
Audit Report: IG-0752

January 3, 2007

Certification and Accreditation of Unclassified Information Systems

Information systems are essential to accomplishing the Department of Energy's environmental, energy, and national security-related missions. Actions to protect these systems from increasingly sophisticated attacks have become critically important to the Department and each of its subordinate organizations. The certification and accreditation (C&A) process, required by Federal law and Departmental guidance, is designed to ensure that the agency's information systems are secure before they begin operation and that they remain so throughout their lifecycle. The process involves determining whether system controls are in place and operating as intended, identifying weaknesses, mitigating them to the maximum extent possible, and officially recognizing and accepting the residual risks. C&As must be performed on all systems, and they remain in force for a three-year period unless significant changes are made to the system or its operating environment.