Security Certification Phase

From FISMApedia

The Security Certification Phase consists of two tasks: (i) security control assessment; and (ii) security certification documentation. The purpose of this phase is to determine the extent to which the security controls in the information system are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. This phase also addresses specific actions taken or planned to correct deficiencies in the security controls and to reduce or eliminate known vulnerabilities in the information system. Upon successful completion of this phase, the Authorizing Official will have the information needed from the security certification to determine the risk to agency operations, agency assets, or individuals, and thus will be able to render an appropriate security accreditation decision for the information system.