Certification and Accreditation (C&A or CnA) is a process for implementing information security. Which of the following is the correct order of C&A phases in a DITSCAP assessment?
A.
Verification, Definition, Validation, and Post Accreditation
B.
Definition, Verification, Validation, and Post Accreditation
C.
Verification, Validation, Definition, and Post Accreditation
D.
Definition, Validation, Verification, and Post Accreditation
Explanation:
C&A consists of four phases in a DITSCAP assessment. These phases are the same as NIACAP phases. The order of these phases is as follows:
1. Definition: The definition phase is focused on understanding the IS business case, the mission, environment, and architecture. This phase determines the security requirements and level of effort necessary to achieve Certification & Accreditation (C&A).
2. Verification: The second phase confirms the evolving or modified system’s compliance with the information. The verification phase ensures that the fully integrated system will be ready for certification testing.
3. Validation: The third phase confirms abidance of the fully integrated system with the security policy. This phase follows the requirements slated in the SSAA. The objective of the validation phase is to show the required evidence to support the DAA in accreditation process.
4.Post Accreditation: The Post Accreditation is the final phase of DITSCAP assessment and it starts after the system has been certified and accredited for operations. This phase ensures secure system management, operation, and maintenance to save an acceptable level of residual risk.