SA-10-009 Deployment Certification

Issue Date:  9/15/2009

Revision Effective Date:  3/15/2010


To provide for the content and format for a deployment certification.


A Deployment Certification shall be provided by an agency authorizing official using the following format:


From:    [AUTHORIZING OFFICIAL]                                            Date: [          ]

Thru:     Senior Agency Information Security Officer

To:          Information System Owner

Subject: Deployment Certification - Authorization to Operate [INFORMATION SYSTEM]

After reviewing the results of the security certification of the [INFORMATION SYSTEM] and its constituent system-level components (if applicable) located at [LOCATION] and the supporting evidence provided in the associated security accreditation package (including the current system security plan, the security assessment report, and the plan of action and milestones), I have determined that the risk to agency operations, agency assets, or individuals resulting from the operation of the information system is acceptable. Accordingly, I am issuing an authorization to operate the information system in its existing operating environment. The information system is accredited without any significant restrictions or limitations. This security accreditation is my formal declaration that adequate security controls have been implemented in the information system and that a satisfactory level of security is present in the system.

The security accreditation of the information system will remain in effect as long as: (i) the required security status reports for the system are submitted to this office every [TIME PERIOD]; (ii) the vulnerabilities reported during the continuous monitoring process do not result in additional agency-level risk which is deemed unacceptable; and (iii) the system has not exceeded the maximum allowable time period between security accreditations in accordance with federal or agency policy.

A copy of this letter with all supporting security certification and accreditation documentation should be retained in accordance with the agency’s record retention schedule.






Placing Applications into Production (SA-10-001)


“Guide for the Security Certification and Accreditation of Federal Information Systems”, NIST Special Publication 800-37, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, MD


Deployment Certification - This Certification is an explicit go-live decision to place a new or modified application into production and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of business, system and security requirements. The Deployment Certification should be proceduralized as an essential component of the project quality assurance lifecycle, as well as the procurement and contracting processes, and any related product or service contract should include a payment holdback provision subject to acquiring Deployment Certification.  Deployment Certification is required prior to initial deployment, with updates, at least every three years or more often at each instance of change to any component of a deployed application.

Authorizing Official - Official with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets or individuals.