FISMA Certification and Accreditation Handbook

You say it as you understand it.
Johann Friedrich von Schiller, famous German dramatist and poet
The Certification and Accreditation (C&A) process begins when an information system owner recognizes that either an application, system, group of systems, or site requires Accreditation. The information system owner might be an IT operations director, an IT operations manager, a security officer, or an application development manager. When the need for C&A is recognized, it is time to put in motion a plan to carry out and oversee the C&A process.
All general support systems and major applications are required by FISMA and the Office of Management and Budget (OMB) Circular A-130, Appendix III (see Appendix B) to be fully certified and accredited before they are put into production. Production systems and major applications are required to be reaccredited every three years. Going forward we will refer to systems that require C&A (e.g., general support systems and major applications) simply as information systems.
One of the primary objectives of C&A is to force the authorizing official to understand the risks an information system poses to agency operations. Only after understanding the risks can an authorizing official ensure that the information system has received adequate attention to mitigate unacceptable risks. Evaluating risk and documenting the results is something that should be incorporated throughout a system's or application's system development life-cycle. NIST has defined the system development lifecycle to consist of five phases:
System initiation
Development and acquisition
Implementation
Operation...