E3.5.3. Develop Recommendation to the DAA. This process activity
begins after completion of all certification tasks and ends with the
accreditation decision by the DAA. The purpose is to consolidate the findings
developed during certification of the integrated system, submit the CAís
report to the DAA, and produce the DAA accreditation decision.
E18.104.22.168. CAís Recommendation. If the CA concludes that the
integrated IT satisfies the SSAA technical requirements, the CA issues a
system certification. That is a certification that the IT system has
complied with the agreed on security requirements. Supplemental
recommendations also might be made to improve the systemís security posture.
Such recommendations should provide input to future system enhancements and
change management decisions.
E22.214.171.124.1. In some cases, the CA may uncover security deficiencies,
but continue to believe that the short-term system operation will present
no unacceptable risks. The CA may recommend accreditation with the
understanding that deficiencies will be corrected in a specified period.
These deficiencies shall be reflected in the SSAA and an agreement
obtained on the conditions under which the system may be operated and the
date by when the deficiencies will be remedied.
E126.96.36.199.2. If the CA determines that the system does not satisfy the
SSAA and that short-term risks are unacceptable, the CA shall recommend
that the IT system not be