DoD Certification and Accreditation. The standard DoD approach for identifying information security requirements, providing security solutions, and managing the security of DoD information systems.
— DoDI 8500.2, Information Assurance (IA) Implementation http://www.dtic.mil/whs/directives/corres/pdf/850002p.pdf

If you have an important system (an asset) that is producing, processing, storing or distributing important data, then you need to make sure that it is protected. You need a high level of confidence that the asset and its data are secure: not tampered with, stolen or corrupted.
If you go through IT security training, this is framed as confidentiality, integrity, and availability (aka CIA). You want to make sure your data has confidentiality (trade secrets are protected), is available to its users, and has integrity (is not corrupted).
The process of ensuring assets are secure is known as certification and accreditation (aka C&A). The C&A process consists of evaluating the system's security and then having someone in charge formally accept responsibility for the remaining (residual) risk to that system.
Certification – a comprehensive evaluation and validation of a DoD IS to establish the degree to which it complies with assigned IA controls based on standardized procedures (8510.01, E2.10).
Accreditation Decision – a formal statement by a designated accrediting authority (DAA) regarding acceptance of the risk associated with operating a DoD information system (IS), expressed as an authorization to operate (ATO), interim ATO (IATO), interim authorization to test (IATT), or denial of ATO (DATO) (8510.01, E2.2).
Some form of C&A is done by most major companies and organizations in the private sector and by governments. They may give it different names and use slightly different methods, but they are essentially doing the same thing. They have to do it because their enterprise gets so big that it is impossible to stop every threat and quickly remove every weakness. The best they can do is create a process to manage the risk. That is what C&A is supposed to do.
The problem with certification and accreditation is that it is inefficient, often taking months, thousands of staff hours and millions of dollars. Because so much documentation and coordination is involved, it is often ignored or not done thoroughly.
The certification and accreditation process has been partially automated with online databases, and there has been a move to do away with C&A altogether in favor of a risk management framework.