nerdexam
(ISC)2

CAP · Question #339

In which of the following DIACAP phases is residual risk analyzed?

The correct answer is B. Phase 4. DIACAP (DoD Information Assurance Certification and Accreditation Process) has five phases: Phase 1 (Initiate and Plan IA C&A), Phase 2 (Implement and Validate Assigned IA Controls), Phase 3 (Make Certification Determination and Accreditation Decision), Phase 4 (Maintain Authorit

Compliance Maintenance

Question

In which of the following DIACAP phases is residual risk analyzed?

Options

  • APhase 2
  • BPhase 4
  • CPhase 5
  • DPhase 3
  • EPhase 1

How the community answered

(21 responses)
  • B
    90% (19)
  • C
    5% (1)
  • D
    5% (1)

Explanation

DIACAP (DoD Information Assurance Certification and Accreditation Process) has five phases: Phase 1 (Initiate and Plan IA C&A), Phase 2 (Implement and Validate Assigned IA Controls), Phase 3 (Make Certification Determination and Accreditation Decision), Phase 4 (Maintain Authority to Operate and Conduct Reviews), and Phase 5 (Decommission). Residual risk - the risk remaining after security controls have been implemented - is analyzed in Phase 4, during ongoing maintenance and periodic reviews of the system's security posture. This is when the organization evaluates whether remaining risks are acceptable and whether the Authority to Operate should be maintained.

Topics

#DIACAP#Residual Risk#Certification and Accreditation (C&A)#Continuous Monitoring

Community Discussion

No community discussion yet for this question.

Full CAP Practice