What do verification and validation (V&V) and certification and accreditation (C&A) mean? They are indeed jargons, aren’t they?
Take software development project as an example; the software must be verified against solution requirements to confirm if they are implemented correctly, while validated against stakeholder and business requirements to ensure the effectiveness.
Once the software solution is developed, tested, and delivered, it becomes part of the information system as a whole. The information system must be verified (or certified) to ensure it meets the security requirements. The verification report is the objective evidence for the management to accept the residual risks and authorize (accredit) it into operation.
The traditional Certification and Accreditation (C&A) process is transformed into the six-step Risk Management Framework (RMF). Please refer to the latest revision of NIST SP 800-37 for details.
Added on 2020/07/21:
C&A can be applied to IT products (CC), management systems (ISO 27001, ISO 22301, or ISO 9001), engineering/procurement/service capabilities (CMMI), or people competency (CISSP).
Certification is typically conducted by independent or 3rd party through evaluation against agreed standards. The evaluation result is accredited by trusted authorities. C&A is the core element of assurance.
In the private sector, C&A is not quite fit for in-house information systems in most companies. I prefer using V&V. Verifying if the system is implemented correctly by internal team members, and validating if it is implemented effectively to solve users’ problems or meet their requirements and accepted by external users. The system is then authorized (some may use the term, accredited) to operate.
I’d summarize the key concept as follows: C&A is about the product’s trustworthiness, customer’s confidence, and authority’s assurance. V&V is about doing things right (correctness) and doing the right things (effectiveness).
Added on 2020/07/30:
There were various information system certification and accreditation processes across the US federal agencies, such as DITSCAP, DIACAP, NIACAP, NISCAP, and DCID 6/3. Those legacy C&A processes can be confusing because of the diversity and inconsistency across agencies. For example, the obsolete DITSCAP C&A process treated V&V as phases in its C&A process. Thanks to the NIST RMF (SP 800-37 R2), it becomes the latest and unified version of C&A.
The NIST RMF is integrated with the SDLC detailed in NIST SP 800-160 v1, which is aligned with the SDLC introduced in ISO 15288. In other words, terminologies certification and accreditation are not used in the NIST RMF any more. C&A (Certification and Accreditation) is replaced by A&A (Assessment and Authorization) in RMF and V&V (Verification and Validation) in ISO 15288.
I would conclude,
- Verification and Validation (V&V) are informal engineering processes.
- Certification and Accreditation (C&A) are formal assurance processes.
- Every system should go through V&V, but not every organization requires C&A.