History
- Priority
- must
- Nov 2018
- Removed
- Removed due to not having a strong reason to be retained. Reaccreditation should be triggered by significant changes to a system or its operating environment, not an arbitrary timeframe.
- 2017
- Agencies must ensure that the period between accreditations of systems does not exceedthree years.
- 2015
- Agencies must ensure that the period between accreditations of systems does not exceedthree years.
- 2010
- Agencies must ensure that the period between accreditations of systems does not exceed three years.
- 2008
- Agencies that have not conducted ICT security re-accreditation for a system within a three year period must conduct a risk assessment at the three year mark and every year thereafter until the system is re-accredited.