nerdexam
(ISC)2

CISSP-ISSAP · Question #153

Which of the following are the phases of the Certification and Accreditation (C&A) process? Each correct answer represents a complete solution. Choose two.

The correct answer is B. Continuous Monitoring C. Initiation. Certification and Accreditation (C&A) - commonly associated with frameworks like NIST SP 800-37 (RMF) or the older DITSCAP/NIACAP - follows defined phases, two of which are Initiation (C) and Continuous Monitoring (B). Initiation kicks off the C&A process by defining scope, roles

Architect for Governance, Risk, and Compliance

Question

Which of the following are the phases of the Certification and Accreditation (C&A) process? Each correct answer represents a complete solution. Choose two.

Options

  • ADetection
  • BContinuous Monitoring
  • CInitiation
  • DAuditing

How the community answered

(43 responses)
  • A
    9% (4)
  • B
    88% (38)
  • D
    2% (1)

Explanation

Certification and Accreditation (C&A) - commonly associated with frameworks like NIST SP 800-37 (RMF) or the older DITSCAP/NIACAP - follows defined phases, two of which are Initiation (C) and Continuous Monitoring (B). Initiation kicks off the C&A process by defining scope, roles, and system boundaries, while Continuous Monitoring is the ongoing phase where security controls are tracked after authorization to maintain an acceptable risk posture.

Detection (A) is not a C&A phase - it's a concept from incident response and intrusion detection frameworks (e.g., NIST incident lifecycle: Preparation, Detection, Containment, Recovery). Auditing (D) is a general security activity and a component of logging/accountability, but it is not a named phase in the C&A lifecycle.

Memory tip: Think of C&A as a lifecycle - it starts (Initiation) and never truly ends (Continuous Monitoring). The two wrong answers (Detection, Auditing) belong to incident response and access control, respectively - they're real security concepts, just in the wrong category.

Topics

#C&A Process#System Authorization#Continuous Monitoring#Security Compliance

Community Discussion

No community discussion yet for this question.

Full CISSP-ISSAP Practice