So here is my question. I've kind of put it in a scenario format. Let's
say I'm creating a "software application" and I'm using the SDLC framework
to build my application and comply with. In this process I want to do
Certification and Accreditation for my application. Can you tell me in what
phase of the process I implement Certification once my application is built? The same applies for Accreditation: once my application is built, in which phase of the SDLC process is the Accreditation step implemented?
-
Unsolved SDLC CISSP Question
-
Wesley,
I hope all is well. So, another great SDLC question. Let's start with a definition of the C&A process so we understand what the steps involve/imply:
Certification and Accreditation (Security Authorization) -
Certification - the process of evaluating the security architecture of the software or system against a predetermined set of security standards or policies. Certification also examines how well the system performs its intended functional requirements.
Accreditation - the acceptance by senior management of the risk associated with operating a system or piece of software for a specified period of time.
Two types: provisional and full.
Provisional is for a specific period and outlines required changes to the applications, system, or accreditation documentation.
Full implies that no changes are required for making the accreditation decision.
NOTE: management may choose to accredit a system that has failed certification or may refuse to accredit a system even if it has been certified correct.
Now, about your scenario. The short answer is that it depends on the methodology being used to drive the SDLC AND the C&A processes, as they are separate and distinct. In the real world we really only see the C&A process in a government/military environment; for the most part it is not a traditional Business/Enterprise process. In addition, C&A has largely gone away and has morphed into the Risk Management Framework (RMF), which is much more widely deployed and used by Business/Enterprise globally today. As a result, it is a bit of a tricky question, and one that you would not traditionally see on the CISSP exam.
Having said that, the answer to your scenario, assuming that the stages of the SDLC are the ones that I have discussed with you in your other question regarding the phases, would be the following:
Certification would normally be ascribed to the TESTING phase activities
Accreditation would normally be ascribed to the DEPLOYMENT phase activities
I hope that helps. Please let me know if you have any other questions as you continue your studying.
Cheers,
Adam