Certification and Accreditation (C&A) is a process for implementing information security. Which statement correctly describes Certification?

Multiple Choice

Explanation:
Certification is the comprehensive assessment of the management, operational, and technical security controls in an information system, performed in support of the accreditation decision. In this phase, assessors review the governance and policies (management controls), the procedures, training, and day-to-day practices (operational controls), and the technical safeguards such as access controls, encryption, audit logging, and system configuration (technical controls). The goal is to determine the extent to which those controls are implemented correctly, operating as intended, and producing the desired outcome with respect to the system's security requirements, so that any residual risk is known. The outcome is an evidence-based statement of the system's security posture, typically captured in a security assessment report, which is why this description best matches what certification entails.

Accreditation is the separate, follow-on step: the official management decision by a senior agency official to authorize the system to operate and to explicitly accept the residual risk identified during certification. Certification therefore informs the authorization decision but does not grant it. Certification is not the retirement or decommissioning of a system, and it is not an agreement for interconnecting systems (that is an Interconnection Security Agreement); those are separate activities. Note that in the current NIST Risk Management Framework the same two activities are called security control assessment and authorization (the Authorization to Operate, or ATO), but the distinction between assessing the controls and formally accepting the risk is unchanged.
