I'm going to give a presentation today about C&A efforts to our company's sales staff. I thought I'd start with a description of what a C&A is.
These are my definitions based on other standard definitions like NIST and others. What do you think of them?
Certification: A formal evaluation, in support of an accreditation, of a computer system's safeguards to determine whether it meets a specific set of security requirements.
Accreditation: A formal decision by an approving authority that a computer system is approved to operate at an acceptable level of risk based on a set of specific requirements.
C&A: A process that ensures a system meets a formal set of security requirements.