nerdexam
(ISC)2

CAP · Question #299

Which of the following is NOT a phase of the security certification and accreditation process?

The correct answer is C. Operation. The NIST security certification and accreditation (C&A) process, as described in NIST SP 800-37, consists of four phases: Phase 1 - Initiation; Phase 2 - Security Certification; Phase 3 - Security Accreditation; Phase 4 - Continuous Monitoring (also called Maintenance). 'Operatio

Security and Privacy Governance, Risk Management, and Compliance Program

Question

Which of the following is NOT a phase of the security certification and accreditation process?

Options

  • AInitiation
  • BSecurity certification
  • COperation
  • DMaintenance

How the community answered

(33 responses)
  • A
    6% (2)
  • B
    3% (1)
  • C
    91% (30)

Explanation

The NIST security certification and accreditation (C&A) process, as described in NIST SP 800-37, consists of four phases: Phase 1 - Initiation; Phase 2 - Security Certification; Phase 3 - Security Accreditation; Phase 4 - Continuous Monitoring (also called Maintenance). 'Operation' is not a named phase of the C&A process. While systems do operate after accreditation, the formal phase is called 'Continuous Monitoring' or 'Maintenance,' not 'Operation.'

Topics

#Security Certification and Accreditation (C&A)#Risk Management Framework (RMF)#C&A Phases#System Authorization Process

Community Discussion

No community discussion yet for this question.

Full CAP Practice