Your company is awarded a contract to develop a customized firewall product for a well-known brand security company. As a security professional, you are a member of the integrated product team. After a workshop for collection and elicitation of protection needs from the customer and stakeholders, you finished specifying security functional and assurance requirements. Which of the following activities conducted by the quality assurance team ensures the product compliant with the specifications? 
A. Certification
B. Accreditation
C. Verification
D. Validation

Wentz’s Book, The Effective CISSP: Security and Risk Management https://www.amazon.com/dp/B087JL6BXR

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Verification.

V&V is a general concept in quality management, while C&A are specific activities of the assurance system. Generally speaking, V&V and C&A can be concluded as follows:

• Verification by internal parties for correctness while validation by external parties for effectiveness.
• Certification by independent parties for trustworthiness wile accreditation by authoritative parties for operation.

This context of this question is, a well-known brand security company sells the firewall product developed by your company, which may or may not be submitted to the authorized lab for certification. It’s not a case that an information system is developed, tested, accepted, and authorized to operate.

V&V

In system or software engineering, the internal quality team verifies our work products for correctness or compliance with the requirement and design specifications, while external users or customers validate them for effectiveness and accept them.

C&A

• IT Products

As the firewall product is sold by a well-known brand security company, it may be submitted to the authorized lab for certification. If it meets the evaluation criteria, it is accredited by an accreditation body. CC is a good example of C&A.

• ISMS

Certification and accreditation of ISO 27001 is another example of C&A for ISMS. A company implements ISO 27001, the requirements of ISMS, can be assessed by third-party independent certification bodies, e.g., SGS, BSI, or TUV, if it passes the audit or assessment, an accreditation body can issue a certificate to the company.

• Information Systems

There existed various C&A systems for information systems in the US government. However, they are evolved and converged into the RMF nowadays.

• DoD 5200.40 (DITSCAP)
• DoD 8510.01 (DIACAP)
• CNSSP No. 22 (superseded NIACAP)
• DCID 6/3 Policy (Manual)

Sybex OSG on C&A

The official CISSP study guide (Sybex) has the following side note:

Certification and accreditation do seem similar, and thus it is often a challenge to understand them. One perspective you might consider is that certification is often an internal verification of security security for the system. Remember that the certification is valid only for a system in a specific environment and configuration. Any changes could invalidate the certification. Once you have certified a security rating for a specific configuration, you are ready to seek acceptance of the system. Management accepts the certified security configuration of a system through the accreditation process.

Conclusion

The context matters. Are we talking about the development, operation, or marketing of an IT product or information system? Is the organization in question in the private sector or government? The terminologies, V&V and C&A, may vary across contexts.

Reference

• Jargons: V&V and C&A
• Overview of the DoD Information Assurance Certification and Accreditation Process ‐ DIACAP