E3.3.4. Negotiation. Negotiation is the process activity of the DITSCAP in which all the participants involved in the information system's development, acquisition, operation, security certification, and accreditation agree on the implementation strategy to be used to satisfy the security requirements identified during system registration. The key parties who must reach agreement during the negotiations are the program manager, the DAA, the CA, and the user representative. The negotiation tasks are shown in figure E3-5.
E3.3.4.1. A review of the initial SSAA is performed by the DAA. The DAA shall conduct a complete review of the draft SSAA and all aspects that may impact C&A. The CA is responsible for the comprehensive evaluation of the technical and nontechnical security features of the IT system. The CA is regarded as the technical expert in the discussions that consider tradeoffs between security requirements, cost, availability, and schedule to manage security risk.
E3.3.4.2. A certification requirements review (CRR) shall be held for the principals involved in the C&A process. As a minimum, the program manager, the user representative, the DAA, and the CA shall attend the CRR. The review shall include the information documented in the SSAA; i.e., mission and system information, operational and security functionality, operational environment, system class, security policy, system security requirements, known security problems or deficiencies, and other security-relevant information. While that review may be held together with other system reviews, the intent of the CRR is to assist the organization responsible for the IT system in preparing for the certification actions. The CRR shall result in an agreement regarding the level of effort and the approach that will be taken to implement the security requirements.
E3.3.4.3. Negotiation is not a consideration of which security requirements to implement and which to delete. For example, any system connected to the DII, or to any network, shall comply with the connection rules of the systems to which it is to be connected. The purpose of negotiation is to ensure that all participants understand their roles and responsibilities and that the SSAA properly and clearly defines the approach and level of effort. Negotiation ends when the responsible organizations adopt the SSAA and concur that those objectives have been reached.