
Certification and Accreditation

NIST Special Publication 800-37
Guide for the Security Certification and Accreditation of Federal Information Systems

The purpose of NIST Special Publication 800-37 is to provide guidelines for the security certification and accreditation of information systems supporting the executive agencies of the federal government. These guidelines have been developed to:

  • Enable more consistent, comparable, and repeatable evaluations of security controls applied to federal information systems;
  • Promote a better understanding of enterprise-wide mission risks resulting from the operation of information systems;
  • Create more complete, reliable, and trustworthy information for authorizing officials, facilitating more informed security accreditation decisions; and
  • Help achieve more secure information systems within the federal government, including the critical infrastructure of the United States.

The guidelines provided in Special Publication 800-37 are applicable to all federal information systems other than those systems designated as national security systems as defined in 44 U.S.C., Section 3542. The guidelines have been broadly developed from a technical perspective so as to be complementary to similar guidelines issued by agencies and offices operating or exercising control over national security systems. This publication replaces Federal Information Processing Standards (FIPS) Publication 102, Guidelines for Computer Security Certification and Accreditation, September 1983, which has been rescinded. State, local, and tribal governments as well as private sector organizations comprising the critical infrastructure of the United States are also encouraged to consider the use of these guidelines, as appropriate.