If you are doing Certification & Accreditation then you know it’s all about the documentation.
But its not just about reviewing the documentation that a system is supposed to have. If you’re in the business of getting systems validated sometimes you’ll have to produce the documentation.
An IA Analyst, system security engineer or Information Assurance Officer (IAO) usually documents the results of their security tests. For example, if they run a Retina Scan they will want to generate a report that has the results of that network or system scan.
DoD Information Assurance Certification & Accreditation (DIACAP) Knowledge Service, the Enterprise Information Technology Data Repository (EITDR) and other IT profile databases have very detailed information on what the final Validators are looking for.
If you’re in line with the final validators you will not have much of a problem, because they will approve the system and move it on to the Designated Approval Authority (DAA).