A. The SSAA is used throughout the entire process. B. The SSAA is a formal agreement among the DAA(s), certifier, user representative, and program manager. C. The SSAA is used only during Phase 3, Validation. D. The SSAA documents the conditions of the C&A for an IS.
The product of the DITSCAP Phase 1 is the System Security Authorization Agreement (SSAA).
The SSAA is a formal agreement among the DAA(s), certifier, user representative, and program manager The objective of the SSAA is to establish an evolving yet binding agreement on the level of security required before the system development begins or changes to a system are made. The SSAA is used throughout the entire C&A process to guide actions, document decisions, specify IA requirements, document certification tailoring and level of effort, identify possible solutions, and maintain operational systems security. After accreditation, the SSAA becomes the baseline security configuration document.