Accreditation of US Federal Government IT systems is one of many critical aspects of maintaining an Enterprise Security Program at a Federal Agency. It is a very public metric (think FISMA Report Card.) This has led many to decry Certification and Accreditation (C&A) as strictly a paper exercise. However, when administered correctly, it is probably the best risk management tool available to government executives as it forces the agency to identify/classify systems according to criticality and perform an in-depth examination of every system identified.