nerdexam
(ISC)2

CISSP-ISSEP · Question #109

Which of the following phases of NIST SP 800-37 C&A methodology examines the residual risk for acceptability, and prepares the final security accreditation package?

The correct answer is D. Security Accreditation. Security Accreditation (D) is correct because this phase is where the Authorizing Official (AO) reviews the complete security package, evaluates residual risk to determine if it is at an acceptable level, and then issues the final accreditation decision - typically an Authorizati

Risk Management

Question

Which of the following phases of NIST SP 800-37 C&A methodology examines the residual risk for acceptability, and prepares the final security accreditation package?

Options

  • AInitiation
  • BSecurity Certification
  • CContinuous Monitoring
  • DSecurity Accreditation

How the community answered

(24 responses)
  • A
    4% (1)
  • B
    4% (1)
  • D
    92% (22)

Explanation

Security Accreditation (D) is correct because this phase is where the Authorizing Official (AO) reviews the complete security package, evaluates residual risk to determine if it is at an acceptable level, and then issues the final accreditation decision - typically an Authorization to Operate (ATO), Interim ATO, or Denial of ATO.

Why the distractors are wrong:

  • A. Initiation - This phase focuses on preparation: documenting the system, reviewing existing security controls, and planning the C&A effort. No risk acceptability decision is made here.
  • B. Security Certification - This phase assesses whether security controls are correctly implemented and effective, but it does not make the final authorization decision; it feeds findings into the accreditation package.
  • C. Continuous Monitoring - This occurs after accreditation is granted and involves ongoing tracking of the security posture over the system's lifecycle.

Memory tip: Link the word "Accreditation" to "Authorization" - both start with "A" and both represent the official final approval. The AO signs off on residual risk in the Accreditation phase, making it the gateway between assessment and operation.

Topics

#NIST SP 800-37#Risk Management Framework#Security Accreditation#Residual Risk

Community Discussion

No community discussion yet for this question.

Full CISSP-ISSEP Practice