The challenge of securing U.S. Department of Defense (DoD) information systems has grown significantly. A new approach to information assurance certification and accreditation (IA C&A) is needed to effectively extend the IA C&A process to aggregations of systems and improve their security. An examination of current policy shows that a number of changes could enable the IA C&A of aggregations of DoD information systems on a common platform.