David A. Noack, NCC Communications Chairman
1.0 The Purpose of C&A
C&A applies to the General Support Systems (GSS) and Major Applications (MA) that are designed and implemented within an agency. As these systems are built or updated, C&A gives the agency assurance that the security features and components of its GSS or MA will be implemented and operated properly. C&A also provides a standard process for validating the security measures being designed into a system. Finally, C&A gives the organization’s senior management a formal way to evaluate and accept the risks of operating the system with the specific security measures proposed.
For many of my readers, detailed discussions of federal standards and compliance must seem arcane and difficult to follow. Yet the federal market has a huge influence in IT, not simply because of its purchasing power, which is considerable, but because it has traditionally driven the rest of the industry. Once the federal government adopts a practice or procedure, it filters out to all of its contractors and to the industry as a whole. That is why it is critical to follow these discussions.