Description of this class:
Certification and Accreditation (C&A) of Federal IT Systems: This course explains the basic principles of how to perform a C&A of an IT system. It also explains the new FedRAMP initiative and its influence on cloud computing. The class explains the two roles that are key to this process.
The class will explain the roles of the Certifier and the Information System Security Officer. The class is hands-on: students complete a project and use vulnerability scanning software to perform tasks. The objective of this class is to produce a final document that maps out the security findings for the system. We will also discuss FedRAMP, which is the process by which cloud services are approved for processing Government data.
Text: Risk Management Framework: A Lab-Based Approach to Securing Information Systems (Required)
ISBN-10: 1597499951
ISBN-13: 978-1597499958
NIST Special Publications (These can be downloaded from the NIST Special Publications Website for free)
________________________________________
1. Explain each of the three different ways to assess a security control and give an example of how each one is used.
2. Explain the difference between a General Support System, a Major Application, and a Minor Application, and how you determine the accreditation boundary for each type.
3. Explain how to determine a system's security categorization and why this is important.
4. Explain the process by which you determine the minimum security requirements for a system.
5. Explain why FedRAMP is important to cloud companies. Also, explain what the biggest advantage of the FedRAMP process is.
6. Explain the difference between a PIA and a BIA. Please provide examples of each.
7. Explain what a CP is. Also, in today's world, provide an example of a possible CP solution for the users of an organization. Explain the purpose of the CMP, and then explain the Change Control Process.
8. Please explain why Security Awareness and Training is so important, and explain the difference between the two types. Also, explain why an IRP is needed, explain the steps for handling an issue, and provide an example of an incident.
9. Explain what a ROB is and how it is used in the absence of a technical solution for a security vulnerability.
10. Explain the process of converting "findings" into POA&Ms.