||DoDI 5200.40: DoD Information Technology Security Certification and Accreditation Proc
E3.3.5. SSAA. The objectives of the SSAA, shown in figure E3-6, are to document the conditions of C&A for an IT system. The SSAA is a formal agreement among the DAA(s), the CA, the IT system user representative, and the program manager. It is used throughout the entire DITSCAP to guide actions, document decisions, specify ITSEC requirements, document certification tailoring and level of effort5, identify possible solutions, and maintain operational systems security. The SSAA shall identify all costs relevant to the C&A process and the program manager shall add a C&A funding line item to the program budget to ensure the funds are available. Funding shall cover any travel or program contractor costs associated with certification, test development, testing and accreditation. Where multiple accreditors may be involved, an agreement between the accreditors may be necessary. That agreement must be included with the SSAA. Since the SSAA is an agreement among Government entities, to be binding on the government’s contractors, the provisions must be included in contractual documents between the Government and any
Figure E3-6. SSAA Objectives.
1. Document the formal agreement among the DAA(s), the CA, the user representative, and the program manager.
2. Document all requirements necessary for accreditation.
3. Document all security criteria for use throughout the IT system life-cycle.
4. Minimize documentation requirements by consolidating applicable information into the SSAA (security policy, concept of operations (CONOPS), plans, architecture description, etc.).
5. Document the DITSCAP plan.
E18.104.22.168. The SSAA is intended to reduce the need for extensive documentation by consolidation of security related
documentation into one document. That eliminates the redundancy and potential confusion as multiple documents describe the system, security policy, system and security architecture, etc. When feasible, the SSAA can be tailored to
incorporate other documents as appendices or by reference to the pertinent document. An outline of the SSAA is found in enclosure E6.
E22.214.171.124. Each IT system shall have a SSAA. The physical characteristics
of the SSAA will depend on the system class and level of effort needed for
C&A. The SSAA can be as simple as a single coordinated message or as
complex as a detailed system security plan. For generic accreditation’s, a
single SSAA may be prepared for the system, but the description of the
operating environment will need to reflect each proposed operation location.
The goal is to produce a SSAA that will be the basis of agreement throughout
the system’s life-cycle.
E126.96.36.199. The four parties to the negotiation have the authority to
tailor the SSAA to meet the characteristics of the IT, operational
requirements, security policy, and prudent risk management. The SSAA must be
flexible enough to permit adjustment throughout the system’s life-cycle as
conditions warrant. New requirements may emerge from design necessities,
existing requirements may need to be modified, or the DAA’s overall view of
acceptable risk may change. When that occurs, the program manager, the DAA,
the CA, and the user representative shall ensure the SSAA is updated to
accommodate the new components. Common sense must be applied to the rules.
The SSAA is developed in phase 1 and updated in each phase as the system
development progresses and new information becomes available. In this sense,
the SSAA is regarded as a living document. The completed SSAA contains those
items that must be agreed on by the DAA, the CA, the user representative,
and the program manager. The support organizations must understand each of
these essential items.
5Supporting C&A teams may be useful to support the accreditor.