This question is posted by G M Faruk Ahmed in my group, Effective CISSP. As far as I know, it’s a classic question discussed and debated for quite a long time and came with a suggested answer C, but I can’t entirely agree with it. My suggested answer is A. Certification.
V&V and C&A
Verification and Validation (V&V) are terminologies used in system engineering. Certification and Accreditation (C&A) are used in assurance. The Verification process emphasizes evaluating compliance of the system with its specifications (or system requirements) for correctness. Certification emphasizes independent evaluation that can be done by independent external parties or internal authorities.
Certification is “a comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.” (NIST Glossary)
Verification refers to “confirmation, through the provision of objective evidence, that specified requirements have been fulfilled (e.g., an entity’s requirements have been correctly defined, or an entity’s attributes have been correctly presented; or a procedure or function performs as intended and leads to the expected outcome).” (NIST Glossary)
Assessment and Authorization (A&A)
RMF Transition
There existed various C&A systems for information systems in the US government. However, they are evolved and converged into the RMF nowadays.
- DoD 5200.40 (DITSCAP)
- DoD 8510.01 (DIACAP)
- CNSSP No. 22 (superseded NIACAP)
- DCID 6/3 Policy (Manual)
The Obsolete DITSCAP
The obsolete DITSCAP treats V&V as phases and C&A as tasks conducted in the V&V phases.