I am interested in learning what are the C&A versus DIACAP criterias when evaluating a system? Please refer to question below.
Assume you are doing the Certification & Accreditation (C&A) on a Department of Defense system. Which “activity” (if any) of the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) do the following tasks fit into? Explain briefly.
a.Risk analysis for possible leaks of Secret data to outsiders (e. g., Wikileaks)
b.Assessment of the security of a crypto-token for system access
c.Physical Security of the installation site
d.Software security testing processes for commercial software
e.Security assessment of software upgrades & patches