nerdexam
(ISC)2

CAP · Question #87

Certification and Accreditation (C&A or CnA) is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing, and authorizing systems prior to or a

The correct answer is A. Certification is a comprehensive assessment of the management, operational, and technical D. Accreditation is the official management decision given by a senior agency official to authorize. In the C&A framework (as defined by NIST and U.S. federal standards): Certification (A) is the comprehensive assessment of the management, operational, and technical security controls in an information system - it is the technical evaluation performed by security professionals to

Security and Privacy Governance, Risk Management, and Compliance Program

Question

Certification and Accreditation (C&A or CnA) is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing, and authorizing systems prior to or after a system is in operation. Which of the following statements are true about Certification and Accreditation? Each correct answer represents a complete solution. Choose two.

Options

  • ACertification is a comprehensive assessment of the management, operational, and technical
  • BAccreditation is a comprehensive assessment of the management, operational, and technical
  • CCertification isthe official management decision given by a senior agency official to authorize
  • DAccreditation is the official management decision given by a senior agency official to authorize

How the community answered

(35 responses)
  • A
    91% (32)
  • B
    6% (2)
  • C
    3% (1)

Explanation

In the C&A framework (as defined by NIST and U.S. federal standards): Certification (A) is the comprehensive assessment of the management, operational, and technical security controls in an information system - it is the technical evaluation performed by security professionals to determine how well controls meet stated requirements. Accreditation (D) is the official management decision given by a senior agency official (the Authorizing Official/DAA) to authorize operation of the information system - it is the formal acceptance of risk. Options B and C swap these definitions incorrectly; B falsely defines accreditation as a technical assessment, and C falsely defines certification as the management authorization decision.

Topics

#Certification#Accreditation#C&A process#Authorization to Operate (ATO)

Community Discussion

No community discussion yet for this question.

Full CAP Practice