CAP · Question #339
In which of the following DIACAP phases is residual risk analyzed?
The correct answer is B. Phase 4. DIACAP (DoD Information Assurance Certification and Accreditation Process) has five phases: Phase 1 (Initiate and Plan IA C&A), Phase 2 (Implement and Validate Assigned IA Controls), Phase 3 (Make Certification Determination and Accreditation Decision), Phase 4 (Maintain Authorit
Question
In which of the following DIACAP phases is residual risk analyzed?
Options
- APhase 2
- BPhase 4
- CPhase 5
- DPhase 3
- EPhase 1
How the community answered
(21 responses)- B90% (19)
- C5% (1)
- D5% (1)
Explanation
DIACAP (DoD Information Assurance Certification and Accreditation Process) has five phases: Phase 1 (Initiate and Plan IA C&A), Phase 2 (Implement and Validate Assigned IA Controls), Phase 3 (Make Certification Determination and Accreditation Decision), Phase 4 (Maintain Authority to Operate and Conduct Reviews), and Phase 5 (Decommission). Residual risk - the risk remaining after security controls have been implemented - is analyzed in Phase 4, during ongoing maintenance and periodic reviews of the system's security posture. This is when the organization evaluates whether remaining risks are acceptable and whether the Authority to Operate should be maintained.
Topics
Community Discussion
No community discussion yet for this question.