
CGRC Question #577: Real Exam Question with Answer & Explanation

The correct answer is A: Accreditation is the official management decision given by a senior agency official to authorize.

Security and Privacy Governance, Risk Management, and Compliance Program

Question

Certification and Accreditation (C&A or CnA) is a process for implementing information security. It is a systematic procedure for evaluating, describing, testing, and authorizing systems before or after a system is in operation. Which of the following statements are true about Certification and Accreditation? Each correct answer represents a complete solution. Choose two.

Options

  • A. Accreditation is the official management decision given by a senior agency official to authorize
  • B. Certification is a comprehensive assessment of the management, operational, and technical
  • C. Accreditation is a comprehensive assessment of the management, operational, and technical
  • D. Certification is the official management decision given by a senior agency official to authorize

Explanation

Certification is the technical assessment and evaluation of a system's security, while Accreditation is the formal management decision to authorize system operation based on that assessment. These two components are distinct yet interdependent processes in securing information systems.

Common mistakes.

  • C. This statement incorrectly defines Accreditation as the 'comprehensive assessment'; that description belongs to Certification.
  • D. This statement incorrectly defines Certification as the 'official management decision'; that description belongs to Accreditation.

Concept tested. Certification vs. Accreditation definitions

Reference. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf

Topics

Certification, Accreditation, Risk Management Framework (RMF), Authorization to Operate (ATO)
