Primary Roles and Responsibilities

Certifying Agent

Certifying Agent: The certifying agent is the independent authority charged with assessing the security controls protecting a specific information system to determine if they are implemented correctly, are operating as intended and produce the desired outcome. The certifying agent also recommends corrective action to reduce or eliminate vulnerabilities in assessed controls. To ensure independence, this role is normally performed by an individual assigned to another part of the organization or who is a contractor or consultant tasked with performing this function on a short-term This position is referred to as the security control assessor in NIST guidance.

Approving Authority

Approving Authority: The approving authority, accrediting official, authorizing official, or designated approving authority (DAA) is the senior management official responsible for deciding if a system should be allowed to operate. Inherent in this role is the responsibility for accepting any residual risks to the system. The approving authority is the executive who has the authority and ability to evaluate a system's security risks. This normally requires budget authority over the system, oversight of business processes supported by the systems, and knowledge required to determine the acceptable level of risk to the agency that operation of the system may present. In government agencies, only a government employee may serve as an approving authority. This position is referred to as the authorizing official in NIST guidance

Chief information security officer (CISO)

Chief Information Security Officer: The CISO normally serves as the organization's senior agency information security officer (SAISO) as required by FISMA. The CISO's primary responsibility is information security, and he or she carries out the FISMA-related functions assigned to the CIO. The CISO exercises overall responsibility for the organization's information technology security-related programs, such as risk management, policy development and compliance monitoring, security awareness, incident investigation and reporting, and often contingency planning. The CISO is normally charged with responsibility for the enterprise-wide system authorization program as well. The CISO's system authorization responsibilities include establishingthe program and ensuring enforcement of program-related policies. FisMA requires the CISO to possess necessary professional qualifications and to be in charge of the agency information security office. This position is referred to as the senior information security officer in NIST guidance.

Information System Security Officer

Information System Security Officer: The Isso serves as the principal staff advisor to the system owner, who appoints the ISSO. Under the system owner's authority, the ISSO is responsible for securing the system and managing all security aspects of the system. The Isso closely monitors the day-to-day security of the system as well as routinely monitors the effectiveness of controls. He or she controls security mechanisms, performs security activities and tasks, develops and enforces security procedures for the system, follows up on incidents, and advises the system owner on security-related matters. The ISSO plays the most significant role in the certification of the system by serving as the point of contact for the certifying agent and assembling the security accreditation package.

System Owner

System Owner: The system owner is the official who bears the primary responsibility for the security of an information system. The system owner establishes the sensitivity level of the system based on the data it processes and thus establishes the basis for the kinds of controls needed to protect the system. The system owner exercises this responsibility over the full life cycle of the system from its initial development to its final disposition. system owner ensures that controls are implemented, requests resources to ensure implementation is accomplished, oversees the continued effectiveness of controls day to day, and oversees remediation of weaknesses in controls. The system owner initiates system authorization activities, ensures that resources are available, prepares the system security plans, and monitors preparation of the accreditation package from initiation to final system accreditation. The relationship between the owners of the major application and general support system owners must be close and well defined. Because major applications are normally connected to or hosted on a general support system, the owner of the major application must to a large degree rely on the owner of that supporting system to provide a substantial amount of the for his her application