A Question about V&V and C&A

This question was posted by G M Faruk Ahmed in my group, Effective CISSP. As far as I know, it’s a classic question that has been discussed and debated for quite a long time and came with a suggested answer of C, but I can’t entirely agree with it. My suggested answer is A. Certification.

V&V and C&A

Verification and Validation (V&V) are terms used in systems engineering. Certification and Accreditation (C&A) are terms used in assurance. The Verification process emphasizes evaluating the system’s compliance with its specifications (or system requirements) for correctness. Certification emphasizes an independent evaluation, which can be performed by independent external parties or by internal authorities.

NIST SP 800-160 V1 and ISO 15288

Certification is “a comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.” (NIST Glossary)

Verification refers to “confirmation, through the provision of objective evidence, that specified requirements have been fulfilled (e.g., an entity’s requirements have been correctly defined, or an entity’s attributes have been correctly presented; or a procedure or function performs as intended and leads to the expected outcome).” (NIST Glossary)

Verification and Validation (V&V)
Certification and Accreditation (C&A)

Assessment and Authorization (A&A)

A&A in the NIST RMF

The Obsolete DITSCAP

The obsolete DITSCAP treats V&V as phases and C&A as tasks conducted in the V&V phases.

DITSCAP Verification
DITSCAP Validation
