Jargons: V&V and C&A

What do verification and validation (V&V) and certification and accreditation (C&A) mean? They are indeed jargons, aren’t they?

Take software development project as an example; the software must be verified against solution requirements to confirm if they are implemented correctly, while validated against stakeholder and business requirements to ensure the effectiveness.

Once the software solution is developed, tested, and delivered, it becomes part of the information system as a whole. The information system must be verified (or certified) to ensure it meets the security requirements. The verification report is the objective evidence for the management to accept the residual risks and authorize (accredit) it into operation.

The traditional Certification and Accreditation (C&A) process is transformed into the six-step Risk Management Framework (RMF). Please refer to the latest revision of NIST SP 800-37 for details.

Added on 2020/07/21:

C&A can be applied to IT products (CC), management systems (ISO 27001, ISO 22301, or ISO 9001), engineering/procurement/service capabilities (CMMI), or people competency (CISSP).

Certification is typically conducted by independent or 3rd party through evaluation against agreed standards. The evaluation result is accredited by trusted authorities. C&A is the core element of assurance.

In the private sector, C&A is not quite fit for in-house information systems in most companies. I prefer using V&V. Verifying if the system is implemented correctly by internal team members, and validating if it is implemented effectively to solve users’ problems or meet their requirements and accepted by external users. The system is then authorized (some may use the term, accredited) to operate.

I’d summarize the key concept as follows: C&A is about the product’s trustworthiness, customer’s confidence, and authority’s assurance. V&V is about doing things right (correctness) and doing the right things (effectiveness).

Added on 2020/07/30:

There were various information system certification and accreditation processes across the US federal agencies, such as DITSCAP, DIACAP, NIACAP, NISCAP, and DCID 6/3. Those legacy C&A processes can be confusing because of the diversity and inconsistency across agencies. For example, the obsolete DITSCAP C&A process treated V&V as phases in its C&A process. Thanks to the NIST RMF (SP 800-37 R2), it becomes the latest and unified version of C&A.

C&A Systems

The NIST RMF is integrated with the SDLC detailed in NIST SP 800-160 v1, which is aligned with the SDLC introduced in ISO 15288. In other words, terminologies certification and accreditation are not used in the NIST RMF any more. C&A (Certification and Accreditation) is replaced by A&A (Assessment and Authorization) in RMF and V&V (Verification and Validation) in ISO 15288.

I would conclude,

  • Verification and Validation (V&V) are informal engineering processes.
  • Certification and Accreditation (C&A) are formal assurance processes.
  • Every system should go through V&V, but not every organization requires C&A.

NIST SP 800-160 V1 and ISO 15288

References

3 thoughts on “Jargons: V&V and C&A

  1. There’s a question from the Sybex Practice questions book (Chapter 3, question 52) that asks the following question:

    Which one of the following systems assurance processes provides an independent third-party evaluation of a systems’ controls that may be trusted by different organizations?
    A. Certification
    B. Definition
    C. Verification
    D. Accreditation

    I like your explanation that C&A is about the product’s or the system’s trustworthiness by customers and authorities and that V&V is about doing things right and doing the right things. If I use your explanation to answer the question, then my best answer would be A. Certification.

    But the book points the correct answer as C. Verification because “verification may go a step further (than certification) by involving a third-party testing service and compiling results that may be trusted by many different organizations”. In this case, verification would fit into the former explanation regarding C&A.

    Such a confusing topic! 🙂

    • Hi Greg, the Sybex question must set the context in the obsolete DITSCAP which treated V&V as phases of its C&A process. Please refer to my addon on 2020/07/30 in this post. Terminologies need a context to be specific and precise. The latest and unified V&V process is defined by the NIST RMF R2 which is aligned with the SDLC defined in ISO 15288. As a result, the ISO definitions of V&V are more effective nowadays. ISO standards apply to a variety of organizations, so verification can be an internal process as part of the quality control or assurance. It doesn’t have to be conducted by a third party.
      The following link is the obsolete DITSCAP for your information:
      http://www.acqnotes.com/Attachments/DoD%20Instruction%205200.40.pdf

  2. Pingback: CISSP PRACTICE QUESTIONS – 20200623 by Wentz Wu, CISSP-ISSMP,ISSAP,ISSEP/CCSP/CSSLP/CISM/CISA/CEH/PMP/CBAPWentz Wu

Leave a Reply