CISSP-ISSAP · Question #153
Which of the following are the phases of the Certification and Accreditation (C&A) process? Each correct answer represents a complete solution. Choose two.
The correct answer is B. Continuous Monitoring C. Initiation. Certification and Accreditation (C&A) - commonly associated with frameworks like NIST SP 800-37 (RMF) or the older DITSCAP/NIACAP - follows defined phases, two of which are Initiation (C) and Continuous Monitoring (B). Initiation kicks off the C&A process by defining scope, roles
Question
Which of the following are the phases of the Certification and Accreditation (C&A) process? Each correct answer represents a complete solution. Choose two.
Options
- ADetection
- BContinuous Monitoring
- CInitiation
- DAuditing
How the community answered
(43 responses)- A9% (4)
- B88% (38)
- D2% (1)
Explanation
Certification and Accreditation (C&A) - commonly associated with frameworks like NIST SP 800-37 (RMF) or the older DITSCAP/NIACAP - follows defined phases, two of which are Initiation (C) and Continuous Monitoring (B). Initiation kicks off the C&A process by defining scope, roles, and system boundaries, while Continuous Monitoring is the ongoing phase where security controls are tracked after authorization to maintain an acceptable risk posture.
Detection (A) is not a C&A phase - it's a concept from incident response and intrusion detection frameworks (e.g., NIST incident lifecycle: Preparation, Detection, Containment, Recovery). Auditing (D) is a general security activity and a component of logging/accountability, but it is not a named phase in the C&A lifecycle.
Memory tip: Think of C&A as a lifecycle - it starts (Initiation) and never truly ends (Continuous Monitoring). The two wrong answers (Detection, Auditing) belong to incident response and access control, respectively - they're real security concepts, just in the wrong category.
Topics
Community Discussion
No community discussion yet for this question.