Assessment and Authorization

Assessment and Authorization (A&A) is required by the Federal Information Security Management Act (FISMA) of 2002. FISMA requires that all systems and applications supporting federal agencies must go through a formal A&A/Certification and Accreditation (C&A) process before being put into production and use. System granted authority to operate (ATO) are recertified every three years thereafter.

Keya staff works with civilian federal agencies to guide them through three essential A&A/C&A processes:  (1) independently evaluate the system’s protection features within their mission and operational environment; (2) certify the technical and non-technical features of a system and security controls; and (3) prepare the agency to receive official accreditation in compliance with agency regulatory mandates. Keya complies with all applicable OMB circulars, NIST Special Publications, and/or agency-specific policies to take federal agencies through a detailed process leading to certification and accreditation.  Keya’s certification assistance involves three phases.

  • Initiation. Keya works closely with the certification agent (Office of the Chief Information Officer) to analyse the security documentation supporting the information system.  The purpose of this phase is to ensure that the Authorizing Official and the agency’s Chief Information Security Officer are in agreement with the contents of the System Security Plan (SSP). All in-place security controls are identified.
  • Assessment. Keya undertakes a comprehensive assessment of the management, operational, and technical security controls in an agency’s information systems and platform IT.  The purpose of this phase is to determine the effectiveness of in-place security controls. This assessment determines if protections and controls are properly designed, implemented correctly, operating as intended, and producing the desired cybersecurity controls.
  • Authorization. Keya works with the certification agent to attain security accreditation by a senior agency official to authorize the operation of an information system with an agreed-upon set of security controls.  The purpose of this phase is to prepare the Security Assessment Report (SAR) to support the Authorizing Officials decision to grant authority to operate.

Keya areas of expertise and assessment include:

  • Risk Assessment and Transitioning to the Risk Management Framework.

    We are assisting clients in their transition from DoD Information Assurance Certification Accreditation Process (DIACAP) to the March 2014 version of DoD Instruction 8510.01, Risk Management Framework for DoD Information Technology. Keya personnel are assisting clients with the transition from Certification and Accreditation (C&A) to the Assessment and Authorization (A&A) process.

    Keya personnel are skilled and knowledgeable in risk management support within the nation’s intelligence community. Assigned personnel have the required security clearances and are experienced assisting client’s transition from Director of Central Intelligence Directive (DCID) 6/3 processes to the more comprehensive Intelligence Community Directive (ICD) 503, Intelligence Community Information Technology Security Risk Management (July 2015) assessment and authorization.


  • Civilian Federal and Health Care Risk Assessments.

    Keya personnel are skilled and highly experienced and provided NIST SP 800-53-compliant risk management support to civilian federal agencies. We are familiar with and have applied a variety of agency unique regulations. With DoD and intelligence community experience Keya personnel are a position to offer a wide array of procedural and product-driven security control solutions to meet every operational need.

    The Health Insurance Portability and Accountability Act (HIPAA) of 1996 require all necessary administrative, technical, and physical controls be implemented to protect the privacy of sensitive patient information. Keya personnel understand HIPAA mandates and are skilled and experienced in meeting the unique needs of defense and civilian agencies providing medical services. With assignments within the DoD medical community and the civilian federal agencies as well Keya personnel have strong qualifications to deliver comprehensive risk management framework assessments and concurrent compliance with HIPAA and other special care mandates within the Federal Government’s medical communities including TRICARE, Department of Veteran Affairs, Department of Health and Human Services, The National Science Foundation, and the National Institutes for Health.