I added more information about the confusing C&A process into the post, Jargons: V&V and C&A. The newly added materials are included as follows.

Added on 2020/07/30:

There were various information system certification and accreditation processes across the US federal agencies, such as DITSCAP, DIACAP, NIACAP, NISCAP, and DCID 6/3. Those legacy C&A processes can be confusing because of the diversity and inconsistency across agencies. For example, the obsolete DITSCAP C&A process treated V&V as phases in its C&A process. Thanks to the NIST RMF (SP 800-37 R2), it becomes the latest and unified version of C&A.

C&A Systems

The NIST RMF is integrated with the SDLC detailed in NIST SP 800-160 v1, which is aligned with the SDLC introduced in ISO 15288. In other words, terminologies certification and accreditation are not used in the NIST RMF any more. C&A (Certification and Accreditation) is replaced by A&A (Assessment and Authorization) in RMF and V&V (Verification and Validation) in ISO 15288.

NIST SP 800-160 V1 and ISO 15288


1 thought on “V&V, RMF, and ISO SDLC

  1. Pingback: CISSP PRACTICE QUESTIONS – 20201206 - Wentz Wu

Leave a Reply