Which of the following individuals informs all C&A participants about life cycle actions, security requirements, and documented user needs?

A.
Certification Agent

B.
User representative

C.
DAA

D.
IS program manager

Explanation:

The IS program manager is the primary authorization advocate. He is responsible for the Information Systems (IS) throughout the life cycle of system development. He also ensures that the security requirements are integrated in a way that will result in an acceptable level of risk. He also informs all C&A participants about life cycle actions, security requirements, and documented user needs. The program manager is also responsible for system acquisition, life cycle schedules, funding, system operation, system performance, and maintenance.
Answer option A is incorrect. The Certification Agent is also referred to as the certifier. He provides the technical expertise to conduct the certification throughout the system life cycle. The certifier determines the existing level of residual risk. He also makes an accreditation recommendation to the DAA. He determines whether a system is ready for certification and conducts the certification process. Answer option B is incorrect. A user representative is one who focuses on system availability, access, integrity, functionality, performance, and confidentiality in a Certification and Accreditation (C&A) process.

He is responsible for the identification of operational requirements and for the secure operation of a certified and accredited IS. He represents the user community and assists in the C&A process. He also defines the system’s operations and functional requirements. Answer option C is incorrect. The Designated Approving Authority (DAA), in the United States Department of Defense, is the official with the authority to formally assume responsibility for operating a system at an acceptable level of risk. The DAA is responsible for implementing system security. The DAA can grant the accreditation and can determine that the system’s risks are not at an acceptable level and the system is not ready to be operational.