What do verification and validation (V&V) and certification and accreditation (C&A) mean? They are indeed jargon, aren't they?
Take a software development project as an example: the software must be verified against the solution requirements to confirm that they are implemented correctly, and validated against the stakeholder and business requirements to ensure its effectiveness.
Once the software solution is developed, tested, and delivered, it becomes part of the information system as a whole. The information system must be verified (or certified) to ensure it meets the security requirements. The verification report is the objective evidence on which management accepts the residual risks and authorizes (accredits) the system for operation.
The traditional Certification and Accreditation (C&A) process has been transformed into the six-step Risk Management Framework (RMF). Please refer to the latest revision of NIST SP 800-37 for details.