Information systems are essential to accomplishing the Department of Energy's
environmental, energy, and national security-related missions. Actions to protect these
systems from increasingly sophisticated attacks have become critically important to the
Department and each of its subordinate organizations. The certification and accreditation
(C&A) process, required by Federal law and Departmental guidance, is designed to
ensure that the agency's information systems are secure prior to beginning operation and
that they remain so throughout their lifecycle. The process involves determining whether
system controls are in place and operating as intended, identifying weaknesses,
mitigating them to the maximum extent possible, and officially recognizing and accepting
residual risks. C&As must be performed on all systems, and they remain in force for a
three-year period unless significant changes are made to the system or operating
environment.