This is the first post in hopefully a long line to give you my opinions on Certification and Accreditation. If you have reached this site, I will presume that you don't need a course in what FISMA is or how it is implemented. What I want to accomplish is to begin a dialog on conducting C&A.
I myself am a NIST 800 series guy; I have friends who do DITSCAP (transitioning to DIACAP) and DCID 6/3. I am trying to talk them into a couple of posts as well. We'll see how that goes. I've done work for a couple of different agencies and feel like I've got a good handle on things.
In my career thus far, I have found a lot of whitewashing and incomplete testing being conducted. I have found some misunderstandings and missteps. Is a Nessus scan the only scan that should be conducted? Are ST&E procedures required, and to what extent?
But enough about what I want, what do you want? Post a comment and let's get rolling.