CAP · Question #87
Certification and Accreditation (C&A or CnA) is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing, and authorizing systems prior to or a
The correct answer is A. Certification is a comprehensive assessment of the management, operational, and technical D. Accreditation is the official management decision given by a senior agency official to authorize. In the C&A framework (as defined by NIST and U.S. federal standards): Certification (A) is the comprehensive assessment of the management, operational, and technical security controls in an information system - it is the technical evaluation performed by security professionals to
Question
Certification and Accreditation (C&A or CnA) is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing, and authorizing systems prior to or after a system is in operation. Which of the following statements are true about Certification and Accreditation? Each correct answer represents a complete solution. Choose two.
Options
- ACertification is a comprehensive assessment of the management, operational, and technical
- BAccreditation is a comprehensive assessment of the management, operational, and technical
- CCertification isthe official management decision given by a senior agency official to authorize
- DAccreditation is the official management decision given by a senior agency official to authorize
How the community answered
(35 responses)- A91% (32)
- B6% (2)
- C3% (1)
Explanation
In the C&A framework (as defined by NIST and U.S. federal standards): Certification (A) is the comprehensive assessment of the management, operational, and technical security controls in an information system - it is the technical evaluation performed by security professionals to determine how well controls meet stated requirements. Accreditation (D) is the official management decision given by a senior agency official (the Authorizing Official/DAA) to authorize operation of the information system - it is the formal acceptance of risk. Options B and C swap these definitions incorrectly; B falsely defines accreditation as a technical assessment, and C falsely defines certification as the management authorization decision.
Topics
Community Discussion
No community discussion yet for this question.