
It is critical that security be included in the design stage of a new application or information system. It costs less to design security into a new system during the design phase than to attempt to “paint it on” later in the life cycle. The security Certification and Accreditation (C&A) process is a formal methodology that examines security risks, threats, and vulnerabilities, as well as the sensitivity and criticality of information, to determine what security controls are necessary to mitigate risk to an acceptable level. The process is established in many organizational directives and During this phase of the project, security documentation should continue to be updated as necessary. The following documents and processes should be addressed:

    Updated System Security Plan (SSP)

    Security Risk Assessment (RA)

    Contingency Planning (CP) and Disaster Recovery Plans (DRP)

    Configuration Management Plan (CMP)

    Interconnection Security Agreements (ISA) for systems that interconnect to other systems

    An Interim Authority to Operate (IATO), which may be required if the prototype or test system will attach to a production network or use live test data during its development

    Security Controls Assessment (SCA, a.k.a., Security Test and Evaluation, or ST&E)

 

At Milestone II, to gain approval for full-scale systems development or acquisition, PMs are expected to focus primarily on rows 3 and 4 of the Framework. This is largely addressed in Chapter 5 of version 2.1 of the One Enterprise Architecture. PMs are expected to revalidate the information addressed at Milestones 0, I, and II.

 

Projects that will involve organizational telecommunications and operations infrastructure should consider the following questions leading up to Milestone II:

Network Capacity Planning:

    What are the project’s performance requirements:

        Average expected volume of traffic?
