Recertification Process


Process Owner: Manager, Corporate Information Security Office

Note: An owner must be a PCES-level manager or higher.

This process establishes standard tools and processes for recertification within the Postal Service Technical Environment.

1. PURPOSE

Recertification is the process the Postal Service uses to re-evaluate the protection of its existing technology solutions so that risks associated with deployment can be appropriately managed throughout the life cycle of the solution.

2. SCOPE

Recertification applies to all existing technology solutions (small or field) sponsored by, developed for, or maintained or operated on behalf of the Postal Service, whether or not they are located at a Postal Service facility. Recertification also applies to pilot and proof-of-concept projects.

3. PROCESS DESCRIPTION

Step 1: Revisit Business Impact Assessment (BIA):
The TSPM and ISSO will revisit the existing BIA and check to see if any changes are needed.
Step 2: Perform Risk Assessment:
The existing Risk Assessment will be revisited and will be updated according to any new risks identified for the existing technology solution.
If there were new risks found or changes in the BIA, the process will continue onward through the C&A Process.
Step 3: Obtain Recertification Letter:
If Recertification is not required, the TSPM and ISSO complete the Recertification Exception Letter.

4. PROCESS DIAGRAM

In this section, there is a diagram of the Recertification process. The process steps are stacked vertically; as each process step is completed, there is a downward arrow to the next process step in the sequence. The first process step is “Revisit Business Impact Statement”. The second process step is “Revisit Risk Assessment”. The third process step is a decision point. If this is a new risk, go to the fourth process step, “Go to C&A Process Steps 3-10”. If this is not a new risk, go to the fifth process step, “Obtain Recertification Exception Letter”. There are no further steps for this process.

5. PROCESS INPUTS/OUTPUTS

Inputs

Outputs

6. PROCESS RELATIONSHIPS

The following image is the Recertification process relationships diagram. At the top, the following TSLC (Technology Solution Life Cycle) phases are shown: Initiate & Plan, Technology Solution Requirements, Analysis & Design, Technology Solution Build, Systems Integration Testing (SIT), Customer Acceptance Testing (CAT), and Release Management. There are no steps in the Initiate & Plan phase. In the Requirements phase, the first step is “Revisit Business Impact Assessment”. The next step is “Revisit Risk Assessment” in the Analysis & Design phase. The next step is a decision point in the Analysis & Design phase. If the risk is new, the next step is “Go to C&A Process Steps 3-10” in the Build phase. If the risk is not new, the next step is “Obtain Recertification Letter” in the Analysis & Design phase. There are no steps in the SIT, CAT, and Release Management phases. There are no further steps in this process.

7. ROLES AND RESPONSIBILITIES

Information Systems Security Officers (ISSOs): These individuals are responsible for evaluating the existing technology solutions to see if recertification is necessary.

8. SUPPORTING DOCUMENTATION

None.

9. REVISION HISTORY

Version #1.0
Section(s) Revised:        N/A
Revision Description:      Baseline
Revision Date:               

Version #2.0
Section(s) Revised:        All
Revision Description:     This document was made Section 508 compliant and was converted to HTML.
Revision Date:               FY12/Q3