qualifying Certifications
CND Analyst                   GCIA, CEH
CND Infrastructure Support    SSCP, CEH
CND Incident Responder        GCIH, GSIH, CEH
CND Auditor                   CISA, CEH, GSNA
CN-SP Manager                 CISM, CISSP-ISSEP

“The CNSS is directed to assure the security of NSS against technical exploitation by providing: reliable and continuing assessments of threats and vulnerabilities and implementation of effective countermeasures; a technical base within the USG to achieve this security; and support from the private sector to enhance that technical base assuring that information systems security products are available to secure NSS.”