The required C&A documentation includes the following:

· An independent Risk Assessment (including final written report) compliant with NIST Special Publication 800-30, draft Risk Management for Information Technology Systems, and conforming to the Department Information Technology Security Risk Assessment Guide, including the Risk Assessment Template included in the Guide.  Each Risk Assessment must also validate a NIST Security Self-Assessment Guide for Information Technology Systems (NIST Special Publication 800-26). 

· Written System Security Plan (SSP) compliant with NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems, conforming to the appropriate Template included in the NIST guide.

· Written Configuration Management (CM) Plan compliant with NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems, and the NIST Special Publication 800-12, An Introduction to Computer Security. The NIST Handbook, the Department Information Technology Security Certification and Accreditation Guide. 

· Written Disaster Recovery Plan (DRP) compliant with NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems, and the NIST Special Publication 800-12, An Introduction to Computer Security. The NIST Handbook, the Department Information Technology Security Certification and Accreditation Guide.  The DRP must satisfy the requirements of the SSP contingency planning section.  As such, it may either be incorporated into the relevant SSP or may be a separate document.  The DRP must be tested and this testing documented as well.

· Written System Security Testing and Evaluation (SST&E) Plan compliant with NIST Special Publication, 800-12, An Introduction to Computer Security. The NIST Handbook, and the Department Information Technology Security Certification and Accreditation Guide.  The SST&E must be executed and the results documented as well.

· Written System Security Authorization Agreement, compliant with NIST Special Publication, 800-12, An Introduction to Computer Security. The NIST Handbook, and the Department Information Technology Security Certification and Accreditation Guide.

The scope of most similar project requirements covers all aspects of the preparing the documentation necessary for Certification and Accreditation, including all the Information Assurance activities requiring to produce this documentation.

Risk Assessments must be compliant with NIST Special Publication 800-30, Risk Management for Information Technology Systems, and conforming to the Department Information Technology Security Risk Assessment Guide. 

The written report of each Risk Assessment should conform to the Risk Assessment Template included in the Guide.  Each Risk Assessment must also validate a NIST Security Self-Assessment Guide for Information Technology Systems (NIST Special Publication 800-26) department that it being assessed.